Authorities on Thursday disrupted a botnet, a malware framework and seized infrastructure that Evil Corp and other cybercrime groups used to steal data and break into various networks.

The globally coordinated effort targeted SocGholish, multi-stage malware that has compromised websites, redirected users to traffic distribution systems (TDS) and slipped malware into their networks since 2017.

“The malware establishes an initial foothold into victim computers, collectively known as a botnet, and is then used by threat actors for further targeting with ransomware campaigns and espionage,” the FBI’s cyber division said in a statement. 

Cybersecurity firms, researchers and officials from the United States, Canada, Germany, the Netherlands and Europol took down 106 servers and remediated nearly 15,000 sites that were infected with the malware. Officials also disabled the botnet and notified victims.

Sites infected with SocGholish, which are primarily hosted on WordPress, were widespread and provided everyday services including restaurants and auto repair shops, according to the Dutch National Police. 

The botnet, also known as “FakeUpdates,” is linked to the Russian cybercrime group Evil Corp. It also provided initial access to other ransomware variants, including DoppelPaymer, WastedLoocker, Hades Ransomware, LockBit, RansomHub and others, according to Infoblox, which participated in the takedown. 

Proofpoint, which also participated in the disruption, described Evil Corp as one of the most prominent cybercrime groups in operation and the “grandfather” of a threat type that compromises websites and uses TDS to redirect users to malware.

Following the takedown, the FBI issued a public service announcement warning about cybercriminals using TDS to break into victim networks for ransomware or other financial scams. 

Cybercriminals redirect traffic from sites to bypass firewalls, obscure their activity, identify potential victims and send them to phishing pages to steal credentials, initiate financial scams, access networks, deliver other malware, and sell access to other cybercriminals, officials said.

The law enforcement action was part of Operation Endgame, a multinational effort targeting cybercrime since 2024, and more narrowly for the FBI part of Operation Riptide, an ongoing campaign targeting cybercriminals and the infrastructure and financial networks they use to commit fraud.

The post Authorities disrupt Evil Corp’s SocGholish botnet appeared first on CyberScoop.

TeamPCP is on a rampage through open-source software.

In less than four months, the threat actor has compromised and injected malicious code into more than 1,000 software packages. The extraordinary spree has transformed how software developers and maintainers distribute and manage their code, as their dependencies and repositories have become one of the most effective and prevalent attack vectors this year.

While there has been a host of technical exploits, TeamPCP’s greatest attack has been the uprooting of trust — repeatedly proving that most organizations fail to verify the code they ingest into their systems is legitimate, abusing a nearly blind faith that much of the software development industry relies on to power today’s modern economy.

Starting with Trivy in February, TeamPCP’s attacks have shaken that trust many times over.

The scale of TeamPCP’s attacks lies partly in the automated systems companies use to deploy code, like CI/CD pipelines. It is also capitalizing on new security gaps created by developers’ increasing reliance on AI. Yet, with relatively low effort and unoriginal tactics, TeamPCP is wrecking open-source frameworks and underlying systems at levels the technology community has rarely reckoned with.

“Developers didn’t do a great job of analyzing the security of their open-source dependencies before but, now with AI, there’s in some cases virtually no human in the loop or any kind of sanity check on what these tools are doing,” Feross Aboukhadijeh, founder and CEO at Socket, told CyberScoop.

“You have agents installing packages that haven’t been vetted,” he said. “When an attacker gets in, the impact is even broader because there’s less checks and balances to stop it from affecting everybody.”

TeamPCP hasn’t identified a new problem or proved anything novel. The crux of these attacks hinge on a central theme — defensive vulnerabilities the entire software industry has known about for years. Researchers and developers know the open source trust model is broken and susceptible to sabotage. Yet, the software industry has not fixed this problem. 

“The speed and scale of these attacks is what makes it most notable, not necessarily the methodology behind it, because at the core it is really about exploiting third-party trusts that we have,” said Kimberly Goody, senior manager at Google Threat Intelligence Group.

Software packages are typically subjected to intensive security monitoring to test for vulnerabilities and poisoned updates before they are released to live environments. 

Yet, the real vulnerability highlighted by TeamPCP lies further up the chain of command with the organizations or individuals that publish these packages to the wider market, according to Nathaniel Quist, manager of cloud threat intelligence at Palo Alto Networks.

“It is their responsibility to secure their credentials and not provide a jump off point to trigger a supply-chain event,” he said. “Everything that interacts with or crosses through that zone must be highly monitored and controlled to ensure a compromise can be contained quickly and easily.”

TeamPCP’s motivation

TeamPCP, like any prolific cybercriminal, has captured significant attention from threat hunters since it emerged in late 2025. Google attributes the activity to one core operator.

The company said it traced TeamPCP’s residential and mobile IP address connections to South Africa, indicating the primary operator was located there during at least some of its attacks.

“We don’t believe that there’s an established core group, at least not yet, and that a lot of this has been conducted by an individual,” Goody said. Google declined to name the core operator or confirm it knows the person’s true identity. 

Palo Alto Networks said the core manager of TeamPCP uses the “ResoluteXBF” handle on multiple platforms. The cybersecurity firm is also tracking two additional core members: “diencracked” and “Shinigami.”

If TeamPCP is primarily run by one person, law enforcement has a rare opportunity to make a lasting impact with a single arrest.

TeamPCP has collaborated with other cybercriminals, but most of those partnerships were short-lived and ended in a public feud or otherwise failed to get off the ground in any meaningful way, Goody said.

Researchers have linked TeamPCP to extortion crews, dark web forums and affiliates including Lapsus$, ShinyHunters, Vect, DragonForce, BreachForums and “HasanBroker.” TeamPCP listed about 4,000 private code repositories on a dark web forum with an asking price of $95,000.

The actions to date, including unpredictable behavior, indicate motivations beyond financial gain and a “clear desire for notoriety,” Goody said. “They seem to like to make chaos.”

Quist draws the same conclusion from his months-long investigation, noting that it encourages other cybercriminals to get in on the action, at one point offering financial rewards for the largest software supply-chain attack. 

TeamPCP isn’t in the game for extortion payments, he said. “These actors are more interested in the underground street cred they are gaining” and “causing as much damage and mayhem as possible.”

Victims abound, but exposure limited

TeamPCP has been remarkably noisy, opportunistically injecting malware into open-source software for the purpose of stealing credentials for Kubernetes environments, Amazon Web Services, Microsoft Azure, Google Cloud and many other connected services.

The group’s claimed victim list is staggering: Checkmarx, Bitwarden, LiteLLM, Telnyx, Mercor AI, PyTorch Lightning, AntV, SAP, GitHub, TanStack, UiPath, MistralAI, Microsoft DurableTask, Red Hat and Nx Console.

The full collection of packages compromised or poisoned by TeamPCP to date accounts for roughly 500 million weekly downloads combined, according to Quist.

While the breadth of potential downstream compromise flowing from those downloads is substantial, many endpoints infected with those malware-riddled packages aren’t exposed to the internet and less susceptible to attack, he added.

“I don’t think there’s going to be a very extremely large number of victims,” Quist said. “There’s going to be a lot of people who potentially could be compromised and have potentially vulnerable packages in their environment, but that doesn’t necessarily mean they’re in an exploitable position.”

While these incidents have grabbed headlines, TeamPCP hasn’t accumulated payouts nearly as large as other cybercriminals. The broader reputational impact it has wrought, however, is massive.

TeamPCP has publicly claimed more than 10,000 victims and about $90,000 in extortions, according to Quist.

“They might not be making a lot of money, but they are causing a lot of impact,” Goody said. “Their campaigns have been very disruptive.”

How TeamPCP’s operating model targets development

TeamPCP’s victim list has grown as its hijacked open-source repositories on npm, PyPI, GitHub and other outsourced developer tools that are incorporated into upstream code running in production environments.

Developer laptops and other endpoints that are assigned to install, build and publish software widely contain keys and access to source code that create incredibly valuable supply-chain targets for attackers, Amitai Cohen, head of the attack vector intel team at Wiz, explained during a June presentation on TeamPCP at SleuthCon in Arlington, Va. 

The group targets CI runners, which are automated systems that build, test, and publish code. TeamPCP injects malware into the code repositories these runners maintain. When other developers pull that code into their own systems, they unknowingly download the malware alongside it. 

Some of these artifacts, including Python libraries, npm registries and GitHub Actions, are downloaded almost immediately by thousands or millions of developers who’ve set their runners up to consistently pull the latest version, according to Cohen. “We as a security industry have taught them that that is the right thing to do. You want to use the latest version because you want to be protected against vulnerabilities, and obviously you want to benefit from all the latest features.”

That instinct is exactly what TeamPCP exploits. By compromising one company’s CI/CD workflow, the group gains access to every downstream user who automatically pulls that infected code. “This is what allows [TeamPCP] to leverage initial access to some patient zero, some company that had a vulnerability in their CI/CD workflow, in order to gain access to their downstream users,” Cohen said. “That’s just how the software supply chain works. Everything has dependencies upon dependencies upon dependencies.”

Some of the packages compromised by TeamPCP were live for almost 13 hours, but security practitioners have responded by identifying code-injection attacks much quicker now, pulling some compromised repositories within 15 minutes, said Ben Read, director of strategic intelligence at Wiz.

The threat group’s operations remain high-tempo. TeamPCP infects new software packages almost daily, validates compromises and captures sensitive data within 24 hours, according to Wiz researchers.

The threat group has consistently evolved its tactics, developing payloads in JavaScript and Python while spreading from local files to Kubernetes application programming interfaces and bundled software development kits. Most recently, it’s been stealing credentials via custom protocols. 

The group’s ambitions have expanded beyond its own attacks. TeamPCP is also responsible for a self-replicating piece of malware known as Mini Shai-Hulud, which infected hundreds of software packages across open-source registries in back-to-back attack sprees last month. A TeamPCP affiliate published the full source code for the malware on GitHub last month and encouraged other cybercriminals to use it for their own campaigns.

“TeamPCP is going for volume. They are not being discriminating, they’re not necessarily trying to be stealthy or trying to maximize ROI. They’re going for an all-of-the-above strategy,” Read said during the Sleuthcon presentation.

Defensive gaps create openings for attack

TeamPCP’s attack spree has also underscored how difficult it is for organizations to revoke compromised secrets. Multiple victims have experienced recurring infections, sometimes falling prey to TeamPCP three times within a month, because they didn’t rotate secrets properly, Cohen said. 

At its core, these attacks highlight a direct trade-off organizations accept when they update software quickly to fix vulnerabilities, but learn that doing so too quickly could expose them to illegitimate registries containing malware.

TeamPCP has targeted what Aboukhadijeh describes as a “public good,” open-source registries that were never perfect but widely trusted and rarely turned into a point of entry for supply-chain attacks. 

Rapid open source software installation is one of the most dangerous things an organization can do right now, he said, adding that there’s a roughly 1 in 10 chance that any package installed by an organization could trigger an active attack. 

TeamPCP has compromised security scanners, password managers, automation tools, data visualization software, and CI/CD infrastructure across various environments.

And it’s lifted a trove of credentials and other sensitive data from victims.

Researchers like Cohen at Wiz, who have been tracking this attack spree since the beginning, are nearing a breaking point. 

“This is also too hard on us. We’re very tired. I’m sure a lot of people working on this problem space are very tired, and it’s just kind of become untenable,” Cohen said.

“You can’t keep existing in a world where you wake up every morning and some super prevalent package is compromised and everybody’s just going to be using it like nothing,” he added. “We need to start taking this a bit more seriously.”

The post How software development’s speed obsession enabled TeamPCP’s chaos crusade appeared first on CyberScoop.

Attackers are actively exploiting a pair of critical Fortinet vulnerabilities in FortiSandbox, a security product customers use to identify and defend against emerging threats across their network, according to researchers.

Fortinet disclosed and patched the vulnerabilities — CVE-2026-39808 and CVE-2026-39813 — in April, but it hasn’t confirmed exploitation. The company did not respond to a request for comment. 

VulnCheck said it first observed exploitation of CVE-2026-39808, an OS-command injection vulnerability, on June 9. Researchers at threat intelligence firm Defused confirmed exploitation of the same defect June 11, and CVE-2026-39813, a path-traversal vulnerability, on June 15. 

Simo Kohonen, founder and CEO of Defused, said the firm observed 49 exploitation events from 11 distinct IPs against the pair of defects over a six-day period. Attackers are also attempting to exploit a third FortiSandox vulnerability, CVE-2026-25089, which Fortinet disclosed and patched June 9, he added.

Researchers haven’t determined how many Fortinet customers are directly impacted, yet post-exploitation activity thus far, which includes verification and reconnaissance, usually precedes a heavier wave of attacks, Kohonen said. 

Defused traced the malicious activity to 13 sources originating from nine countries, including China, South Korea, Taiwan, India, Singapore, Germany, the Netherlands, Canada and Bulgaria. 

“The spread and the share proof-of-concepts point to multiple independent operators on commodity infrastructure, not one campaign,” Kohonen told CyberScoop.

Researchers said they haven’t observed evidence attackers are chaining the vulnerabilities together, but the exploits are functioning with one another by bypassing authentication, escalating privileges and allowing attackers to execute arbitrary commands.

The exploits, which multiple research firms have observed in honeypots, mark the early stages of another potential wave of attacks targeting Fortinet customers.

The Cybersecurity and Infrastructure Security Agency has flagged 26 Fortinet vulnerabilities in its known exploited vulnerabilities catalog since 2021. As of Wednesday, the agency hasn’t added any of the new Fortinet defects to its catalog.

Researchers warn that the vulnerabilities affect a significant device in enterprise security architecture. 

“Sandbox appliances are typically trusted systems used to analyze suspicious content and support broader detection workflows, which means a compromise could provide attackers with elevated access within a security sensitive environment,” Chris Doyle, head of security and compliance at JupiterOne, said in an email. 

Kohonen added: “FortiSandbox is high-value because it ingests from and connects to other Fortinet devices.”

The post Attackers hit pair of critical Fortinet vulnerabilities the vendor disclosed in April appeared first on CyberScoop.

Google threat hunters spotted yet another Chinese state-sponsored espionage group that for years had burrowed into systems belonging to government and private organizations to steal data across academia, medicine, military, cybersecurity and foreign policy. 

Google Threat Intelligence Group discovered the previously unknown threat group UNC6508, which targeted organizations in the United States and Canada, in late 2025 but traced its earliest known compromise back to September 2023. 

The revelation mirrors an alarming pattern of Chinese espionage groups dropping backdoors into critical infrastructure to pre-position for potential sabotage, intercept research and steal data with national security implications. These groups working at the behest of China’s government, including UNC6508, operated in stealth for years before authorities or researchers discovered their activity.

“We don’t know the full extent or impact of the campaign,” Patrick Whitsell, senior security engineer at GTIG, told CyberScoop. Researchers said the threat group intruded a medical research university in September 2023, stole credentials and communications, and remained active on the institution’s systems through November 2025 when it was discovered.

Google said it confirmed multiple victims compromised with INFINITERED, a custom backdoor the threat group deployed on targeted networks to steal administrative credentials after it exploited externally facing REDCap (Research Electronic Data Capture) servers.

Researchers still don’t know how UNC6508 gained initial access to the REDCap servers. Google said the survey and database software, which was created at Vanderbilt University and issued multiple patches for critical remote-code execution vulnerabilities throughout 2023, is widely used across the medical research community. 

“Given the breadth of the threat actor’s intelligence collection criteria and their ability to remain undetected within compromised networks for more than a year, we assess the known victims likely represent only a fraction of a larger campaign,” Whitsell said. “We also assess that this highly capable threat actor will remain active and continue to be a threat to the defense, technology and medical industries for the foreseeable future.”

Google said the campaign targeted clinical providers, academic medical centers and U.S. military health institutions, demonstrating advanced capabilities from a threat group that doesn’t currently overlap with any other publicly known groups.

The threat group abused domain compliance rules to steal data, a technique that doesn’t rely on malware or living-off-the-land tools, and routed traffic through U.S.-based IPs to blend in with legitimate traffic, researchers said.

“We have some evidence to suggest this is a large threat group with multiple sub-teams, but this is not confirmed,” Whitsell said.

Like other previously identified China state-sponsored espionage groups, UNC6508 remains active.

Google said it disrupted some of UNC6508’s known infrastructure by disabling an Gmail account it used to exfiltrate data, notified the affected organizations and helped remediate compromises before it published research on UNC6508’s activities.

Whitsell said several unconfirmed instances of compromise remain under investigation.

The post Google exposes China espionage group that’s been lurking in networks undetected since 2023 appeared first on CyberScoop.

The FBI, along with Google and Lumen Technologies, took down a major cybercrime network based in China that was responsible for an estimated $1.9 billion in losses, officials said Friday. 

Outsider, which provided phishing kits and hosted infrastructure for cybercriminals since July 2023, facilitated a wave of phishing attacks against people and businesses in 55 countries, including the United States, the FBI said in a LinkedIn post.

The jointly coordinated effort dubbed “Operation Ghost Hook” netted the seizure of several domains of the group’s core admin servers, a Shopify storefront, roughly $100,000 from Outsider payment wallets and thousands of domains registered through U.S.-based providers, officials said.

The FBI said it also used an Outsider Telegram bot to access information on the cybercrime network’s customers.

“The criminals behind Outsider Enterprise built a business out of impersonating trusted brands to defraud hundreds of thousands of victims,” Brett Leatherman, assistant director of the FBI’s cyber division, said in a statement.

Authorities traced Outsider’s phishing domains to nearly 3.9 million stolen credit cards.

Google, one of the vendors impersonated by the phishing kits, described Outsider as a massive AI-powered operation. 

Outsider provided its phishing kit, which allowed cybercriminals to create fake sites and phishing campaigns to steal credit cards, bank account credentials and personal data, for a weekly subscription as low as $88 per week, the company said in a civil lawsuit it filed to dismantle the cybercrime network’s infrastructure. 

The China-based group behind the operation encouraged and provided step-by-step instructions for customers to use Gemini and other AI platforms to generate custom code for phishing lures and corresponding sites for illegitimate missed packages, overdue highway tolls, parking violations, issues with a brokerage account or wireless carrier rewards.

“The Outsider software allows scammers to request multiple types of verification from victims, including SMS, PIN, email and app verification,” Google wrote in the lawsuit filed in the U.S. District for the Southern District of New York. “This flexibility enables the enterprise to defeat various forms of authentication security.”

Google said it’s working with AT&T, T-Mobile and Verizon to intercept the spam messages before they reach customers, but these types of phishing attacks are prevalent and have been spreading for years. 

Google is also pushing for legislative action, including a series of bills, to combat these scams, General Counsel Halimah DeLaine Prado wrote in a blog post.

“Litigation alone won’t end this,” she wrote. “As threats evolve, our laws must, too.”

Google said it doesn’t know the real names of the people or entities involved in Outsider, but said the operation is supported by multiple cybercrime groups providing different roles with overlapping infrastructure.

The FBI said the takedown was part of Operation Riptide, an ongoing campaign targeting cybercriminals and the infrastructure and financial networks they use to commit fraud.

The post FBI takes down massive China-based cybercrime network that caused $1.9B in losses appeared first on CyberScoop.

A longtime former member of Conti, a ransomware group that attacked more than 1,000 organizations globally before it disbanded in 2022, pleaded guilty to participating in some of those attacks in federal court Wednesday, the Justice Department said.

Oleksii Oleksiyovych Lytvynenko, also known as Alexsey Alexseevich Litvinenko, admitted he joined the prolific cybercrime group in September 2021 and held data on 12 victims, including eight based in the United States. The 44-year-old told the court he developed malware that Conti used in some of its attacks, according to officials. 

“The defendant and his conspirators used the Conti ransomware to terrorize people and businesses in the United States and around the world, causing millions of dollars in damage,” A. Tysen Duva, assistant attorney general of the Justice Department’s criminal division, said in a statement.

Lytvynenko and his co-conspirators used the ransomware to attack more than 1,000 victims globally, ensnaring victims in 47 states, Washington, Puerto Rico and about 31 countries, according to the Justice Department. The FBI estimates Conti extorted more than $150 million in ransom payments from victims.

The Ukrainian national pleaded guilty to conspiracy to commit wire fraud and faces up to 20 years in prison upon sentencing, which is scheduled for Sept. 10. 

Lytvynenko was arrested in Ireland in July 2023, extradited to the United States in October 2025, and remains in federal custody in Tennessee where at least three of his victims are based. He left Ukraine in 2022 and obtained temporary protective status in Ireland, residing in Cork at the time of his arrest. 

Prosecutors said Lytvynenko and his co-conspirators extorted about $634,000 in Bitcoin from two victims in Tennessee, including an undisclosed government entity that resulted in the compromise of a sheriff’s department, local emergency medical services and a local police department. According to an indictment that was unsealed last fall, Lytvynenko and his co-conspirators also leaked data they stole from another Tennessee-based victim after it refused to pay a $3 million ransom demand.

Four of Lytvynenko’s alleged co-conspirators — Maksim Galochkin, Maksim Rudenskiy, Mikhail Mikhailovich Tsarev and Andrey Yuryevich Zhuykov — were indicted in 2023 in the same federal court for crimes related to their suspected involvement in Conti attacks from 2020 to 2022. 

Authorities said Lytvynenko engaged in cybercrime after Conti disbanded and its members splintered off into new groups, adding that he “was asleep but within arms’ reach of an open laptop running Cobalt Strike” at the time of his arrest.

At one point, Conti was among the most prolific ransomware groups globally, impacting hundreds of critical infrastructure providers, Costa Rica’s government in 2022, and ultimately leading the State Department to offer a $10 million reward for information related to Conti’s leaders. The group was notoriously resilient, bouncing back with new infrastructure and hitting new targets after a massive leak exposed chats between the group’s members in 2022.

Conti disbanded later that year, but members of the Cyrillic-language group rebranded under three subgroups: Zeon, Black Basta and Quantum, which quickly rebranded to Royal, before rebranding again to BlackSuit in 2024.

“Lytvynenko’s guilty plea is a significant step toward holding cyber criminals accountable for the damage they inflict on victims worldwide,” Brett Leatherman, assistant director of the FBI’s cyber division, said in a statement “Lytvynenko profited from fear and coercion, conspiring to use Conti ransomware to extort victims and steal their data.”

The post Conti ransomware group member pleads guilty, faces up to 20 years in prison appeared first on CyberScoop.

Researchers are warning that cybercriminals exploited an Oracle PeopleSoft zero-day vulnerability and potentially infiltrated the networks of more than 100 organizations in an attack spree that largely impacted higher education.

Mandiant and Google Threat Intelligence Group said it became aware of the attacks earlier this month as part of its ongoing monitoring of ShinyHunters operations. The notorious cybercrime group claims it hacked more than 100 organizations and started naming victims and publishing allegedly stolen data Tuesday.

University of Nottingham, one of ShinyHunters’ alleged victims, on Wednesday confirmed a significant amount of student data was stolen during a cyberattack after the threat group leaked some of the school’s data.

The attacks date back to at least May 27, according to Mandiant, and involve the exploitation of CVE-2026-35273, a defect in Oracle PeopleSoft PeopleTools that allows unauthenticated attackers to execute remote code and takeover affected servers.

Oracle disclosed the vulnerability and recommended some steps for mitigation Wednesday, weeks after the attacks were already underway. The vendor hasn’t released a patch to address the defect and did not respond to a request for comment.

Google said it alerted more than 100 organizations of potentially vulnerable endpoints in their environments, but it declined to confirm how many victims are compromised. 

“This campaign is still active. We have observed ShinyHunters sending extortions as recently as today,” Charles Carmakal, chief technology officer at Mandiant Consulting, told CyberScoop Thursday evening. He added that more victims, beyond Google’s visibility, may be impacted.

Most of the potential victim pool is based in the United States and 68% are in the higher education sector, according to Google.

“We have previously observed ShinyHunters target the education sector this year, however it’s possible this targeting is representative of the majority of exposed PeopleSoft instances belonging to the sector,” Carmakal said. 

Oracle PeopleSoft PeopleTools includes more than 40 tools for human resources and customer relationship management.

The attacks come less than a year after the Clop ransomware group exploited a zero-day in Oracle E-Business Suite that affected dozens of victims. The data theft extortion campaign that followed those attacks, which began in August, didn’t get underway until October.

The post ShinyHunters is actively extorting universities after exploiting an unpatched Oracle flaw appeared first on CyberScoop.

Microsoft addressed a whopping 206 vulnerabilities lurking in its vast portfolio of business products and foundational systems in this month’s Patch Tuesday update, marking the vendor’s largest monthly batch of security patches on record, according to researchers.

The massive assortment of vulnerabilities in Microsoft’s latest defect dump accentuates an alarming trend across technology — fears and warnings about a roaring flood of error-riddled software have materialized. And the disease is spreading. 

“It is extraordinary that Microsoft can produce so many patches in a single month, but it does raise concerns,” Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, wrote in a blog post Tuesday.

Researchers consistently highlight the role artificial intelligence is playing in discovering more vulnerabilities and aiding in the development of patches and testing. Childs isn’t alone in wondering if this is the new normal and how that will impact defenders’ strategies for patch prioritization and deployment. 

“Pandora’s proverbial box has been opened, and as more advanced AI models become available, we expect the norm to continue upward across the board, not just for Patch Tuesday,” Satnam Narang, senior staff research engineer at Tenable, said in an email.

This vulnerability flood isn’t a one-off or rare event. Half of Microsoft’s Patch Tuesday updates through the first half of this year contained a volume of defects well into the triple digits. 

“The current number of CVEs shipped by Microsoft this year exceeds the total number of CVEs shipped in all of 2018,” Childs wrote. 

Microsoft disclosed three vulnerabilities — CVE-2026-45586, CVE-2026-50507 and CVE-2026-49160 — that were publicly known at the time of release, but not yet exploited in the wild, according to the company. 

Yet, in an out-of-band update May 19, the vendor did disclose and release a patch for CVE-2026-41091, an actively exploited zero-day vulnerability affecting Microsoft Defender.

Microsoft disclosed one max-severity vulnerability — CVE-2026-48567, affecting Azure HorizonDB — and nine defects with critical CVSS ratings. The company designated 15 of the vulnerabilities it addressed this month as more likely to be exploited.

The full list of vulnerabilities addressed this month is available in Microsoft’s Security Response Center.

The post Microsoft breaks Patch Tuesday record with 206 vulnerabilities appeared first on CyberScoop.

Cisco customers are confronting yet another actively exploited zero-day vulnerability affecting the vendor’s SD-WAN management software, reinforcing pressure on organizations that have experienced rare breaks from active threats this year.

The vulnerability — CVE-2026-20245 — marks the seventh actively exploited zero-day in Cisco SD-WANs this year.

Cisco said it first became aware of active exploitation of the latest defect in the network management software earlier this month. The company disclosed the vulnerability, which was first spotted by Mandiant, on Thursday and warned that a security patch is not yet available and there are no workarounds to mitigate the defect in the meantime.

“A patch for this vulnerability will be provided on a future date,” a company spokesperson said in a statement. 

Cisco did not attribute the attacks to any specific group, describe the objectives of those attacks or share how many organizations have already been impacted.

The validation error defect affecting the Cisco Catalyst SD-WAN Manager allows authenticated or local attackers to execute commands as root, resulting in command-injection attacks on an affected system, the company said.

Yet, the scope of potential impact may be limited because exploitation requires valid credentials or privileged access through other means. Cisco said exploitation of a pair of zero-days it disclosed earlier this year —  CVE-2026-20182 or CVE-2026-20127 — could allow attackers the access required to exploit the new vulnerability. 

The company said it is “not aware of successful exploitation by other means,” adding that it “observed limited cases where the exploitation of this bug resulted in a configuration change pushed to edge devices.”

Landon Rice, senior exploit developer at VulnCheck, said the need for existing privileges “makes an attacker heavily reliant on previous vulnerabilities, or a net-new initial access vector, in order to be able to reach the privilege escalation path.”

Cisco advised customers to upgrade to fixed software released in May as part of its response to CVE-2026-20182 as a protective measure. 

Absent a patch that would provide organizations more protection against the new vulnerability, Cisco provided some indicators of compromise but noted that those same log entries may occur during standard operations. The company encouraged customers that need help distinguishing between legitimate and malicious activity to contact Cisco Technical Assistance Centers.

Cisco isn’t the only security vendor facing an onslaught of attacks on its customers, but it is among the most heavily targeted. The Cybersecurity and Infrastructure Security Agency has added seven vulnerabilities affecting Cisco SD-WANs and firewalls to its known exploited vulnerabilities catalog this year, not including CVE-2026-20245, which has yet to be added to the catalog.

The post Cisco customers encounter another SD-WAN zero-day under attack appeared first on CyberScoop.

Microsoft reopened some wounds and has reignited debate over the past couple weeks about vulnerability disclosure and the sometimes adversarial dynamic it creates between security researchers and vendors. 

The latest controversy ensued when Microsoft threatened criminal legal action against a security researcher who publicly disclosed a series of zero-day vulnerabilities with proof-of-concept exploits. Microsoft insisted it received no details about the vulnerabilities prior to release, adding that the defects were not responsibly disclosed and put its customers at unnecessary risk.

The public dispute between Microsoft and the researcher known as “Nightmare Eclipse,” who couldn’t be identified or reached for comment, sparked dismay among some security professionals. Microsoft’s forceful response and the resulting backlash revived a friction point between vendors and researchers who find and report flaws in the software they sell.

“The fight is being argued as coordinated disclosure, but the grievance underneath is personal and specific in a way disclosure shouldn’t be, especially with a vendor that has been at it for so long,” Katie Moussouris, founder and CEO at Luta Security, told CyberScoop.

“Microsoft seemed to get emotional and shouldn’t have publicly said anything, but somehow felt justified in calling out a researcher and involved law enforcement in the same breath,” she said. “That puts them right back in the first stages of vulnerability disclosure grief: denial and anger.”

The former longtime Microsoft employee who ran outreach with the security community, created the company’s first bounty program and has given conference talks on the subject as far back as 2013, said the company doubled down on its lack of responsibility in the whole saga.

Microsoft declined to answer questions in the wake of the fallout.

Nightmare Eclipse hinted at a breakdown and impending battle with the vendor in a series of blog posts leading up to Microsoft’s missive about the vulnerabilities RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma.

Attackers exploited three of the six vulnerabilities Nightmare Eclipse released before they were patched by Microsoft.

The researcher claimed Microsoft refused to communicate, didn’t pay or credit them for discovering and reporting some of the vulnerabilities, deleted the Microsoft Security Response Center account they used to disclose vulnerabilities and flagged their GitHub account for removal. 

“You are proving to everyone that you are actively escalating this conflict,” they wrote, before threatening Microsoft with a release in mid-July that “will make sure your bones are shattered that day.”

Vulnerability disclosure is a two-way street

The characteristics of proper vulnerability disclosure processes are nuanced and often framed in the eyes of the beholder.

Any successful dance between bug hunters and vendors comes down to meeting each other halfway, said Andrew Morris, founder and chief architect of GreyNoise. 

While vendors must fix software defects and prioritize security, Morris noted that irresponsible vulnerability disclosure harms both incident responders and potential victims. 

“Personally, I feel like this researcher is being extremely petty. It seems like they have an ax to grind,” he said.

“You’re not allowed to give somebody something and say it’s out of the kindness of your heart, and then be pissed when they don’t pay you for it.” 

But Morris also made clear that vendors bear responsibility for building trust with researchers.  

“If you actually care about being the first one to know about bugs in your software, not learning about it once harm has happened, or once somebody’s gotten popped, then you want to cultivate that trust with the security community,” Morris said. 

Microsoft said it recognizes that the relationship between security researchers and vendors is critical and, at times, fragile. 

“We deeply value the security community, and will continue to take your feedback seriously,” the company said in its post on X. 

Yet, the company remains steadfast in opposing the circumstances of Nightmare Eclipse’s disclosures, describing their actions as illegal, unjustifiable and irresponsible. 

“When an individual breaks the law and engages in malicious activity causing real harm to our customers, we will work with law enforcement as appropriate,” Microsoft said without naming the researcher by their moniker. “We continue to believe strongly in coordinated vulnerability disclosure as the foundation for protecting customers and improving our products. We know that, given the nature of this work, there will at times be misunderstandings. We remain committed to engaging in good faith and to providing a respectful and professional experience for all researchers, regardless of past interactions.”

The cost of pushback

Security researchers seek out defects for various reasons: bounty payouts, recognition, industry credibility, or simply the thrill of the hunt that comes with finding vulnerabilities and getting them fixed.

At its best, this process happens behind the scenes, with patches released and customers warned before exploitation occurs.

This collaborative approach has taken root and improved considerably, but there are still cases where researchers feel slighted. 

“The public has no idea what went on behind the scenes to judge why a researcher that previously coordinated finally had enough and decided to drop a zero-day [vulnerability],” Moussouris said. As such, she’s less inclined to criticize Nightmare Eclipse’s actions, adding that “they come off as someone who needs help.” 

Yet, trust breaks down between vulnerability researchers and vendors often. Earlier this week, security researcher Ammar Askar claimed his last interaction with Microsoft’s security team was so poor that he decided to publicly disclose any bugs he finds in VS Code going forward. He made good on that threat by dropping a vulnerability and exploit code for a defect that allows attackers to steal GitHub tokens. 

While actions like this can sabotage trust and drive a wedge between vendors and vulnerability researchers, recourse to a large extent is limited. Moussouris said most of the time, the legal and ethical boundaries are clear to those involved. Researchers can report bugs, withhold them, sell them, or publish them. “The one red line is crime: using a flaw to extort or attack people,” Moussouris said. 

“Threatening to publish on a set date is a threat to disclose, and disclosure is lawful. You can find the tone ugly. [Nightmare Eclipse] still broke no rule and violated no duty.” 

The timing couldn’t be worse 

Both sides are partly responsible for what happened, but Microsoft made things worse, Morris said. Threatening legal action and taking an aggressive approach have never worked. Building a good relationship between researchers and vendors requires open communication and trust. 

“I thought we were past this. It turns out that we are not,” he said. 

The Nightmare Eclipse incident comes at a fraught time in this space. Vendors and their customers are confronting a deluge of more vulnerabilities, and the rise of artificial intelligence models that discover them is exacerbating this challenge, leaving security experts alarmed about what’s coming.

The prospects for where vulnerabilities will be discovered and exploited next, and to what impact, are unknown and wildly unsettling. 

These signals imply that the classic, CVE-based system with responsibly disclosed processes is probably broken, Morris said. “There’s just so many CVEs. It’s like, is this even working anymore?”

For now and despite all its faults, coordinated vulnerability disclosure programs are widely viewed as the most sensible and scalable approach to this dilemma.

“Coordinated disclosure is what happens when a vendor gets lucky. Someone they did not hire hands them a real bug instead of using it or selling it. That puts the whole burden of keeping coordination alive on the vendor,” Moussouris said. “Silent patching with no CVE and calling out researchers who don’t follow your timeline for disclosure squanders the vendor’s luck.”  

She stressed the stakes: “I hope Microsoft and all vendors learn that coordinated vulnerability disclosure is a gift and a grace from the security researcher community to them, and public disclosure is still better than non-disclosure or crime.”

The alternatives to a deteriorating relationship could wreak havoc and leave every vendor and customer more susceptible to attack. 

“If vendors unlearn how to receive free intellectual property and labor from the security community in the form of vulnerability reports with gratitude, we’re headed for a world where nobody bothers to give vendors any heads up, or they move to a timed disclosure model that gives no grace,” Moussouris said.

She concluded with a direct message: “Product vendors wrote the vulnerable code, own the risk, and they owe it to their users to do everything in their power to reduce that risk.” That includes “keeping their grievances to themselves and learning from introspection on coordinated vulnerability disclosure gone wrong.”

The post Nightmare Eclipse incident shows the researcher-vendor fights may never fully go away appeared first on CyberScoop.

Authorities in Europe arrested 29 alleged cybercriminals and took down more than 27,000 illegal streaming URLs that pirated major sporting events, films and TV programming, Europol said Wednesday.

The continent-wide collaboration, led by Bulgaria and the European Union’s police agency, allowed authorities to dismantle nine organized crime groups supporting the illicit streaming networks, officials said. “Operation Kratos 2” focused on disrupting the networks’ underlying infrastructure and stretched for seven months before coming to a close in April. 

Officials did not name the suspects, groups or services targeted during the crackdown, but noted that investigators identified key players responsible for managing and operating the piracy platforms.

Europol said the streaming sites infringed on nearly 850,000 media across 169 domains. 

“What appears to consumers as cheap access to premium content is powered by complex criminal enterprises,” the agency said in a news release. Illegal streaming site operators host separate servers for customer-facing websites and illegal content, and distribute their services across multiple countries.

During the course of the operation, officials conducted 148 house searches, identified 86 suspects and referred 59 cases to courts for criminal proceedings. 

Investigators also worked with private-sector partners to identify nearly 4,400 new domains and more than 18,000 IP addresses linked to piracy and other illegal activity. Those efforts allowed authorities to report almost 400,000 additional URLs for suspension or removal. 

Live sports piracy networks are widespread and consistently tracked by antipiracy coalitions and authorities globally. Authorities in Egypt last year shut down Streameast, the most popular and largest illegal live sports streaming network at the time, with an operation that spanned 80 domains and logged more than 1.6 billion visits during the year prior.

Operation Kratos 2 was supported by anti-piracy associations, UEFA Europa League, La Liga, beIN Media Group and officials from Belgium, Bulgaria, Croatia, France, Greece, Ireland, Italy, the Netherlands, Poland, Romania, Spain, the United Kingdom and the United States.

The post European authorities crack down on illegal streaming networks appeared first on CyberScoop.

Researchers and threat hunters are scrambling to respond to an actively exploited authentication-bypass vulnerability affecting Palo Alto Networks customers’ firewalls. 

The company initially tagged CVE-2026-0257 with a medium-severity rating when it disclosed the defect May 13, but quickly reassessed it as critical after Rapid7 observed and confirmed active exploitation in the wild. The Cybersecurity and Infrastructure Security Agency followed suit, and added the vulnerability to its known exploited vulnerabilities catalog Friday.

The escalated threat posed by the defect, which allows remote attackers to bypass security restrictions and establish a VPN connection to an affected firewall, showcases how quickly a seemingly mild vulnerability can turn into an urgent warning. 

“Palo Alto Networks is actively monitoring limited exploitation attempts targeting CVE-2026-0257 on unpatched PAN-OS devices where mitigations have not been applied,” a company spokesperson said in a statement. The company on Friday urged all customers to immediately apply the patch or follow its recommended steps for mitigation. 

The vendor and Rapid7, which first observed exploitation May 17 in a customer environment, declined to say how many organizations are impacted thus far. Yet, Douglas McKee, director of vulnerability intelligence at Rapid7, warned: “We’ve continued to see new victims roll in, including a couple of customers hit within just an hour of each other during a second wave of activity” on May 21. 

Jake Knott, security researcher at watchTowr, told CyberScoop the vulnerability and resulting exploits follows a recurring trend wherein attackers target exposed network edge devices and rapidly identify, develop and weaponize exploits for initial access. 

“This is yet another authentication bypass on a device whose sole job is to guard the front door to an organization’s network,” he said. “What stands out is how simple it is — an attacker can forge a valid authentication cookie using nothing more than the appliance’s publicly available TLS certificate. The entire exploit is a single HTTP request.”

The vulnerability has a few requisites that limit exposure, specifically posing risk to some Palo Alto Networks customers running GlobalProtect portal or gateway configured to enable authentication override cookies. 

“The cookie encryption and decryption certificate must be reused with another feature, which potentially exposes the public key for that certificate,” said Caitlin Condon, vice president of security research at VulnCheck.

“It’s difficult to say how many deployments meet those criteria for exploitability, but Palo Alto Networks firewalls have a very large footprint, which means even uncommon configurations can present significant attack surface area,” she added.

Rapid7 said the same attacker or group is likely responsible for both waves of exploitation last month, but in many cases attackers are not establishing a full VPN connection or moving to other parts of the impacted network. 

The attackers are “highly opportunistic and clearly monitor the security research community,” McKee said. “Attackers are purposefully weaponizing medium-severity vulnerabilities, which are typically lower priority or blind spots for organizations.”

Multiple threat clusters are swarming to the opportunity and quickly adapting to published research.  Researchers have not attributed the malicious activity to any specific threat groups. 

“Their exact origins and long-term objectives remain unclear, as they currently seem focused purely on opportunistic initial access rather than targeted, long-term espionage,” McKee said. 

Palo Alto Networks said it discovered the vulnerability internally through its use of frontier AI tools. Yet, within days of its public disclosure, initial assessments were proven inadequate.

“This is a pattern we continue to see — the urgency only arrives after exploitation is underway,” Knott said. “Organizations that wait for confirmation of active exploitation before patching will consistently find themselves reacting too late.”

The post Attackers are exploiting Palo Alto Networks defect that initially flew under the radar appeared first on CyberScoop.

A Tennessee man accused of abusing and sexually exploiting children while actively participating in 764, a sprawling online nihilistic violent extremist collective affiliated with The Com, pleaded not guilty Thursday to a series of charges that could keep him locked up for 50 years.

Zachary Sweeney has allegedly victimized multiple children, on numerous occasions grooming and coercing minors to produce child sexual abuse material that he distributed and sometimes sold, the Justice Department said. One of the 30-year-old’s alleged victims later died of an overdose.

Sweeney has been the subject of multiple FBI investigations, which uncovered extensive crimes against children dating back to at least 2022, prosecutors said. His alleged involvement in 764 and, by extension, The Com, underscores the growing, multi-faceted threat of physical violence, cybercrime, extortion and the pursuit of criminal underground notoriety posed by thousands of members typically between 11 and 25 years old.

Victims of these crimes are often young, vulnerable and degraded or traumatized for years with life-altering impact.

“Violent extremists who victimize vulnerable children online are among the worst predators in our community and across the country,” Braden Boucek, U.S. attorney for the Middle District of Tennessee, said in a statement.

Members of 764 and related groups commit crimes in the United States and engage with other extremists globally to foment social unrest and destroy civilized society through the corruption and exploitation of vulnerable people, the Justice Department said.

Police arrested Sweeney Thursday and charged him with three counts of sexual exploitation and attempted sexual exploitation of a minor and three counts of receiving visual depictions of CSAM. Prosecutors said they intend to request Sweeney remain detained at his next court appearance June 3. 

Sweeney allegedly traveled to New York, Indiana, Missouri and Georgia to meet numerous victims in person. Officials received reports from some of his alleged victims and online platforms, triggering FBI interviews with some of his alleged victims as early as 2023. 

One of his alleged victims, who began interacting with Sweeney when she was a teenager, told investigators she degraded herself and participated in virtual self-harm group video calls with a group of people she described as friends of his in The Com. Sweeney alleged raped her and streamed the crime online. 

She died of an overdose in 2024, approximately ten days after FBI agents interviewed her. 

Sweeney allegedly drugged and raped other victims and shared videos of those acts online, according to court records.

The FBI searched Sweeney’s residence in St. Louis in September 2023, more than two months after Meta sent a pair of tips to the National Center for Missing and Exploited Children that linked him to Instagram chats containing CSAM.

Agents seized devices containing evidence of 99 possible CSAM images and videos, but encryption and passwords prevented authorities from conducting further examination, according to court records.

Sweeney moved to Tennessee in the summer of 2024 and allegedly continued to travel out of state to meet victims in person and coerce other victims to produce CSAM through at least the summer of 2025.

Authorities accuse Sweeney of boasting about his crimes and sharing blackmail material, sexual assault and CSAM depicting underage female victims.

Authorities have arrested multiple members of 764 during the past year, reflecting heightened law enforcement activity targeting the violent extremist collective and other offshoots affiliated with The Com.

Two alleged leaders of 764, Leonidas Varagiannis and Prasan Nepal, were arrested and charged for directing and distributing CSAM in April. Alexis Aldair Chavez, of San Antonio, pleaded guilty in December to multiple crimes involving the sexual exploitation of children while acting as an administrator and leader of 8884, a splinter group of 764.

“This operation puts every child predator on notice: the FBI will hunt you down and bring you to justice,” Terence Reilly, special agent in charge of the FBI Nashville Field Office, said in a statement. “Removing violent extremists from our streets protects our most innocent and vulnerable members of society.”

You can read the indictment below.

The post Tennessee man linked to 764 accused of series of crimes against children dating back to 2022 appeared first on CyberScoop.

A Google security engineer was arrested in New York and charged with crimes related to bets he allegedly placed on Polymarket using confidential information he pulled from Google systems, the Justice Department said Wednesday. 

Michele Spagnuolo, a 36-year-old Italian citizen who lives in Switzerland, is accused of placing multiple trades on the prediction marketplace last year that netted him a profit of more than $1.2 million. He allegedly abused internal access to Google’s nonpublic Year in Search data and placed a series of bets on the most searched people on Google in 2025.

“Today’s charges reinforce a decades-old message: corporate insiders cannot use confidential information to turn a profit in our markets,” Jay Clayton, U.S. attorney for the Southern District of New York, said in a statement Wednesday. “Insider trading compromises the integrity of our markets, and the American people want this greed-driven conduct investigated and prosecuted.”

Spagnuolo was charged with violating the Commodity Exchange Act, wire fraud and money laundering, which carry a combined maximum sentence up to 50 years in prison. 

He was also served with a civil complaint by the Commodity Futures Trading Commission that accused him of insider trading. The government agency is seeking restitution, disgorgement, civil monetary penalties, trading and registration bans and a permanent injunction against further regulation violations. 

Spagnuolo has been employed as a security engineer at Google since 2014, where he built products, specifications and led multiple projects in the information security unit, according to his company bio, which has since been taken down. 

A Google spokesperson said the company is working with law enforcement on its investigation. “The employee accessed our marketing material using a tool available to all employees, but using such confidential information to place bets is a serious breach of our policies,” the spokesperson said in a statement. “We’ve placed the employee on leave and will take the appropriate action.”

Spagnuolo did not respond to a request for comment.

In a complaint unsealed Wednesday, a federal investigator said Spagnulo, who used the “AlphaRaccoon” user name on Polymarket, took deliberate steps to conceal his use of nonpublic information, including efforts to obscure the source and ownership of his proceeds. 

Prosecutors noted that Google’s internal software tool, which provided Spagnuolo access to search trends, bore a banner that stated “Google Confidential” in red text, adding that Spagnuolo confirmed he understood the company’s various confidentiality and ethics policies to access the data. 

Spagnuolo allegedly created his Polymarket account in May 2024 and placed a series of trades between later that year risking approximately $2.75 million on 25 outcomes that the market treated as unlikely.

The FBI said it traced Spagnuolo’s Polymarket account to a cryptocurrency wallet he allegedly used to fund the account and initiate multiple transfers. Spagnuolo is also accused of sending multiple transactions through a cryptocurrency swapping service that were received by an account in his name linked to his Italian government ID card. 

Spagnuolo allegedly changed his Polymarket username to an alphanumeric wallet address in early December, after Google released its Year in Search results and multiple users on Discord and X speculated the person between the account was a Google insider.

The post Google security engineer accused of turning confidential search trends into $1.2M win on Polymarket appeared first on CyberScoop.

Silent Ransom Group, a long-running data extortion operation, continues to hit U.S.-based law firms by impersonating IT support and, in some cases, visiting victims in person to gain physical access to computers, the FBI said in an alert Tuesday.

The closed group, which likely operates from Russia and emerged in 2022 after Conti disbanded, has claimed responsibility for more than 100 attacks with activity surging during the past few months, according to researchers.

The FBI’s warning comes exactly one year after the agency released a previous alert about Silent Ransom Group consistently targeting law firms since mid-2023. The group doesn’t deploy encryption, but its dual use of social engineering and in-person visits for data theft is extremely rare with no known parallels across the vast cybercrime ecosystem, multiple experts told CyberScoop.

“There were probably a lot of times that this failed before it started succeeding because there’s a lot of trial-and-error involved,” said Allan Liska, field chief information security officer at Recorded Future. Whereas other ransomware groups would rather move on to other tactics or targets, “Silent Ransom Group has seen the value especially in going after law firms, and so they’re willing to put the extra effort into it,” he added. 

The data extortion group, which is also tracked as Chatty Spider, UNC3753 and Storm-0252, isn’t as prolific as more high-tempo ransomware groups. Yet, it’s having a noticeable impact due to its proven knack for attacking organizations in the legal sector.

Halcyon tracked 134 ransomware incidents against law firms and legal services during the first quarter of this year, making it the fourth-most targeted industry accounting for more than 6% of all ransomware attacks the company tracked during the period. 

Silent Ransom Group and Inc, a ransomware-as-a-service operation dating back to mid-2023, are largely responsible for that uptick, said Cynthia Kaiser, senior vice president at Halycon’s Ransomware Research Center.

“Silent was the first group to really just be targeting law firms, and they’ve targeted major law firms” with a clear understanding of what’s most problematic for organizations in that segment, she added. “The theft of data in and of itself is the biggest issue for the law firms, so they’re tailoring a lot of their operations around what they know about the sector.”

Law firms are a rich target because data theft creates huge privilege and reputational problems, which creates the perception they might be more willing to pay high extortion demands, Kaiser said.

Silent Ransom Group’s social engineering scheme involves phone calls or phishing emails that urge employees to call one of the group’s associates posing as IT support, the FBI said. If the group’s attempt to gain access to the employee’s computer via remote access tools fails, it sends an associate to the victim’s location to physically attach a storage device to the victim’s workstation. 

This extra step is unique and places Silent Ransom Group in a completely different mode of operation than its peers in ransomware and data theft extortion. Some aggressive data theft extortion groups have harassed and threatened executives and employees with physical violence, but in-person visits for data theft are extraordinary.

“While Flashpoint has observed threat actors soliciting or co-opting both witting and unwitting insiders, we have not observed them physically sending attackers to victim locations. This tactic carries significant risk, as threat actors are able to use technology to obscure their real-world identities,” said Ian Gray, vice president of cyber threat intelligence operations at Flashpoint. 

Joe Slowik, director of cybersecurity alerting strategy at Dataminr, said it’s easy to question why potential victims would fall for this tactic. “However, humans in the workplace need to implicitly trust others to get their jobs done,” he said. 

“Questioning everything, while seemingly desirable, introduces significant friction and distrust in workplace environments and limits productivity in arbitrary ways,” Slowik added. “Criminal entities will continue to prey on human weaknesses and dependencies for success, and placing the burden solely on employees to defend against this is unfair and unreasonable.”

The FBI did not provide details about the people Silent Ransom Group uses to initiate the fake IT support calls or visit victims in person. Yet, with the group’s operators based in Russia, researchers speculate gig workers or subcontractors are playing a critical role by placing voice-based phishing calls in a common language and visiting victims at their workplace. 

Liska said he’s under the impression the group is using freelance taskers that don’t necessarily know they are committing a crime. “They may be suspicious, but you know, they need the money,” he said. 

“It’s kind of like a Doordash person that delivers Arby’s,” Liska said. “You know you’re doing really bad things to people, but you know what, they’re paying you to deliver.”

The post FBI warns US-based law firms to be on the lookout for cybercrime group that steals data in person appeared first on CyberScoop.

The FBI is warning organizations and defenders about Kali365, a growing phishing-as-a-service platform that retrieves Microsoft 365 access tokens, issuing a public service announcement Thursday. 

The toolkit bypasses multi-factor authentication and abuses OAuth device code authorizations via phishing lures impersonating common enterprise services. This technique grants cybercriminal-controlled applications access to Microsoft 365 accounts, opening victims up to a host of follow-on malicious activity, including data theft, fraud, extortion and ransomware attacks.

Kali365 is one of many rapidly emerging device-code phishing tools, which are gaining popularity as a more effective means for cybercriminals to circumvent security controls while abusing legitimate Microsoft device authorization pages, according to researchers. 

Instead of gaining access to accounts via phishing kits that steal credentials and second-factor authentication codes, device-code phishing platforms connect a malicious app to a legitimate account with a single code. The process requires fewer steps and less interaction with the user, but victims do have to copy-and-paste a code generated by the Kali365 platform to grant access.

“We see quite a bit of this device-code phishing activity, but so much of it looks really similar. They’re all using the same types of lures, the same types of content, the same branding,” Selena Larson, senior threat researcher at Proofpoint, told CyberScoop. “It is very much AI generated, AI driven, and the threat actors, I think, are finding it pretty effective because we’re seeing this shift happen kind of all at once.”

Proofpoint researchers observed seven device-code phishing tools that looked nearly identical during a 10-day period last month.

Device-code phishing isn’t new, but platforms like Kali365 have integrated new techniques that differ from MFA phishing, and might be more effective as a result. “It’s something that people might not be used to. It’s a little bit sleeker,” Larson said.

This also partly explains why these cybercriminal tools are growing so quickly. Larson said Proofpoint observed an explosion in device-code phishing activity starting in February. 

By April, Kali365 was up and running and primarily distributed on Telegram, according to the FBI. “Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities,” the agency said in the public warning. 

Researchers at Arctic Wolf Labs, which has also been tracking large-scale campaigns linked to Kali365, said the platform charges affiliates $250 for 30 days of service or $2,000 for a full year.

Kali365 stores the OAuth access and refresh tokens it captures, and makes those available to affiliates on its platform. Those tokens can also be shared and reused by other cybercriminals who didn’t participate in the initial phishing lure, Arctic Wolf researchers added. 

The FBI also noted that these Microsoft 365 tokens provide persistent access, allowing attackers to wade through multiple Microsoft services without a password or additional MFA requests. 

“Identity can be very, very powerful once you’re in an organization,” Larson said, adding that attackers can abuse that access to impersonate people, access and steal data for extortion, commit fraud and deploy malware.

The post FBI warns about fast-growing phishing kit targeting Microsoft 365 users appeared first on CyberScoop.

Authorities arrested and unsealed charges against a Canadian man accused of running Kimwolf, one of the most far-reaching DDoS botnets on record, the Justice Department said Thursday.

Jacob Butler was arrested Wednesday in Ottawa, Canada, and awaits extradition to the United States where he is charged with aiding and abetting computer intrusions and, if convicted, faces up to 10 years in prison.

Investigators said the 23-year-old, also known as “Dort,” was a principal administrator of Kimwolf, a variant of the record-setting Aisuru DDoS botnet that spread like wildfire and eventually took over more than 2 million Android TV devices after its operators figured out how to abuse residential-proxy networks for local control.

Authorities in March seized infrastructure powering the Kimwolf, Aisuru, JackSkid and Mossad botnets, which hijacked a combined three million devices and launched more than 300,000 DDoS attacks collectively.

Kimwolf, which operated as a DDoS-for-hire service for other cybercriminals, initiated more than 25,000 attacks, resulting in network outages, disruptions and financial losses exceeding millions of dollars, officials said. Officials also said they found evidence linking Kimwolf to DDoS attacks targeting Department of Defense Information Network IP addresses.

“Kimwolf and the botnets associated with this operation have supported persistent corporate intrusion efforts and been used by a wide range of serious threat actors,” Zach Edwards, staff threat researcher at Infoblox, told CyberScoop.

Authorities searched Butler’s residence during the globally coordinated operation, but did not arrest him until Wednesday, roughly two months later. Officials filed a criminal complaint against Butler in the U.S. District Court for the District of Alaska in April, and unsealed the complaint following his arrest.

A special agent with the Defense Criminal Investigative Service confirmed Butler’s identity and involvement in the Kimwolf botnet after Butler used the same IP address to access multiple email accounts he controlled and Discord accounts linked to Kimwolf. 

“I have observed significant operational security lapses on Butler’s part resulting in patterns of overlapping IP usage among a Google account in Butler’s true name, other Google accounts that I believe to be controlled by Butler due to use of the same machine cookies, and Discord accounts which have been used in support of the KimWolf operation,” the special agent said in an affidavit. 

“The Discord accounts show patterns of overlapping IP usage with the KimWolf backend server. These IP addresses appear to be proxy or VPN IPs which were likely used by Butler in an unsuccessful attempt to evade law enforcement scrutiny. However, like many cybercriminals, Butler did not use proxy or VPN IP addresses exclusively,” the special agent added. 

Authorities described the botnet takedowns in March in nearly conclusive terms at the time, yet court records indicate the Kimwolf botnet is back in operation. 

“While today’s announcement is encouraging to see, there are still hundreds of millions of insecure IoT and network devices connected to sensitive government, corporate and home networks, and these remain a priority target for threat actors looking to build the next version of Kimwolf,” Edwards said.

“Until we find solutions to this underlying problem,” he added, “we’ll unfortunately continue to play Whac-A-Mole with botnet operators year after year.”

You can read the affidavit supporting the criminal complaint against Butler below.

The post Alleged leader of Kimwolf, a sweeping botnet for cybercriminals, arrested in Canada appeared first on CyberScoop.

European authorities took down a prominent virtual private network service and arrested the alleged administrator behind an operation that cybercriminals used to steal data, commit fraud and ransomware attacks, Europol said Thursday. 

First VPN, which was promoted on Russian-speaking cybercrime forums, gained popularity for providing services that allowed users to hide their infrastructure and identities. Officials said the service was entrenched in the cybercrime world and appeared in almost every major recent cybercrime investigation aided by Europol.

“For years, cybercriminals saw this VPN service as a gateway to anonymity,” Edvardas Šileris, head of Europol’s European Cybercrime Centre, said in a statement. 

“They believed it would keep them beyond the reach of law enforcement,” Šileris added. “This operation proves them wrong. Taking it offline removes a critical layer of protection that criminals depended on to operate, communicate and evade law enforcement.”

The operation stretched over two days earlier this week, led by France and the Netherlands, with support from Europol, Eurojust and eight additional countries. 

Authorities said they arrested the alleged administrator and searched their residence in Ukraine, but declined to name the person. Officials also dismantled 33 servers linked to the service and seized multiple domains, including 1vpns.com, 1vpns.net and 1vpns.org.

Investigators obtained First VPN’s user database and identified VPN connections used by alleged cybercriminals. Intelligence gathered during the operation uncovered thousands of users linked to cybercrime and formed additional leads connected to ransomware attacks and fraud schemes, officials said. 

Europol said First VPN’s users were notified of the shutdown and warned that their identities are now known to authorities. 

French and Dutch authorities started investigating First VPN in earnest in November 2023 and shared evidence with 16 countries to coordinate data analysis and support other ongoing investigations. Officials across multiple jurisdictions are using intelligence gathered during the operation to aid 21 additional inquiries globally.

The post European authorities take down prolific cybercrime VPN service appeared first on CyberScoop.

Attackers couldn’t get enough of the vulnerabilities at their disposal last year, making exploits the top initial access vector across more than 22,000 breaches Verizon analyzed in its latest Data Breach Investigations Report released Tuesday.

The massive annual study uncovered a surge of exploited vulnerabilities during a one-year period ending in October 2025. Exploited defects accounted for 31% of all known initial access vectors, jumping from 20% the previous year. 

The uptick in exploited vulnerabilities is a reflection of the “sisyphean cause” of vulnerability management, researchers wrote in the report. “Put quite simply, there are often too many vulnerabilities and not enough time for patching all of them.”

Organizations are struggling to keep up with the torrent of vulnerabilities affecting technology across their systems. This slide is especially worrisome, and declining, among defects in the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog.

Only 26% of the critical vulnerabilities in CISA’s catalog were fully remediated by more than 13,000 organizations Verizon studied in 2025, marking a drop from 38% the year prior. 

“There is also a worse result for the median time elapsed for a vulnerability to be fully patched by detection,” researchers wrote in the report. “Our new median time is 43 days, almost two weeks longer than last year’s 32 days.”

Verizon also noted that the median number of KEV vulnerabilities that organizations had to patch jumped from 11 in 2024 to 16 in 2025.

CISA’s KEV catalog contained more than 1,500 CVEs as of February, and 65% of those were exploited during the previous year, according to the report.

Verizon identified the five most common weaknesses of CISA KEV CVEs in its report as out-of-bounds read, heap-based buffer overflow, use after free, external control of file name or path and access of resource using incompatible type.

Attacker motivations remained relatively consistent last year, with financially-motivated cybercriminals accounting for 88% of all breaches. Espionage-driven attacks from state-affiliated groups made up the remainder.

“Ransomware continues to be among the most disruptive and impactful types of breaches we see. Not unlike the price of everything from fast food to adult beverages in ballparks, it continues to trend upward,” researchers wrote in the report.

Ransomware accounted for 48% of all breaches last year, up from 44% in 2024. Yet, Verizon observed some positive trends in ransomware as well.

Ransom payments continued to decline, with 69% of victims reporting they didn’t pay, and the median payment slid from $150,000 in 2024 to almost $140,000 last year.

Tracking ransomware remains a challenge for researchers and authorities. 

“There is a growing disconnect between what is being reported and the reality of what has occurred, in no small part due to threat actors reusing old breaches, reposting breaches from other criminal partners and making up breaches out of whole cloth to help increase their notoriety in the criminal world,” Verizon wrote in the report. “We’re beginning to think that these cybercriminals might not be entirely trustworthy.”

Yet, despite the lack of indisputable data on ransomware activity, researchers concluded: “Ransomware is still the yoga pants of cybersecurity — ubiquitous, stubbornly popular and appearing in unexpected places near you.”

The post Attackers hit vulnerabilities hard last year, making exploits the top entry point for breaches appeared first on CyberScoop.

Microsoft seized infrastructure and disrupted a cybercrime service that created and sold more than 1,000 code-signing certificates that other cybercriminals used to make malware-riddled software appear trusted and legitimate for follow-on cyberattacks, including ransomware, the company said Tuesday.

The financially-motivated threat group, which Microsoft tracks as Fox Tempest, provided the malware-signing-as-a-service to multiple ransomware groups, including Rhysida, Vanilla Tempest, Storm-0501, Storm-2561 and Storm-0249 for at least a year before Microsoft was granted a court order to dismantle the operation. 

Fox Tempest, which Microsoft has been tracking since September 2025, abused Microsoft’s Artifact Signing system by fabricating identities and impersonating legitimate organizations to access the code-signing services of Microsoft, Steven Masada, assistant general counsel at Microsoft Digital Crimes Unit, said during a media briefing Monday.  

Cybercriminals paid Fox Tempest up to $9,500 to get their malicious code signed, allowing them to slip software through defenses and bypass controls designed to confirm programs are authentic and linked to a trusted source. 

“This isn’t the obvious knockoff you might find on a street corner. It’s more like a counterfeit product that’s so precise that even the experts have trouble distinguishing it from the real thing,” Masada said. “It acts as a fake ID that lets cybercriminals get into systems by walking right through the front door.”

While attackers and defenders have historically focused on the entry points of attacks, Fox Tempest’s operation exemplifies a broader move upstream to how attacks are built in the first place, he added. 

“It’s no longer just about tricking users to click on a link, it’s about exploiting the very systems that we rely on to decide what is and what isn’t safe,” Masada said. 

Cybercriminals have been reselling code-signing certificates for a least a decade, but Fox Tempest’s operation was unique in providing a massively scalable service for extortion, phishing, SEO poisoning or malware-laced advertising, said Maurice Mason, who led the investigation into Fox Tempest as principal cybercrime investigator at Microsoft’s DCU. 

Mason said ransomware operators and other threat groups primarily deployed these fraudulent certificates in ads or SEO poisoning, which brought their malicious software and infostealers to the top of search rankings, ensnaring unsuspecting victims who thought they were downloading and running legitimate applications. 

Fox Tempest’s operation, which included an authenticated portal and a drag-and-drop feature that allowed customers to get their code signed, was directly linked to the deployment of dozens of malware families, including Oyster, Lumma Stealer, MuddyWater and Vidar, he added. 

Microsoft said the threat group is also linked to ransomware affiliates for INC, Qilin, Akira and others. The operation had a global impact, resulting in attacks on the healthcare, education, government and financial services sectors, and most heavily targeted organizations and people in the United States, France, India and China.

“Why wouldn’t you pay those thousands of dollars if you’re a threat actor and you’re getting it back in extortion and ransomware worth millions? This is like chump change to you,” Mason said. 

Microsoft said it evicted or deleted more than 1,000 accounts and subscriptions Fox Tempest used to provide its services. The company also seized the threat group’s website, took hundreds of virtual machines offline and blocked access to a site hosting the underlying code. 

“This disruption likely is going to raise the cost for attackers, and we’re hoping that they move off of using these services,” Mason said. “Obviously it’s just a disruption and there’s other things that they’ll probably move to, or someone might try to do this a different way next time.”

Fox Tempest is an example of the fully developed cybercrime economy defenders confront now, Masada said. 

“In many cases, an actor no longer needs to build an attack from scratch. They can simply assemble one by purchasing its components — a phish kit from one vendor, malware from another, infrastructure and optimization tools from yet others, and so on,” he said. 

“As we focus more of our recent disruptions on marketplaces and service providers, we’re getting a much clearer picture of how the economy actually functions, and what’s emerging is a stratified ecosystem,” Masada added. 

“At one end, you have commoditized tools that are mass produced and built for scale, things like turnkey phishing kits or credential harvesting services,” he said. “But above that, we’re seeing a more sophisticated tier of operators, highly specialized services focused on evasion, durability, and optimization. These are not just enabling attacks, they’re engineering them to succeed against modern defenses.”

The post Microsoft disrupts cybercrime service that abused software verification systems en masse appeared first on CyberScoop.