Research
-
MuddyWater linked to Microsoft Teams intrusion that used Chaos ransomware branding
A Rapid7 technical analysis says MuddyWater used Microsoft Teams, screen-sharing and remote access tools in an early 2026 intrusion that looked like Chaos ransomware but focused on data theft and persistence.
-
CloudZ malware used Phone Link to target Windows data, researchers say
Researchers said CloudZ malware used a Pheno plugin to abuse Windows Phone Link on Windows 10 and 11, aiming to steal credentials and one-time passwords in an intrusion active since at least January 2026.
-
Apache fixes critical HTTP/2 flaw that could enable remote code execution
Apache has patched CVE-2026-23918 in HTTP Server 2.4.67, a critical HTTP/2 double free that can cause denial-of-service and, in some setups, remote code execution.
-
DAEMON Tools installers trojanized in supply chain attack, Kaspersky says
DAEMON Tools installers were trojanized in a supply chain attack that affected versions released since April 8, 2026, Kaspersky said. The compromise reached users in more than 100 countries and delivered targeted malware to a small set of hosts.
-
China-linked UAT-8302 targets government networks in South America and Europe
Cisco Talos says China-nexus UAT-8302 targeted government networks in South America and southeastern Europe, using custom malware and tools linked to other China-aligned groups. The group’s initial access method remains unknown.
-
MetInfo CMS flaw under active exploitation after April patch
Threat actors are exploiting a critical MetInfo CMS flaw, CVE-2026-29014, that can enable remote code execution. VulnCheck said activity began on April 25 and intensified on May 1, after MetInfo released patches on April 7.
-
ScarCruft pushes Android BirdCall spyware through game platform
APT37 has been distributing an Android version of its BirdCall backdoor through a gaming platform supply chain attack, according to ESET. The spyware can gather contacts, messages, device data, screenshots and files.
-
Weaver E-cology flaw exploited in attacks since March
Hackers have exploited a critical Weaver E-cology vulnerability since mid-March to run discovery commands. The flaw affects E-cology 10.0 builds before March 12, and the vendor says upgrading is the only fix.
-
Amazon SES abuse rises in phishing campaigns, Kaspersky says
Kaspersky says Amazon Simple Email Service is being increasingly abused in phishing campaigns that can bypass standard email defenses. The report links the activity to exposed AWS credentials and notes that the messages can evade SPF, DKIM and DMARC checks.