{"id":871,"date":"2026-05-11T14:26:19","date_gmt":"2026-05-11T14:26:19","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=871"},"modified":"2026-05-11T14:26:19","modified_gmt":"2026-05-11T14:26:19","slug":"linux-rootkit-macos-crypto-stealer-websocket-skimmers-and-more","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=871","title":{"rendered":"Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">May 11, 2026<\/span><\/span><span class=\"p-tags\">Cybersecurity \/ Hacking<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiD4a3gzeAEAv4Bs5FqWbHG1cRyNqIOjygeSxxpNoChwyyMUWlbZHzkG0n8ysGpoAYuKqklfMtTKRct0OeYktaKLhdXpRH5pKH94tVaMX7iPeNDf7vZjFky3myBkFPJPl1xIdsWDlIYP30IeR7IZGhQZ5p82yHRdRO1OGkpAtTWgZcQSG3zXqh9tLbSSrgP\/s1700-e365\/cyber-recap.jpg\" style=\"clear: left; display: block; float: left;  text-align: center;\"><\/a><\/div>\n<p>Rough Monday.<\/p>\n<p>Somebody poisoned a trusted download again, somebody else turned cloud servers into public housing, and a few crews are still getting into boxes with bugs that should\u2019ve died years ago \u2014 the same old holes, same lazy access paths, same \u201chow the hell is this still open\u201d feeling. One report this week basically reads like a guy tripped over root access by accident and decided to stay there.<\/p>\n<p>The weird part is how normal this all sounds now. Fake updates. Quiet backdoors. Remote tools are used like skeleton keys. Forum rats swapping stolen access while defenders burn another weekend chasing logs and praying the weird traffic is just monitoring noise. 
The Internet\u2019s held together with duct tape and bad sleep.<\/p>\n<p>Anyway, Monday recap time. Same fire. New smoke.<\/p>\n<h2 style=\"text-align: left;\"><strong>\u26a1 Threat of the Week<\/strong><\/h2>\n<p><strong>Ivanti EPMM and Palo Alto Networks PAN-OS Flaws Under Attack<\/strong>\u2014Ivanti warned customers that attackers have successfully weaponized CVE-2026-6973, an improper input validation defect in Endpoint Manager Mobile (EPMM) that allows authenticated users with administrative privileges to run code remotely. The company did not say when the first instance of exploitation occurred, or precisely how many customers have been impacted. In a related development, attackers are actively exploiting a zero-day vulnerability affecting the firewalls of some Palo Alto Networks customers. As in the case of Ivanti, Palo Alto Networks did not say when or how it became aware of active exploitation, but said threat actors may have made unsuccessful attempts to exploit the recently disclosed critical security flaw as early as April 9, 2026. The memory corruption vulnerability, tracked as CVE-2026-0300, affects the authentication portal of PAN-OS and allows unauthenticated attackers to run code with root privileges on PA-Series and VM-Series firewalls. Attack surface management platform Censys <a href=\"https:\/\/censys.com\/advisory\/cve-2026-0300\/\">said<\/a> it detected about 263,000 Internet-exposed hosts running PAN-OS. Patches are expected to be released starting May 13, 2026.\u00a0<\/p>\n<h2 style=\"text-align: left;\"><strong>\ud83d\udd14 Top News<\/strong><\/h2>\n<ul>\n<li><strong><a href=\"https:\/\/thehackernews.com\/2026\/05\/quasar-linux-rat-steals-developer.html\">New Quasar Linux RAT Spotted<\/a><\/strong>\u2014Attackers have found a new way to turn Linux systems into entry points for supply chain or cloud infrastructure breaches that are resilient to takedowns. 
The new malware framework, dubbed Quasar Linux or QLNX, is a modular Linux remote access trojan (RAT) that can harvest data from compromised systems. But what sets it apart is its use of a peer-to-peer (P2P) mesh capability that turns individual compromises into an interconnected infection network, making the campaign difficult to kill and allowing infected hosts to communicate with one another rather than relying entirely on centralized servers. QLNX also combines kernel-level rootkit functionality, PAM-based authentication backdoors, and persistence mechanisms to stay hidden on compromised systems while enabling persistent access. It also hides malicious processes under names that mimic legitimate Linux services and system binaries to blend into routine workflows. \u00abQuasar Linux RAT (QLNX) is a comprehensive Linux implant that combines remote access capabilities with advanced evasion, persistence, keylogging, and credential harvesting features,\u00bb Trend Micro said. \u00abThe malware carries embedded C source code for both its PAM backdoor and LD_PRELOAD rootkit as string literals within the binary.\u00bb<\/li>\n<li><strong>PCPJack Replaces TeamPCP Malware to Steal Cloud Secrets<\/strong>\u2014An unknown threat actor has launched a campaign to systematically clean up environments infected by the infamous TeamPCP hacking group and drop its own malicious tools to steal credentials from cloud, container, developer, productivity, and financial services for financial gain. Active since late April, the campaign is also capable of propagating itself by moving laterally both inside of a network and to other targets by breaking into open and exploitable cloud infrastructure. The broad credential harvesting sweep allows the malware to hack into more cloud servers and propagate the infection in a worm-like manner, while also rooting out any processes and artifacts belonging to TeamPCP. 
The external propagation is achieved by downloading Parquet files from Common Crawl for target discovery. While threat actors aiming for cloud environments have long built methods to delete competing malware, particularly in cryptojacking campaigns, the lack of a miner and the specific targeting of TeamPCP tooling have raised the possibility that the operator is someone previously associated with the group, a member of a rival crew, or an unrelated third party mimicking TeamPCP&#8217;s tradecraft.<\/li>\n<li><strong>MuddyWater Uses Chaos Ransomware as Decoy in New Attack<\/strong>\u2014An Iranian state-sponsored espionage group posed as an ordinary ransomware gang in an attack detected in early 2026. The Iranian hackers known as MuddyWater disguised their operation as a Chaos ransomware attack, relying on Microsoft Teams social engineering to gain access and establish persistence within the victim environment. Although the attack involved reconnaissance, credential harvesting, and data exfiltration, no file-encrypting ransomware was deployed, which is inconsistent with Chaos attacks. The victim was also added to the Chaos ransomware data leak site, but infrastructure and code-signing certificate evidence indicate the activity was likely used as a cover to mask the threat actor&#8217;s true espionage goals and to complicate attribution. Rapid7 told The Hacker News that there is no evidence to suggest that MuddyWater is operating as an affiliate of Chaos.<\/li>\n<li><strong>DAEMON Tools Supply Chain Attack Leads to QUIC RAT<\/strong>\u2014Hackers compromised installers of DAEMON Tools in a supply chain attack that affected users in more than 100 countries. The malicious versions, first observed in early April, affected multiple releases of the software and were installed on thousands of machines across Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China. The operation appears to be targeted. 
Most victims received only a data miner designed to gather system data, while a second, more advanced shellcode loader was deployed to just a handful of targets, including retail, scientific, government, and manufacturing organizations in Russia, Belarus, and Thailand. The attackers likely used the initial data collection to profile infected systems before selectively deploying an implant codenamed QUIC RAT. The malware was deployed against only one known target, an unidentified educational institution in Russia. Kaspersky said the malicious code included Chinese-language elements, suggesting the attackers are familiar with the language, but stopped short of attributing the campaign to a specific group.\u00a0<\/li>\n<li><strong>Cybercrime Groups Use Vishing for Data Theft and Extortion<\/strong>\u2014An active phishing campaign has been observed across multiple vectors since at least April 2025, using legitimate Remote Monitoring and Management (RMM) software to establish persistent remote access to compromised hosts. The activity, which targets organizations across multiple industries, highlights a growing trend where attackers weaponize legitimate IT management tools to bypass security controls and maintain persistence on compromised systems. What makes the campaign noteworthy is its deliberate avoidance of traditional malware in favor of two commercially available RMM tools, SimpleHelp and ScreenConnect, for persistent control over victim machines. The abuse of RMM tools by bad actors has surged in recent years as they offer a low-friction way to gain access to and maintain persistence in a victim environment. 
Because of how ubiquitous they are in enterprise environments, the tools are rarely flagged as malicious, allowing the attackers to blend in with normal operations.<\/li>\n<\/ul>\n<h2 style=\"text-align: left;\"><strong>\ud83d\udd25 Trending CVEs<\/strong><\/h2>\n<p>Bugs drop weekly, and the gap between a patch and an exploit is shrinking fast. These are the heavy hitters for the week: high-severity, widely used, or already being poked at in the wild.<\/p>\n<p>Check the list, patch what you have, and hit the ones marked urgent first \u2014 CVE-2026-6973 (Ivanti Endpoint Manager Mobile), CVE-2026-0300 (Palo Alto Networks PAN-OS), CVE-2026-29014 (MetInfo), CVE-2026-22679 (Weaver E-cology), CVE-2026-4670, CVE-2026-5174 (Progress MOVEit Automation), CVE-2026-43284, CVE-2026-43500 (Linux Kernel), CVE-2026-7482 (Ollama), CVE-2026-42248, CVE-2026-42249 (Ollama for Windows), CVE-2026-29201, CVE-2026-29202, CVE-2026-29203 (cPanel and Web Host Manager), CVE-2026-23918 (Apache HTTP Server), <a href=\"https:\/\/lists.apache.org\/thread\/fhlx5k91hrkgyzh7yk1nghrn3k27gxy0\">CVE-2026-42778, CVE-2026-42779<\/a> (Apache MINA), <a href=\"https:\/\/www.zeroday.cloud\/blog\/postgresql-cve-2026-2005-deep-dive\">CVE-2026-2005<\/a>, <a href=\"https:\/\/www.zeroday.cloud\/blog\/postgres-xint\">CVE-2026-2006<\/a> (PostgreSQL pgcrypto), <a href=\"https:\/\/www.zeroday.cloud\/blog\/mariadb-cve-2026-32710-deep-dive\">CVE-2026-32710<\/a> (MariaDB), <a href=\"https:\/\/www.whatsapp.com\/security\/advisories\/2026\/\">CVE-2026-23863, CVE-2026-23866<\/a> (Meta WhatsApp), <a href=\"https:\/\/www.striga.ai\/research\/tomcat-tribes-unauth-rce\">CVE-2026-29146<\/a> (Apache Tomcat), <a href=\"https:\/\/www.striga.ai\/research\/mattermost-desktop-ntlm-credential-theft\">CVE-2026-1046<\/a> (Mattermost Desktop), <a href=\"https:\/\/source.android.com\/docs\/security\/bulletin\/2026\/2026-05-01\">CVE-2026-0073<\/a> (Google Android), <a 
href=\"https:\/\/sec.cloudapps.cisco.com\/security\/center\/content\/CiscoSecurityAdvisory\/cisco-sa-nso-dos-7Egqyc\">CVE-2026-20188<\/a> (Cisco Crosswork Network Controller and Network Services Orchestrator), <a href=\"https:\/\/sec.cloudapps.cisco.com\/security\/center\/content\/CiscoSecurityAdvisory\/cisco-sa-sg350-snmp-dos-GEFZr2Tj\">CVE-2026-20185<\/a> (Cisco SG350 and SG350X Series Managed Switches), <a href=\"https:\/\/sec.cloudapps.cisco.com\/security\/center\/content\/CiscoSecurityAdvisory\/cisco-sa-unity-rce-ssrf-hENhuASy\">CVE-2026-20034, CVE-2026-20035<\/a> (Cisco Unity Connection), <a href=\"https:\/\/chromereleases.googleblog.com\/2026\/05\/stable-channel-update-for-desktop.html\">CVE-2026-7896, CVE-2026-7897, CVE-2026-7898<\/a>, <a href=\"https:\/\/nebusec.ai\/research\/v8-maglev-incorrect-phis-untagging\/\">CVE-2026-5865<\/a> (Google Chrome), <a href=\"https:\/\/github.com\/neutrinolabs\/xrdp\/security\/advisories\/GHSA-rwvg-gp87-gh6f\">CVE-2025-68670<\/a> (<a href=\"https:\/\/securelist.com\/cve-2025-68670\/119742\/\">xrdp<\/a>), <a href=\"https:\/\/vercel.com\/changelog\/summary-of-cve-2026-23864\">CVE-2026-23864<\/a> (React Server Components), <a href=\"https:\/\/github.com\/vercel\/next.js\/security\/advisories\/GHSA-8h8q-6873-q5fj\">CVE-2026-23870<\/a>, <a href=\"https:\/\/github.com\/vercel\/next.js\/security\/advisories\/GHSA-267c-6grr-h53f\">CVE-2026-44575<\/a>, <a href=\"https:\/\/github.com\/vercel\/next.js\/security\/advisories\/GHSA-26hh-7cqf-hhc6\">GHSA-26hh-7cqf-hhc6<\/a>, <a href=\"https:\/\/github.com\/vercel\/next.js\/security\/advisories\/GHSA-mg66-mrh9-m8jx\">CVE-2026-44579<\/a>, <a href=\"https:\/\/github.com\/vercel\/next.js\/security\/advisories\/GHSA-492v-c6pp-mqqv\">CVE-2026-44574<\/a>, <a href=\"https:\/\/github.com\/vercel\/next.js\/security\/advisories\/GHSA-c4j6-fc7j-m34r\">CVE-2026-44578<\/a>, <a href=\"https:\/\/github.com\/vercel\/next.js\/security\/advisories\/GHSA-36qx-fr4f-26g5\">CVE-2026-44573<\/a> (<a 
href=\"https:\/\/vercel.com\/changelog\/next-js-may-2026-security-release\">Next.js<\/a>), <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2026-26129\">CVE-2026-26129<\/a>, <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2026-26164\">CVE-2026-26164<\/a> (Microsoft M365 Copilot), <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2026-33111\">CVE-2026-33111<\/a> (Microsoft Copilot Chat), <a href=\"https:\/\/medium.com\/@dewankpant\/cve-2026-44843-one-chat-message-steals-your-credentials-then-it-gets-worse-264146623aec\">CVE-2026-44843<\/a> (LangChain), and <a href=\"https:\/\/github.com\/langflow-ai\/langflow\/security\/advisories\/GHSA-g2j9-7rj2-gm6c\">CVE-2026-33309<\/a> (Langflow).<\/p>\n<h2 style=\"text-align: left;\"><strong>\ud83c\udfa5 Cybersecurity Webinars<\/strong><\/h2>\n<ul>\n<li><a href=\"https:\/\/thehacker.news\/top-attack-paths-appsec\">The Hidden Attack Paths Your AppSec Tools Completely Miss in 2026<\/a> \u2192 This webinar shows the real attack paths that most AppSec tools miss \u2014 from code and CI\/CD pipelines to cloud setups, dependencies, and secrets. See how attackers combine small weaknesses into big breaches, and learn simple ways to find and stop them. With Wiz experts Mike McGuire and Salman Ladha.<\/li>\n<li><a href=\"https:\/\/thehacker.news\/ai-ddos-attacks\">AI-Powered DDoS Attacks Are Here \u2014 And They\u2019re Smarter, Faster &amp; Deadlier in 2026<\/a> \u2192 Attackers are now using AI to launch DDoS attacks that are faster, smarter, and much harder to stop. This webinar shows how they instantly spot weak spots, create new attack methods, and dramatically increase success rates \u2014 plus easy ways defenders can fight back using smarter AI tools and proactive protection. 
Perfect for security leaders who want to stay ahead.<\/li>\n<\/ul>\n<h2 style=\"text-align: left;\"><strong>\ud83d\udcf0 Around the Cyber World<\/strong><\/h2>\n<ul>\n<li><strong>JDownloader Website Compromised in Supply Chain Attack <\/strong>\u2014The website for JDownloader, an open-source download management tool, was <a href=\"https:\/\/www.reddit.com\/r\/jdownloader\/comments\/1t6goqe\/is_the_website_hacked\/\">compromised<\/a> last week to distribute malicious Windows and Linux installers. The compromise occurred on May 6, 2026, at 12:01 a.m. UTC. While the Linux version embeds malicious shell code, the Windows version has been found to serve a Python-based remote access trojan (RAT) that enlists the compromised device in a bot network and runs arbitrary Python code supplied by the operator, per researcher <a href=\"https:\/\/www.reddit.com\/r\/jdownloader\/comments\/1t6goqe\/is_the_website_hacked\/okmev4c\/\">Thomas Klemenc<\/a>. \u00abThe attack has modified alternative download pages and exchanged links and details,\u00bb the developer behind JDownloader said in a post on Reddit. \u00abThe bad ones are missing digital signatures and as such [Microsoft] SmartScreen will block\/warn the execution of it.\u00bb Further investigation uncovered that the attack vector was an \u00abunpatched security bug,\u00bb although it&#8217;s not clear which vulnerability was exploited by the threat actor to tamper with the site.<\/li>\n<li><strong>Operation HookedWing Targets Over 500 Organizations <\/strong>\u2014A long-running phishing campaign dating back to 2022 has stolen 2,000 credentials belonging to users from over 500 different organizations. According to SOCRadar, the campaign has mostly affected aviation, public administration, energy, and critical infrastructure. 
\u00abThe breadth of targeting, combined with the campaign\u2019s longevity, points to a resource-capable operation rather than opportunistic activity,\u00bb it <a href=\"https:\/\/socradar.io\/blog\/operation-hookedwing-4-year-phishing\/\">said<\/a>. The activity has been codenamed Operation HookedWing. The attack uses phishing emails with lures related to human resources, Microsoft, or Google to direct users to fake landing pages hosted on GitHub.io and Vercel, capture entered credentials via an injected form, and exfiltrate them to servers compromised or created by the threat actor. More than 20 distinct command-and-control (C2) domains and 100 distribution domains have been identified.<\/li>\n<li><strong>Uptick in Use of Vercel for Phishing Campaigns <\/strong>\u2014Threat actors are increasingly using Vercel to create large numbers of realistic phishing websites that impersonate well-known brands. \u00abThreat actors are able to redeploy phishing campaigns with ease if a web page is taken down,\u00bb Cofense <a href=\"https:\/\/cofense.com\/blog\/steal-smarter-not-harder-malicious-use-of-vercel-for-credential-phishing\">said<\/a>. \u00abVercel abuse has increased significantly over time and is likely to continue increasing as minimally skilled threat actors start using cheap or free force multipliers.\u00bb<\/li>\n<li><strong>New ConsentFix V3 Attack Automates Microsoft Account Hijacking <\/strong>\u2014Push Security said it identified a member of the XSS criminal forum advertising a new toolkit dubbed ConsentFix v3 that brings together ClickFix-style social engineering with OAuth consent phishing to hijack Microsoft accounts. 
\u00abConsentFix v3 allows users to instrument the entire attack chain, enabling users to spin up ConsentFix infrastructure, create believable personas with which to interact with victims, craft and manage email campaigns, and automate the process of exchanging the captured OAuth token for session and refresh tokens to establish access to the compromised account,\u00bb Push Security <a href=\"https:\/\/pushsecurity.com\/blog\/consentfix-v3-analyzing-a-new-toolkit\/\">said<\/a>. The attack uses Cloudflare Workers for hosting the phishing pages, ZoomInfo for target identification, Dropbox for PDF hosting, and Pipedream as an exfiltration channel.<\/li>\n<li><strong>Workplace Fraud Trends in 2026 <\/strong>\u2014A new report from Cifas has <a href=\"https:\/\/www.cifas.org.uk\/newsroom\/workplace-fraud-trends-2026\">found<\/a> that 13% of employees said: \u00abthey have either sold their company login details to a former colleague, or know someone who has, in the past 12 months.\u00bb Another 13% of respondents believed selling access to company systems was justifiable. \u00abSelling login details might seem insignificant to those involved, but it can open the door to serious fraud and financial harm,\u00bb Cifas said. \u00abThese findings show how vital it is for organisations to build fraud\u2011aware cultures, where employees at all levels understand their responsibilities and the consequences of their actions.\u00bb<\/li>\n<li><strong>India Pushes for Sovereign Hosting of Anthropic&#8217;s Claude AI Models <\/strong>\u2014According to a <a href=\"https:\/\/www.moneycontrol.com\/technology\/india-pushes-for-sovereign-hosting-of-anthropic-s-ai-models-amid-claude-mythos-cybersecurity-concerns-article-13912968.html\">report<\/a> from MoneyControl, the Indian government is said to be pushing for sovereign hosting of Anthropic&#8217;s Claude artificial intelligence (AI) models within India. 
Officials have argued that advanced AI systems meant for sensitive sectors such as banking, telecom, and critical infrastructure cannot operate on foreign-hosted infrastructure due to jurisdictional, compliance, and national security risks.<\/li>\n<li><strong>OpenAI Rolls Out GPT-5.5-Cyber <\/strong>\u2014OpenAI began rolling out GPT-5.5-Cyber, a security-focused variant of the model, in a limited preview capacity to select cybersecurity teams, a month after Anthropic\u2019s Mythos debut. \u00abThe initial preview of cyber-permissive models like GPT\u20115.5\u2011Cyber is not intended to significantly increase cyber capability beyond GPT\u20115.5 \u2013 it\u2019s primarily trained to be more permissive on security-related tasks,\u00bb OpenAI <a href=\"https:\/\/openai.com\/index\/gpt-5-5-with-trusted-access-for-cyber\/\">said<\/a>. \u00abThe differences between model access levels are most pronounced when comparing prompts and responses.\u00bb<\/li>\n<li><strong>FIRESTARTER Backdoor Targets Cisco Devices <\/strong>\u2014Late last month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed that an unnamed federal civilian agency&#8217;s Cisco Firepower device running Adaptive Security Appliance (ASA) software was compromised in September 2025 with a new malware called FIRESTARTER. The malware is noteworthy for its ability to survive reboots, firmware updates, and patches. In a new analysis, firmware security company Eclypsium described the backdoor as a Linux ELF that hooks the LINA process and re-installs itself after receiving a termination signal. \u00abWhen lina_cs runs, it copies its own contents from \/usr\/bin\/lina_cs into memory and registers a signal handler, allowing the malware to take action in response to signals (e.g., when the system or user tells the process to restart),\u00bb security researcher Paul Asadoorian <a href=\"https:\/\/eclypsium.com\/blog\/firestarter-cisco-firewall-backdoor-survives-patches\/\">said<\/a>. 
\u00abIt also triggers on runlevel 6, which is the system reboot runlevel on Linux. Which means every time the device shuts down or reboots, FIRESTARTER\u2019s persistence routine fires.\u00bb<\/li>\n<li><strong>Google Rolls Out Ways for Developers to Push Safer Android Apps <\/strong>\u2014Google said it has expanded Play Policy Insights in Android Studio to catch common policy issues, like missing login credentials, and detect security threats and abuse using its Play Integrity API. \u00abWith significantly shorter warm-up latency, you can use these real-time checks in your most speed-critical user journeys, like logins or payments, to catch unauthorized access and risky interactions,\u00bb Google <a href=\"https:\/\/android-developers.googleblog.com\/2026\/05\/making-it-easier-to-build-publish-safer-apps.html\">said<\/a>. \u00abWe&#8217;re adding support for post-quantum cryptography in Play App Signing this year, which will protect your apps and app updates from potential threats with the emergence of quantum computing.\u00bb<\/li>\n<li><strong>Poland Says Hackers Breached its Water Treatment Plants <\/strong>\u2014Poland&#8217;s Internal Security Agency (ABW) <a href=\"https:\/\/www.abw.gov.pl\/pl\/aktualnosci\/2815,Agencja-Bezpieczenstwa-Wewnetrznego-2024-2025-Wybrane-aktywnosci.html\">disclosed<\/a> that it detected attacks on five water treatment plants in 2025, potentially allowing bad actors to take control of industrial equipment and, in the worst case, tamper with the safety of the water supply. 
The intelligence agency did not attribute the attacks to a specific threat actor or group, but a failed attempt to bring down the country&#8217;s energy grid towards the end of 2025 was attributed to Russian government hackers.<\/li>\n<li><strong>Claude Leans More on Russian and Iranian Propaganda Sources <\/strong>\u2014A new audit of Anthropic Claude has revealed that the AI chatbot \u00abrepeated false claims 15% of the time when it was asked about pro-Kremlin falsehoods in the voice of typical users, citing Russian state-affiliated media every time,\u00bb NewsGuard <a href=\"https:\/\/www.newsguardtech.com\/special-reports\/anthropic-ai-chatbot-claude-russia-iran-propaganda\/\">said<\/a>. The figure is up from 4% previously. What&#8217;s more, since the start of the U.S.-Iran war, Claude cited Iranian state-affiliated media in one case when prompted on pro-Iran false claims, when previously it had never cited Iranian state-affiliated media. \u00abThis increase in citations to Kremlin propaganda sources, including when they spread false claims, suggests that Claude in recent months has become more vulnerable to state disinformation campaigns,\u00bb NewsGuard said.<\/li>\n<li><strong>WebSocket Backdoor Campaign Injects Skimmers <\/strong>\u2014Palo Alto Networks Unit 42 said obfuscated WebSocket backdoors are being used to inject credit card skimmers into hundreds of compromised websites with the goal of sending stolen card information back to the attacker&#8217;s C2 domains. \u00abObfuscated JavaScript creates a WebSocket backdoor using dynamically executed JavaScript,\u00bb Unit 42 <a href=\"https:\/\/github.com\/PaloAltoNetworks\/Unit42-timely-threat-intel\/blob\/main\/2026-05-01-WebSocket-Backdoor-Campaign-Injecting-Credit-Card-Skimmers.txt\">said<\/a>. 
\u00abThe WebSocket sends an obfuscated JavaScript payload to inject a credit card skimmer into the web page.\u00bb<\/li>\n<li><strong>How Backdoored Electron Applications Evade Defenses <\/strong>\u2014Cybersecurity researchers have detailed a technique that hijacks trusted Electron applications to enable persistence and bypass application safe listing controls. \u00abIn advanced variations of the attack, minimal changes are made to the components of the Electron application,\u00bb LevelBlue <a href=\"https:\/\/www.levelblue.com\/blogs\/spiderlabs-blog\/threat-analysis-backdoored-electron-apps-evading-defenses\">said<\/a>. \u00abThis allows the application to function normally while at the same time loading the malicious command-and-control (C2) functionality in the background, hiding under the umbrella of the trusted process.\u00bb<\/li>\n<li><strong>New Attacks Distribute Vidar Stealer, PlugX, and Beagle Malware <\/strong>\u2014In an attack chain detailed by LevelBlue, threat actors have been found to leverage \u00abMicrosoftToolkit.exe\u00bb as a starting point to launch an AutoIt script that drops the Vidar Stealer payload. \u00abThis intrusion highlights the continued effectiveness of script-based, multi-stage loaders in delivering commodity information stealers such as Vidar,\u00bb LevelBlue <a href=\"https:\/\/www.levelblue.com\/blogs\/spiderlabs-blog\/unmasking-a-multi-stage-loader-autoit-abuse-leading-to-vidar-stealer-command-and-control-communication\">said<\/a>. \u00abA sophisticated multi-stage loader infection leveraging Windows-native tools and file-masquerading techniques. 
The attacker avoids dropping a single identifiable malware binary and instead reconstructs and executes payloads dynamically through staged file manipulation.\u00bb The development follows the <a href=\"https:\/\/www.malwarebytes.com\/blog\/scams\/2026\/04\/fake-claude-site-installs-malware-that-gives-attackers-access-to-your-computer\">discovery<\/a> of a fake Claude website (\u00abclaude-pro[.]com\u00bb) that serves as a conduit for a <a href=\"https:\/\/www.sophos.com\/en-us\/blog\/donuts-and-beagles-fake-claude-site-spreads-backdoor\">fake MSI installer<\/a> responsible for deploying a DonutLoader payload that drops a simple backdoor dubbed Beagle, which is capable of running commands and performing file uploads\/downloads.<\/li>\n<li><strong>Critical Flaw in Cline&#8217;s Kanban Server <\/strong>\u2014A critical vulnerability in Cline&#8217;s local Kanban server (CVSS score: 9.7) could have been exploited by an attacker to facilitate information disclosure through the runtime state stream, remote code execution through the terminal I\/O endpoint, and denial-of-service through the terminal control endpoint. Oasis Security, which discovered the vulnerability, said the AI coding agent&#8217;s localhost WebSocket lacks origin validation and authentication. Because web browsers don&#8217;t enforce the same-origin policy on WebSocket connections, any website the developer visits can connect to these endpoints to achieve full compromise. \u00abAny website a developer visited while running an affected version could silently connect to their machine, exfiltrate workspace data in real time, and inject commands into the developer&#8217;s AI agent,\u00bb Oasis Security <a href=\"https:\/\/www.oasis.security\/blog\/cline-kanban-websocket-hijack\">said<\/a>. \u00abThe developer would see nothing unusual. 
They were just browsing the web.\u00bb Following responsible disclosure, the issue was addressed in <a href=\"https:\/\/github.com\/cline\/kanban\/blob\/main\/CHANGELOG.md#0166\">Cline Kanban version 0.1.66<\/a>.<\/li>\n<li><strong>Mozilla Uses AI to Detect 423 Flaws in Firefox <\/strong>\u2014Mozilla revealed Anthropic&#8217;s Mythos Preview and other AI models helped it identify and ship 423 Firefox security bug fixes in April 2026, compared to 31 a year earlier. This includes a 20-year-old use-after-free bug that could be triggered using the XSLTProcessor DOM API without any user interaction, as well as various flaws in its sandbox system. \u00abThis was due to a combination of two main factors,\u00bb Mozilla <a href=\"https:\/\/hacks.mozilla.org\/2026\/05\/behind-the-scenes-hardening-firefox\/\">said<\/a>. \u00abFirst, the models got a lot more capable. Second, we dramatically improved our techniques for harnessing these models \u2013 steering them, scaling them, and stacking them to generate large amounts of signal and filter out the noise.\u00bb The development comes as AI is already accelerating vulnerability discovery, reducing the effort needed to identify, validate, and weaponize flaws.<\/li>\n<li><strong>60% of MD5 Password Hashes Can Be Cracked in Under an Hour <\/strong>\u2014An analysis of 231 million unique passwords from dark web leaks between 2023 and 2026 has revealed that nearly 60% of them can be cracked in less than an hour. To make matters worse, nearly half of all passwords (48%) can be cracked within a minute. \u00abAttackers owe this boost in speed to graphics processors, which grow more powerful every year,\u00bb Kaspersky <a href=\"https:\/\/www.kaspersky.com\/blog\/passwords-hacking-research-2026\/55743\/\">said<\/a>. 
\u00abWhile an RTX 4090 in 2024 could brute-force MD5 hashes at a rate of 164 gigahashes (billion hashes) per second, the new RTX 5090 has increased that speed by 34% \u2013 reaching 220 gigahashes per second.\u00bb<\/li>\n<li><strong>New JobStealer Targets Windows and macOS <\/strong>\u2014Threat actors are luring potential victims to malicious websites and asking them to download a video conferencing app under the pretext of an online interview, only to drop a stealer that can harvest data from cryptocurrency wallets. \u00abThe malicious program JobStealer, disguised as an online conferencing app, is downloaded from them,\u00bb Doctor Web <a href=\"https:\/\/news.drweb.com\/show\/?i=15253&amp;lng=en&amp;c=5\">said<\/a>. Some of the fake brands used by the threat actors include MeetLab, Juseo, Meetix, and Carolla. \u00abTo convince users that these platforms are fully functional, scammers create corresponding Telegram channels and social media accounts \u2013 for example, on X.\u00bb The attack leverages a ClickFix-like instruction to copy and paste a command that drops the stealer malware.<\/li>\n<li><strong>More ClickFix Attacks <\/strong>\u2014ClickFix attacks seem to show no signs of stopping anytime soon. The Australian Cyber Security Center (ACSC) <a href=\"https:\/\/www.cyber.gov.au\/about-us\/view-all-content\/alerts-and-advisories\/clickfix-distributing-vidar-stealer-via-wordpress-targeting-australian-infrastructure\">warned<\/a> that the ClickFix social engineering tactic is being used to deliver Vidar Stealer. \u00abThe ClickFix attack typically begins with an adversary injecting a malicious payload delivery domain into the compromised website,\u00bb ACSC said. \u00abThe injected payload domain loads JavaScript code from an external API server. 
This code overwrites the content of the legitimate page, presenting a fraudulent Cloudflare verification prompt.\u00bb In recent months, ClickFix has evolved to abuse native Windows utilities like <a href=\"https:\/\/www.cyberproof.com\/blog\/beyond-powershell-analyzing-the-multi-action-clickfix-variant\/\">cmdkey and regsvr32<\/a>, as well as drop a <a href=\"https:\/\/www.netskope.com\/blog\/from-clickfix-to-maas-exposing-a-modular-windows-rat-and-its-admin-panel\">Node.js-based infostealer<\/a> to Windows users via malicious MSI installers and an <a href=\"https:\/\/www.netskope.com\/blog\/macos-clickfix-campaign-applescript-stealers-new-terminal-protections\">AppleScript-based infostealer<\/a> to macOS. ClickFix-related attacks have also been found to leverage shareable chat features on ChatGPT and Grok, or blog sites and other user-driven content platforms, to trick users into <a href=\"https:\/\/moonlock.com\/macsync-amos-stealer-biggest-threats\">running<\/a> AMOS Stealer, MacSync, and Shub Stealer. \u00abPrior iterations of this campaign delivered the infostealers through disk image (.dmg) files that required users to manually install an application,\u00bb Microsoft <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/05\/06\/clickfix-campaign-uses-fake-macos-utilities-lures-deliver-infostealers\/\">said<\/a>. \u00abThis recent activity reflects a shift in tradecraft, where threat actors instruct users to run Terminal commands that leverage native utilities to retrieve remotely hosted content, followed by script\u2011based loader execution.\u00bb Another campaign targeting Vietnam, Taiwan, and Spain has spread through fake Google documents containing a ClickFix command and malicious DMG files to deploy a new macOS stealer called <a href=\"https:\/\/moonlock.com\/notorious-hacker-returns-notnullosx-stealer\">NotnullOSX<\/a> that exclusively targets victims with over $10,000 in cryptocurrency holdings. 
ClickFix has also been used by a traffic distribution system (TDS) called ErrTraffic. \u00abErrTraffic primarily targets WordPress websites by deploying a PHP backdoor script in the must-use plugin (mu-plugin) that captures administrator credentials and ensures persistence on compromised sites,\u00bb LevelBlue <a href=\"https:\/\/www.levelblue.com\/blogs\/spiderlabs-blog\/err-hiding-and-seek-how-errtraffic-v3-leverages-etherhiding-in-clickfix-campaign\">said<\/a>. \u00abErrTraffic utilizes the Traffic Distribution System (TDS) to filter site visitors and redirect them to ClickFix lures [via EtherHiding].\u00bb<\/li>\n<li><strong>ShinyHunters Extortion Campaign Targets Instructure <\/strong>\u2014The ShinyHunters group targeted Instructure, the supplier of the Canvas learning management system (LMS), defacing the login portals for <a href=\"https:\/\/www.halcyon.ai\/ransomware-alerts\/education-sector-in-the-crosshairs-shinyhunters-extortion-campaign-against-instructure\">330 colleges and universities<\/a>. According to <a href=\"https:\/\/www.dataminr.com\/resources\/intel-brief\/shinyhunters-claims-instructure-canvas-breach\/\">Dataminr<\/a>, ShinyHunters has claimed to have exfiltrated 3.65TB of data across approximately 275 million records from nearly 9,000 affected organizations listed publicly, including Harvard, Stanford, Columbia, and Apple. Exposed data includes usernames, email addresses, course names, enrollment information, and messages. Instructure has <a href=\"https:\/\/www.instructure.com\/incident_update\">said<\/a> no passwords, government IDs, birth dates, financial data, or course content were compromised. The threat actors exploited a \u00abvulnerability regarding support tickets in our Free for Teacher environment,\u00bb the company added. Access to Free for Teacher has been disabled pending a full security review. As of writing, Canvas is fully back online and available for use. 
The message <a href=\"https:\/\/krebsonsecurity.com\/2026\/05\/canvas-breach-disrupts-schools-colleges-nationwide\/\">shared<\/a> by the notorious cybercrime group showed that the group has threatened to leak the trove of data, giving a deadline of May 12. The <a href=\"https:\/\/status.instructure.com\/\">May 7, 2026, incident<\/a> is a continuation of prior unauthorized activity detected in Canvas on April 29, 2026. Following the hack, the U.S. Federal Bureau of Investigation (FBI) <a href=\"https:\/\/x.com\/FBICyberDiv\/status\/2052910397196292460\">cautioned<\/a> individuals to be on the lookout for \u00abunsolicited emails, calls, or texts claiming to be from your school, the LMS provider, or law enforcement and to verify the contact through known channels before responding.\u00bb<\/li>\n<\/ul>\n<h2 style=\"text-align: left;\"><strong>\ud83d\udd27 Cybersecurity Tools<\/strong><\/h2>\n<ul>\n<li><a href=\"https:\/\/github.com\/beenuar\/AiSOC\">AiSOC<\/a> \u2192 An open-source, self-hostable AI-powered Security Operations Center. It brings together security alerts, uses AI agents to investigate them, maps findings to MITRE ATT&amp;CK, and supports purple team exercises and incident triage \u2014 all within a single stack that you can run on your own infrastructure.<\/li>\n<li><a href=\"https:\/\/github.com\/thalesgroup-cert\/Watcher\">Watcher<\/a> \u2192 An open-source platform that helps security teams monitor and detect emerging cyber threats. It uses AI to analyze threat data, track suspicious domains, watch for information leaks, and follow cybersecurity news from official sources \u2014 all in one dashboard. Built with Django and React, it runs easily with Docker.<\/li>\n<\/ul>\n<p><em>Disclaimer: This is strictly for research and learning. It hasn&#8217;t been through a formal security audit, so don&#8217;t just blindly drop it into production. 
Read the code, break it in a sandbox first, and make sure whatever you\u2019re doing stays on the right side of the law.<\/em><\/p>\n<h2 style=\"text-align: left;\"><strong>Conclusion<\/strong><\/h2>\n<p>That\u2019s the week: poisoned downloads, cloud messes, old bugs refusing to die, and attackers putting in barely more effort than a guy restarting a frozen router. Everybody\u2019s tired, nobody trusts installers anymore, and the internet somehow keeps getting worse in very predictable ways.<\/p>\n<p>See you next Monday, assuming nothing catches fire before then.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\ue804Ravie Lakshmanan\ue802May 11, 2026Cybersecurity \/ Hacking Rough Monday. Somebody poisoned a trusted download again, somebody else turned cloud servers into public housing, and a few crews are still getting into&hellip;<\/p>\n","protected":false},"author":1,"featured_media":872,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[143,181,421,1197,132,478,336],"class_list":["post-871","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-crypto","tag-linux","tag-macos","tag-rootkit","tag-skimmers","tag-stealer","tag-websocket"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/871","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=871"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/
871\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/872"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=871"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=871"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=871"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}