The Iran-linked CyberAv3ngers group, formally connected to the IRGC-CEC, has evolved into a significant threat targeting U.S. critical infrastructure, including water and wastewater systems and energy facilities. They have exploited vulnerabilities in programmable logic controllers (PLCs) and deployed custom malware like IOCONTROL, causing operational disruption and financial losses.
The silent “Storm”: New infostealer hijacks sessions, decrypts server-side
The new Storm infostealer operates by hijacking browser sessions and decrypting data server-side, a shift from traditional methods that evaded endpoint security. For a monthly fee, it harvests credentials, session cookies, and crypto wallets, enabling attackers to gain authenticated access to SaaS platforms and cloud environments without triggering alerts.
The cybercrime group ShinyHunters claims to have breached Rockstar Games systems through a cloud analytics platform, threatening to release stolen data if a ransom is not paid. Rockstar Games confirmed a limited data breach but stated it has no impact on the company or its players.
Apache Tomcat Vulnerabilities Enables Bypass of EncryptInterceptor
Multiple Apache Tomcat vulnerabilities have been disclosed, including a critical EncryptInterceptor bypass (CVE-2026-34486) resulting from a flawed security patch, and issues related to padding oracle attacks and certificate authentication (CVE-2026-34500). Administrators are urged to update to the latest secure releases to mitigate these risks.
Marimo RCE Vulnerability Exploited in the Within 10 Hours of Disclosure
A critical pre-authentication RCE vulnerability (CVE-2026-39987) in the Marimo Python notebook platform was exploited within 10 hours of its disclosure, allowing attackers to steal cloud credentials. The flaw affects the /terminal/ws endpoint, and users are advised to update to version 0.23.0 or later immediately.
APT41 Delivers ‘Undetectable’ Backdoor to Steal Cloud Credentials
The China-backed threat group APT41 is utilizing a ‘zero-detection’ backdoor to target cloud environments like AWS, Google, Azure, and Alibaba, aiming to harvest credentials. This sophisticated malware, written in ELF format, employs typosquatting and uses SMTP port 25 for covert command-and-control (C2), making its activity exceptionally difficult to detect.
BITTER APT Uses Signal, Google, and Zoom Lures to Spread ProSpy Spyware
The BITTER APT group is using Signal, Google, and Zoom lures in spearphishing attacks to spread ProSpy and ToSpy spyware, targeting journalists and activists in the Middle East. These attacks trick victims into downloading malware that can steal photos, messages, and files by impersonating legitimate login pages and using malicious QR codes.
Adobe rolls out emergency fix for Acrobat, Reader zero-day flaw
Adobe has released an emergency fix for a zero-day vulnerability (CVE-2026-34621) in Acrobat and Reader that allowed malicious PDFs to bypass sandbox restrictions and execute arbitrary code. The flaw, exploited since December, enabled attackers to read and steal local files, and was discovered by Haifei Li after a suspicious PDF sample was submitted for analysis.
Hackers Abuse GitHub and Jira Notifications to Deliver Phishing Through Trusted SaaS Channels
Cybercriminals are exploiting GitHub and Jira notification systems to deliver phishing emails, bypassing traditional security measures by using the platforms' own verified infrastructure. This tactic, termed Platform-as-a-Proxy (PaaP), leverages automated notifications for fake invoices or alerts to harvest user credentials.
FBI, Indonesia take down W3LL phishing tool | The Record from Recorded Future News
The FBI and Indonesian law enforcement have dismantled the W3LL phishing tool, a platform that enabled hackers to create fake login portals for $500, leading to the arrest of its alleged developer and seizure of critical domains. This sophisticated cybercrime service facilitated the theft of over 25,000 compromised accounts and was used in attacks targeting more than 56,000 corporate Microsoft 365 accounts globally.
Claude AI Reportedly Down for Hundreds of Users With Intermittent 500 Errors - Cyber Security News
Hundreds of users reported Claude AI experiencing intermittent 500 errors on April 13, 2026, affecting its website, API, and Claude Code, despite the official status page indicating all systems are operational. This incident adds to a pattern of recurring disruptions for Anthropic’s AI services throughout March and April.
PwC: Cybersecurity Risk Outpaces Corporate Ability to Manage
A recent PwC survey reveals that cybersecurity is a top three risk for 60% of American corporations, yet only 6% feel capable of addressing it. Despite increased investments in technology and AI, companies often operate defensively, with attackers leveraging AI to exploit vulnerabilities at an unprecedented speed and scale.
Rockstar confirms it was hacked as attackers threaten to leak data | KitGuru
Rockstar Games has confirmed it was the victim of a recent cyber-attack, where a hacking group called ShinyHunters gained access to a limited amount of non-material company information from cloud-based servers. The attackers are threatening to leak the stolen data, which includes financial information and player habit studies, after their ransom demand went unpaid.
Booking.com warns customers of hack that exposed their data | Hacking | The Guardian
Booking.com has alerted customers to a data breach where unauthorised parties accessed booking details, including names, emails, addresses, and phone numbers, but not financial information. This incident is the latest in a series of cybercrime attempts targeting the platform.
FBI Recovers Deleted Signal Messages Through iPhone Notifications
The FBI has discovered a method to recover deleted Signal messages from iPhones by accessing notification data, even after the app is deleted. This loophole, which affects other messaging apps like WhatsApp and Telegram as well, can be mitigated by disabling message previews in both iPhone and app notification settings.
GlassWorm evolves with Zig dropper to infect multiple developer tools
The GlassWorm campaign has evolved to use a Zig-compiled dropper hidden within a fake IDE extension to infect multiple developer tools, including VS Code, Cursor, and VSCodium. This sophisticated attack chain allows threat actors to stealthily compromise developer environments at scale by installing a second-stage dropper that steals data and deploys a persistent RAT.
OpenAI Warns macOS Users to Update ChatGPT and Codex Immediately
OpenAI is warning macOS users to update ChatGPT and other applications immediately due to a software supply chain attack that compromised a third-party library, potentially exposing code-signing certificates. While no user data or systems were compromised, updating is crucial as older versions will become non-functional after May 8, 2026.
Over 20,000 crypto fraud victims identified in international crackdown
An international law enforcement operation named Operation Atlantic has identified over 20,000 victims of cryptocurrency fraud across Canada, the UK, and the US, freezing over $12 million in criminal proceeds and identifying over $45 million in stolen crypto. This operation highlights the success of public-private partnerships in combating fraud, a model that will be central to the UK’s new Fraud Strategy.
Censys finds 5,219 devices exposed to attacks by Iranian APTs, majority in U.S.
Censys has identified 5,219 internet-exposed Rockwell Automation PLCs, with the majority located in the U.S., that are vulnerable to attacks by Iranian APTs. These devices are being targeted to disrupt critical infrastructure sectors, prompting urgent calls for defenders to secure or disconnect them.
A practical guide to the “gray man” approach to travel—how to blend in, stay aware, and reduce risk without paranoia. Learn how behaviour, mindset, and digital hygiene can make you less of a target and more in control wherever you go.
Critical Marimo Flaw Exploited Hours After Public Disclosure - SecurityWeek
A critical remote code execution (RCE) vulnerability in the Marimo notebook, CVE-2026-39987, was exploited by a threat actor just nine hours after its public disclosure. The unauthenticated flaw allows arbitrary system command execution, and the attacker successfully used it to steal credentials and exfiltrate files.
MITRE Releases Fight Fraud Framework - SecurityWeek
The non-profit MITRE Corporation has released the Fight Fraud Framework (MITRE F3), a knowledge base detailing fraudster tactics, techniques, and procedures (TTPs) to aid organizations in combating fraud. This free, open framework provides a common structure for understanding cyber fraud incidents, including unique tactics like positioning and monetization, to improve collaboration on fraud detection, prevention, and response.
Zephyr Energy hackers swiped £700,000 after redirecting a contractor payment | IT Pro
Oil and gas firm Zephyr Energy reported a cyber intrusion where hackers diverted a contractor payment, resulting in a loss of approximately £700,000. The company has contained the incident, implemented additional security measures, and is working with authorities and banks to recover the funds, stating it will not impact ongoing operations.
UAT-10362 linked to LucidRook attacks targeting Taiwan-based institutions
The LucidRook malware, a Lua-based stager, is being used in phishing attacks targeting Taiwan-based NGOs and universities, and is linked to the threat group UAT-10362. These attacks employ password-protected email attachments and leverage sophisticated techniques like DLL sideloading and geo-targeting to maintain stealth and deliver payloads.
Claude uncovers a 13‑year‑old ActiveMQ RCE bug within minutes | CSO Online
A 13-year-old ActiveMQ RCE bug (CVE-2026-34197) was discovered and weaponized in minutes by researchers using AI, specifically Claude, highlighting the potential of AI in exploit-building. The vulnerability, which allowed arbitrary system command execution through the Jolokia API, has been fixed in newer versions of ActiveMQ Classic.