Chinese APTs share Linux backdoor in Central Asia telco attacks — China-aligned threat clusters are using the Showboat/kworker Linux post-exploitation framework against telecom providers, with related reporting linking activity to Red Lamassu/Calypso and JFMBackdoor.
Related: Lumen Black Lotus Labs, PwC
Webworm: New burrowing techniques — ESET reports that China-aligned Webworm has expanded its toolkit with EchoCreep and GraphWorm, using Discord and Microsoft Graph API for command-and-control while staging malware through GitHub.
Related: The Hacker News
Netherlands seizes 800 servers of hosting firm enabling cyberattacks — Dutch FIOD arrested two suspects and seized more than 800 servers tied to alleged sanctions evasion and infrastructure used to support cyberattacks, interference operations and disinformation campaigns linked to Russian interests.
Related: FIOD
Underminr vulnerability lets attackers hide malicious connections behind trusted domains — Underminr abuses shared CDN and hosting infrastructure to make malicious traffic appear as trusted-domain traffic, potentially bypassing DNS filtering and hiding command-and-control, VPN or proxy connections.
Related: ADAMnetworks, Underminr
Kali365 phishing-as-a-service kit hijacks Microsoft 365 access tokens — The FBI warns that Kali365 uses device-code phishing to capture OAuth tokens, bypass MFA and give attackers persistent access to Microsoft 365 services such as Outlook, Teams and OneDrive.
Related: Help Net Security
Ghost CMS SQL injection flaw exploited in large-scale ClickFix campaign — Attackers are exploiting CVE-2026-26980 in Ghost CMS to steal admin API keys, inject malicious JavaScript and redirect visitors into fake Cloudflare ClickFix malware flows.
Related: The Hacker News
Lazarus deploys RemotePE memory-only RAT against financial and crypto firms — Researchers report that North Korea-linked Lazarus is using the RemotePE cross-platform malware in a multi-stage attack chain targeting financial and cryptocurrency organizations.
TrapDoor supply chain attack spreads credential-stealing malware via npm, PyPI and Crates.io — A coordinated cross-ecosystem supply chain campaign is targeting npm, PyPI and Crates.io to distribute credential-stealing malware aimed at developer secrets, crypto wallets, SSH keys and cloud credentials.
Laravel-Lang packages poisoned for malware delivery — Attackers rewrote Git tags across Laravel-Lang Composer packages, causing affected builds to pull credential-stealing malware capable of exfiltrating CI secrets and developer credentials.
Related: StepSecurity
266,000 affected by Radiology Associates of Richmond data breach — Radiology Associates of Richmond disclosed a breach affecting protected health information after attackers accessed internal systems and acquired files tied to affected individuals.
Verizon DBIR 2026 reinforces fundamentals, patching and third-party risk — Help Net Security’s DBIR analysis highlights low remediation rates, rising supply chain breach involvement and continued exposure from basic control failures, including missing MFA, weak credential management and excessive cloud privileges.
OpenHack brings open-source AI-powered vulnerability research to security teams — Hadrian released OpenHack, an MIT-licensed project that uses AI coding harnesses, file-based workflows and human approvals to support structured vulnerability research.
Related: GitHub
Shadow AI use is heaviest among senior decision-makers — TrustedTech research reported by Help Net Security says 65 per cent of decision-makers use unapproved AI tools, compared with 31 per cent of employees below decision-maker level.
