Apple Patches Critical iOS Privacy Flaw; New Kyber Ransomware Emerges with Post-Quantum Encryption

Apple Patches Critical iOS Privacy Vulnerability (CVE-2026-28950) After FBI Recovers Deleted Signal Notifications

Apple has issued an emergency security update for iOS and iPadOS to address a significant privacy vulnerability, CVE-2026-28950. The flaw caused the operating system to improperly retain notifications from secure messaging apps like Signal, even after the messages and the app itself were deleted. The issue came to light following court documents revealing the FBI had successfully used forensic methods to recover supposedly deleted Signal message content from a defendant's iPhone. The vulnerability was not in Signal's encryption but in Apple's notification handling. The patch, included in iOS 26.4.2 and 18.7.8, resolves the issue by improving data redaction and ensures that previously retained notifications are deleted upon update.

iOSiPadOSPrivacySignalForensics +2 more

Apple Rushes Fix for iOS Flaw That Let FBI Recover Deleted Signal Messages

Kyber Ransomware Debuts with Post-Quantum Encryption, Targeting Windows and ESXi

New Kyber Ransomware Gang Employs Post-Quantum Cryptography in Windows Attacks, Falsely Claims it for ESXi Variant

A new ransomware operation named 'Kyber' is targeting both Windows and VMware ESXi environments, but with a notable difference in its encryption schemes. Security firm Rapid7 discovered that the Rust-based Windows variant uses a hybrid encryption method employing Kyber1024, a post-quantum cryptography (PQC) algorithm, to protect the AES symmetric keys used for file encryption. This marks a significant, albeit currently tactical, evolution in ransomware development. In contrast, the Linux-based ESXi variant, despite claiming PQC usage in its ransom note, was found to use the traditional ChaCha8 cipher with RSA-4096 for key protection. The move is seen as a psychological tactic to intimidate victims, as current quantum computing capabilities do not threaten existing encryption standards. The group is already active, listing a U.S. defense contractor as a victim.

RansomwareKyberPQCPost-Quantum CryptographyVMware ESXi +2 more

6 min read

Kyber Ransomware Debuts with Post-Quantum Encryption, Targeting Windows and ESXi

Ten Nations Warn of China-Linked Threat Actors Using Covert SOHO Botnets for Espionage

Joint Advisory: NSA, CISA, and Global Partners Warn of China-Nexus Actors Using Large-Scale Covert Networks for Cyber Operations

An international coalition of cybersecurity agencies from ten nations, including the U.S. NSA, CISA, and FBI, has issued a joint advisory on the evolving tactics of China-nexus threat actors. The advisory warns that these groups are increasingly leveraging large-scale 'covert networks' composed of compromised small office/home office (SOHO) routers, firewalls, and IoT devices. This tactic allows multiple state-sponsored groups to obfuscate their origins, making attribution difficult while conducting espionage and cyberattacks. The advisory specifically links the 'KV Botnet' to the Volt Typhoon group's attacks on U.S. critical infrastructure and notes that these botnets are dynamically managed, rendering static IP blocklists ineffective. The agencies urge organizations to harden edge devices, use strong credentials, and improve network traffic monitoring.

APTChinaVolt TyphoonFlax TyphoonBotnet +4 more

6 min read

Ten Nations Warn of China-Linked Threat Actors Using Covert SOHO Botnets for Espionage

Tropic Trooper APT Targets Chinese Speakers with Trojanized PDF Reader, Uses GitHub for C2

Tropic Trooper (APT23) Deploys Custom Beacon via Trojanized SumatraPDF, Abuses GitHub and VS Code Tunnels for Espionage

The cyber-espionage group Tropic Trooper (also known as APT23 or Pirate Panda) has been linked to a new campaign targeting Chinese-speaking individuals in Taiwan, South Korea, and Japan. According to Zscaler's ThreatLabz, the attack, first seen in March 2026, uses a military-themed ZIP archive containing a trojanized version of the SumatraPDF reader. Upon execution, the malware displays a decoy document while deploying a multi-stage payload. This payload includes the TOSHIS loader and the AdaptixC2 Beacon, which uses GitHub issues and repository APIs for command and control. For high-value targets, the threat actors also leverage Microsoft Visual Studio Code tunnels to establish persistent remote access, showcasing a sophisticated approach to blending in with legitimate developer traffic.

Tropic TrooperAPT23Cyber EspionageGitHubSumatraPDF +2 more

Tropic Trooper APT Targets Chinese Speakers with Trojanized PDF Reader, Uses GitHub for C2

NATO's Locked Shields 2026 Cyber Exercise Tests 4,000 Defenders Against 8,000 Live-Fire Attacks

INFORMATIONAL

Locked Shields 2026 Concludes in Estonia, Pitting 41 Nations Against Simulated Attacks on Critical Infrastructure and Electronic Voting Systems

The world's largest and most complex live-fire cyber defense exercise, Locked Shields 2026, has concluded in Tallinn, Estonia. Organized by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), the exercise involved over 4,000 participants from 41 NATO and partner nations. The multinational teams were tasked with defending the critical infrastructure of a fictional country against a barrage of approximately 8,000 real-time cyberattacks over several days. This year's scenario was expanded to include the defense of an electronic voting system for the first time, alongside traditional targets like power grids, 5G networks, and military systems. The exercise tests not only technical skills but also strategic decision-making, legal considerations, and crisis communication.

NATOLocked ShieldsCyber DefenseExerciseCritical Infrastructure +2 more

4 min read

NATO's Locked Shields 2026 Cyber Exercise Tests 4,000 Defenders Against 8,000 Live-Fire Attacks

Celerium Launches 'DIB CyberDome' to Automate CMMC Compliance for Defense SMBs

INFORMATIONAL

Celerium's New 'DIB CyberDome' Platform Aims to Secure the Defense Industrial Base with Automated Threat Blocking and CMMC Compliance

Celerium has launched the DIB CyberDome, a cybersecurity platform tailored for the thousands of small and mid-sized businesses (SMBs) in the U.S. Defense Industrial Base (DIB). The platform is designed to help these contractors meet the complex requirements of the Cybersecurity Maturity Model Certification (CMMC) Level 2 and defend against advanced threats without the need for a large security team. Its core 'Cyber Interceptor' component provides continuous network boundary monitoring and automated threat blocking, re-optimizing every 15 minutes. This automates compliance with difficult CMMC controls that typically require expensive SIEM and SOAR solutions. The platform also features a collective defense system to share threat intelligence across the DIB ecosystem.

CMMCDIBDefense Industrial BaseComplianceNIST 800-171 +2 more

4 min read

Celerium Launches 'DIB CyberDome' to Automate CMMC Compliance for Defense SMBs

OpenAI Launches GPT-5.4-Cyber, a Specialized AI Model for Defensive Cybersecurity

INFORMATIONAL

OpenAI Unveils GPT-5.4-Cyber, Offering Vetted Security Teams Advanced Capabilities like Binary Analysis

OpenAI has introduced GPT-5.4-Cyber, a specialized version of its latest large language model fine-tuned for defensive cybersecurity tasks. The model features fewer restrictions than its public counterpart, enabling security professionals to perform complex operations like binary reverse engineering. This capability allows analysts to examine compiled code for malware and vulnerabilities without access to the source. Access to GPT-5.4-Cyber is being granted through an expanded 'Trusted Access for Cyber' (TAC) program to a select group of vetted organizations, including major financial institutions and cybersecurity firms like CrowdStrike and Palo Alto Networks. The initiative aims to empower cyber defenders and scale security capabilities in response to the growing use of AI by adversaries.

AIArtificial IntelligenceOpenAIGPT-5Cybersecurity +2 more

4 min read

OpenAI Launches GPT-5.4-Cyber, a Specialized AI Model for Defensive Cybersecurity

New 'GopherWhisper' APT Group Linked to China Targets Mongolian Government

Undocumented GopherWhisper APT Abuses Slack and Discord for C2 in Espionage Campaign Against Mongolian Government

ESET researchers have uncovered a previously unknown, China-aligned APT group named 'GopherWhisper.' Active since at least November 2023, the group was discovered targeting a Mongolian governmental institution with a sophisticated, Go-based malware toolkit. This toolset includes multiple backdoors like LaxGopher, RatGopher, and BoxOfFriends. A key characteristic of GopherWhisper is its extensive use of legitimate commercial services for command and control (C2) to evade detection. The LaxGopher backdoor uses a private Slack workspace, RatGopher uses Discord, and BoxOfFriends uses Microsoft Graph API to communicate via Outlook draft emails. This 'living off the trusted service' approach makes their C2 traffic extremely difficult to distinguish from legitimate user activity.

APTGopherWhisperChinaCyber EspionageGo +4 more

New 'GopherWhisper' APT Group Linked to China Targets Mongolian Government

Mirai Botnet Exploits Critical Flaw in Discontinued D-Link Routers for DDoS Attacks

New Mirai Botnet Campaign Actively Exploiting High-Severity RCE Flaw (CVE-2025-29635) in End-of-Life D-Link Routers

A new variant of the Mirai botnet is actively exploiting a year-old, high-severity command injection vulnerability (CVE-2025-29635, CVSS 8.8) affecting discontinued D-Link DIR-823X routers. According to Akamai, attackers are using the flaw to achieve remote code execution, download a shell script, and install a Mirai variant named 'tuxnokill.' This enlists the vulnerable, end-of-life devices into a botnet for launching DDoS attacks. The affected routers reached their end-of-life in November 2024 and no longer receive security patches from D-Link, leaving them permanently vulnerable. The campaign highlights the significant risk posed by unpatched IoT devices, as threat actors continuously scan for and exploit them to build their botnet armies.