Critical Flaws Exploited: Red Hat Supply Chain Hit, PAN-OS &amp; Netlogon Under Siege, Android Zero-Day Patched

Google Patches Actively Exploited Android Zero-Day (CVE-2025-48595) in June Security Update

Google's June 2026 Android security update addresses 124 vulnerabilities, including a high-severity zero-day flaw (CVE-2025-48595) that is confirmed to be under limited, targeted exploitation. The vulnerability, an elevation of privilege issue in the Android Framework, could allow a local attacker to gain elevated system privileges. The patch is part of a larger update that also fixes 18 critical flaws affecting the Framework, System, and Qualcomm components. While details of the attacks are scarce, such vulnerabilities are often used by spyware vendors. All Android users are urged to install the update as soon as it becomes available for their devices.

AndroidZero-DayCVE-2025-48595GooglePrivilege Escalation +2 more

5 min read

Android Zero-Day Under Attack: Google Issues Urgent Patch for Privilege Escalation Flaw

SideCopy APT Targets Afghanistan's Finance Ministry in 'XENOFISCAL' Espionage Campaign

Pakistan-Linked SideCopy APT Deploys XenoRAT in Spear-Phishing Campaign Against Afghanistan's Ministry of Finance

The Pakistan-aligned threat group SideCopy, part of the Transparent Tribe (APT36) umbrella, is conducting a targeted cyber-espionage campaign dubbed 'Operation XENOFISCAL' against Afghanistan's Ministry of Finance. The campaign uses spear-phishing emails with Pashto-language lures to trick government officials into executing a malicious LNK file. This initiates a multi-stage infection chain that ultimately deploys the open-source XenoRAT trojan. The malware establishes persistence and provides the attackers with full remote access for data theft and surveillance, highlighting the group's continued focus on government and military targets in South Asia.

SideCopyAPT36Transparent TribeXenoRATAPT +4 more

SideCopy APT Targets Afghanistan's Finance Ministry in 'XENOFISCAL' Espionage Campaign

Sophos Uncovers AI-Powered Malware Lab Built to Evade EDR Solutions

Threat Actor Utilizes AI-Powered Framework to Automate EDR Evasion and Malware Development

Security researchers at Sophos have discovered a sophisticated malware development framework that uses AI agents, including Claude Opus, to automate the creation and testing of evasive malware. The threat actor, linked to an active ransomware group, built a virtualized lab to test custom payloads against EDR products from Sophos, CrowdStrike, and Microsoft Defender. The framework leverages AI to analyze security research, extract attack techniques, and systematically refine malware to bypass modern endpoint defenses. This 'human-in-the-loop' approach shows attackers are using AI as a force multiplier to accelerate their development cycles and improve the efficacy of their tools.

Artificial IntelligenceAIMalwareEDR EvasionSophos +3 more

Sophos Uncovers AI-Powered Malware Lab Built to Evade EDR Solutions

Gartner Warns of Four Critical Threats Where Attackers Have the Upper Hand

INFORMATIONAL

Gartner Highlights AI, Deepfakes, and Supply Chain Attacks as Top Cybersecurity Threats for 2026-2027

At its Security & Risk Management Summit, research firm Gartner identified four critical and unpredictable threat areas where attackers hold a significant advantage: AI application compromise, identity impersonation via deepfakes, prompt injection, and software supply chain attacks. Gartner's 2026-2027 ThreatScape report urges cybersecurity leaders to move beyond traditional defenses and adapt their strategies to address these emerging challenges. The firm advises CISOs to focus on mapping new AI-related attack surfaces, hardening CI/CD pipelines, and preparing for a surge in sophisticated, AI-driven social engineering and fraud.

GartnerThreat IntelligenceAIDeepfakeSupply Chain +2 more

Gartner Warns of Four Critical Threats Where Attackers Have the Upper Hand

EU Cyber Resilience Act: 24-Hour Breach Reporting Mandate Begins Sept 2026

INFORMATIONAL

EU Cyber Resilience Act's Strict Reporting Obligations for Connected Products to Begin in September 2026

The European Union's landmark Cyber Resilience Act (CRA) will begin enforcing its stringent reporting obligations on September 11, 2026. Manufacturers of all products with digital elements sold in the EU will be required to report actively exploited vulnerabilities to ENISA within 24 hours of becoming aware of them. This initial warning must be followed by a more detailed notification within 72 hours. The regulation aims to bolster cybersecurity across the single market by mandating 'security by design' and robust vulnerability management for the entire lifecycle of connected products, from smart TVs to industrial control systems.

Cyber Resilience ActCRAEUENISACompliance +3 more

EU Cyber Resilience Act: 24-Hour Breach Reporting Mandate Begins Sept 2026

Samsung Rolls Out June 2026 Security Patch, Fixing 45 Vulnerabilities

MEDIUM

Samsung Details June 2026 Security Patch, Delivering 45 Fixes for Galaxy Devices

Samsung has released the details for its June 2026 Security Maintenance Release (SMR) for Galaxy devices. The update includes patches for 45 vulnerabilities, combining fixes from Google's Android Security Bulletin with 11 Samsung-specific fixes (SVEs). The update aims to improve system stability and protect against various security threats. The rollout will be staggered, with flagship models expected to receive the update first. One additional fix is included for devices running Samsung's own Exynos processors. Users are advised to install the update as soon as it becomes available.

SamsungGalaxyAndroidSecurity PatchSMR +2 more

Samsung Rolls Out June 2026 Security Patch, Fixing 45 Vulnerabilities

Hackers Abuse ChatGPT and Claude 'Share' Features to Host Malware

MEDIUM

Attackers Abusing ChatGPT and Claude Content-Sharing Features for Malware Delivery and Phishing

Threat actors are exploiting legitimate features in popular AI chatbots like OpenAI's ChatGPT and Anthropic's Claude to host and deliver malware. Researchers have observed campaigns where attackers abuse the 'shared conversations' feature to create unique URLs on trusted AI domains. These pages are crafted to look like legitimate guides or support pages, which then trick users into running malicious 'curl' or 'InstallFix' commands to download infostealer malware. By hosting their lures on trusted domains like chat.openai.com, attackers bypass user suspicion and some security filters, highlighting a new vector for social engineering.

ChatGPTClaudePhishingMalwareSocial Engineering +2 more

5 min read

Hackers Abuse ChatGPT and Claude 'Share' Features to Host Malware

Critical Ghost CMS Flaw (CVE-2026-26980) Exploited to Inject Malware on 700+ Sites

CRITICAL

Ghost CMS Vulnerability (CVE-2026-26980) Actively Exploited to Steal API Keys and Inject Malware

A critical SQL injection vulnerability in the Ghost content management system, CVE-2026-26980, is being actively exploited in the wild. At least two distinct threat groups are targeting unpatched websites, with over 700 sites already compromised. The vulnerability allows unauthenticated attackers to steal administrative API keys, which they then use to inject malicious JavaScript loaders into the websites. This injected code facilitates 'ClickFix' social engineering attacks, using fake Cloudflare prompts to trick visitors into downloading and executing data-stealing malware. All administrators of Ghost CMS sites are urged to update to a patched version immediately.

Ghost CMSCVE-2026-26980SQL InjectionMalwareData Theft +2 more

5 min read

Critical Ghost CMS Flaw (CVE-2026-26980) Exploited to Inject Malware on 700+ Sites

New 'FlutterShell' Backdoor Targets macOS Users via Widespread Google Ads Campaign

Unit 42 Uncovers Operation FlutterBridge: A Malvertising Campaign Deploying the FlutterShell Backdoor on macOS

Palo Alto Networks' Unit 42 has identified a large-scale malvertising campaign named 'Operation FlutterBridge' targeting macOS users. This campaign, an evolution of the earlier JSCoreRunner attacks, distributes a new backdoor called FlutterShell. Built with the Flutter framework to complicate analysis, FlutterShell is disguised as legitimate applications like podcast players and PDF viewers. While its primary observed function is adware, it possesses full backdoor capabilities, including remote shell execution, file system manipulation, and a novel data exfiltration method using AI summarization services. The attackers, tracked as CL-CRI-1089, leverage a network of shell companies to push malicious ads through Google's advertising platform, successfully bypassing Apple's notarization process to appear legitimate.

macOSmalvertisingbackdoorFlutteradware +5 more

17 min read

New 'FlutterShell' Backdoor Targets macOS Users via Widespread Google Ads Campaign

Updated Articles (4)

Carnival Data Breach Exposed Nearly 6 Million After Social Engineering Attack

Carnival Corporation Confirms Data Breach Affecting 6 Million Customers and Staff

The notorious extortion group ShinyHunters has officially claimed responsibility for the Carnival data breach. They allege to have stolen 8.7 million records, specifically targeting the Mariner Society loyalty program of Holland America, a Carnival brand. This new information provides concrete attribution for the attack, which previously only had a 'possible link' to the group. While Carnival's confirmed number of affected individuals remains around 6 million, ShinyHunters' claim suggests a potentially larger scope of compromised data, particularly within a specific loyalty program, and confirms their involvement in the extortion attempt.

Data BreachSocial EngineeringCarnivalPIIHospitality +1 more

Carnival Data Breach Exposed Nearly 6 Million After Social Engineering Attack

CRITICAL: Unauthenticated RCE Flaw in Windows Netlogon (CVE-2026-41089) Actively Exploited

CRITICAL

Actively Exploited Windows Netlogon RCE Flaw (CVE-2026-41089) Puts Domain Controllers at Risk

This update provides new technical details, including specific MITRE ATT&CK techniques (T1210, T1068, T1021.002, T1482) associated with the active exploitation of CVE-2026-41089. A more comprehensive impact assessment highlights the catastrophic potential for complete domain takeover, widespread ransomware deployment, data exfiltration, and persistent access. Additionally, Event ID 4625 (failed logon attempts) is noted as a new cyber observable, and Privileged Access Management (PAM) is suggested as an additional mitigation strategy to limit post-exploitation impact.

CVE-2026-41089Windows ServerNetlogonRCEDomain Controller +2 more

CRITICAL: Unauthenticated RCE Flaw in Windows Netlogon (CVE-2026-41089) Actively Exploited

ShinyHunters Leaks Data of 4.9M Charter Customers After Vishing Attack

Charter Communications (Spectrum) Data of 4.9 Million Leaked by ShinyHunters After Failed Extortion

This update provides a more detailed technical analysis of the Charter Communications breach, including specific MITRE ATT&CK IDs (T1654, T1078.004, T1530, T1041) for the vishing, cloud account compromise, and data exfiltration phases. It also offers refined detection and mitigation strategies, emphasizing phishing-resistant MFA (like number matching) and monitoring for MFA fatigue attacks and session token replay in Microsoft Entra ID and Salesforce logs. The core incident details remain consistent.

ShinyHuntersCharter CommunicationsSpectrumData BreachVishing +2 more

ShinyHunters Leaks Data of 4.9M Charter Customers After Vishing Attack

CISA Warns of Active Exploitation of Palo Alto GlobalProtect Auth Bypass Flaw (CVE-2026-0257)

CRITICAL

Palo Alto GlobalProtect Vulnerability (CVE-2026-0257) Under Active Attack, CISA Issues Directive

The severity of CVE-2026-0257, affecting Palo Alto GlobalProtect, has been officially escalated from medium to critical due to ongoing active exploitation. This update includes new technical details, specifically mapping the observed exploitation to MITRE ATT&CK techniques such as 'Exploit Public-Facing Application' (T1190), 'External Remote Services' (T1133), and 'Valid Accounts' (T1078). Enhanced detection methods and hunting hints, incorporating D3FEND references like Authentication Event Thresholding and Network Traffic Analysis, are now provided to assist organizations in identifying vulnerable systems and detecting compromise. The CISA KEV status and June 1 deadline for federal agencies are reiterated, with a strong recommendation for all organizations to apply patches or mitigations immediately.