
This week’s security news is mostly about weak spots.
Browsers, bots, sandboxes, AI systems, and email flows all show the same problem in different ways. Everything looks normal until someone tests a small gap and finds a way through.
This is not one big break. It is small permissions, weak checks, open systems, and normal tools doing things they were allowed to do. That same pattern runs through the stories below.
A phishing campaign is targeting small businesses across Europe, Asia, the Middle East, and the U.S. with fake investigation emails impersonating law enforcement officials. «The emails claim to contain evidence of suspicious company activity and pressure recipients into opening a password-protected archive,» Bitdefender said. «Recipients are directed to a Proton Drive-hosted file that ultimately delivers ransomware. The ransomware appears to be a custom-built payload rather than a known ransomware family.»
New research from Armadin has discovered an attack chain affecting Claude Cowork on Windows. The attack allows an attacker with local code execution to plant a malicious file in Claude Desktop’s application directory, hijacking a trusted process to communicate with Cowork’s underlying VM service. «An attacker with local code execution could run arbitrary commands as root in Claude Cowork’s sandbox without network egress restrictions,» the company said. The exploit takes advantage of two unvalidated parameters in the service’s interface that allow the attacker to run commands as root and bypass network filtering entirely, thereby allowing sensitive data to be exfiltrated to attacker-controlled infrastructure. Following responsible disclosure on May 29, 2026, Anthropic said it does not consider it to be a security issue because exploitation requires pre-existing local code execution on the host.
A vulnerability has been disclosed in Apple’s Hide My Email service that allows users’ real email addresses to be unmasked. Tyler Murphy, the researcher who found the bug, said that he reported the issue to Apple over a year ago and that it continues to remain unpatched. «We don’t know the full scope of the issue, but in our limited tests with volunteers, 100% of Hide My Email addresses were exploitable,» Murphy told 404 Media. Exact details surrounding the vulnerability have been withheld to avoid potential exploitation concerns.
A customized version of the open-source DCRat framework dubbed BeepRAT has been identified as distributed via a Chinese phone number management utility packaged within a ZIP archive, per Rubrik Zero Labs. «The archive contained a .NET application named HFY.exe alongside several third-party libraries commonly associated with database-driven applications,» Rubrik said. «Although the application appeared to function as a telephone number management tool, further analysis revealed a sophisticated multi-stage infection chain that ultimately deployed the customized BeepRAT payload.» The malware establishes persistence on the host via scheduled tasks, and resolves the command-and-control infrastructure using DNS-over-HTTPS (DoH) requests. It then beacons a packet containing information about the compromised host, after which a persistent communication channel is opened to receive incoming commands that allow the malware to transfer files between the host and the server, launch interactive command prompt sessions, issue commands to it, launch PowerShell sessions, enumerate running processes and available storage drives, terminate a specified process, perform file system operations, record through webcam, log keystrokes, take screenshots, list active network connections, download and run .NET assemblies in memory, and launch a proxy. It’s assessed that BeepRAT operates within the China-nexus espionage ecosystem.
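BeepRAT resolves its C2 through DNS-over-HTTPS, which hides the lookup from ordinary DNS monitoring. The check below, added here as an example and not code from Rubrik Zero Labs, flags RFC 8484-style DoH requests from processes that are not expected to make them; the event schema and the sample events are constructed, not taken from real telemetry.

```python
"""Flag DNS-over-HTTPS requests from processes that have no reason to make them.
Added example for this bulletin, not code from Rubrik Zero Labs; the event schema
(process, dest_host, path, content_type) and sample events are constructed."""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass

# Public DoH resolvers (real hostnames); RFC 8484 fixes the path as /dns-query
# and the media type as application/dns-message.
DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
DOH_PATH = "/dns-query"
DOH_MEDIA_TYPE = "application/dns-message"
# Processes expected to speak DoH on a workstation (assumption; tune per fleet).
ALLOWED_DOH_PROCESSES = {"firefox.exe", "chrome.exe", "msedge.exe"}


@dataclass(frozen=True)
class HttpEvent:
    process: str        # image name of the process that made the request
    dest_host: str      # Host header / TLS SNI of the request
    path: str           # request path, query string included
    content_type: str   # request or response Content-Type


def is_doh(ev: HttpEvent) -> bool:
    """True if the request looks like DoH by path, media type or known resolver."""
    return (ev.path.split("?", 1)[0] == DOH_PATH
            or ev.content_type.lower() == DOH_MEDIA_TYPE
            or ev.dest_host.lower() in DOH_RESOLVERS)


def unexpected_doh(events: list[HttpEvent]) -> dict[str, int]:
    """Count DoH requests per process outside the allowlist; repeats suggest C2 lookups."""
    hits = Counter(ev.process.lower() for ev in events
                   if is_doh(ev) and ev.process.lower() not in ALLOWED_DOH_PROCESSES)
    return dict(hits)


# Constructed sample: a browser doing normal DoH, and HFY.exe (the lure application
# named in the report) resolving its C2 through public resolvers three times.
SAMPLE_EVENTS = [
    HttpEvent("chrome.exe", "dns.google", "/dns-query?dns=AAABAAABAAAAAAAA", DOH_MEDIA_TYPE),
    HttpEvent("HFY.exe", "cloudflare-dns.com", "/dns-query?dns=AAABAAABAAAAAAAA", DOH_MEDIA_TYPE),
    HttpEvent("HFY.exe", "cloudflare-dns.com", "/dns-query?dns=AAABAAABAAAAAAAA", DOH_MEDIA_TYPE),
    HttpEvent("HFY.exe", "dns.quad9.net", "/dns-query?dns=AAABAAABAAAAAAAA", DOH_MEDIA_TYPE),
    HttpEvent("outlook.exe", "outlook.office365.com", "/owa/", "text/html"),
]
```

Feeding the same function proxy or EDR network events gives a per-process count that pairs well with the scheduled-task persistence the report describes.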
An evaluation of OpenAI’s GPT-5.6 Sol on real-world offensive security benchmarks by AI security lab Irregular has found the model to perform slightly better than GPT-5.5, while continuing to struggle with well-defended targets and complete end-to-end attacks. «GPT-5.6 Sol demonstrated capabilities relevant to offensive cyber misuse, including finding and exploiting high-impact zero-day vulnerabilities across multiple real systems,» it said. «These capabilities were demonstrated on sensitive, widely used classes of systems, including mobile operating systems and database systems. Despite these capabilities, GPT-5.6 Sol continued to show clear limitations against hardened targets and in orchestration, operationalization, and operational security. Performance also degrades when tasks require sustained logical coherence over long horizons or quick, time-sensitive decision-making.»
Cofense said it’s observing a «clear shift in phishing operations» where threat actors are moving beyond broad, one-size-fits-all campaigns to adopt platform-aware delivery that adapts to the victim’s device, browser, and environment. Phishing campaigns have been found to deliver Itarian RAT or the ConnectWise tool via Ninite Loader on Windows, while serving credential harvesting phishing pages when URLs are visited from macOS or Android. The operating system-specific payloads are delivered by fingerprinting victims through User-Agent data. «What began as simple Windows-focused malware distribution campaigns has evolved into more sophisticated campaigns that can selectively deliver credential phishing, remote access tools, or malware across Windows, MacOS, and Android,» it said. «This trend reflects a broader strategic change in the threat landscape, one that is designed to increase the likelihood of compromise, expand target coverage, and improve threat actor return on investment.»
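Because the delivery branches on the User-Agent, a single fetch from a sandbox can miss the malicious path. The probe below, added here as an example and not code from Cofense, requests the same URL as several platforms and reports where the responses diverge; the User-Agent strings, the `example.invalid` URL and the offline `fake_fetch` server stand-in are constructed, and the fetcher is injected so the comparison runs without network access.

```python
"""Probe a suspected URL as several platforms and flag platform-aware delivery.
Added example for this bulletin, not code from Cofense; UA strings and the
fake_fetch responses are constructed, and the fetcher is injected for offline use."""
from __future__ import annotations
import hashlib
import urllib.request
from dataclasses import dataclass
from typing import Callable

PROBE_AGENTS = {  # constructed, representative UA strings per platform
    "windows": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36",
    "macos": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 Version/17.4 Safari/605.1.15",
    "android": "Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 Chrome/124.0 Mobile Safari/537.36",
}
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload", "application/x-msi"}

@dataclass(frozen=True)
class Response:
    final_url: str      # URL after redirects
    content_type: str   # Content-Type header, media type only
    body: bytes

def http_fetch(url: str, user_agent: str, timeout: int = 10) -> Response:
    """Real fetcher for use from a sandbox; not exercised by the offline sample below."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        ctype = resp.headers.get("Content-Type", "").split(";")[0].strip().lower()
        return Response(resp.geturl(), ctype, resp.read())

def probe(url: str, fetch: Callable[[str, str], Response]) -> dict[str, Response]:
    """Fetch url once per platform User-Agent."""
    return {platform: fetch(url, ua) for platform, ua in PROBE_AGENTS.items()}

def findings(results: dict[str, Response]) -> list[str]:
    """Name what differs by platform: distinct content, and binaries served to a browser."""
    out = []
    digests = {p: hashlib.sha256(r.body).hexdigest() for p, r in results.items()}
    if len({(results[p].final_url, results[p].content_type, digests[p]) for p in results}) > 1:
        out.append("response differs by User-Agent: "
                   + ", ".join(f"{p}={results[p].content_type}" for p in sorted(results)))
    for p, r in sorted(results.items()):
        if r.content_type in BINARY_TYPES:
            out.append(f"{p}: executable payload ({r.content_type}) served from {r.final_url}")
    return out

def fake_fetch(url: str, user_agent: str) -> Response:
    """Constructed cloaking server: an installer for Windows, a credential page otherwise."""
    if "Windows NT" in user_agent:
        return Response(url + "/NiniteLoader.exe", "application/x-msdownload", b"MZ\x90\x00...")
    return Response(url + "/login", "text/html", b"<form action='/collect'>Sign in</form>")
```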
The U.S. State Department is offering a reward of up to $10 million for information leading to the identification or location of threat actors associated with UNC5792, a malicious cyber group linked to the Russian Federal Security Service (FSB) Border Guards, and UNC4221, a malicious group of cyber actors working on behalf of the Russian military services. UNC5792 has been linked to widespread phishing campaigns targeting Signal and WhatsApp accounts of U.S. government officials, military leadership, and allied personnel with an aim to gain unauthorized access. «Although these malicious cyber activities did not exploit any security vulnerability in the platforms’ encryption protections, they have compromised thousands of individual commercial messaging application accounts,» the State Department said.
New research from a group of academics has revealed that machine learning models cannot reliably distinguish between authorized and unauthorized input, leaving them susceptible to a persistent problem called prompt injection. «LLMs see the world as a single stream of text, partitioned into roles like or ,» the researchers said. «We trace prompt injection to role confusion: models perceive the source of text from how it sounds, not its labeled role. A command hidden in a web page hijacks an agent simply because it sounds like text, despite its label.» The attack, dubbed CoT Forgery, involves injecting fabricated reasoning into user prompts and tool outputs, causing the models to mistake the forgery for their own thoughts and act on them, yielding 60% attack success against frontier models. The attack essentially exploits the trust a model places in its own thinking.

Anthropic said it plans to remove the hidden code it added to Claude Code several months ago to detect unauthorized distillation efforts. The relevant code checks Claude Code’s base URL environment variable that’s used to route API requests to a proxy or gateway. If the base URL has been overridden, the code snippet checks the system time zone and whether the hostname matches any entry in a list of known Chinese companies, account resellers, and gateway domains. «This is an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation,» Anthropic’s Thariq Shihipar said. «The team has landed stronger mitigations since then and we’ve actually been meaning to take this down for a while.»
Opera has introduced Paste Protect, a new security feature designed to block ClickFix-style attacks that deceive users into executing malicious commands through social engineering techniques. «Paste Protect helps identify situations where malicious websites attempt to either replace something you copied with a malicious version or place potentially harmful commands on your clipboard and later trick you into pasting them onto a terminal,» the browser maker said. «When any kind of suspicious clipboard activity is detected, Opera’s Paste Protect warns users before dangerous content can be executed.» The development comes as ClickFix continues to be a popular initial access vector for threat actors. According to Huntress, ClickFix was responsible for over 53% of all malware loader activity in 2025. ReliaQuest data for the period between March 1 and May 31, 2026, shows that ClickFix remained the dominant delivery method and targeted both Windows and macOS systems. One notable trend observed during the period was that ClickFix activity appeared to shift from delivery via compromised websites to emailed links. «ClickFix demonstrates that the human element remains one of the most effective attack vectors, especially when combined with legitimate system functionality and trusted binaries,» security researcher Bert-Jan Pals said.
A spear-phishing attack orchestrated by UNC1151 (aka Ghostwriter) targeting Belarusian pro-democracy politician Yury Hubarevich has been assessed to be part of a much broader credential phishing operation. The activity involved sending emails from Gmail accounts claiming to have detected suspicious activity on targets’ Google accounts, urging them to click on a link to verify their account. The catch here was that entering the credentials on the phishing page harvested the victim’s login information and exfiltrated it to the attacker-controlled infrastructure. Attack surface management platform Censys has since uncovered additional domains impersonating the I.UA email portal, suggesting the activity also likely targeted Ukrainians.
The U.S. Federal Trade Commission has fined Amazon $2.25 million to settle claims that the company failed to help customers who fell victim to identity theft. Consumers who contacted Amazon to report fraud were told by its customer service agents that they could not provide the application and business transaction records about fraudulent transactions made in their names for «security» or «privacy» reasons. «Amazon often puts identity theft victims through a Kafkaesque ordeal by demanding they identify the thief who stole their information before Amazon would release the records the law entitles them to – records that could help victims protect themselves and recover from the fraudulent conduct,» said Christopher Mufarrige, Director of the FTC’s Bureau of Consumer Protection.
A remote access trojan (RAT) named Millennium RAT has undergone an architectural shift from .NET to native C++, while still relying on the Telegram Bot API for command-and-control (C2). The malware is attributed to a developer named ShinyEnigma, who is also behind DotStealer and was first seen in September 2023. It is offered as malware-as-a-service (MaaS) for $50 for the first month, $10 for subsequent months, or a one-time $90 lifetime purchase. «As a full-featured remote access trojan, Millennium RAT 4.* is designed to compromise Windows machines,» Group-IB said. «It enables threat actors to exfiltrate sensitive browser and system data, capture screenshots and audio, perform keylogging, and download and run arbitrary executables.» Campaigns involving the malware are carried out by a threat actor cluster codenamed Y2K Operators. The threat actor has been active since May 2025, using social engineering to trick users into executing malicious payloads disguised as legitimate software or cracked applications. As of writing, 62,289 devices have been infected with the Millennium RAT 4.* versions, with more than 16,000 infections reported in the month of March 2026 alone. In an interesting twist, the attackers even target other cybercriminals. «They take popular RATs, builders, and exploit kits, add a backdoor, and redistribute them — so the would-be attacker downloads a working tool and gets infected at the same time,» Group-IB said.
Microsoft said it discovered a malicious Chromium-based extension that impersonates the AI-powered answer engine Perplexity AI to trick unsuspecting users into installing it. The extension, named «Search for Perplexity ai» (ID: flkebkiofojicogddingbdmcmkpbplcd), has since been taken down by Google, but not before it attracted 10,000 installs. «We assess its primary objective to be search traffic interception and data collection, which might enable downstream use cases such as profiling, targeted advertising, or other forms of misuse depending on operator intent,» the tech giant said. «However, unlike traditional search hijackers that rely primarily on aggressive monetization or visible redirection, this extension combines Manifest Version 3 (MV3) capabilities with intermediary infrastructure and declarativeNetRequest (DNR) rules to transparently intercept Omnibox queries while preserving the appearance of legitimate search results.» The attacks illustrate how threat actors continue to capitalize on the popularity of AI tools to abuse them as a social engineering vector.
Microsoft said it’s introducing «smarter bot protection» features to tackle scenarios where bots connected to a third-party service attend meetings as AI tools become more common in enterprise setups. «Unexpected participants in a meeting can create security and privacy risks, particularly when sensitive information is being discussed,» it said. «That’s why we’re introducing a new Teams admin policy designed to give organizations more visibility and control over external bots in their meetings. This new experience helps organizers identify bots, and adds safeguards before they’re admitted, giving organizations greater confidence that only the intended participants and tools will be present.» As part of this effort, Microsoft intends to clearly distinguish between bots and human participants, give organizers more visibility when bots join a meeting, and issue warnings when organizers choose Admit all and bots are included. With these new safeguards rolling out, Microsoft plans to retire the existing CAPTCHA verification experience.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that the now-patched Microsoft Defender vulnerability known as BlueHammer (aka CVE-2026-33825) was exploited in ransomware attacks. BlueHammer was first disclosed as a zero-day by an anonymous researcher named Chaotic Eclipse (aka Nightmare-Eclipse) in April 2026. It’s unclear which ransomware group has exploited the flaw.
Threat actors have been observed using a misconfigured Ollama model server as the reasoning engine for an automated, multi-stage offensive security tool called the VAPT framework, according to findings from Sysdig. The development marks a new evolution of LLMjacking, which refers to a form of resource hijacking attack in which malicious actors steal API keys, cloud credentials, or non-human identities to hijack an organization’s Large Language Model (LLM) resources. The unauthorized access is then abused to run heavy AI workloads or sell access to third-parties, leaving the legitimate account holder to pay the usage bills. «The actor was not chatting with the model or reselling access,» Sysdig’s Michael Clark said. «Instead, they wired access to the AI tool into a software pipeline that scans a target, matches it to known vulnerabilities, writes proof-of-concept exploits, and attempts to break into a victim’s environment — with the model making the decisions at every step.»
The lesson this week is simple: attackers do not need the front door when the side door is already open. A copied command, an exposed server, a trusted bot, a weak check. Small things become entry points when nobody treats them like one.
So read the list with that in mind. The loud part is the breach. The useful part is the quiet mistake that made it possible. Until next ThreatsDay.
