Microsoft has released a July batch of security updates that fix over 500 security flaws across its various products and services, including two actively exploited zero-day vulnerabilities. The first exploited flaw is CVE-2026-56155, an insufficient granularity of access control issue that allows a local user to escalate privileges on the system. The second exploited vulnerability is CVE-2026-56164, a missing authentication for critical function issue that permits unauthorized access to the application.
Separately, SonicWall has warned that threat actors are actively exploiting two vulnerabilities (CVE-2026-15409 and CVE-2026-15410) affecting its SMA1000 secure access appliances in zero-day attacks.
Progress Software confirmed that a high-severity zero-day vulnerability caused the emergency shutdown of ShareFile Storage Zone Controllers. The company temporarily disabled access after detecting a security threat and has now released updates (versions 5.12.5 and 6.0.2) to fix the issue. Customers are advised to install the updates as soon as possible to protect their systems.
CERT-UA warns that the Russian Sandworm hacking group is using Signal messages and compromised websites to trick users into installing malware. Victims are lured into downloading fake antivirus software or executing malicious terminal commands disguised as CAPTCHA verification. The attacks deploy malware, including KALAMBUR, SUMBUR, TAMBUR, GHETTOVIBE, SCOUTCURL, and FREAKYPOLL, to steal passwords, files, and other sensitive information.
Russian state-backed hackers used internet-connected security cameras to spy on NATO military bases and transport routes in the Netherlands. The General Intelligence and Security Service (AIVD) said hackers gained access to a small number of IP cameras along military logistics routes. The cameras were used to monitor the movement of military equipment being sent to Ukraine.
Separately, cybersecurity agencies from the US and eight partner countries have issued a joint advisory warning that Russian state-backed hackers are targeting vulnerable routers to gain access to critical infrastructure networks. The advisory attributes the activity to the Russian Federal Security Service (FSB) Center 16.
Also, the European Union and the United Kingdom imposed new joint sanctions against Russia, accusing Moscow’s intelligence services of carrying out cyberattacks and attempts to disrupt countries across Europe. The new measures target 24 individuals and organizations accused of supporting Russia’s cyber and hybrid operations. The list includes cybercriminal networks linked to Russian intelligence services and people involved in spreading false anti-Ukraine messages.
A Russian cybercrime group known as UAT-11795 has been observed targeting users with fake versions of popular software to steal passwords, cryptocurrency, and other sensitive information. The attackers disguise malware as installers for trusted tools such as MobaXterm, WebEx, Zoom, DBeaver, and FaceIT. Once installed, the malware deploys a new backdoor called Starland RAT, which gives attackers remote access to infected computers.
Another Russian-speaking threat actor called ‘bandcampro’ has been observed using Google's open-source Gemini CLI AI tool to help carry out cyberattacks. The AI assisted with troubleshooting, managing a small botnet of eight computers at a dental clinic, accessing a patient database, cracking passwords, attacking WordPress sites, and planning a cryptocurrency scam targeting older adults in the US and Canada. The AI also suggested improvements to the threat actor's operations 59 times without being asked.
A new ransomware group, tracked as ‘Spirals,’ targeted an IT services company in South Asia, completing the attack in less than 24 hours. The attackers gained access through a public IIS server, spread to multiple systems, disabled security tools, created several remote access methods, and stole and encrypted the company's data.
A separate report from Symantec analyzes Daxin, a China-linked kernel-mode rootkit first uncovered in 2022. The malware has been observed on a compromised host in Taiwan this year along with a novel backdoor called Stupig. The latter uses a never-before-seen technique allowing an attacker to run commands as System directly from the Windows logon screen, before anyone signs in and without raising a logon audit event.
Elastic Security released a technical report on a new modular MaaS malware called TELEPUZ that has been spreading via compromised websites using ClickFix lures since late April 2026. Researchers said it is lightweight, full-featured, modular and fast evolving.
Blackpoint researchers discovered a Rust-based remote access tool (RAT) called LabubaRAT, which disguises itself as NVIDIA software to avoid detection, establishes persistent access on infected Windows systems, and allows attackers to execute commands, transfer files, capture screenshots, and proxy network traffic. It also supports multiple communication methods, including HTTPS, WebView2, and DNS tunneling, to help maintain remote access.
ESET researchers found 11 Microsoft-signed UEFI shim bootloaders that allow threat actors to bypass UEFI Secure Boot by exploiting decade-old vulnerabilities. Attackers could run unauthorized code during startup and install bootkits like Bootkitty, HybridPetya, or BlackLotus. Microsoft revoked the affected shims in its June 9, 2026 security update. The issues were assigned CVE-2026-8863 and CVE-2026-10797.
Security researchers at KU Leuven have found that many popular browser-based cryptocurrency wallets leak enough information to let websites and blockchain services track users across the web and connect wallet addresses that were meant to stay separate.
US authorities have charged three Russian nationals with running hosting services that allegedly helped ransomware groups carry out cyberattacks causing more than $62 million in global damages. The US has also offered a reward of up to $10 million for information about the suspects, while the EU has sanctioned the hosting services and several people linked to Russian military intelligence and state-backed hacking groups. Separately, the US sanctioned VPN provider 1VPNS and two individuals for allegedly supporting ransomware attacks by helping cybercriminals hide their activities.
Two members of the Scattered Spider hacking group, Owen Flowers (18) and Thalha Jubair (20), were each sentenced to 5.5 years in prison for the 2024 cyberattack on Transport for London (TfL). The hack disrupted 148 systems, forced 27,000 employees to reset their passwords in person, and cost TfL £29 million. Both pleaded guilty to a serious Computer Misuse Act offence before their trial.
Separately, UK authorities have charged five people in connection to Russian Coms, a caller ID spoofing platform that criminals used to make more than 1.8 million scam calls.
Finnish police have reportedly issued a wanted notice for convicted hacker Aleksanteri Kivimäki after the Supreme Court refused to hear his appeal. The decision leaves in place a Court of Appeal sentence of six years and 11 months in prison. Authorities are seeking to arrest him and return him to prison to serve the rest of his sentence. Kivimäki's lawyer told Finnish media that he doesn’t know where his client is and that Kivimäki is believed to be abroad.
The Dutch Police arrested several people suspected of running a large international investment fraud scheme that targeted tens of thousands of victims. The group allegedly operated 20 call centers with over 700 fake financial advisers and is believed to have made more than €100 million per month. The main suspect, an Israeli-Polish national, was arrested in Poland and extradited to the Netherlands, while other Dutch and Belgian suspects were arrested in Cyprus, Greece, and Belgium.
In an unrelated operation, the Spanish National Police has dismantled an international criminal organization accused of laundering approximately €140 million through sophisticated cyber fraud schemes targeting victims across Europe. Four suspects were arrested in a coordinated operation spanning Spain, Portugal, and Panama. The suspects allegedly orchestrated a range of online financial crimes, including fake investment platform scams, CEO fraud, fake invoice schemes, and man-in-the-middle attacks.
A Welsh man, Callum Dare, was sentenced to prison for helping organize swatting attacks in the UK, US, and Canada. Although he did not make the fake emergency calls himself, he encouraged and helped others through the Doxbin dark web site he administered.