Reading view

Ransomware crims got a month-long head start on Check Point VPN 0-day that now has a fix

Check Point released an emergency fix on Monday for a critical authentication bypass vulnerability affecting its Remote Access VPN and Mobile Access deployments - but attackers, including ransomware criminals, got a month-long head start. Attacks against the bug, tracked as CVE-2026-50751, began on May 7, according to Check Point VP of research Lotem Finkelstein, and picked up in early June. The security software vendor spotted suspicious activity and began investigating the zero-day on June 4, Finkelstein said in a Monday blog. “We have observed indications that exploitation has been limited to a relatively small number of targeted organizations (several dozen globally), primarily over the past few days,” Finkelstein wrote, adding that, in at least one case, investigators observed post-compromise activity associated with a Qilin ransomware affiliate. This same ransomware scum is also likely exploiting other VPN-related vulnerabilities in Palo Alto Networks, Fortinet, and F5 products, Finkelstein said. CVE-2026-50751 is due to a logic-flow weakness in the Remote Access and Mobile Access certificate validation process, and it allows remote attackers to bypass authentication and establish a remote access VPN connection without a user password. It affects Mobile Access/SSL VPNs, Remote Access VPNs, and Spark Firewalls configured to use the deprecated IKEv1 key exchange protocol. While investigating CVE-2026-50751 and affected VPN components, Check Point found another vulnerability, CVE-2026-50752, in its Security Gateways and Spark Firewall products. It’s due to a bug in the certificate validation logic of the deprecated IKEv1 key exchange method, and can lead to man-in-the-middle attacks on the VPN site-to-site configuration. Check Point says that it hasn’t received any reports of in-the-wild exploitation of CVE-2026-50752. Check Point urges customers running vulnerable gateways and firewalls to apply the hotfixes, and the vendor also provided alternative mitigation options with instructions in the security advisories. The software provider also published a list of indicators of compromise, including attacker IPs, and recommends customers search Check Point SmartConsole logs for possible VPN certificate authentication attempts associated with observed attacker infrastructure and certificate subject names for at least May 7 through June 5. ®

  •  

Ransomware sends Illinois high school on an early summer vacation

An Illinois high school won't reopen until Wednesday at the earliest after suffering a ransomware attack on Sunday, June 7. Evanston Township High School (ETHS), located 14 miles north of Chicago, said it would be closed today and tomorrow, and that the closure also affected summer school, sports camps, and on-campus activities, which are all canceled. "Upon discovering the incident, we immediately activated our incident response procedures and engaged external cyber breach attorneys and cybersecurity forensic experts to assist with the investigation and recovery process," ETHS said in a statement issued via a dedicated information page. "We are working with these specialists to determine precisely what information may have been accessed or acquired and to restore normal systems operations as quickly as possible. The district is cooperating with the Federal Bureau of Investigation (FBI) as part of the ongoing investigation." It said that phone systems are down and staff have limited access to emails. Children and their families may also not be able to access certain online resources, all of which suggests the institution may still be in the containment phase of remediation. Among the online resources currently offline is Home Access Center, which is powered by PowerSchool. PowerSchool itself was was at the center of a cybersecurity disaster in late 2024. However, ETHS has not linked the platform to the ransomware attack. All staff other than safety and operations workers were told to work from home, although their work will be limited since, for the time being, they're locked out of the district's Google accounts and "other network systems, including eSchool." "We understand this situation is disruptive and appreciate your patience and flexibility," ETHS went on to say. "Additional updates and instructions will be provided as they become available." No major ransomware group has claimed responsibility for the intrusion at the high school yet. Education under attack The ETHS incident follows a separate attack on the education sector disclosed on June 4 that affected 13 schools in Powys, Wales. Powys Council set up its own information page about the attack, although it has not revealed much, saying it is awaiting the outcome of investigations by external specialists. However, it said the attack has affected "some school systems" and personal data belonging to both staff and pupils was accessed. The council identified 13 affected schools, although the compromised data only appears to have been taken from one of these, according to current information. Its information page repeatedly uses the phrase "because of the sensitive nature of the data." The council cites this as the reason for not revealing information such as which schools were affected, how many individuals are affected, what types of data have been accessed, and whether this included sensitive or safeguarding-related data. It also refused to say whether the attack involved ransomware or who was responsible for it. However, it said the risk of identity fraud would vary by individual, hinting that different types of personal data may have been accessed. Powys Council confirmed that all schools across the region remain open, and the cyberattack does not affect their day-to-day safety or operations. Education remains a strong target for cybercriminals. Given the sensitivity of the data these organizations store, it makes the sector one of the most attractive for financially motivated criminals looking for an extortion payment. In the UK, the Information Commissioner's Office said that between 2022 and 2024, pupils were responsible for 57 percent of 214 school data breaches, often using stolen login details. ®

  •  

If you don't fall for these extortionists' calls, they'll show up with USB sticks

If they don't get you online, they'll try in person. A data-theft and extortion gang has targeted “dozens” of banks, law firms, and other professional services companies in the US from January through May, using fake help desk calls and other social-engineering techniques to gain access to corporate IT environments, according to Google’s Mandiant incident response team. And when those remote-deception methods don’t work, the criminals sometimes show up at victims’ physical offices, posing as IT technicians, and attempt to steal sensitive files using thumb drives. Google’s threat hunters track the extortion threat group as UNC3753, while other analysts call it Luna Moth, Chatty Spider, and Silent Ransom Group. The crew has been around since 2022, originally using fake software renewal emails and other billing lures, typically with PDF attachments containing phone numbers for attacker-controlled call centers, as their means of gaining initial access to corporate networks. Beginning around March 2025, the crims shifted tactics and started posing as IT help desk staff. “While UNC3753 primarily relies on digital vectors, GTIG assesses that associated threat actors have also attempted direct data theft using physical, in person access,” Google incident responders and researchers Chad Reams, Tufail Ahmed, Keith Knapp, Ashley Frazer, and Tyler McLellan said in a Friday blog. The authors also pointed to a May FBI alert to corroborate this in-person tactic. According to the feds, Silent Ransom Group crooks have been walking into law firms’ physical offices as recently as this spring. Once they are on-site, they claim to be IT support staff needing to image a device or create local backups for security reasons. If that line works, they plug a thumb drive into the victim’s computer and steal data the old-fashioned way. “Although limited forensic evidence and the absence of a subsequent extortion attempt prevent formal attribution, GTIG assesses that these physical intrusions are likely associated with UNC3753 based on structural, timeline, and targeting overlaps,” the blog said. Google won’t say how many dozens of firms have been targeted in these attacks, or how many ended in the data thieves paying a visit to the victims’ locations. “While we can’t share additional details regarding specific investigations, Mandiant CTO Charles Carmakal notes that this tactic has been observed over the years,” a spokesperson told The Register. “Mandiant has investigated various matters where adversaries planted insiders, bribed employees, or physically entered buildings to facilitate cyberattacks.” Another noteworthy thing about UNC3753’s attacks: they are very fast. In many of Mandiant’s investigated incidents, the entire operation from initial contact to data extortion occurred in just one day. “Recently, Mandiant observed data searches, staging, and theft initiated in under an hour,” the threat analysts warned. These intrusions typically begin with an invoice-themed email - but these don’t usually contain any malicious links or attachments. The email’s sole purpose is to give the miscreants a plausible reason to follow up via phone, so that the recipient is more likely to believe the call is legitimate. Most of the crew’s entry mechanisms involve voice-phishing, using a method that has worked so well for other groups like ShinyHunters and Scattered Spider over the past few years. UNC3753 calls organizations’ employees directly and purports to be a help desk worker or member of the security team. The criminals say they need the target’s help addressing a security issue or aiding with a corporate data migration project, and convince the individual to join a screen-sharing session via Zoom, Microsoft Terminal Services, Microsoft Teams, or Quick Assist. In one such intrusion, using Teams to gain access to the victim’s computer, the attacker jumped on five separate calls with the same target over a three-day period, we’re told. And in more than one incident that Mandiant responded to, UNC3753 established Zoom sessions directly on targets' personal laptops, using these machines to access corporate virtual desktop infrastructure (VDI) using native client platforms, such as Windows 365 or Citrix clients. Once they’re in the corporate systems, the intruders map local directories and network drives, and target specific legal and document storage repositories. The crooks also use very-specific keyword searches to find sensitive folders containing tax logs (Forms W-2, W-9, and 1099), audit files, corporate client agreements, and Social Security numbers, before staging this data for exfiltration. UNC3753 uses several methods to sneak the data out of the corporate IT environment without setting off any security alarm bells, including using portable versions of free Windows file manager WinSCP or another open source filesystem like Rclone. The crew has also been known to log into a file-sharing account from the victim’s browser and upload the stolen files that way - or even instruct the victims to send the files to an attacker-controlled email address. After stealing the data, they send the extortion email, usually within 30 minutes of exiting the victim’s environment, and set a three-day deadline to respond and begin the negotiation process. “We hope to find a financial solution that will be acceptable for both parties,” reads one such extortion email. It continues: In case of ignorance or no agreement, We will notify your employees, partners and customers, after which We will publish your data. You will receive claims from individuals, and legal entities for information leakage and breach of contracts, your current deals will be terminated. Journalists and others will dig into your documents, finding inconsistencies or violations in them. Your organization will lose its reputation, shares will fall in price, and your organization will be forced to close. Stay safe, friends In the Friday report, Google’s threat hunters list IP addresses and other indicators of compromise, including these phishing domains that UNC3753 uses in its social-engineering attacks, all designed to look like the target organization’s help desk: -itdesk[.]com, -it[.]com, and -helpdesk[.]com. The security shop also suggests a range of things companies can do to avoid falling victim to this group and other voice-phishing scams or physical office intrusions. Some of the physical controls include requiring visitors to display official credentials and photo identification, and mandating front-desk staff log all visitor IDs before granting access. Also, check pre-scheduled work orders to ensure the “technician” at the front desk is who they say they are, and make sure any visiting technical service workers are always accompanied by a corporate, in-office supervisor. Because the bulk of these intrusions occur without any physical entry into the office, however, companies should also implement remote access conditional access policies to ensure only corporate-owned devices can authenticate to any VDIs or VPNs. Plus, block the installation and execution of unauthorized remote monitoring and support utilities. ®

  •  

Pink is the latest goon squad to use fake helpdesk calls to steal creds

UPDATED A new extortion brand called Pink – which may be a rebrand of BlackFile – uses voice phishing and fake help-desk calls to gain initial access to organizations’ IT environments, steal their sensitive data, and threaten to leak it unless the victims pay a ransom demand. Palo Alto Networks' Unit 42 first spotted the gang, which it tracks as cluster CL-CRI-1147, and its data-leak site, which went live on May 31. “Pink uses vishing and IT impersonation to phish credentials/MFA, then exfiltrates enterprise cloud storage and productivity data to extort victims,” the threat-intelligence biz said in a LinkedIn post. Google Threat Intelligence is not so sure it's a new gang, however. "After retiring the BlackFile brand in May 2026, we assess the group launched the 'Redact' brand and has now potentially surfaced as 'Pink,," Austin Larsen, Principal Threat Analyst at Google Threat Intelligence Group, told us. "This new operation exhibits hallmarks of UNC6671, including similar credential-harvesting infrastructure, data leak site (DLS), and recurring messaging that claims to 'improve the security' of victims who pay. Additionally, we attribute the Pink (CL-CRI-1147) domains recently published by Unit42 to UNC6671." Regardless whether it's brand new or just a new coat of paint, the tactics are very familiar. Pink is one of many goon squads to use these social-engineering tactics to steal employees’ credentials and bypass multi-factor authentication, using this access to burgle companies’ cloud storage and databases. Chaotic crime crew Lapsus$, during its 2021 and 2022 extortion spree that hit Nvidia, Microsoft, and Okta, among others, popularized this style of phone-based intrusions before Scattered Spider picked up the mantle. Scattered Spider is perhaps best known for its 2023 Las Vegas casino digital heists, and reportedly bragged that all it took to break into MGM's networks was a 10-minute call with the help desk. Over the last few years, ShinyHunters has used this same playbook to steal sensitive data from Ticketmaster, AT&T, and other Salesforce customers, and thousands of schools and universities that use Canvas’ digital learning platform. Despite multiple arrests across all three gangs, they keep coming back to victimize more organizations. Most incident responders, including Google’s Mandiant and Unit 42, link many of these criminal collectives to The Com, a loosely knit group of primarily English speakers made up of several interconnected networks of hackers, SIM swappers, and extortionists, with some of its subgroups offering real-life violent crime for hire. According to Unit 42, this latest cluster of extortion activity is also “likely a Com-affiliated actor.” And after investigating “multiple” of these extortion attacks over the past few months, on Monday, they spotted something that led them to Pink’s name-and-shame website. “On June 1, 2026, an existing extortion negotiation that had never received a response, attributed to a likely Com-related cluster, received new communication from a threat actor via a free webmail account,” Unit 42 analysts Richard Emerson and Cuong Dinh said in a Wednesday threat-intel post. “The actor provided a new qTox ID and a leak site associated with the Pink brand, but referenced exfiltrating almost identical information from the original extortion notice.” Pink data thieves set a 72-hour deadline for the victim to respond before leaking the stolen goods. After gaining access to the victim’s account, the criminals snoop around for valuable corporate and customer data from platforms like SharePoint and OneDrive. After exfiltrating the stolen files, Pink attackers use compromised victim accounts and internal Teams messages to extort the company. “The actor reuses second-level domains to target multiple organizations, and the third-level domain typically thematically represents the target,” Emerson and Dinh wrote. They also listed the following phishing domains as indicators of compromise: passkeyadd[.]com passkeydeploy[.]com deploypasskey[.]com Along with these three IP addresses: 185[.]178.208[.]153 (hosted phishing domains) 172[.]93.100[.]252 (accessed compromised accounts) 96[.]232.20[.]66 (residential proxy IP responsible for extortion email creation) Plus, these user-agent strings were observed during data exfiltration: Microsoft.Graph.Client/5.62.0 python-requests/2.28.1 python-requests/2.33.1 Network defenders can use these to assist in threat-hunting efforts. And be very wary of help desk calls, both from people claiming to be employees locked out of corporate accounts and from those purporting to be support staff rolling out a mandatory MFA update or other emergency. ®

  •  

Duo who sold car crash victims' data must repay £118k

Two former RAC workers in the UK have three months to pay more than £118,000 ($158,500) collectively after being convicted of selling crash victims’ data, according to the Information Commissioner’s Office (ICO). Debbie Okparavero and Maliha Islam, of Salford and Manchester respectively, were sentenced to six-month prison stints, suspended for 18 months, and 150 hours’ unpaid work in 2024, after being found guilty of offenses under the Computer Misuse Act 1990 and the Data Protection Act 2018. The pair, who worked for roadside accident biz RAC, were caught selling the personal data of car crash victims – just shy of 30,000 lines of data to an unknown buyer, the ICO revealed following an investigation. Okparavero and Islam were in a WhatsApp chat together, where they discussed the data and its sale to the unknown third party. RAC clocked on to the activity after deploying unspecified monitoring software, which detected Okparavero copying the data from RAC systems. A resulting investigation showed that around 29,500 lines of data were shared with Islam via WhatsApp. Islam was ordered to repay £39,522.50 ($48,274.45) for her part in the scheme in November, and the ICO noted in a Thursday announcement that she paid this in full. Reflecting more serious offending, at Manchester Crown Court on May 29, Okparavero was ordered to repay £89,277.32 ($119,962.38) within three months. Failure to do so will result in her serving 18 months in prison. Andy Curry, head of investigations at the ICO, said: “This outcome demonstrates justice did not end at sentencing. Our powers enabled us to continue to pursue these two individuals in order to strip them of assets gained through their serious criminal activity. Through the Proceeds of Crime Act, we are ensuring people do not financially benefit from their criminal activity. “I would like to once again thank the RAC for informing us about this breach and fully supporting the ICO’s investigation, which enabled us to hold these two individuals to account.” ®

  •  

'Dumbass' criminal breaks the 'first rule of ransomware club'

Even ransomware cartels make mistakes, and in this case, it was a biggie that could have landed the responsible crim in a Russian gulag: accidentally infecting a company located in a Commonwealth of Independent States country. In what threat-hunter Dominic Alvieri deemed the ransom “dumbass of the day,” Nova, the affiliate program for ransomware crew RAlord, on Tuesday issued an apology to Eriell Group, a major oilfield services company with headquarters in Uzbekistan and a corporate office in Moscow. Apparently, Eriell contacted Nova and notified the ransomware operators about an affiliate's mess-up. The affiliate has since been banned from the criminal operation, we’re told. In addition to issuing a “formal apology,” the ransomware gang promised to assist Eriell with the recovery process “free of charge.” The malware slingers claimed they didn’t encrypt any files, and pledged not to leak any of the stolen data. “Apparently, the first rule of ransomware club, you don't attack organizations in the Commonwealth of Independent States (CIS), is still very much in effect in 2026,” Recorded Future threat intelligence analyst Allan Liska told The Register. While cybercrime is technically illegal in Russia and other CIS countries, their governments often provide safe harbor for extortionists and other financially motivated crims - especially if they also happen to work day jobs as state-sponsored hackers - and local police look the other way unless the gangs infect any in-country organizations. Some crews, like the DragonForce cartel, VanHelsing ransomware-as-a-service group, and notorious LockBit operators, expressly prohibit their gang members and affiliates from hitting Russian and other CIS targets. We’re guessing that the Nova affiliate will be high up on all of these gangs’ do-not-hire lists for quite a while. Still, they aren’t the first cybercriminal, Russian-speaking or otherwise, to make seriously dumb mistakes. Earlier this year, notorious data-leak-and-extortion crew Scattered Lapsus$ Hunters claimed they had gained "full access" to Resecurity's systems and stolen "everything." Resecurity later offered its "congratulations" to the cybercrime crew, which had fallen into the threat intel team's honeypot – resulting in a subpoena being issued for one of the data thieves. Pro-Russian hacktivist crew CyberVolk got sloppy when they debuted a ransomware service late last year. They hardcoded the master keys - this same key encrypted all files on a victim's system - into the executable files, thus allowing victims to recover encrypted data without paying any extortion fees. While that mess-up worked in the victim orgs’ favor, another coding error committed by Sicarii malware developers makes it nearly impossible for companies to recover their files: the Sicarii encryptor generates a new cryptographic key pair during every execution - but then discards the private key, meaning there's no recoverable master key. Similarly, a programming mistake in Nitrogen ransomware prevents the gang's decryptor from recovering victims' files, again making paying up futile. Trellix VP of threat intel strategy John Fokker recently told us that he got so sick of seeing the security industry "glorifying threat actors,” that he and his team decided to troll the baddies, and started publishing the Dark Web Roast. “These are just individuals, they just use computers, and they just want to steal your data and make money,” Fokker told The Register. “They're not mythical. They don't have superpowers." And just like any other individual - or superhero - they sometimes slip up, and give the rest of us a moment of snarky joy. ®

  •  

Fake virus alerts are invading mobile games

Sometimes it happens. You’re happily playing a game on your phone or laptop when suddenly alarms pop up out of nowhere:

“Your device is infected!”

“Your iCloud is full!”

“Your account is restricted for watching porn!”

Some games can be played for free if you agree to watch ads, and in others you can get extra lives, perks, or boosters by watching ads. That’s fine, as long as you’re given a choice and the ads are legitimate.

Unfortunately, cybercriminals sometimes manage to buy advertising space and use it to defraud gamers.

Let’s look at some examples.

The iCloud storage scam, or its OneDrive equivalent, is a well-known and long-running scam that claims you need to expand your storage or all your files will be deleted. The websites these messages link to come in many forms, but they all ask for personal and payment details to complete the upgrade.

Restricted account

“Your account has been restricted.
We have detected that your device has been hacked after visiting adult websites.
Solution:
1:Click the “OK” button below;

2:You will be redirected to App Store;

3:Install and open the app, then run the cleanup program.”

This ad is a scam and uses a classic scare tactic. It falsely claims your device has been hacked and tries to pressure you into clicking “OK” and installing a cleanup app.

Messages like this sometimes claim to be from your ISP, a “Security Department,” or a generic “Safety Center.”

 Fake Apple security alert

“Apple Security Alert
8 viruses have been detected on your iPhone. Now iOS is damaged by 72%. Further damage to the system will result in device lockup and loss of all data within two minutes.
Please click the button below to remove all viruses.”

This is another fake warning, commonly used by scammers to trick users into clicking links or downloading unnecessary or harmful software. Apple doesn’t send alerts like this, and these messages use vague threats to get your attention.

What kind of app you’re really installing if you follow the instructions depends on your device and your location. If you’re “lucky,” it’s just adware, but you might just as easily end up with an infostealer.

In many cases, you’ll end up with fleeceware, a type of deceptive mobile app where developers lure users in with short free trials that quickly convert into hidden subscription fees, sometimes costing hundreds of dollars per month. These apps often offer some functionality to stay on the barely legal side of things, but at wildly inflated prices.

How to stay safe

The best response to these messages is simply to ignore them.

Real system alerts come from the OS, not from inside a game window or browser tab. Here’s a simple test: If you can switch apps and the “warning” disappears with the browser/game, it was not a system‑level alert.

Check the destination URLs before proceeding. Apple, Google, and major ISPs use predictable domains. A familiar-looking URL is not proof that a message is legitimate, but if the URL looks suspicious, it should definitely be treated as a scam.


Scam or legit? Scam Guard knows.


You may arrive at something that looks like the official App Store or Google Play Store. Be wary of lookalike app stores and unofficial download sites, but if you are on the real store, the app is generally safer to install. However, it’s still worth checking reviews, permissions, and the developer before proceeding.

Visit the official website of the organization the message claims to be from and log in there. If there’s a genuine problem with your account, storage, or device, you’ll find information about it through official channels.

Use an up-to-date, real-time anti-malware solution on your devices that can detect and block malicious apps.


Scammers know more about you than you think. 

Malwarebytes Mobile Security protects you from phishing, scam texts, malicious sites, and more. With real-time AI-powered Scam Guard built right in. 

Download for iOS → Download for Android → 

  •  

Fake virus alerts are invading mobile games

Sometimes it happens. You’re happily playing a game on your phone or laptop when suddenly alarms pop up out of nowhere:

“Your device is infected!”

“Your iCloud is full!”

“Your account is restricted for watching porn!”

Some games can be played for free if you agree to watch ads, and in others you can get extra lives, perks, or boosters by watching ads. That’s fine, as long as you’re given a choice and the ads are legitimate.

Unfortunately, cybercriminals sometimes manage to buy advertising space and use it to defraud gamers.

Let’s look at some examples.

The iCloud storage scam, or its OneDrive equivalent, is a well-known and long-running scam that claims you need to expand your storage or all your files will be deleted. The websites these messages link to come in many forms, but they all ask for personal and payment details to complete the upgrade.

Restricted account

“Your account has been restricted.
We have detected that your device has been hacked after visiting adult websites.
Solution:
1:Click the “OK” button below;

2:You will be redirected to App Store;

3:Install and open the app, then run the cleanup program.”

This ad is a scam and uses a classic scare tactic. It falsely claims your device has been hacked and tries to pressure you into clicking “OK” and installing a cleanup app.

Messages like this sometimes claim to be from your ISP, a “Security Department,” or a generic “Safety Center.”

 Fake Apple security alert

“Apple Security Alert
8 viruses have been detected on your iPhone. Now iOS is damaged by 72%. Further damage to the system will result in device lockup and loss of all data within two minutes.
Please click the button below to remove all viruses.”

This is another fake warning, commonly used by scammers to trick users into clicking links or downloading unnecessary or harmful software. Apple doesn’t send alerts like this, and these messages use vague threats to get your attention.

What kind of app you’re really installing if you follow the instructions depends on your device and your location. If you’re “lucky,” it’s just adware, but you might just as easily end up with an infostealer.

In many cases, you’ll end up with fleeceware, a type of deceptive mobile app where developers lure users in with short free trials that quickly convert into hidden subscription fees, sometimes costing hundreds of dollars per month. These apps often offer some functionality to stay on the barely legal side of things, but at wildly inflated prices.

How to stay safe

The best response to these messages is simply to ignore them.

Real system alerts come from the OS, not from inside a game window or browser tab. Here’s a simple test: If you can switch apps and the “warning” disappears with the browser/game, it was not a system‑level alert.

Check the destination URLs before proceeding. Apple, Google, and major ISPs use predictable domains. A familiar-looking URL is not proof that a message is legitimate, but if the URL looks suspicious, it should definitely be treated as a scam.


Scam or legit? Scam Guard knows.


You may arrive at something that looks like the official App Store or Google Play Store. Be wary of lookalike app stores and unofficial download sites, but if you are on the real store, the app is generally safer to install. However, it’s still worth checking reviews, permissions, and the developer before proceeding.

Visit the official website of the organization the message claims to be from and log in there. If there’s a genuine problem with your account, storage, or device, you’ll find information about it through official channels.

Use an up-to-date, real-time anti-malware solution on your devices that can detect and block malicious apps.


Scammers know more about you than you think. 

Malwarebytes Mobile Security protects you from phishing, scam texts, malicious sites, and more. With real-time AI-powered Scam Guard built right in. 

Download for iOS → Download for Android → 

  •  

Palo Alto VPN bug graduates from advisory to active exploitation

Palo Alto customers are being been told to patch yet another internet-facing security flaw after researchers caught attackers bypassing GlobalProtect authentication and gaining unauthorized VPN access. The flaw, tracked as CVE-2026-0257, affects PAN-OS deployments using GlobalProtect authentication override cookies under specific configurations. Palo Alto disclosed the bug on May 13 and initially assigned it a medium-severity rating, saying it was aware of attempts to exploit it but had not observed any malicious exploitation. That assessment has not aged well. Security boffins at Rapid7 said they observed successful exploitation across multiple customer environments dating back to at least May 17 and validated the attack technique using its own proof-of-concept testing. Attackers established unauthorized VPN sessions on vulnerable systems, potentially granting access to internal corporate networks without legitimate credentials, it added. Rapid7's analysis suggests the flaw comes down to how PAN-OS trusts authentication override cookies. In certain deployments, hackers can create their own cookies and have the firewall accept them as legitimate. The risk is highest where the same certificate is used for both HTTPS services and authentication override cookies, giving the baddies access to the information needed to generate convincing fakes. Rapid7 said it observed multiple waves of activity targeting vulnerable devices. In some cases, cybercrims successfully obtained VPN IP addresses and network access, but the company said it didn’t observe evidence of successful lateral movement following initial access in the incidents it investigated. The flaw has now landed in CISA's Known Exploited Vulnerabilities catalog, with federal agencies given until June 1 to patch or otherwise secure affected systems. Palo Alto has also revised its advisory, elevating the severity rating and attaching its highest urgency label. Fixes are available for supported releases. "Palo Alto Networks has become aware of limited exploit attempts on unpatched PAN-OS devices without mitigations applied," the firm said in an update. The latest PAN-OS headache arrives less than a month after another Palo Alto emergency. In May, state-backed attackers were found exploiting CVE-2026-0300, a critical remote code execution flaw in the PAN-OS User-ID Authentication Portal, before patches became widely available. Organizations running vulnerable GlobalProtect gateways now face a familiar choice: patch quickly or find out whether someone else gets there first.®

  •  

How fake Android IPTV apps are stealing users’ money and data | Kaspersky official blog

Threat actors are already gearing up for this year’s biggest football (soccer) event, the World Cup 2026. With millions of fans looking for ways to stream matches online, many will turn to IPTV apps to watch live TV broadcasts over the internet. It’s no surprise, then, that cybersecurity researchers have discovered multiple campaigns over the past few months where malware was disguised as fake Android IPTV apps.

In this post, we discuss what IPTV apps are, how criminals use fake versions to spread malware, what this malware is capable of, and, most importantly, how to avoid becoming a victim.

What are IPTV apps?

IPTV stands for Internet Protocol Television. This technology delivers TV content over the internet instead of through cable, over-the-air antennas, or satellites. Naturally, the simplest and most common examples of IPTV are the official platforms of TV networks, which can include both websites and dedicated apps.

However, alongside official options, pirate IPTV services also exist. They usually lure users with free or dirt-cheap access to content that can otherwise be hard to find without expensive subscriptions — most notably broadcasts of various sporting events; football matches in particular.

As is typically the case with pirated content, these apps are blocked from official app stores, forcing users to download them from third-party sites. Consequently, the risk of using these services isn’t tied to IPTV technology itself, but rather to the fake apps and modified APK files distributed under the guise of well-known platforms — both official and pirated.

Massiv banking Trojan disguised as IPTV apps

For instance, in February researchers found the Massiv banking Trojan distributed under the guise of fake IPTV apps. Even then, experts noted that this wasn’t the only malware leveraging this tactic — several others were also spotted in the wild. The primary targets of these IPTV-mimicking malicious fakes have mostly been users in Portugal, Spain, France, and Türkiye.

In most cases, the discovered fake IPTV apps lacked the advertised functionality, so users didn’t get access to any content after installing the apps. Instead, the fake app would open the website of a legitimate IPTV service in a built-in browser to mimic normal functioning and avoid raising user suspicion.

Of course, the most interesting activity happened out of the user’s sight. These are some of the features the malware did have:

  • Displaying fake windows on top of legitimate ones: fake forms for entering bank details or signing in to official services, as shown in the screenshot below.
  • Activating a keylogger: recording and transmitting screen keyboard taps to the attackers.
  • Hijacking control of the compromised device.
Massiv Trojan steals Chave Móvel Digital data

The Massiv banking Trojan mimics the interface of the Portuguese government app Chave Móvel Digital in a fake pop-up window, looking even more convincing than the official version from Google Play. Source

Perseus steals valuable information from users’ notes

In March, researchers reported on a new campaign where several fake IPTV apps were used to distribute an even more advanced and feature-rich malware strain: Perseus.

Research into Perseus shows that the malware is based on the source code of an Android banking Trojan called Cerberus, which leaked nearly six years ago. Perseus comes in two different versions: Turkish and English. The English-language version is more advanced and shows clear signs of AI-driven refinement.

Perseus abuses Accessibility Services, a set of Android features originally designed to make life easier for users with severe visual impairments. Fraudsters learned long ago how to leverage this tool to steal data from Android devices — a topic we’ve covered in detail across several of our posts.

Fake IPTV app used for distributing Perseus

An example of a malicious APK disguised as Roja Directa TV, another IPTV app. Source

By abusing Accessibility Services, Perseus gains remote control over the victim’s device. Here’s what it can do:

  • Continuously capture and exfiltrate screenshots.
  • Send a structured map of the device’s UI for remote manipulation.
  • Mimic taps, swipes, text input, long presses, and other UI interactions.
  • Turn on the screen, launch apps, and block them from running.
  • Trigger a pitch-black screen overlay to hide its activities.
  • Log keystrokes.

On top of that, the English-language version of Perseus boasts another notable feature. The malware can hunt for sensitive information like passwords, recovery phrases, and financial data across an entire range of note-taking apps: Google Keep, Xiaomi Notes, Samsung Notes, ColorNote, Evernote, Microsoft OneNote, and Simple Notes.

All of these capabilities help criminals drain football fans’ money not just from various banking services, but from cryptocurrency apps as well.

How not to let cybercrooks ruin your World Cup

The World Cup is just around the corner, and millions of fans worldwide will definitely want to tune in to this year’s premier football event. Past experience shows that cybercriminals frequently cash in on major spectacles like this. So, how can you watch the  matches safely?

  • Don’t download apps from unofficial stores.
  • Even when downloading an app from an official store — since malware occasionally slips through the cracks there, too— read the reviews carefully. Users who have been burned by fakes and malware often leave comments to warn others.
  • Install a robust security app to keep all your devices safe from malware.
  • Avoid storing passwords or other sensitive information in note-taking apps. To ensure your data and finances stay secure, use a reliable password manager. By the way, Kaspersky Password Manager includes an encrypted note-taking feature, allowing you to store your valuable information safely.

You can’t even watch TV safely anymore these days! Check out other threats facing TV lovers:

  •  

ShinyHunters adds Charter to trophy shelf after 4.9M customer records leak

ShinyHunters claims it has dumped the personal details of millions of Charter Communications customers after the US telecom giant apparently declined to play along with the gang's latest extortion demands. According to Have I Been Pwned, the breach exposed the personal details of 4.9 million customers, including names, email addresses, phone numbers, and physical addresses. It says a smaller subset of roughly 85,000 records originating from an internal staff directory also contained job titles. Charter appeared on the ShinyHunters leak site earlier this month, with the extortion crew claiming to have stolen more than 42 million records belonging to consumer and business customers. The listing, seen by The Register, warned: "Over 42M records containing PII have been compromised. This is a final warning to reach out by 27 May 2026 before we leak along with several annoying (digital) problems that'll come your way." After the alleged deadline passed, the criminals updated the post with a familiar message for organizations that decline to pay. "Over 42M records containing PII have been compromised. The company failed to reach an agreement with us despite our incredible patience, all the chances and offers we made. They don't care." Charter, one of the largest broadband providers in the US through its Spectrum brand, confirmed it is investigating the incident but disputed the sensitivity of the data exposed. "We are aware of the situation, following our security protocols and are working with appropriate authorities," the company said in a statement provided to multiple outlets. "No sensitive personal information (PI) or customer proprietary network information (CPNI) data was exfiltrated by the threat actor as a result of recent activity." That may be technically true, but millions of names, addresses, phone numbers, and email addresses still represent a useful haul for scammers, phishers, and identity thieves. The incident is also not Charter's first brush with high-profile intrusions. The telecom provider was among the organizations reportedly caught up in China's Salt Typhoon espionage campaign last year, alongside a growing list of US telcos. The leak lands hours after Carnival Corporation, the world's largest cruise operator, admitted that ShinyHunters had also made off with the personal data of nearly six million people, suggesting the gang has been enjoying an unusually busy week. For companies weighing whether data theft is less disruptive than ransomware, ShinyHunters keeps providing fresh case studies in why that difference may not matter much to the people whose information ends up online. ®

  •  

Carnival confirms ShinyHunters cruised off with 6M customer records after April breach

Carnival Corporation - the world's largest cruise operator - has confirmed a digital heist, a month after hacking crew ShinyHunters claimed to have stolen millions of customers' records. The breach, Carnival confirmed, stemmed from an April 14 social engineering attack on an employee, though the company declined to comment on the scale or name ShinyHunters. However, a company filing with the Maine attorney general's office puts the number of affected individuals at just under six million, down from the 8.7 million records previously listed by Have I Been Pwned. Carnival previously acknowledged the phishing attack at the time, but it did not say whether any data had been accessed or stolen. ShinyHunters claimed it lifted terabytes' worth of Carnival records and hinted at a breakdown in negotiations, likely related to the criminal outfit's extortion demands. "The company failed to reach an agreement with us despite our incredible patience," ShinyHunters wrote on its data leak site, adding: "They don't care." Following a "thorough and time-consuming analysis of the impacted data," Carnival confirmed that names, addresses, email addresses, phone numbers, dates of birth, and state identification numbers were all included in the breach. As is often the case in data theft incidents, individuals will be affected to different degrees, depending on what information they shared with the company. Carnival began sending notifications directly to affected individuals on Wednesday. Those communications include details about how recipients can redeem two years of free credit monitoring services, as is common in US breach notifications, via TransUnion. It closed its message with a promise to improve: "In addition to the comprehensive security measures the company had in place prior to the incident, it has taken steps to further safeguard its systems, including enhancing its security and monitoring controls. "The company will continue to advance its IT security and data privacy controls to stay ahead of an ever-evolving threat landscape." ®

  •  

2026 World Cup: Discussing The World’s Biggest Game’s Attack Surface

The 2026 World Cup presents major cyber risks from ransomware groups, state-aligned actors, and other groups targeting critical infrastructure. Learn more here.

The post 2026 World Cup: Discussing The World’s Biggest Game’s Attack Surface appeared first on Unit 42.

  •  

Out of the Crypt: The Evolving Cyber Extortion Economy

Unit 42 explores trends in data theft and extortion, outlining key strategies for organizations as frontier AI models advance.

The post Out of the Crypt: The Evolving Cyber Extortion Economy appeared first on Unit 42.

  •  

CrowdStrike, Google shatter Glassworm botnet

CrowdStrike, working with Google and the Shadowserver Foundation, said it has taken down the Glassworm botnet, a self-propagating, credential-stealing worm that has targeted developers and spread through poisoned software packages since early 2025. The endpoint security giant’s Counter Adversary Operations team and partners hit all four Glassworm command-and-control channels simultaneously at 1400 UTC on Tuesday, “severing the operators from their infected machines and their ability to deliver new malicious payloads,” according to CrowdStrike’s blog. Google Threat Intelligence Group chief analyst John Hultquist confirmed his company’s involvement in a social media post. “As part of our disruption efforts, we are working with partners to bring more pain to attackers, especially when we see them abusing our products or targeting our users,” Hultquist wrote. A spokesperson declined to provide additional details to The Register about Google’s role in the takedown. The disruption comes as another self-replicating worm, Mini Shai-Hulud, rips through open source code and miscreants poison GitHub repositories and npm packages in similar supply-chain attacks also targeting developers’ environments. “Glassworm marked a significant shift in the threat landscape that should serve as a wake-up call for every organization that ships or consumes software,” CrowdStrike wrote. “Adversaries are no longer just targeting products, they're targeting the developers who build them.” First spotted by endpoint security shop Koi in October 2025, Glassworm used invisible Unicode-based code injection, blockchain-based C2 infrastructure, and Google Calendar as a backup command server to turn infected developers’ machines into criminal proxy nodes. This self-replicating worm initially targeted VS Code extensions on the OpenVSX marketplace before moving on to npm and Python packages, and later poisoned more than 300 GitHub repos using stolen credentials harvested in earlier Glassworm infections. This worm appeared about a month after another self-propagating malware strain, Shai Hulud, first wormed through npm packages including those maintained by CrowdStrike. Glassworm infected all platforms - including Windows, macOS, and Linux systems - stealing credentials and other sensitive information, and also spawning its own Node.js remote access tool called GlasswormRAT. C2 architecture designed to withstand takedowns Glassworm’s C2 infrastructure used four distinct channels to complicate takedown efforts. These included the Solana blockchain, with C2 server addresses encoded in the memo fields of blockchain transactions, ensuring the C2 couldn’t be taken offline through conventional means. It also used Google Calendar event titles as dead-drop locations for Base64-encoded C2 paths. The GlasswormRAT used a decentralized BitTorrent Distributed Hash Table (DHT) for configuration data stored against hardcoded public keys. And finally, Glassworm relied on traditional C2 servers, hosted on commercial VPS providers, as the final payload delivery mechanism. Disrupting all four channels “required precision and timing,” according to CrowdStrike. “Taking down only one channel would have left the others operational, allowing the operators to quickly reconstitute.” All Glassworm-infected machines now beacon to the benign CrowdStrike-operated IP address 164.92.88[.]210. The security shop urges organizations to review network logs and endpoint telemetry for connections to this address, which indicate a Glassworm infection. ®

  •  
❌