Daemon Tools Was Trojanized for a Month — and the Installer Was Properly Signed

Kaspersky disclosed on May 5, 2026 that Daemon Tools — disk-imaging software with millions of users worldwide — has been distributing trojanized installers from its official website since April 8, 2026. The compromised binaries were signed with valid AVB Disc Soft developer certificates. Thousands of machines across approximately 100 countries received a

Ivanti EPMM Has a Third Zero-Day This Year — and CISA Just Gave Federal Agencies Three Days to Patch

Ivanti disclosed CVE-2026-6973 on May 7 — a CVSS 7.2 EPMM flaw under active exploitation. CISA gave federal agencies just three days to patch (May 10 deadline). It's the third EPMM zero-day of 2026, and Ivanti hints attackers are using credentials stolen during January's campaign. On

$250M Crypto Gang's Burglar Just Got 6.5 Years — Hardware Wallets Aren't Safe

Marlon Ferro, a 20-year-old Santa Ana, California man also known online as "GothFerrari" and "Marlo," was sentenced to 78 months in federal prison on May 7, 2026 for serving as the home-invader and money-launderer for a 14-person "Social Engineering Enterprise" that stole more than

Claude and GPT Helped Hackers Reach the Edge of a Mexican Water Utility's OT Network

Dragos published an intelligence brief on May 6, 2026, documenting a cyber-attack against Servicios de Agua y Drenaje de Monterrey — a municipal water utility in northern Mexico — between December 2025 and February 2026 in which attackers used Anthropic's Claude and OpenAI's GPT to plan the operation,

Poland's Spy Agency Just Broke a 12-Year Silence to Warn That Hackers Reached Five Water Plants

Poland's Internal Security Agency (ABW) published a public report on May 7, 2026 — its first activity summary in 12 years — warning that hackers targeted water treatment stations in five Polish municipalities, gaining access in some cases to industrial control systems and developing the ability to alter technical parameters

Palo Alto Firewall Zero-Day Has Been Exploited Since April 9. Patches Don't Land Until May 13.

Palo Alto Networks disclosed CVE-2026-0300 on May 5, 2026 — a CVSS 9.3 buffer overflow zero-day in PAN-OS that lets unauthenticated attackers execute code as root on internet-exposed PA-Series and VM-Series firewalls. Unit 42 has tracked exploitation by a likely state-sponsored cluster (CL-STA-1132) since April 9. CISA added the CVE

Two More Americans Just Got 18 Months Each for Running North Korean Laptop Farms — That's Eight This Year

Federal prosecutors sentenced two U.S. nationals — Matthew Isaac Knoot of Nashville and Erick Ntekereze Prince of Naples, Florida — to 18 months each for running "laptop farms" that helped North Korean IT workers fraudulently obtain remote employment at nearly 70 American companies. They are the seventh and eighth

Australia Just Built the Cyber Review Board the U.S. Disbanded — and Gave It a Power the U.S. Version Never Had

On Friday, May 1, 2026, Australian Home Affairs and Cyber Security Minister Tony Burke announced the establishment of the Cyber Incident Review Board, a seven-member statutory body modeled on the U.S. Cyber Safety Review Board the Trump administration disbanded mid-investigation in January 2025. Australia's version is chaired

First U.S. Karakurt Sentencing: 8.5 Years for the Negotiator Who Mailed Kids' Records

The DOJ sentenced Latvian national Deniss Zolotarjovs to 102 months in prison on May 4, 2026 — the first U.S. prosecution of a Karakurt member ever. Court documents tie the Conti-affiliated negotiator to extortion of more than 54 organizations, $56 million in losses across 13 victims alone, and a deliberate

ScarCruft Compromised a Yanbian Gaming Site to Hunt North Korean Defectors

ESET disclosed a North Korea-aligned APT37/ScarCruft supply-chain compromise of sqgame.net, a Yanbian-themed gaming platform serving the ethnic-Korean community on the China-North Korea border. Trojanized Android APKs deploy a new BirdCall backdoor port. The APKs are still live.

Patch MOVEit Now Before It Becomes 2023 All Over Again

A 9.8 unauthenticated authentication bypass and a 7.7 privilege escalation flaw in MOVEit Automation chain to full administrative control. Patch this week. Upgrading via the full installer is the only fix — there is no workaround. The product family is the same one Cl0p exploited to breach 2,100

DOJ's Scam Center Strike Force Restrained $701M and Seized Its First Telegram Channel — The Precedent That Will Outlast the Headline

Six days before the 276-arrest takedown, the DOJ's Scam Center Strike Force restrained $701.96 million in cryptocurrency, seized 503 fake investment websites, and pulled off the first-ever federal seizure of a Telegram channel — the recruitment funnel that lured trafficking victims into Cambodian scam compounds. The arrests got