North Korean Hackers Use AppleScript and ClickFix on macOS

An update on the macOS ClickFix threat: North Korean actors Sapphire Sleet and UNC1069 are now deploying AppleScript-based delivery chains and "Terminal-paste" lures to steal crypto-wallets and credentials from enterprise targets. SEOUL, SOUTH KOREA — The "ClickFix" social engineering phenomenon has officially evolved into a targeted nation-state

10k+ Zimbra XSS – CISA-Flagged, 10k+ Exposed Servers, Active Exploitation

A stored cross-site scripting flaw in Zimbra Collaboration Suite (CVE-2025-48700) is now being exploited in the wild against more than 10,000 exposed servers worldwide, prompting CISA to add the bug to its Known Exploited Vulnerabilities catalog and order U.S. federal agencies to patch within three days. GLOBAL — For

LMDeploy LLM Engine SSRF (CVE-2026-33626) Exploited Within 12 Hours

A newly-disclosed Server-Side Request Forgery flaw in the LMDeploy LLM inference-serving toolkit is already under active exploitation, with attackers using a vision-language-module endpoint as an SSRF primitive to probe AWS IMDS, internal databases, and admin planes within minutes of patch availability. SHANGHAI, CHINA — The window between a vulnerability disclosure and

Germany Blames Russia for Signal Phishing Attacks on MPs

German authorities say a wave of phishing attacks targeting lawmakers and senior officials via Signal was “presumably run from Russia,” marking a major escalation in a broader campaign against European political figures. BERLIN, GERMANY — What began as a targeted intrusion has evolved into a full-scale diplomatic and espionage crisis. German

PhantomRPC: A New Windows RPC Privilege Escalation Technique

Security researchers at Kaspersky have uncovered PhantomRPC, an architectural-level vulnerability in Windows Remote Procedure Call that lets attackers deploy a fake RPC server and escalate privileges from low-privileged contexts to SYSTEM or Administrator — without requiring a classic memory-corruption bug. SINGAPORE — In the world of Windows exploitation, attackers usually hunt for

Trigona Ransomware Adopts Custom Tool to Steal Data and Evade Detection

The Trigona ransomware-as-a-service (RaaS) group, linked to the Rhantus cybercrime umbrella, has begun using a privately-built exfiltration tool instead of common utilities like Rclone and MegaSync. The new “uploader_client.exe” client helps Trigona move data quickly, rotate connections to hide from network monitoring, and maintain a lower profile during

Morpheus Android Spyware: Fake Updates and WhatsApp Hijacking

Italian-linked surveillance firm IPS Intelligence is tied to a new Android spyware, “Morpheus,” that tricks targets into installing a fake “update” app and then hijacks WhatsApp accounts using biometric-spoofing overlays. The case highlights how commercial spyware vendors are turning to mobile-phishing tactics to deploy powerful snooping tools. MILAN, ITALY — Another

Mobile SMS Blasters Prowled Canadian Streets, Blocking 911 Calls and Stealing Phone Data

A “mobile SMS blaster” deployed from vehicles in Toronto mimicked cell towers, hijacked tens of thousands of phones, and caused 13 million network disruptions—temporarily blocking 911 access while sending massive volumes of fraudulent texts under Project Lighthouse. TORONTO, ONTARIO — In a first-of-its-kind cybercrime investigation in Canada, the Toronto Police

American Utility Firm Itron Discloses Breach of Internal IT Network

Itron Inc. (NASDAQ: ITRI), a leading smart-meter and utility-technology provider, has disclosed a limited-scope cyberattack on its internal systems, confirming unauthorized access but saying operations and customer systems show no material disruption. LIBERTY LAKE, WASHINGTON — Itron Inc., a global heavyweight in the smart-metering and grid-management sector, has formally disclosed a

UNC6692 Impersonates IT Help Desk via Microsoft Teams to Deploy Snow Malware

A newly-tracked threat cluster, UNC6692, is using social-engineering-driven Teams-chats to pose as IT support, tricking employees into installing a custom modular malware toolkit called SNOW. The attack signals a shift from pure-email-phishing to "chat-based intrusion." MOUNTAIN VIEW, CALIFORNIA — A sophisticated new threat cluster, identified by the Google Threat

Hackers Exploit Critical Breeze Cache Flaw in WordPress Sites

A file-upload bug in the Breeze Cache plugin is under active exploitation, but only sites with the optional “Host Files Locally – Gravatars” feature enabled appear exposed. The issue highlights how a niche plugin setting can create outsized risk across a large WordPress install base. VALENCIA, SPAIN — Threat actors have begun

Pack2TheRoot (CVE-2026-41651): Cross-Distro Linux LPE in PackageKit

A 12-year-old TOCTOU bug in the Linux PackageKit daemon, now dubbed Pack2TheRoot (CVE-2026-41651), allows local users to silently install system packages and escalate to full root on many default-install Linux desktops and servers. BONN, GERMANY — Security researchers from Deutsche Telekom’s Red Team have disclosed a high-severity local privilege escalation