Kimsuky's PebbleDash Now Hits Defense Sectors in Three Countries — And Its New Backdoor Was Coded With AI

Kaspersky found something unusual in a North Korean backdoor: comments that look written by an LLM, not a human. Combined with Kimsuky's expansion into defense targets across three countries, it is documented evidence that state malware development is borrowing AI.

Microsoft's Kazuar Analysis Shows Russia's Secret Blizzard Wants Your Signal Desktop Files

Microsoft's new Kazuar analysis names one capability that ties it to the other Russian Signal operation in the news: Kazuar steals Signal Desktop message files. Encryption protects the conversation in transit — not the database on a compromised laptop.

An AI Found an 18-Year-Old NGINX RCE in Six Hours — CVE-2026-42945 'NGINX Rift'

An autonomous AI was pointed at the NGINX source code and found a critical RCE that survived 18 years of human review — plus three more CVEs in the same six-hour session. NGINX runs a third of the internet's top sites. The discovery method is the bigger story.

Ghostwriter Now Geofences Its Phishing Lures — Only Ukrainian IPs Get the Malware

Ghostwriter built operational security into its phishing lure. Send the campaign's malicious PDF to a Ukrainian IP and it triggers the attack chain. Send it anywhere else — including to the analysts investigating it — and they get a harmless document.

Salt Typhoon Just Pivoted to Azerbaijani Oil and Gas — Chinese APT Targeting Now Follows Energy Geopolitics

Salt Typhoon spent three months inside an Azerbaijani oil and gas company — a target type it normally ignores. Bitdefender's assessment of why is the part that matters: Chinese APT targeting now follows energy geopolitics in real time.

A Spyware Investigator Turned a Signal Hijack Attempt Into a 13,500-Target Russian Campaign Map

Russian government hackers tried to hijack the Signal account of the wrong person. Donncha Ó Cearbhaill investigates spyware for a living — so he reverse-engineered the campaign and found himself one of 13,500+ targets. The 'snowball' methodology is the lesson.

RubyGems Just Shut Down New Signups After 'Hundreds' of Malicious Packages Hit the Registry

RubyGems temporarily turned off new signups after what its security partner called a major malicious attack — hundreds of packages, DDoS, spam, and exploits hitting at once. The halt is the response model defenders should remember.

Germany Warns China Is Close to an AI 'Superhacker' — and Building It in Secret

Germany's top cybersecurity official told lawmakers that China is close to building an AI model with superhacking capabilities — developed in secret. The warning lands a month after Anthropic gated Mythos. AI cyber capability is now great-power competition.

Iranian Spies Are Pretending to Be Ransomware Operators — Inside MuddyWater's Chaos False Flag

An Iranian state-sponsored APT spent early 2026 conducting espionage while wearing the Chaos ransomware brand as a costume. Rapid7 pulled back the curtain. The Microsoft Teams screen-sharing tradecraft is why IR triage needs updating.

Three Unrelated Threat Actors Just Arrived at the Same Conclusion — Your Developers Are the Beachhead

Three unrelated threat actors arrived at the same conclusion in March and April: the developer workstation is the best ROI beachhead. CSO Online's framing — the Developer Credential Economy — is the editorial line CISOs should adopt this quarter.

Cerner Discovered the Breach in February 2025. Atrium Health Patients Found Out 15 Months Later

Cerner discovered the breach in February 2025. Atrium Health patients only learned this week. The 15-month gap — across 16 health systems through one Oracle-owned vendor — is the year's clearest HIPAA business-associate accountability test.

Comcast's $117.5M Xfinity Settlement Puts a Price Tag on Citrix Bleed — $10K Per Customer

Comcast just agreed to write a $117.5 million check over a vulnerability it didn't write. The Xfinity settlement is the first major Citrix Bleed bill to come due — the precedent it sets for shared customer-vendor liability is the part defenders should read twice.