Nation-State Cyber Threats

Line-art wireframe airplane silhouette above a stylized software installer window with a small download arrow; a red dot sits on the installer button.

Nimbus Manticore Returns With MiniFast, an AI-Assisted Backdoor Hitting Aviation and Aerospace

Nimbus Manticore — the Iran-nexus APT The CyberSignal covered as Screening Serpens — has returned with a new backdoor codenamed MiniFast that Check Point Research assesses was developed with AI assistance, and a target set that now spans aviation, aerospace, defense, software, and telecom.

26 May 2026

Line-art Lithuanian government building beside a tall filing cabinet, a small key drawn between them carrying a red dot at the cabinet's lock.

Data Breaches

Lithuania Says 600,000 Register Records Pulled Through a Migration Department Login

Lithuania's Prosecutor General's Office says more than 600,000 records were pulled from the Centre of Registers using valid Migration Department login credentials issued queries from abroad. The registry itself was not breached — an authorized third party's login was.

26 May 2026

Line-art desktop computer with a large RAM memory chip drawn inside the monitor's screen; the memory chip carries a single flat red dot at its center.

Nation-State Cyber Threats

Lazarus's RemotePE RAT Runs Only in Memory and Is Built to Survive the Investigation

Fox-IT disclosed RemotePE, a RAT the North Korea-linked Lazarus Group runs entirely in memory and never writes to disk. It is the final stage of a multi-stage chain, deployed only after the noisier RATs are deliberately cleaned up.

25 May 2026

Line-art app window with a shield and an OFF toggle switch, a gear-marked config file feeding in, three rat silhouettes below; the toggle holds a red dot.

Nation-State Cyber Threats

Iran-Nexus APT Screening Serpens Hijacks .NET Apps to Disable Their Own Defenses

Palo Alto Networks' Unit 42 is tracking Screening Serpens, an Iran-nexus APT that fuses DLL sideloading with AppDomainManager hijacking to make .NET applications switch off their own security mechanisms, then deploys six new RATs across the U.S., Israel, and the UAE.

22 May 2026

Line-art illustration of a tall signal tower set off-center on a deep aubergine background, with one flat red dot accent.

Nation-State Cyber Threats

Showboat: A China-Affiliated Espionage Backdoor Has Been Inside Middle East and Central Asia Telcos Since 2022

Lumen's Black Lotus Labs disclosed Showboat, a modular Linux backdoor a China-affiliated espionage operation has used to sit inside Middle East and Central Asia telecom networks for roughly four years. A SOCKS5-proxy foothold inside a carrier is a persistent window into a region's traffic.

21 May 2026

Line-art illustration of a single cloud shape on a deep moss-green background, with one flat red dot accent.

Nation-State Cyber Threats

Webworm's New Backdoors Run on Discord and Microsoft OneDrive — and the China-Aligned APT Has Pivoted to Five European Governments

ESET documented Webworm, a China-aligned APT that pivoted from Asia to European governments. Its two new backdoors — EchoCreep and GraphWorm — run command-and-control entirely on Discord and Microsoft OneDrive, hiding inside the trusted cloud traffic every enterprise allowlists.

20 May 2026

White line-art of a wireframe sphere compressed by inward arrows with a 30 g/cm cubed label, on a jade background with one red dot accent.

Nation-State Cyber Threats

Symantec Confirms Fast16: The 2005-Era Sabotage Tool That Quietly Poisoned Nuclear Weapon Simulations

Symantec independently confirmed Fast16, a 2005-era pre-Stuxnet sabotage framework first disclosed by SentinelOne. It silently corrupted LS-DYNA and AUTODYN finite-element solver outputs for nuclear weapons design, acting only when material density crossed 30 g/cm cubed.

18 May 2026

Two server racks linked by a shared cable through a central hexagonal node, with a bracket-handshake symbol above and a red-orange accent dot.

Threat Intelligence

Two Pro-Ukraine Hacktivist Groups Are Now Sharing Infrastructure — and It Looks Quasi-State-Sponsored

Kaspersky researchers reported on May 7-8 that pro-Ukraine hacktivist groups BO Team (also known as Black Owl) and Head Mare appear to be coordinating their cyber operations against Russian organizations — sharing infrastructure including command-and-control systems on the same compromised host. BO Team had previously operated more

08 May 2026

Minimalist white line art on bright cyan-teal: a wax-sealed envelope with a small backdoor cut into one side, beside three stacked file icons on a shelf.

Malware

Daemon Tools Was Trojanized for a Month — and the Installer Was Properly Signed

Kaspersky disclosed on May 5, 2026 that Daemon Tools — disk-imaging software with millions of users worldwide — has been distributing trojanized installers from its official website since April 8, 2026. The compromised binaries were signed with valid AVB Disc Soft developer certificates. Thousands of machines across approximately 100 countries received

07 May 2026

Minimalist white line art on vibrant teal: a water treatment tank with five droplet icons above it, a half-open document with a closed-eye on the cover, and a red dotted turning valve.

Policy & Government

Poland's Spy Agency Just Broke a 12-Year Silence to Warn That Hackers Reached Five Water Plants

Poland's Internal Security Agency (ABW) published a public report on May 7, 2026 — its first activity summary in 12 years — warning that hackers targeted water treatment stations in five Polish municipalities, gaining access in some cases to industrial control systems and developing the ability to alter technical parameters

07 May 2026

Minimalist white line art on deep purple: a person at a laptop with two speech bubbles merging into a dotted cloud that extends as a dotted line toward a SCADA red panel button.

Vulnerabilities

Palo Alto Firewall Zero-Day Has Been Exploited Since April 9. Patches Don't Land Until May 13.

Palo Alto Networks disclosed CVE-2026-0300 on May 5, 2026 — a CVSS 9.3 buffer overflow zero-day in PAN-OS that lets unauthenticated attackers execute code as root on internet-exposed PA-Series and VM-Series firewalls. Unit 42 has tracked exploitation by a likely state-sponsored cluster

07 May 2026

Minimalist white line art on burnt red-orange: eight laptops on a shelf rack, each emitting a dotted line that converges off-frame; a residential mailbox sits below with one red accent dot.

North Korean Threat Actors

Two More Americans Just Got 18 Months Each for Running North Korean Laptop Farms — That's Eight This Year

Federal prosecutors sentenced two U.S. nationals — Matthew Isaac Knoot of Nashville and Erick Ntekereze Prince of Naples, Florida — to 18 months each for running "laptop farms" that helped North Korean IT workers fraudulently obtain remote employment at nearly 70 American companies. They are the seventh and eighth

07 May 2026

See all