Threat Intelligence

Minimalist white line art on deep purple: a person at a laptop with two speech bubbles merging into a dotted cloud that extends as a dotted line toward a SCADA panel.

Threat Intelligence

Claude and GPT Helped Hackers Reach the Edge of a Mexican Water Utility's OT Network

Dragos published an intelligence brief on May 6, 2026, documenting a cyber-attack against Servicios de Agua y Drenaje de Monterrey — a municipal water utility in northern Mexico — between December 2025 and February 2026 in which attackers used Anthropic's Claude and OpenAI's GPT to plan the operation,

07 May 2026

Minimalist white line art on vibrant teal: a water treatment tank with five droplet icons above it, a half-open document with a closed-eye on the cover, and a red dotted turning valve.

Policy & Government

Poland's Spy Agency Just Broke a 12-Year Silence to Warn That Hackers Reached Five Water Plants

Poland's Internal Security Agency (ABW) published a public report on May 7, 2026 — its first activity summary in 12 years — warning that hackers targeted water treatment stations in five Polish municipalities, gaining access in some cases to industrial control systems and developing the ability to alter technical parameters

07 May 2026

Vulnerabilities

Palo Alto Firewall Zero-Day Has Been Exploited Since April 9. Patches Don't Land Until May 13.

Palo Alto Networks disclosed CVE-2026-0300 on May 5, 2026 — a CVSS 9.3 buffer overflow zero-day in PAN-OS that lets unauthenticated attackers execute code as root on internet-exposed PA-Series and VM-Series firewalls. Unit 42 has tracked exploitation by a likely state-sponsored cluster (CL-STA-1132) since April 9. CISA added the CVE

07 May 2026

White line art on vivid emerald showing two facing tribunal-bench shapes — one intact with a folded scroll, one broken in half — connected by a faint Australian continent outline.

Policy & Government

Australia Just Built the Cyber Review Board the U.S. Disbanded — and Gave It a Power the U.S. Version Never Had

On Friday, May 1, 2026, Australian Home Affairs and Cyber Security Minister Tony Burke announced the establishment of the Cyber Incident Review Board, a seven-member statutory body modeled on the U.S. Cyber Safety Review Board the Trump administration disbanded mid-investigation in January 2025. Australia's version is chaired

06 May 2026

Minimalist white line art on rich gold showing six skeletal masks linked by a dotted chain, all converging on a single gavel; a closed padlock sits on the gavel head with a red accent dot.

Ransomware

First U.S. Karakurt Sentencing: 8.5 Years for the Negotiator Who Mailed Kids' Records

The DOJ sentenced Latvian national Deniss Zolotarjovs to 102 months in prison on May 4, 2026 — the first U.S. prosecution of a Karakurt member ever. Court documents tie the Conti-affiliated negotiator to extortion of more than 54 organizations, $56 million in losses across 13 victims alone, and a deliberate

06 May 2026

Minimalist white line art on deep electric blue showing a handheld card-game device, dotted arc across a wavy river to a cloud-storage glyph, watching eye, and a red accent dot.

Threat Intelligence

ScarCruft Compromised a Yanbian Gaming Site to Hunt North Korean Defectors

ESET disclosed a North Korea-aligned APT37/ScarCruft supply-chain compromise of sqgame.net, a Yanbian-themed gaming platform serving the ethnic-Korean community on the China-North Korea border. Trojanized Android APKs deploy a new BirdCall backdoor port. The APKs are still live.

06 May 2026

Minimalist white line art on olive green showing a server rack with two file folders escaping through a broken padlock, joined to two linked hexagon icons above, marked with a red accent dot.

Vulnerabilities

Patch MOVEit Now Before It Becomes 2023 All Over Again

A 9.8 unauthenticated authentication bypass and a 7.7 privilege escalation flaw in MOVEit Automation chain to full administrative control. Patch this week. Upgrading via the full installer is the only fix — there is no workaround. The product family is the same one Cl0p exploited to breach 2,100

05 May 2026

Minimalist white line art on deep burgundy showing a chained paper-airplane icon linked by a dotted funnel to three stacked coin discs captured inside a brackets-frame, with a red accent dot.

Cyber Crime

DOJ's Scam Center Strike Force Restrained $701M and Seized Its First Telegram Channel — The Precedent That Will Outlast the Headline

Six days before the 276-arrest takedown, the DOJ's Scam Center Strike Force restrained $701.96 million in cryptocurrency, seized 503 fake investment websites, and pulled off the first-ever federal seizure of a Telegram channel — the recruitment funnel that lured trafficking victims into Cambodian scam compounds. The arrests got

05 May 2026

Minimalist white line art on muted blue showing a medical clipboard with three data tags flying through a dashed network arc into two generic app-tile silhouettes.

Data Breaches

State Health Exchanges Sent Citizenship and Race Data to TikTok and Meta

A Bloomberg investigation found that nearly all 20 U.S. state-run health insurance exchanges plus D.C. were sending applicant data — citizenship, race, ZIP codes, prescriptions, even disclosures about incarcerated family members — to TikTok, Meta, Google, Snap, and LinkedIn via misconfigured tracking pixels. More than 7 million Americans bought insurance

05 May 2026

phishing

VENOMOUS#HELPER: SSA Phishing Drops Dual-RMM on 80+ Orgs by Living off Trusted Vendors

Securonix tracked a phishing campaign that has compromised more than 80 organizations — mostly U.S.-based — by abusing legitimate SimpleHelp and ConnectWise ScreenConnect remote-monitoring tools. The lure impersonates the U.S. Social Security Administration. The architecture is dual-RMM redundancy: when defenders detect one channel, the other persists. Securonix Threat Research

05 May 2026

Minimalist white line art on dark forest green showing a newspaper-fold being unzipped along its spine, releasing a cascade of document pages into an open archive box, with a red accent dot.

Ransomware

World Leaks Breaches Pro-Orbán Mediaworks: 15 Million Files Published, Hungarian Outlets Defy Reporting Threat

World Leaks — the rebrand of Hunters International — published 8.5 terabytes and roughly 15 million files from Mediaworks, Hungary's pro-Orbán media giant. Mediaworks asked journalists not to report on the leak, citing criminal data-handling law. At least one Hungarian outlet refused. The data-extortion group World Leaks claimed responsibility

05 May 2026

Minimalist white line art on deep plum showing two sign-in windows linked by a central proxy hourglass, a key intercepted mid-flight between them, and a tiny CAPTCHA glyph

phishing

Microsoft: AiTM Phishing Hit 35,000 Users at 13,000 Orgs in Three Days — Tycoon 2FA Takedown Did Not Kill the Technique

Microsoft Defender Research disclosed a sophisticated AiTM phishing campaign that hit 35,000+ users at 13,000+ organizations across 26 countries in just three days. 92% of targets were in the U.S. The lure was a fake employee disciplinary case. The reverse proxy stole session tokens — bypassing MFA in

05 May 2026

See all