Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Threat Intelligence Briefing 05 June 2026
Black Arrow Cyber Threat Intelligence Briefing 05 June 2026:
-Why Your Board Is Still Not Ready for Cyber Risk - And What Actually Needs To Change
-Execs Must Treat Cyber Threats as Statecraft, ISACA Expert Says
-UK Firms Prioritise AI Threat Preparedness as Cyber Risks Evolve
-Nation State Attacks: The Risk to UK Firms
-The Gentlemen Are Coming for Your Files, and Then Your Network
-Ransomware Groups Grow Revenue by Almost 40% in Q1 2026
-'The Com' Cyberattacks Support Violence & Sexploitation
-What Is Configuration Drift - And Why It’s Your Biggest M365 Security Risk
-Supply Chain Risk Is Now a Cyber Resilience Problem
-82% of IT Pros Report a Web-Based Security Incident in Past Year – BYOD, SaaS Tools, and Remote Work Policies All Play a Part in Security Resilience
-M&S Chief’s Pay Slashed by £3M After Cyberattack Turmoil
Welcome to this week’s Black Arrow Cyber Threat Intelligence Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Executive Summary
This week’s review of cyber security in the specialist and general media highlights how business leaders can better understand and manage cyber risks, with insights into actions that boards can take to improve security and resilience.
AI remains a prominent theme, continuing a trend we have observed over recent months. Alongside this, we see cyber risks becoming more complex, spanning geopolitical threats, the evolution of ransomware, and security weaknesses that can emerge through routine business and technology changes. We also highlight the recently announced impact of last year’s M&S cyber attack on executive remuneration, illustrating how the consequences of a cyber incident can extend well beyond the initial disruption.
Our advice for business leaders remains consistent: focus on cyber security to reduce the likelihood of an incident, and on cyber resilience to withstand and recover from one. This requires boards to understand cyber risks in business terms, govern them through proportionate controls, and rehearse the leadership response before an incident occurs. Contact us to discuss how these themes can be addressed in your leadership meetings.
Top Cyber Stories of the Last Week
Why Your Board Is Still Not Ready for Cyber Risk - And What Actually Needs To Change
Cyber incidents have ranked as the top global risk for the fifth year running, according to the Allianz Commercial Risk Barometer, yet many boards still overestimate their organisation’s readiness. A key challenge is proving the return on cyber security investment, particularly where risks involve reputation, customer trust and business disruption. Stronger cyber resilience can reduce downtime, support customer retention and strengthen competitive positioning. Boards should treat cyber risk as a core business issue, with clear ownership, measurable reporting, independent assurance and consideration in strategy, mergers and acquisitions.
Execs Must Treat Cyber Threats as Statecraft, ISACA Expert Says
Information Security professional body ISACA has warned that cyber security risk can no longer be treated as a purely technical issue, as cyber, artificial intelligence and geopolitics are now increasingly connected. High profile attacks against commercial organisations have shown that private companies can become targets for state linked groups, sometimes for political rather than financial reasons. Emerging risks include covert foreign IT worker schemes, which can create trusted insider access. Boards should understand where they are exposed, test their crisis response, strengthen HR and supplier checks, and rehearse longer running scenarios involving nation state threats.
https://www.infosecurity-magazine.com/news/execs-cisos-must-treat-cyber/
UK Firms Prioritise AI Threat Preparedness as Cyber Risks Evolve
ManageEngine reports that AI-powered attacks are now the top concern for UK organisations, cited by 43% of respondents, with 41% prioritising investment in AI and advanced threat preparedness. More than three quarters of UK businesses experienced a cyber incident in the past year, above the European average, while 46% pointed to skills shortages as their main operational challenge. Although 94% of incidents are detected within 24 hours, recovery remains slower, with over a quarter taking more than 10 days, highlighting the need to strengthen resilience as threats become more complex.
https://www.infosecurity-magazine.com/news/uk-firms-prioritize-ai-threat/
Nation State Attacks: The Risk to UK Firms
The UK’s National Cyber Security Centre has warned that nation states, particularly China, Iran and Russia, are now behind most significant cyber incidents affecting the UK. These attacks are often focused on disruption, espionage or gaining long-term access, rather than financial gain, meaning ransom payments are unlikely to resolve the issue. Critical sectors such as finance, healthcare, technology, telecoms, energy, water and defence face heightened risk, as do suppliers that provide access to larger organisations. Strong basic controls, regular recovery testing and clear oversight remain essential as geopolitical tensions continue to shape cyber activity.
https://insight.scmagazineuk.com/nation-state-attacks-the-risk-to-uk-firms
The Gentlemen Are Coming for Your Files, and Then Your Network
Microsoft has warned that ransomware called ‘Gentlemen’, developed by a group with the same name, is actively targeting organisations across education, transport, healthcare and financial services worldwide. First seen in mid 2025 and still active in 2026, the ransomware can spread from one compromised machine to others across a network before encrypting files. This means a single breach can quickly become a wider business disruption. ‘Gentlemen’ now operates as ransomware-as-a-service, where criminal affiliates can pay to use the software to carry out attacks. Early detection of unusual access, stolen password use and remote system activity is critical to limiting impact.
Ransomware Groups Grow Revenue by Almost 40% in Q1 2026
Rapid7 has reported that ransomware revenue rose by almost 40% year on year in the first quarter of 2026, reaching an estimated $529.2 million. The growth reflects a more mature criminal market, where ransomware groups can buy ready-made access to organisations through dark web brokers rather than breaking in themselves. Leading groups generated significant revenue, with Qilin estimated at $193 million and Gentlemen at $52 million between July 2025 and March 2026. The findings show how resilient and commercialised cyber crime operations have become.
'The Com' Cyberattacks Support Violence & Sexploitation
Researchers report that ‘The Com’, a loose criminal network linked to groups such as Scattered Spider, combines cyber crime with wider criminal activity, blurring the boundaries between its hacking groups and other criminal networks. The group is largely North American, often young, and recruits through gaming and social media communities. Its activity shows how weak cloud security can create harm beyond the breached organisation, with stolen access and extortion funding further criminal operations. Recent activity may have quietened, but researchers warn the group remains active and continues to evolve its tactics.
https://www.darkreading.com/threat-intelligence/the-com-cyberattacks-violence-sexploitation
What Is Configuration Drift - And Why It’s Your Biggest M365 Security Risk
Configuration drift is a growing Microsoft 365 security risk, particularly for managed service providers overseeing many client environments. It occurs when security settings gradually move away from an agreed baseline through routine changes, such as temporary access exceptions, relaxed sharing controls or admin permissions that are not later removed. These changes can weaken defences without triggering obvious alerts. Continuous monitoring and automated remediation can help identify and correct drift quickly, reducing the risk of incidents and supporting stronger governance across multiple Microsoft 365 tenants.
Supply Chain Risk Is Now a Cyber Resilience Problem
AI demand is putting pressure on the supply of DRAM and NAND, the memory and storage components that underpin backup and recovery infrastructure. As availability tightens and costs rise, cyber resilience strategies that rely on continually adding more hardware may become harder to sustain. More efficient architectures, which reduce the amount of data stored, moved and managed, can lower dependency on scarce components, reduce the number of systems needing protection, and support faster recovery. This makes infrastructure efficiency not just a cost issue, but a strategic cyber security consideration.
https://www.dell.com/en-us/blog/supply-chain-risk-is-now-a-cyber-resilience-problem/
82% of IT Pros Report a Web-Based Security Incident in Past Year – BYOD, SaaS Tools, and Remote Work Policies All Play a Part in Security Resilience
NordLayer reports a clear gap between confidence and reality in web-based security. While 73% of organisations believe they are prepared for attacks through browsers and web applications, 82% experienced an incident in the past year. The risk is growing as businesses rely more heavily on online software, remote working and personal devices. Malware designed to steal login details harvested 1.8 million credentials and 68.8 billion cookies last year, giving attackers a way to access systems by appearing to log in legitimately rather than forcing their way in.
M&S Chief’s Pay Slashed by £3M After Cyberattack Turmoil
The chief executive of UK retailer Marks & Spencer saw his pay fall by more than 40% after a major cyber attack disrupted the retailer’s operations and M&S cancelled its executive bonus scheme. The attack halted online services for weeks, affected card payments in some stores, and contributed to weaker financial performance, resulting in lower bonus and share-based awards for executives. M&S put the total cost at £133.3 million, although more than £100 million has been recovered through insurance.
https://www.cityam.com/ms-pay-slashed-after-cyberattack-turmoil/
Governance, Risk and Compliance
Why Your Board Is Still Not Ready for Cyber Risk
EU organizations buckle under rising compliance pressure - Help Net Security
UK Firms Prioritize AI Threat Preparedness as Cyber Risks Evolve - Infosecurity Magazine
NCSC Urges Immediate Action to Boost Resilience as Uncertainty Persist - Infosecurity Magazine
Building Cyber Resilience For Mission-critical Operations In 2026
6 critical security gaps every CISO must address | CSO Online
Business Leaders Lack Understanding of Threat Intelligence - Infosecurity Magazine
How to Get Boards to Prioritize Cyber Risk Quantification - Infosecurity Magazine
Cybersecurity Staff Prefer CISOs With Real Attack Response Experience - Infosecurity Magazine
CISO burnout: How to prevent contagion across the team | Computer Weekly
Two New Reports Offer Competing Explanations for Cybersecurity's Growing Crisis - SecurityWeek
Lost in translation: Cybersecurity board reporting for CISOs | TechTarget
Threats
Ransomware, Extortion and Destructive Attacks
Ransomware groups grow revenue by almost 40% in Q1 2026 | TechRadar
'The Com' Cyberattacks Support Violence & Sexploitation
The Gentlemen are coming for your files, and then your network | CSO Online
The Gentlemen Ransomware Group Uses Fortinet Exploits, AI, and Custom C2 Frameworks
Pink is the latest goon squad to use fake helpdesk calls to steal creds
'Dumbass' criminal breaks the 'first rule of ransomware club'
Ransomware and Destructive Attack Victims
Inside the Charter data breach: hackers leak 13M+ customer data | Cybernews
Charter Communications data breach affects 4.9 million accounts
M&S chief's pay slashed by £3m after cyberattack turmoil
IKEA faces data leak threat after hackers claim theft of internal code | Cybernews
Carnival Data Breach Exposes Personal Data of Nearly 6 Million Customers
Phishing & Email Based Attacks
Attackers Abuse Shared Content for ChatGPT Phishing Campaign - Infosecurity Magazine
Infostealers are becoming the go-to phishing payload | Malwarebytes
ChatGPhish Vulnerability Turns ChatGPT Web Summaries Into a Phishing Surface
ChatGPT prompt injection turns web pages into phishing lures
BTMOB Android malware service generates custom phishing payloads
Threat Actors Deploy Tiflux RMM For Persistent Remote Access
LinkedIn-themed phishing abuses Adobe's A/B testing platform - Help Net Security
There’s a new phishing scam: fake invitations | The Seattle Times
PCPJack Hijacks 230 AWS, Google Cloud, and Azure Servers for Covert SMTP Relay Network
Europe's hotel data breach hits 100+ properties | Cybernews
Chinese Cybercrime Group in Spotlight for Record Campaign Pace - SecurityWeek
China's TA4922 Expands Cybercrime Attacks Globally
Signal users targeted in backup-stealing phishing attacks | Malwarebytes
Social Security numbers exposed in Rich Products cyberattack | Cybernews
Other Social Engineering
Hackers hijack thousands of sites for ClickFix and FakeUpdate attacks
Pink is the latest goon squad to use fake helpdesk calls to steal creds
There’s a new phishing scam: fake invitations | The Seattle Times
Chinese Cybercrime Group in Spotlight for Record Campaign Pace - SecurityWeek
Cyber espionage campaign targeted stock exchange executive’s Outlook account
As the 2026 World Cup Looms, a Shadow Tournament of Cyber Fraud Begins | OCCRP
FIFA World Cup 2026 Scams Are Already Live: Fake Sites, Banking Malware, and Stolen Logins
Five Eyes: China expanding state secret recruitment campaign
5K+ election domains registered ahead of US midterms
2FA/MFA
Microsoft fixes outage affecting MFA setup, MySignIn service
AML/CFT/Money Laundering/Terrorist Financing/Sanctions
Artificial Intelligence
Attackers Abuse Shared Content for ChatGPT Phishing Campaign - Infosecurity Magazine
ChatGPhish Vulnerability Turns ChatGPT Web Summaries Into a Phishing Surface
UK Firms Prioritize AI Threat Preparedness as Cyber Risks Evolve - Infosecurity Magazine
145 AI laws passed in 2025 and privacy teams aren't catching a break - Help Net Security
Only 11% of production agents pass the AI agent security bar - Help Net Security
Security of 100 AI Agents Tested and Ranked – What You Need to Know - SecurityWeek
The Gentlemen Ransomware Group Uses Fortinet Exploits, AI, and Custom C2 Frameworks
Russian hacker tricked MAGA Telegram channel with jailbroken AI | TechRadar
Cybersecurity threats from new language models | Max-Planck-Gesellschaft
What 2,000 Exposed Vibe-Coded Apps Reveal About the Limits of Most Security Stacks
Infosecurity Europe: AI-Powered Cybercrime Tools Surge on Dark Web - Infosecurity Magazine
Free AI model powers self-spreading worm in enterprise test network
Commvault says it's time to rethink resiliency as AI crooks leave victims in a 'dark, dead' state
Hugging Face security analysis: ~70,000 live secrets and API keys, private repos, and leaky pics!
UK banks still lack access to Mythos AI model, BoE's Bailey says - CNA
ICO publishes blog on AI-powered cyber threats | A&O Shearman - JDSupra
WhatsApp, Slack Notifications Could Hijack Google Gemini on Android
Cyber threats are becoming 'high level' with AI
President Trump Signs AI Executive Order After Delaying It Over China Concerns - Decrypt
Bots/Botnets
Botnet of 17 Million Devices Dismantled in the Netherlands
Huge Botnet Linked To Russia Infected Over 10 Million Devices Before Being Shut Down
Careers, Roles, Skills, Working in Cyber and Information Security
6 critical security gaps every CISO must address | CSO Online
CISO burnout: How to prevent contagion across the team | Computer Weekly
Cloud/SaaS
PCPJack Hijacks 230 AWS, Google Cloud, and Azure Servers for Covert SMTP Relay Network
19.6 Billion Files Are Sitting Open on the Internet. No Password Required
FSB Group Gamaredon Hides Worm in Windows Data Streams - Infosecurity Magazine
Gamaredon APT Hides Malware in Windows Features and Abuses Cloud Platforms for C2
What is configuration drift — And why it’s your biggest M365 security risk | native | MSSP Alert
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Russian hacker tricked MAGA Telegram channel with jailbroken AI | TechRadar
Weedhack Attacks Minecraft Users, CountLoader Hits 86K, Miners Spread via Pirated Content
DoJ Disrupts Southeast Asia Crypto Fraud Networks, Freezes $3.8 Million in Assets
Cyber Crime, Organised Crime & Criminal Actors
'The Com' Cyberattacks Support Violence & Sexploitation
Chinese Cybercrime Group in Spotlight for Record Campaign Pace - SecurityWeek
China's TA4922 Expands Cybercrime Attacks Globally
Dutch Raid Fails to Dent Russian Bulletproof Host
Over 1.4 Million Accounts Disrupted in Cybercrime Crackdown - SecurityWeek
Data Breaches/Leaks
19.6 Billion Files Are Sitting Open on the Internet. No Password Required
Hugging Face security analysis: ~70,000 live secrets and API keys, private repos, and leaky pics!
Your OnlyFans may not be private – and neither are your passwords | Cybernews
The worst hacks and breaches of 2026 (so far) | TechCrunch
Europe's hotel data breach hits 100+ properties | Cybernews
Troops’ phones leaked location data to foreign adversaries
Man sent to prison for selling data of 7 millions elderly Americans
23andMe Failed to Stop Months-Long Hack, State Alleges
California AG sues 23andMe over 2023 breach exposing health data
A Fake UK Visa Site Left 100,000 Passports Wide Open. Then Sent Lawyers Instead of a Fix.
Social Security numbers exposed in Rich Products cyberattack | Cybernews
Carnival Data Breach Exposes Personal Data of Nearly 6 Million Customers
Scots affected by Capita cyber attack given route to compensation | Scottish Legal News
Spain arrests doxer leaking sensitive data of govt employees
One-Click GitHub Dev Attack Lets Attackers Steal Full GitHub OAuth Tokens
Ultrahuman says recent hack didn't affect passwords or credit cards
GTA cheat service Atlas Menu hacked as attacker alleges screenshot spying
64,000 accounts exposed in breach of GTA V cheat service Atlas Menu - Help Net Security
Hackers just stole health data from Ultrahuman users, and I’m ditching my smart ring because of it
Nightclub Giant RCI Says Data Breach Affects 40,000 Individuals - SecurityWeek
Data Protection
ICO publishes blog on AI-powered cyber threats | A&O Shearman - JDSupra
Data/Digital Sovereignty
Vivre la Linux: Behind France’s bold open source move into digital sovereignty
Denial of Service/DoS/DDoS
Why Your Rate Limits Fail Under Distributed DDoS Attacks - Security Boulevard
New 'HTTP/2 Bomb' DoS attack crashes web servers in under a minute
Encryption
Let's Encrypt Unveils Merkle Tree Certificates to Secure the Web Against Quantum Threats
Fraud, Scams and Financial Crime
Russian hacker tricked MAGA Telegram channel with jailbroken AI | TechRadar
As the 2026 World Cup Looms, a Shadow Tournament of Cyber Fraud Begins | OCCRP
FIFA World Cup 2026 Scams Are Already Live: Fake Sites, Banking Malware, and Stolen Logins
Meta tries to get ahead of scammers before the World Cup begins - Help Net Security
Insurance
Cyber Insurance Rates Are Dropping, but Exclusions Widen
Internet of Things – IoT
Are our cars spying on us? A cybersecurity expert explains how to stay safe
Hacking your car’s dash cam in real time, remotely: tips, tricks, and lazy manufacturers.
How To Reduce Cyber Risks Across Connected Devices And Services
Law Enforcement Action and Take Downs
Botnet of 17 Million Devices Dismantled in the Netherlands
Huge Botnet Linked To Russia Infected Over 10 Million Devices Before Being Shut Down
Man sent to prison for selling data of 7 millions elderly Americans
Dutch Raid Fails to Dent Russian Bulletproof Host
Sextortionist sentenced to 33 years for targeting 145 children
Spain arrests doxer leaking sensitive data of govt employees
Over 1.4 Million Accounts Disrupted in Cybercrime Crackdown - SecurityWeek
European authorities crack down on illegal streaming networks | CyberScoop
Police seize £1.2m of kit from illegal streaming operation - BBC News
DoJ Disrupts Southeast Asia Crypto Fraud Networks, Freezes $3.8 Million in Assets
Reporting Cybersecurity Incidents to Law Enforcement- Best Practice
29 Arrests, Nine Crime Groups Dismantled: Another Blow to Illegal Streaming
Linux and Open Source
Organizations Warned of Exploited Linux Kernel Vulnerability - SecurityWeek
Vivre la Linux: Behind France’s bold open source move into digital sovereignty
New CIFSwitch Linux flaw gives root on multiple distributions
19-Year-Old Linux Kernel Vulnerability Exposes Systems to Root Access - SecurityWeek
Dozens of Red Hat packages backdoored through its official NPM channel - Ars Technica
Shai-Hulud malware infects Red Hat npm packages downloaded 80K times weekly
Malware
Attackers Abuse Shared Content for ChatGPT Phishing Campaign - Infosecurity Magazine
Hackers hijack thousands of sites for ClickFix and FakeUpdate attacks
Infostealers are becoming the go-to phishing payload | Malwarebytes
Android Banking Trojan OverlayPhantom Abuses Accessibility Service to Control Devices
Dozens of Red Hat packages backdoored through its official NPM channel - Ars Technica
Shai-Hulud malware infects Red Hat npm packages downloaded 80K times weekly
Free AI model powers self-spreading worm in enterprise test network
Kimsuky Deploys HTTPSpy, Expands Arsenal with HelloDoor and VS Code Tunnels
GoDaddy found malware on 1,980 WordPress sites using Steam as C2 infrastructure
Chinese hackers use new Atlas RAT malware in European cyberattacks
Gamaredon Uses WinRAR Vulnerability to Launch Modular Spy Campaign on Ukrainian Targets
Weedhack Attacks Minecraft Users, CountLoader Hits 86K, Miners Spread via Pirated Content
Pakistan-Linked SideCopy Targets Afghanistan Finance Ministry with Xeno RAT
Rust-Written IronWorm Hits NPM Supply Chain
Mobile
Russian hacker tricked MAGA Telegram channel with jailbroken AI | TechRadar
Troops’ phones leaked location data to foreign adversaries
BTMOB Android malware service generates custom phishing payloads
Signal users targeted in backup-stealing phishing attacks | Malwarebytes
Mobile security's dirty cupboard: The app layer nobody's watching
Google June 2026 Android Update Patches 124 Flaws, One Actively Exploited
WhatsApp, Slack Notifications Could Hijack Google Gemini on Android
Models, Frameworks and Standards
EU organizations buckle under rising compliance pressure - Help Net Security
145 AI laws passed in 2025 and privacy teams aren't catching a break - Help Net Security
Anthropic to Open Mythos AI to EU's ENISA
ENISA report shows cybersecurity gains across EU critical sectors ...
MSSPs need to look beyond AI compliance badges | perspective | MSSP Alert
Outages
Microsoft fixes outage affecting MFA setup, MySignIn service
Microsoft Exchange Online outage causes email delays, failures
Passwords, Credential Stuffing & Brute Force Attacks
Your OnlyFans may not be private – and neither are your passwords | Cybernews
Pink is the latest goon squad to use fake helpdesk calls to steal creds
Dashlane Brute-Force Attack Leads to Limited Encrypted Vault Downloads - SecurityWeek
Regulations, Fines and Legislation
EU organizations buckle under rising compliance pressure - Help Net Security
145 AI laws passed in 2025 and privacy teams aren't catching a break - Help Net Security
President Trump Signs AI Executive Order After Delaying It Over China Concerns - Decrypt
Executive order sets voluntary cyber reviews for advanced AI | Miami Herald
EO 14390 raises stakes for enterprise cybersecurity | TechTarget
DHS Secretary Markwayne Mullin pinpoints optimal CISA staffing levels | CyberScoop
CISA close to issuing new cyber AI directive | Federal News Network
Social Media
Your OnlyFans may not be private – and neither are your passwords | Cybernews
Five Eyes: China expanding state secret recruitment campaign
LinkedIn-themed phishing abuses Adobe's A/B testing platform - Help Net Security
Software Supply Chain
Rust-Written IronWorm Hits NPM Supply Chain
Supply Chain and Third Parties
Supply Chain Risk Is Now a Cyber Resilience Problem | Dell
Scots affected by Capita cyber attack given route to compensation | Scottish Legal News
Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity
Cyber Warfare and Cyber Espionage
Nation state attacks: The risk to UK firms | SC Media UK
Why Execs and CISOs Must Treat Cyber Threats as Statecraft - Infosecurity Magazine
Five Eyes: China expanding state secret recruitment campaign
Gamaredon Uses WinRAR Vulnerability to Launch Modular Spy Campaign on Ukrainian Targets
Plan to toughen protections for subsea internet cables amid heightened Russian activity - GOV.UK
The Pentagon Finally Admits That Location Data Is a Battlefield Problem - Security Affairs
Chinese Hackers Exploit Iran War to Target Maritime and Energy Firms - Infosecurity Magazine
As Global Powers Explore Humanoid Robots, Cyber-Risk Looms
Cyber espionage campaign targeted stock exchange executive’s Outlook account
A Year After Launch, Ukraine’s Tallinn Mechanism Is Becoming a Cybersecurity Hub | The Gaze
Nation State Actors
Nation state attacks: The risk to UK firms | SC Media UK
Why Execs and CISOs Must Treat Cyber Threats as Statecraft - Infosecurity Magazine
As Global Powers Explore Humanoid Robots, Cyber-Risk Looms
China
Are our cars spying on us? A cybersecurity expert explains how to stay safe
Five Eyes: China expanding state secret recruitment campaign
Chinese hackers use new Atlas RAT malware in European cyberattacks
The Green Grid’s Hidden Backdoor: Who Controls Europe's Clean Energy?
Chinese Hackers Exploit Iran War to Target Maritime and Energy Firms - Infosecurity Magazine
Germany, Spain said to push back on European plan to ban Huawei gear
China Uses Dual-Method Cyberattack on Czech Orgs
Chinese Cybercrime Group in Spotlight for Record Campaign Pace - SecurityWeek
China's TA4922 Expands Cybercrime Attacks Globally
China turns its aging camera network into an AI-powered mass surveillance apparatus
Russia
FSB Group Gamaredon Hides Worm in Windows Data Streams - Infosecurity Magazine
Gamaredon APT Hides Malware in Windows Features and Abuses Cloud Platforms for C2
The Green Grid’s Hidden Backdoor: Who Controls Europe's Clean Energy?
Gamaredon Uses WinRAR Vulnerability to Launch Modular Spy Campaign on Ukrainian Targets
Plan to toughen protections for subsea internet cables amid heightened Russian activity - GOV.UK
Huge Botnet Linked To Russia Infected Over 10 Million Devices Before Being Shut Down
Estonians' will to defend the country remains high, cyberattacks seen as a threat | News | ERR
'Dumbass' criminal breaks the 'first rule of ransomware club'
Russian spy agency says foreign spies turned officials' smartphones into surveillance devices
Russia Says Foreign Spyware Found on High-Ranking Officials' Mobile Phones
North Korea
Kimsuky Deploys HTTPSpy, Expands Arsenal with HelloDoor and VS Code Tunnels
Iran
Chinese Hackers Exploit Iran War to Target Maritime and Energy Firms - Infosecurity Magazine
Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence
Pakistan-Linked SideCopy Targets Afghanistan Finance Ministry with Xeno RAT
Tools and Controls
Building Cyber Resilience For Mission-critical Operations In 2026
Microsoft under fire for threatening security researcher with criminal investigation | TechCrunch
Two New Reports Offer Competing Explanations for Cybersecurity's Growing Crisis - SecurityWeek
How to Get Boards to Prioritize Cyber Risk Quantification - Infosecurity Magazine
Attackers Abuse Open RDP Ports to Gain Initial Access Into Business Networks
Microsoft quietly removes a blog post claiming Windows 11 offers sufficient security - BetaNews
Dashlane Brute-Force Attack Leads to Limited Encrypted Vault Downloads - SecurityWeek
How To Reduce Cyber Risks Across Connected Devices And Services
Why Your Rate Limits Fail Under Distributed DDoS Attacks - Security Boulevard
What 2,000 Exposed Vibe-Coded Apps Reveal About the Limits of Most Security Stacks
Threat Actors Deploy Tiflux RMM For Persistent Remote Access
Business Leaders Lack Understanding of Threat Intelligence - Infosecurity Magazine
Lost in translation: Cybersecurity board reporting for CISOs | TechTarget
The behavioral signals that sharpen Trojan malware detection - Help Net Security
Known vulnerabilities behind most application security incidents - Help Net Security
How Leading Organizations Are Turning EDR Into Operational Resilience
Raising the Cybersecurity Stakes: Ante up for the Agentic Era - SecurityWeek
Anthropic to Open Mythos AI to EU's ENISA
UK banks still lack access to Mythos AI model, BoE's Bailey says - CNA
Zoom CISO: AI as Security Enabler, Not Role-Replacer
Agent Threat Rules: Open detection rule format for AI agent security threats - Help Net Security
Anthropic ups Glasswing partner count 4x, UK banks snubbed
Hackers Can Weaponize Lenovo Driver to Terminate EDR Processes
Reports Published in the Last Week
Other News
Farage's £5m gift leak 'hack' reported to police by Labour - Essex Live
Microsoft quietly removes a blog post claiming Windows 11 offers sufficient security - BetaNews
ENISA report shows cybersecurity gains across EU critical sectors ...
No Longer Invisible: When Cyber Attacks Go Physical
Security Specialist Warns of Business Aviation Cyberattack Threats | Aviation International News
National cyber shield could be ready in five years | Computer Weekly
Vulnerability Management
IBM and Red Hat believe they have the answer to open source security risks | IT Pro
Vulnerabilities
Windows Netlogon RCE exploited, domain controllers at risk (CVE-2026-41089) - Help Net Security
Microsoft blames unexpected Windows driver updates on caching issue
Cisco Warns of 7th SD-WAN Zero-Day Exploited in 2026 - SecurityWeek
Organizations Warned of Exploited Linux Kernel Vulnerability - SecurityWeek
New CIFSwitch Linux flaw gives root on multiple distributions
19-Year-Old Linux Kernel Vulnerability Exposes Systems to Root Access - SecurityWeek
Oracle's First Monthly Patches Resolve 77 Vulnerabilities - SecurityWeek
Oracle WebLogic CVE-2024-21182 Added to KEV Catalog After Active Exploitation
Palo Alto GlobalProtect VPN auth bypass flaw now exploited in attacks
Recent Palo Alto Networks Vulnerability Exploited for Weeks - SecurityWeek
Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit
ChatGPhish Vulnerability Turns ChatGPT Web Summaries Into a Phishing Surface
Critical OpenVPN Connect for macOS Vulnerability Let Attackers Execute Arbitrary Commands
Google June 2026 Android Update Patches 124 Flaws, One Actively Exploited
Chrome 148 Update Patches 151 Vulnerabilities - SecurityWeek
The Gentlemen Ransomware Group Uses Fortinet Exploits, AI, and Custom C2 Frameworks
Critical Flowise Flaw Gives Attackers Full Server Control - Infosecurity Magazine
Gamaredon Uses WinRAR Vulnerability to Launch Modular Spy Campaign on Ukrainian Targets
Acer working to patch max severity zero-days in Wave 7 routers
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
Automotive
Construction
Critical National Infrastructure (CNI)
Defence & Space
Education & Academia
Energy & Utilities
Estate Agencies
Financial Services
FinTech
Food & Agriculture
Gaming & Gambling
Government & Public Sector (including Law Enforcement)
Health/Medical/Pharma
Hotels & Hospitality
Insurance
Legal
Manufacturing
Maritime & Shipping
Oil, Gas & Mining
OT, ICS, IIoT, SCADA & Cyber-Physical Systems
Retail & eCommerce
Small and Medium Sized Businesses (SMBs)
Startups
Telecoms
Third Sector & Charities
Transport & Aviation
Web3
Contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to external articles are provided for general interest and awareness only. Linking to or reposting external content does not constitute endorsement of or by any organisation, service, or product. We do not control and are not responsible for the content, security, or availability of external websites or links. Full credit is given to the original authors and sources. E&OE.
Black Arrow Cyber Threat Intelligence Briefing 29 May 2026
Black Arrow Cyber Threat Intelligence Briefing 29 May 2026:
-Could Your CEO Be the Weakest Link When It Comes to AI Security? New Study Warns Execs Are ‘Knowingly Bypassing Safeguards Because the Perceived Benefits Outweigh the Risks’
-Companies Built AI into Core Systems Before Figuring out How to Govern It
-When Your Biggest Security Risk Has Never Signed a Contract
-The AI Phishing Revolution: From Spray-and-Pray to Autonomous Operations
-Bosses Blinded by Confidence About Shadow AI Use by Workers
-68% of UK Firms Plan to Increase Cyber Spending as AI Risks Rise
-Preparing for Severe Cyber Threat: Why Leaders Must Act Now
-The UK’s Top Spy Says the Window to Stay Ahead of China and Russia Is Narrowing and Cyber Security Needs to Become ‘10 Times More Urgent’
-UK Spy Chief Labels AI ‘Unstoppable Force’ with Offensive, Defensive Ramifications for Cyberspace
-Phishing Most Prevalent Cyber Attack, Confirms UK Survey
-Security Experts Caution MFA Alone Can No Longer Stop Threat Actors
-To Pay, or Not to Pay: 58% of CISOs Say They Would Pay the Ransom for Their Data
-Lessons for Organisations from the Verizon 2026 Data Breach Investigations Report
Welcome to this week’s Black Arrow Cyber Threat Intelligence Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Executive Summary
Continuing the theme from recent weeks, our review of current cyber news in the media considers how organisations can use AI more securely by being aware of the risks and the need for stronger governance and oversight.
We highlight that this starts from the top of the organisation, including how the leadership uses AI, how they understand the risks to their core systems, and how they can fulfil regulatory and accountability responsibilities where AI agent failures cause disruption or harm. We also report on messaging from the UK’s NCSC on the need for organisations to strengthen their security in the face of escalating risks.
Alongside AI risks, traditional cyber risks remain: we include a reminder that phishing and vulnerability exploits are top cyber threats (which are also empowered by AI), alongside third-party risks.
While the threat landscape shifts and evolves, the actions required from business leaders remain consistent: ensure an objective and complete understanding of your risks, and an unbiased assessment of how your controls address those risks. Contact us to discuss how to achieve this proportionately.
Top Cyber Stories of the Last Week
Could Your CEO Be the Weakest Link When It Comes to AI Security? New Study Warns Execs Are ‘Knowingly Bypassing Safeguards Because the Perceived Benefits Outweigh the Risks’
New research from TrustedTech highlights a growing risk around unapproved AI use, with 62% of senior leaders admitting to using tools outside company controls, double the rate of wider employees. More than a quarter said they would continue using AI even if it was banned, despite many being concerned about staff doing the same. The risk is greater at leadership level because executives often have access to sensitive financial, HR, customer and legal data. The findings highlight how behaviour at senior level can undermine governance and increase organisational risk as AI adoption accelerates.
Companies Built AI into Core Systems Before Figuring Out How to Govern It
Check Point reports that 70% of organisations now use generative AI in live environments, while 64% have AI agents in pilot or production. In some cases, these agents have privileged access to core systems, increasing exposure to security incidents. More than half of organisations have already experienced at least one AI-related security issue, including unapproved AI use, AI-generated phishing, deepfake content and sensitive data leaks. Yet only 5% have visibility of the AI tools and services being used, leaving many organisations unable to consistently govern access, data flows and risk.
https://www.helpnetsecurity.com/2026/05/28/check-point-genai-security-controls-report/
When Your Biggest Security Risk Has Never Signed a Contract
As AI agents, systems that can act independently on behalf of an organisation, become embedded in business processes, accountability is moving from policy into law. UK and EU regimes increasingly expect a named senior leader to show reasonable oversight when agent failures cause disruption or harm. Responsibility cannot simply be assigned on paper. Senior sponsors need enough practical understanding to supervise the agents they own, supported by formal training that links legal accountability with meaningful operational control.
https://www.computerweekly.com/opinion/When-your-biggest-security-risk-has-never-signed-a-contract
The AI Phishing Revolution: From Spray-and-Pray to Autonomous Operations
AI is reshaping phishing from broad, low-effort scams into targeted, always-on campaigns. Attackers can now create convincing, personalised emails in under five minutes, operate across email, text, voice and collaboration tools, and adapt their approach when a target does not respond. Some attacks also bypass multi-factor authentication by tricking users into approving legitimate-looking login requests. With AI reducing the skill and cost needed to run these campaigns, organisations face a shift where attacks operate continuously and adapt in real time, making traditional, user-focused defences increasingly less effective.
Bosses Blinded by Confidence about Shadow AI Use by Workers
Okta research found that 58% of organisations experienced an AI-related security incident or near miss in the past year, despite 90% of executives feeling confident they can see how AI is being used. The gap is driven by “shadow AI”, where employees use unapproved tools outside company oversight. More than half of knowledge workers admitted doing this, including 55% in the UK. Some also shared confidential documents, HR information or even login details, increasing business risk. The findings suggest a disconnect between leadership visibility and actual AI usage, increasing exposure to data leakage and governance challenges as adoption grows.
68% of UK Firms Plan to Increase Cyber Spending as AI Risks Rise
Barclays reports that 68% of UK business leaders expect to increase cyber security spending over the next 12 months, as AI adoption and geopolitical uncertainty reshape technology priorities. Despite this, fewer than three in 10 firms are confident they could respond effectively to a major cyber incident. Average cyber security spend has reached £505,000 so far in 2026, rising to £1.3m among large businesses. Key concerns include loss of sensitive data or intellectual property, disruption to operations, loss of revenue and damage to customer trust.
https://www.infosecurity-magazine.com/news/uk-firms-cyber-spending-ai-risks/
Preparing for Severe Cyber Threat: Why Leaders Must Act Now
The NCSC has warned that severe cyber threats are becoming a credible risk for organisations delivering the UK’s critical services, including financial services, health, energy, transport, and communications. These attacks can cause extended downtime, financial loss, reputational damage and risks to public safety. With technologies such as advanced AI increasing the speed and scale of attacks, leaders are being urged to plan beyond prevention. Building resilience means identifying critical systems, preparing for degraded operations, rehearsing recovery plans and ensuring key decisions are understood before a major incident occurs.
https://www.ncsc.gov.uk/blogs/preparing-for-severe-cyber-threat-why-leaders-must-act-now
The UK’s Top Spy Says the Window to Stay Ahead of China and Russia Is Narrowing and Cyber Security Needs to Become ‘10 Times More Urgent’
GCHQ has warned that the UK and its allies have a narrowing window to stay ahead of growing cyber and intelligence threats from China and Russia. The agency’s director said warfare is becoming increasingly driven by data, artificial intelligence and automation, while Russia is intensifying activity against critical infrastructure, democratic processes, supply chains and public trust. The warning highlights the increasing pressure on organisations to strengthen supply chain resilience, protect data and manage access controls as part of a more urgent approach to cyber security.
UK Spy Chief Labels AI ‘Unstoppable Force’ with Offensive, Defensive Ramifications for Cyberspace
GCHQ has warned that artificial intelligence is reshaping cyber security, creating both new opportunities and risks. Anne Keast-Butler, head of the UK intelligence agency, described AI as an “unstoppable force” that can be used to find weaknesses in critical technology and to support activity below the level of traditional warfare. GCHQ is developing an AI powered cyber shield to strengthen national defences, while warning that countries including China and Russia are using AI, data and automation to enhance cyber and hybrid threats.
https://cyberscoop.com/gchq-warns-ai-cyber-warfare-threats/
Phishing Most Prevalent Cyber Attack, Confirms UK Survey
New UK government research shows cyber attacks remain a persistent risk, affecting 43% of businesses and 28% of charities in the past year. Phishing, where criminals trick people into sharing information or clicking harmful links, remains the most common attack, impacting 38% of businesses and 25% of charities. Larger organisations face higher exposure, with 69% reporting an incident. Despite this, only around 30% conduct cyber risk assessments, while just 25% of businesses and 19% of charities have formal response plans. Supply chain oversight also remains limited, leaving many organisations exposed through partners and providers.
Security Experts Caution MFA Alone Can No Longer Stop Threat Actors
Security researchers are warning that multi factor authentication is no longer enough on its own to stop account takeover attempts. New phishing services can steal Microsoft 365 access tokens, which allow criminals to access Outlook, Teams and OneDrive without needing a password or another login check. One service, Kali365, costs from $250 for 30 days and gives even less skilled attackers ready-made templates, dashboards and AI generated messages. This shift highlights how attackers are bypassing traditional authentication controls, reflecting a move toward identity-focused risks such as token misuse and anomalous account activity rather than reliance on login-based protections alone.
To Pay, or Not to Pay: 58% of CISOs Say They Would Pay the Ransom for Their Data
A survey of 750 CISOs in the US and UK found that 58% would be willing to pay a ransom to end a ransomware incident, despite official guidance advising against it. In practice, fewer organisations appear to pay, with IDC reporting that 37% of affected companies did so last year. Paying does not guarantee recovery, with some organisations receiving incomplete data restoration and only 60% of SMEs in one survey recovering all or part of their data after payment. The findings highlight the operational and recovery risks of ransomware, where payment does not guarantee data restoration and can still result in prolonged disruption.
Lessons for Organisations from the Verizon 2026 Data Breach Investigations Report
Verizon’s 2026 Data Breach Investigations Report highlights how many breaches still stem from gaps in basic cyber security controls. Based on more than 31,000 incidents and 22,000 confirmed breaches across 145 countries, the report found vulnerability exploitation was the leading route into organisations, accounting for 31% of breaches. Ransomware remained a major issue, appearing in 48% of breaches, while third party involvement also featured in 48%. The report also points to rising risks from employee use of unauthorised AI tools, with sensitive internal information being uploaded outside corporate control.
https://www.helpnetsecurity.com/2026/05/25/lessons-from-verizon-dbir-2026-findings/
Governance, Risk and Compliance
68% of UK Firms Plan to Increase Cyber Spending as AI Risks Rise - Infosecurity Magazine
The readiness paradox: Why a false sense of cyber confidence is becoming a liability | CyberScoop
UK businesses accelerate cyber and AI investment amidst geopolitical tensions | WebWire
Preparing for severe cyber threat: why leaders must act now | National Cyber Security Centre
Developing An Executive Cybersecurity Strategy When Director Duties Extend To The Home Router
Threats
Ransomware, Extortion and Destructive Attacks
Why pure extortion is replacing traditional ransomware - Security Affairs
To pay, or not to pay: 58% of CISOs say they would pay the ransom for their data | CSO Online
The Hidden Ransomware Economy Running on Exposed Databases
Ransomware Actors Show Up In Person to Steal Law Firm Data
The Gentlemen is Making Its Mark in the Ransomware World - Security Boulevard
Law enforcement shuts down VPN service used by two dozen ransomware gangs | TechCrunch
Payload Ransomware Uses ChaCha20 and Curve25519 ECDH to Encrypt Windows Files
More Australian firms are panicking and paying ransoms | The North West Star | Mt Isa, QLD
Ransomware and Destructive Attack Victims
Charter confirms data breach after ShinyHunters extortion threat
MyPillow appears on Play ransomware leak site
Phishing & Email Based Attacks
Phishing most prevalent cyber attack, confirms UK survey | ICAEW
Microsoft 365 users targeted by new phishing threat that bypasses MFA - Help Net Security
FBI warns of Kali365 phishing kit that breaks into Microsoft 365 accounts — no password required
The AI Phishing Revolution - IT Security Guru
AI-Powered Phishing Puts MSSPs on the Defensive: Barracuda | news | MSSP Alert
Inside business email compromise attack: Real-world examples | TechTarget
Ghost CMS CVE-2026-26980 Exploited to Hijack 700+ Sites for ClickFix Attacks
Chinese Threat Actors Shift to Live Credential Interception - Infosecurity Magazine
Business Email Compromise (BEC)/Email Account Compromise (EAC)
Inside business email compromise attack: Real-world examples | TechTarget
Other Social Engineering
MFA Prompt Bombing: Why Your Second Factor Isn't Saving You
700+ education and tech websites hijacked in huge ClickFix malware campaign | Malwarebytes
Ghost CMS CVE-2026-26980 Exploited to Hijack 700+ Sites for ClickFix Attacks
Iranian Hackers Using Fake Job Sites to Breach Defense Firms
Thousands of Fake FIFA Domains Target World Cup Fans - Infosecurity Magazine
FBI director Kash Patel’s brand website taken offline after malware reports
2FA/MFA
Security experts caution MFA alone can no longer stop threat actors | CSO Online
Microsoft 365 users targeted by new phishing threat that bypasses MFA - Help Net Security
FBI warns about fast-growing phishing kit targeting Microsoft 365 users | CyberScoop
MFA Prompt Bombing: Why Your Second Factor Isn't Saving You
AML/CFT/Money Laundering/Terrorist Financing/Sanctions
Two arrested for facilitating pro-Russia cyberattacks, violating EU sanctions | NL Times
Artificial Intelligence
Turns out the C-suite loves shadow AI - Help Net Security
Companies built AI into core systems before figuring out how to govern it - Help Net Security
When your biggest security risk has never signed a contract | Computer Weekly
Bosses blinded by confidence about shadow AI use by workers
The AI Phishing Revolution - IT Security Guru
ECB convenes banks over AI cybersecurity risks from Mythos
AI guardrails stripped from Meta and Google models in minutes
European AI adoption hits 99% with regulated data driving most policy violations - Help Net Security
GCHQ draws up plans for world-first national AI cyber defence system | The Standard
Frontier AI models collapse under multi-turn AI attacks, Cisco finds - Help Net Security
‘SymJack’ Attack Turns AI Coding Agents Into Supply Chain Attack Delivery Systems - SecurityWeek
Defenders Fall Behind, as AI Rewrites the Rules of a Data Breach
Fake Gemini and Claude Code Sites Spread Infostealers - Infosecurity Magazine
The Growing Cybersecurity Risks To The Supply Chain In The AI Era
GPU mining malware spreads via SEO poisoning, AI chatbots
Why AI Could Make Cybersecurity One of the Hottest Jobs in Tech - ClearanceJobs
Cisco used AI to write security incident reports, with mixed results
Nimbus Manticore Expanded Attacks With AI-Assisted Malware and Fake Zoom Installers
Fake ChatGPT and Claude installers on GitHub are dropping Deno RAT malware - Help Net Security
Trump Postpones Signing AI Security Order Over Parts He Disliked
OpenAI heralds cybersecurity, election interference safeguard plans for 2026 midterms | CyberScoop
Anthropic Says a Mythos-Class AI Model Will Be Available Soon - CNET
Bots/Botnets
Canadian Man Arrested for Operating Kimwolf Botnet - SecurityWeek
GlassWorm Botnet Disrupted - SecurityWeek
Careers, Roles, Skills, Working in Cyber and Information Security
Why AI Could Make Cybersecurity One of the Hottest Jobs in Tech - ClearanceJobs
Amid fears of AI killing tech jobs, companies race to fill cybersecurity roles - Sherwood News
One Job That Is Growing in the A.I. Era? Cybersecurity Experts. - The New York Times
Why Burnout in Cybersecurity Demands Risk-Based Response - Infosecurity Magazine
Cloud/SaaS
Microsoft 365 users targeted by new phishing threat that bypasses MFA - Help Net Security
FBI warns about fast-growing phishing kit targeting Microsoft 365 users | CyberScoop
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
GPU mining malware spreads via SEO poisoning, AI chatbots
Jailbroken Gemini helped Russian-speaking fraudster target MAGA crypto users
Inside a Crypto Drainer: How to Spot it Before it Empties Your Wallet
Lazarus Deploys RemotePE Memory-Only RAT Against Financial and Crypto Firms
Cyber Crime, Organised Crime & Criminal Actors
Ghost hackers: the cybersecurity mystery that nobody has solved | TechCrunch
First VPN Dismantled in Global Takedown Over Use by 25 Ransomware Groups
Dutch authorities dismantle hosting network allegedly used for cyberattacks and disinformation
Canadian Man Arrested for Operating Kimwolf Botnet - SecurityWeek
One Telecom Provider Hosted Most of the Middle East ’s Active C2 Infrastructure
Netherlands seizes 800 servers of hosting firm enabling cyberattacks
Former US execs plead guilty to aiding tech support scammers
Data Breaches/Leaks
Hacker claims to leak massive WhatsApp database before vanishing from forums | Cybernews
Defenders Fall Behind, as AI Rewrites the Rules of a Data Breach
46k plaintext passwords pwned in Myspace93 breach
German hospitals targeted in massive cyberattack
Victims 'violated' after South Staffs Water's data breach - BBC News
OnlyFans mega leak reveals 340M user records, hackers claim | Cybernews
UK luxury car drivers' data may be exposed after Mercedes data leak claim | Cybernews
340 Million OnlyFans Profiles Allegedly Rebuilt from Leaks
Trump Mobile site leaks customer data as phone finally ships
7-Eleven data breach exposes personal information of 185,000 people
DocketWise Data Breach Impacts 143,000 - SecurityWeek
Data Protection
European AI adoption hits 99% with regulated data driving most policy violations - Help Net Security
Data/Digital Sovereignty
How a 900% Surge in Cyberattacks Is Forcing Europe to Rethink Its Tech Sovereignty — UNITED24 Media
Dutch Government just said no to an American firm buying the keys to their digital State
Denial of Service/DoS/DDoS
Why the Surge in DDoS Attacks Should Worry Security Leaders - Infosecurity Magazine
Encryption
Texas AG sues Meta over claims that WhatsApp doesn't provide end-to-end encryption - Ars Technica
‘Q-Day’ could be cybersecurity’s Armageddon | The Week
Apple open-sources quantum-resistant encryption code | CyberScoop
Fraud, Scams and Financial Crime
Jailbroken Gemini helped Russian-speaking fraudster target MAGA crypto users
Inside a Crypto Drainer: How to Spot it Before it Empties Your Wallet
Is your phone bill higher? 200+ Android apps might secretly be stealing money from you - PhoneArena
Thousands of Fake FIFA Domains Target World Cup Fans - Infosecurity Magazine
Security Leaders Should Prepare for World Cup Scams | Security Magazine
Fake Streams, Counterfeit Merch & Scams: How Fraudsters Target F1 Fans - Infosecurity Magazine
Insider Risk and Insider Threats
Turns out the C-suite loves shadow AI - Help Net Security
Bosses blinded by confidence about shadow AI use by workers
Why ‘shadow AI’ could become an expensive headache for businesses
Internet of Things – IoT
This Is Where Your Doorbell Camera's Security Footage Actually Goes
Law Enforcement Action and Take Downs
First VPN Dismantled in Global Takedown Over Use by 25 Ransomware Groups
Admins of Bulletproof Hosting Service Used by Russian Hackers Arrested in Netherlands - SecurityWeek
Dutch authorities dismantle hosting network allegedly used for cyberattacks and disinformation
Netherlands seizes 800 servers of hosting firm enabling cyberattacks
GlassWorm Botnet Disrupted - SecurityWeek
Two arrested for facilitating pro-Russia cyberattacks, violating EU sanctions | NL Times
Romanian Hacker Gets Nearly 5 Years in US Prison Over Network Intrusion
Canadian Man Arrested for Operating Kimwolf Botnet - SecurityWeek
Former US execs plead guilty to aiding tech support scammers
Dutch police arrests suspect linked to Ajax football club hack
Linux and Open Source
A Hacker Group Is Poisoning Open Source Code at an Unprecedented Scale | WIRED
Dirty Frag, Copy Fail, Fragnesia: The start of a worrisome Linux security trend
Hackers Hide Linux Payload Under SSH-Like Filename During Package Installation
Anthropic: Mythos Detected 23,000 Potential Vulnerabilities Across 1,000 OSS Projects - SecurityWeek
Shai-Hulud Hackers TeamPCP: Lucky or Skilled Operators?
China-Linked Hackers Target Southeast Asian Edge Routers With Custom Linux Implant
Malware
‘SymJack’ Attack Turns AI Coding Agents Into Supply Chain Attack Delivery Systems - SecurityWeek
Hackers Hide Linux Payload Under SSH-Like Filename During Package Installation
GPU mining malware spreads via SEO poisoning, AI chatbots
700+ education and tech websites hijacked in huge ClickFix malware campaign | Malwarebytes
Grandoreiro Malware and BTMOB RAT Campaigns Target Windows and Android Users
China-Linked Hackers Target Southeast Asian Edge Routers With Custom Linux Implant
GlassWorm Botnet Disrupted - SecurityWeek
Lazarus Deploys RemotePE Memory-Only RAT Against Financial and Crypto Firms
Fake Gemini and Claude Code Sites Spread Infostealers - Infosecurity Magazine
Fake ChatGPT and Claude installers on GitHub are dropping Deno RAT malware - Help Net Security
Megalodon chums the waters in 5.5K+ GitHub repo poisonings
Packagist Supply Chain Attack Infects 8 Packages Using GitHub-Hosted Linux Malware
TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and CratesIO
Attackers Move Past Typosquatting to Realistic Package Impersonation - Infosecurity Magazine
Shai-Hulud Hackers TeamPCP: Lucky or Skilled Operators?
Nimbus Manticore Expanded Attacks With AI-Assisted Malware and Fake Zoom Installers
FBI director Kash Patel’s brand website taken offline after malware reports
Supply Chain Attack Targets Laravel-Lang Packages with Credential Stealer
MuddyWater Uses DLL Side-Loading in Espionage Campaign Targeting 9 Countries
Iranian APT Targets Aviation, Software Companies With Updated Tools - SecurityWeek
Scammers are Exploiting GTA 6 Hype to Spread Malware | Extremetech
Chinese APTs Share Linux Backdoor in Telco Attacks
Showboat Linux Malware Hits Middle East Telecom with SOCKS5 Proxy Backdoor
Misinformation, Disinformation and Propaganda
Dutch authorities dismantle hosting network allegedly used for cyberattacks and disinformation
Mobile
Grandoreiro Malware and BTMOB RAT Campaigns Target Windows and Android Users
Is your phone bill higher? 200+ Android apps might secretly be stealing money from you - PhoneArena
BTMOB Android RAT Spreads Through No-Code Builder Tooling - Infosecurity Magazine
Outages
Downtime has become a $600 billion business problem - Help Net Security
Passwords, Credential Stuffing & Brute Force Attacks
The Credential Crisis: How Stolen Credentials Defeat Modern Security - SecurityWeek
Why businesses still get password management wrong | TNW Deals
Typed the wrong macOS password? That brief pause isn't a glitch | Macworld
Regulations, Fines and Legislation
ECB convenes banks over AI cybersecurity risks from Mythos
'We cannot regulate cyber threats away,' top lawyer warns
Trump Postpones Signing AI Security Order Over Parts He Disliked
Minister Lloyd cyber security speech at the New Statesman - GOV.UK
Restoring CISA is one issue many lawmakers can agree on | Federal News Network
Shadow IT
Turns out the C-suite loves shadow AI - Help Net Security
Bosses blinded by confidence about shadow AI use by workers
Why ‘shadow AI’ could become an expensive headache for businesses
Social Media
46k plaintext passwords pwned in Myspace93 breach
Software Supply Chain
‘SymJack’ Attack Turns AI Coding Agents Into Supply Chain Attack Delivery Systems - SecurityWeek
A Hacker Group Is Poisoning Open Source Code at an Unprecedented Scale | WIRED
Hackers Hide Linux Payload Under SSH-Like Filename During Package Installation
Over 5,500 GitHub Repositories Infected in 'Megalodon' Supply Chain Attack - SecurityWeek
TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and CratesIO
Megalodon chums the waters in 5.5K+ GitHub repo poisonings
Packagist Supply Chain Attack Infects 8 Packages Using GitHub-Hosted Linux Malware
The Growing Cybersecurity Risks To The Supply Chain In The AI Era
Shai-Hulud Hackers TeamPCP: Lucky or Skilled Operators?
Supply Chain and Third Parties
‘SymJack’ Attack Turns AI Coding Agents Into Supply Chain Attack Delivery Systems - SecurityWeek
The Growing Cybersecurity Risks To The Supply Chain In The AI Era
Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity
Cyber Warfare and Cyber Espionage
UK Spy Chief Warns China Is Closing Cyber Gap With West
Cyber warfare is outpacing global legal accountability - The Hindu
How concerned should CIOs be with geopolitics? | CIO
Nation State Actors
China
UK Spy Chief Warns China Is Closing Cyber Gap With West
Chinese Threat Actors Shift to Live Credential Interception - Infosecurity Magazine
China-Linked Hackers Target Southeast Asian Edge Routers With Custom Linux Implant
Chinese APTs Share Linux Backdoor in Telco Attacks
Showboat Linux Malware Hits Middle East Telecom with SOCKS5 Proxy Backdoor
Russia
Russia 'relentlessly targeting' critical infrastructure, democracy - GCHQ - BBC News
Admins of Bulletproof Hosting Service Used by Russian Hackers Arrested in Netherlands - SecurityWeek
Two arrested for facilitating pro-Russia cyberattacks, violating EU sanctions | NL Times
Experts question Nigel Farage’s Russian phone-hacking claims
North Korea
Lazarus Deploys RemotePE Memory-Only RAT Against Financial and Crypto Firms
Iran
Iranian Hackers Using Fake Job Sites to Breach Defense Firms
Nimbus Manticore Expanded Attacks With AI-Assisted Malware and Fake Zoom Installers
MuddyWater Uses DLL Side-Loading in Espionage Campaign Targeting 9 Countries
Iranian APT Targets Aviation, Software Companies With Updated Tools - SecurityWeek
The LA Metro Attack Wasn't Hacktivism. It Was a State Operation With a Costume On.
Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence
Ghostwriter Targets Ukraine Government Entities with Prometheus Phishing Malware
How concerned should CIOs be with geopolitics? | CIO
A nation on a hard drive: Inside the rise of digital embassies – POLITICO
Tools and Controls
Security experts caution MFA alone can no longer stop threat actors | CSO Online
Anthropic's Claude Mythos Preview Uncovers 10,000+ 0-Days in Project Glasswing
Microsoft 0-day feud escalates as researcher threatens another Windows exploit dump
MFA Prompt Bombing: Why Your Second Factor Isn't Saving You
Preparing for severe cyber threat: why leaders must act now | National Cyber Security Centre
The Next-Gen Flipper Zero Looks Even More Powerful Than Expected
Project Glasswing by Anthropic didn't just find the bugs. It also found the real vuln | Ctech
Why businesses still get password management wrong | TNW Deals
Why Burnout in Cybersecurity Demands Risk-Based Response - Infosecurity Magazine
Cybersecurity Evolution: Perimeter Defense to AI-Native Security
Apple open-sources quantum-resistant encryption code | CyberScoop
European AI adoption hits 99% with regulated data driving most policy violations - Help Net Security
Amid fears of AI killing tech jobs, companies race to fill cybersecurity roles - Sherwood News
One Job That Is Growing in the A.I. Era? Cybersecurity Experts. - The New York Times
Cisco used AI to write security incident reports, with mixed results
Anthropic adds 28 security and compliance integrations for Claude - Help Net Security
For CISOs, dawn of OpenAI Daybreak brings good and bad news | TechTarget
Claude now reviews and fixes vulnerabilities as you write code - Help Net Security
Other News
Tech giants need oversight to protect national security
Farage under mounting pressure to prove Russian hack claim | Nigel Farage | The Guardian
Water, the Soft Underbelly of Critical Infrastructure
OT attacks shift from recon to physical control, raising stakes | TechTarget
A nation on a hard drive: Inside the rise of digital embassies – POLITICO
Cyber attacks are ‘inevitable’, warns NHS comms lead | PR Week UK
Experts question Nigel Farage’s Russian phone-hacking claims
Scottish social enterprise supports national cyber efforts | Computer Weekly
Vulnerability Management
Anthropic's Claude Mythos Preview Uncovers 10,000+ 0-Days in Project Glasswing
Microsoft Slams Public Zero-Day Disclosures Amid GitHub Researcher Account Removal
Microsoft Threatens Researcher Over Bug Reports, Triggers Cybersecurity Uproar
Three-Quarters of Firms Knowingly Ship Vulnerable Code, Says Checkmarx - Infosecurity Magazine
NIST’s CVE Shift Raises the Bar for Vulnerability Prioritization | perspective | MSSP Alert
Why some security fixes never reach your vulnerability dashboard | CSO Online
Verizon 2026 DBIR: 6 key takeaways for CISOs | TechTarget
Project Glasswing by Anthropic didn't just find the bugs. It also found the real vuln | Ctech
Anthropic to release Mythos-class models to the public
Why CISA Accepting KEV Nominations Is So Important | Security Magazine
Cisco refines its risk-based vulnerability disclosure for the AI era - Help Net Security
Vulnerabilities
Microsoft patches two zero-day flaws in Defender | CSO Online
SharePoint Has a New RCE Flaw. If You Haven't Patched Yet, Go Do That.
LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root
Drupal Vulnerability in Hacker Crosshairs Shortly After Disclosure - SecurityWeek
CVE-2026-9082: Drupal's Highly Critical SQL Injection Flaw Is Already Under Active Attack
Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer
Ghost CMS CVE-2026-26980 Exploited to Hijack 700+ Sites for ClickFix Attacks
700+ education and tech websites hijacked in huge ClickFix malware campaign | Malwarebytes
Gitea Vulnerability Exposed 30,000 Deployments to Attacks - SecurityWeek
New Gogs 0-Day Vulnerability Lets Attackers Run Malicious Code on the Server Remotely
KnowledgeDeliver flaw exploited as a zero-day to install web shells
Dirty Frag, Copy Fail, Fragnesia: The start of a worrisome Linux security trend
Notepad++ fixes critical vulnerabilities that can lead to malware | Cybernews
Trend Micro warns of Apex One zero-day exploited in the wild
Ubiquiti patches three max severity UniFi OS vulnerabilities
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
Automotive
Construction
Critical National Infrastructure (CNI)
Defence & Space
Education & Academia
Energy & Utilities
Estate Agencies
Financial Services
FinTech
Food & Agriculture
Gaming & Gambling
Government & Public Sector (including Law Enforcement)
Health/Medical/Pharma
Hotels & Hospitality
Insurance
Legal
Manufacturing
Maritime & Shipping
Oil, Gas & Mining
OT, ICS, IIoT, SCADA & Cyber-Physical Systems
Retail & eCommerce
Small and Medium Sized Businesses (SMBs)
Startups
Telecoms
Third Sector & Charities
Transport & Aviation
Web3
Contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to external articles are provided for general interest and awareness only. Linking to or reposting external content does not constitute endorsement of or by any organisation, service, or product. We do not control and are not responsible for the content, security, or availability of external websites or links. Full credit is given to the original authors and sources. E&OE.
Black Arrow Cyber Threat Intelligence Briefing 22 May 2026
Black Arrow Cyber Threat Intelligence Briefing 22 May 2026:
-Bank of England, FCA and Treasury Raise Alarm Over Frontier AI
-NCSC Publishes Guidance on Securing Agentic AI Use
-Social Engineering Attacks Are Rising as Employee Data Becomes Easier to Exploit
-Mobile Phishing Is a Bigger Threat than Email Now – How to Stay Protected
-Verizon DBIR 2026: Vulnerability Exploitation Overtakes Credential Theft as Top Breach Vector
-Critical Microsoft Vulnerabilities Doubled: from Exposure to Escalation
-Cyber Attacks Cost UK Businesses £3.7Bn in Litigation in 2025
-Crime Increasingly a ‘Serious Barrier’ to UK Growth, Say Business Leaders
-Cyber Resilience is the New Business Continuity Plan
-Cyber Threats Push SMBs to Spend More on Security
-When Compliance Isn’t Continuous, That’s a Security Risk
-Taking Care of Business: The CISO’s Role in a Cyber Crisis
-Four Incident Response Mistakes That Slow Recovery and Raise Breach Costs
Welcome to this week’s Black Arrow Cyber Threat Intelligence Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Executive Summary
Authorities in the UK have warned organisations about the cyber risks of AI, both because it has elevated the risks of an attack and the internal risks when used by organisations in their operations. While AI presents new risks, attackers are also advancing their use of more established tactics, from social engineering to exploiting vulnerabilities.
Research this week highlights the effects of cyber attacks, through the financial costs to organisations and the damage to business growth. In response, business leaders are focusing on their resilience to a cyber incident, including their business continuity plans. We highlight that, for organisations with regulatory requirements, compliance must be continuous.
We also discuss how resilience is played out in the way organisations respond to a cyber incident, and the role of a CISO in helping the business leadership team to manage the effect of an incident throughout the organisation. We describe how preparation for a cyber incident is essential, and some mistakes to avoid. Contact us to discuss how we support organisations like yours to lay the foundations to manage a cyber incident more confidently.
Top Cyber Stories of the Last Week
Bank of England, FCA and Treasury Raise Alarm Over Frontier AI
The Bank of England, FCA and Treasury have warned UK financial services firms to strengthen cyber security controls as frontier AI (advanced AI systems at the cutting edge of capability) increases the speed, scale and cost efficiency of attacks. The authorities said current models can already exceed what a skilled practitioner could achieve, raising risks to customers, market integrity and financial stability. Boards are expected to understand the threat, invest in core defences, manage supplier risk, fix weaknesses quickly, protect data and access, and improve response and recovery planning.
https://www.infosecurity-magazine.com/news/bank-england-fca-treasury-alarm/
NCSC Publishes Guidance on Securing Agentic AI Use
The UK’s NCSC has issued new guidance on the safe use of agentic AI, meaning AI systems that can act with a degree of independence. Developed with partners in Australia, Canada, the US and New Zealand, the guidance warns that poorly controlled AI agents could access too much data, make decisions faster than people can review, or behave unpredictably. Organisations are advised to start with tightly controlled pilots, limit access to only what is necessary, monitor activity closely and ensure clear ownership, human oversight and incident response plans before wider deployment.
https://www.infosecurity-magazine.com/news/ncsc-publishes-guidance-securing/
Social Engineering Attacks Are Rising as Employee Data Becomes Easier to Exploit
Optery reports that targeted social engineering is rising, with 96% of cyber security leaders seeing an increase over the past year. Attackers are using legitimate data brokers and people search sites to find employee details, such as personal phone numbers, email addresses, job roles and home addresses, making impersonation more convincing across email, calls, texts and social media. Nearly three quarters reported credential compromise linked to these attacks, while IT and identity teams were targeted more often than executives. The research found that organisations are increasingly prioritising reduction of exposed employee data, with around 60% already using this approach and a third identifying it as a top investment priority.
Mobile Phishing Is a Bigger Threat than Email Now – How to Stay Protected
Verizon’s latest data breach research shows attackers are increasingly moving from email to mobile channels such as text messages and phone calls. Based on more than 31,000 incidents and 22,000 confirmed breaches, phone-based phishing was around 40% more effective than email in simulations. Human involvement featured in 62% of breaches, while exploitation of software weaknesses rose to 31% of initial entry points. The report also highlights growing risks from unapproved AI use, with 67% of employees using personal AI accounts on company devices.
https://www.zdnet.com/article/mobile-phishing-is-a-bigger-threat-than-email-now/
Verizon DBIR 2026: Vulnerability Exploitation Overtakes Credential Theft as Top Breach Vector
Verizon’s 2026 DBIR found that exploiting unpatched vulnerabilities became the leading cause of data breaches in 2025, accounting for 31% of cases across more than 22,000 confirmed breaches. Credential abuse fell to 13%, while ransomware appeared in 48% of breaches. Patching performance also worsened, with the median time to fully fix flaws rising to 43 days. Third parties were involved in 48% of breaches, highlighting the growing risk from suppliers and cloud services. The findings underscore the urgency of prioritising vulnerability remediation and strengthening core security practices, as attack speeds increase and exposure expands through third-party and cloud dependencies.
Critical Microsoft Vulnerabilities Doubled: from Exposure to Escalation
Microsoft disclosed 1,273 vulnerabilities in 2025, and critical weaknesses doubled from 78 to 157. The sharpest concern is in cloud and business platforms, where critical issues in Azure and Dynamics 365 rose from 4 to 37. Microsoft Office also saw a 234% rise in vulnerabilities, increasing the risk of staff being targeted through everyday documents and emails. The findings highlight that while patching remains essential, excessive privilege and weak identity controls are enabling attackers to escalate access and extend impact across systems and cloud environments.
Cyber Attacks Cost UK Businesses £3.7Bn in Litigation in 2025
Gallagher and the independent economic research consultancy CEBR estimate that cyber attacks cost large UK businesses £11.7bn in 2025, with shareholder litigation accounting for £3.7bn and disrupted trading a further £5.4bn. Reputational damage added £573m, alongside £339m in lost customer goodwill. 88% of large UK businesses have cyber insurance, however only 59% are insured for third-party legal claims and fewer than half for regulatory fines or GDPR penalties, leaving boards exposed to costs that can continue long after systems are restored.
Crime Increasingly a ‘Serious Barrier’ to UK Growth, Say Business Leaders
The British Chambers of Commerce reports that cyber attacks are contributing to rising crime levels that are increasingly affecting UK business growth. In a survey of 1,411 firms, 21% experienced cyber attacks in the past year, alongside wider fraud and scam activity. High-profile incidents involving major UK brands demonstrate the scale of potential impact, with significant financial losses and operational disruption. The findings highlight that cyber threats are not only a security issue but a wider economic risk, requiring sustained investment and stronger support to improve business resilience and reduce disruption to growth.
https://www.theguardian.com/uk-news/2026/may/17/crime-serious-barrier-uk-growth-business-leaders
Cyber Resilience is the New Business Continuity Plan
Cyber resilience is becoming central to business continuity as disruption increasingly affects operations, customers, compliance and suppliers at the same time. Security incidents, cloud outages, identity compromise and supplier failures can quickly spread across connected systems. Effective continuity planning now depends on understanding the organisation’s most critical processes, the systems and suppliers they rely on, and how quickly they must recover. Plans should be tested against realistic scenarios, including ransomware and cloud failure, to ensure critical operations can continue when key systems or data cannot be fully trusted.
https://www.securityweek.com/cyber-resilience-is-the-new-business-continuity-plan/
Cyber Threats Push SMBs to Spend More on Security
Global market research and advisory firm IDC has found that 60% of small and medium sized businesses expect to increase cyber security spending over the next 12 months as threats increase and AI adoption accelerates. However, many remain reactive, with informal security ownership, limited planning and gaps in staff training. Nearly half say keeping up with new threats is their biggest concern, while 84% of micro businesses and 65% of small businesses are unprepared or only taking early steps to manage AI related risks, including more convincing phishing and deepfake scams.
https://www.helpnetsecurity.com/2026/05/21/idc-smbs-cybersecurity-spending-report/
When Compliance Isn’t Continuous, That’s a Security Risk
Manual governance, risk and compliance (GRC) processes are becoming a growing security risk as organisations struggle to keep pace with regulation. While 95% have introduced some automation, only 4% have fully automated the process. The burden is significant, with 83% of security leaders reporting delays from manual tasks and 58% spending over 2,000 hours a year collecting evidence. With 72% managing six or more compliance frameworks, delayed control testing and policy updates can leave leadership with an outdated view of cyber security risk, reinforcing the need for continuous monitoring of controls.
https://www.scworld.com/perspective/when-compliance-isnt-continuous-thats-a-security-risk
Taking Care of Business: The CISO’s Role in a Cyber Crisis
In a cyber crisis, the CISO’s role expands beyond managing the immediate response to helping the whole organisation protect operations, reputation and trust. Effective preparation means having clear escalation routes, tested crisis plans, defined responsibilities and joined-up communications across legal, compliance, HR, PR, business continuity and recovery teams. During and after a major incident, CISOs must translate complex security issues into business impact, support evidence gathering and regulatory obligations, guide recovery and ensure lessons learned strengthen future resilience.
Four Incident Response Mistakes That Slow Recovery and Raise Breach Costs
Organisations can lose valuable time and face higher breach costs when incident response plans are unclear, untested or disconnected from legal, insurance and specialist response teams. Common mistakes include negotiating supplier contracts during a crisis, taking rushed actions that destroy evidence, failing to involve legal advisers early, and overlooking cyber insurance notification requirements. These gaps can delay containment, prolong business disruption and increase legal or financial exposure. Regularly tested plans, agreed response roles and pre-arranged expert support help organisations recover faster while preserving critical evidence.
Governance, Risk and Compliance
Gallagher warns cyber-related litigation likely to increase - Insurance Post
Crime increasingly a ‘serious barrier’ to UK growth, say business leaders | Crime | The Guardian
Cyber threats push SMBs to spend more on security - Help Net Security
PYMNTS | WEF Says Cybersecurity Has Become Economic Priority
Boulevard of Broken Dreams: 2 Decades of Cyber Fails
Cyber Resilience is the New Business Continuity Plan - SecurityWeek
Taking care of business: The CISO's role in a cyber crisis | TechTarget
When compliance isn’t continuous, that’s a security risk | perspective | SC Media
Communicating cyber risk in dollars boards understand - Help Net Security
Threats
Ransomware, Extortion and Destructive Attacks
When ransomware gets physical: cybercriminals turn to threats of violence
The economics of ransomware 3.0 | CSO Online
Instructure cyberattack reignites ransom payment debate | TechTarget
When ransomware hits, confidence doesn’t restore endpoints - Help Net Security
The Gentlemen Ransomware Attacks Windows, Linux, NAS, BSD, and ESXi Attacks
ISMG Editors: Should We Trust Ransomware Gangs?
Cybercrime service disrupted for abusing Microsoft platform to sign malware
Microsoft disrupts alleged malware-signing operation used by ransomware gangs
Cybersecurity Breaches Survey: Why Phishing Now Beats Ransomware – And What To D... | SC Media UK
Ransomware and Destructive Attack Victims
JLR records £244m post-tax loss after being hit by tariffs and cyber attack | Autocar
JLR Profit Drops 99 Percent After Cyber-Attack | Silicon UK Tech
M&S profits slump 25% after cyber attack hits sales - Sharecast.com
7-Eleven Data Breach Confirmed After ShinyHunters Ransom Demand - SecurityWeek
Foxconn Confirms Cyberattack, Security Experts Discuss | Security Magazine
Security pros doubt Canvas attackers really deleted stolen student data
Instructure cyberattack reignites ransom payment debate | TechTarget
FBI warns students and staff that ShinyHunters may come knocking after Canvas breach
Phishing & Email Based Attacks
Social engineering attacks are rising as employee data becomes easier to exploit | Biometric Update
Mobile phishing is a bigger threat than email now - how to stay protected | ZDNET
Tycoon2FA hijacks Microsoft 365 accounts via device-code phishing
Public Instagram posts provide raw material for AI phishing campaigns - Help Net Security
Phishing With Real Bait: Company Messaging Tools Reel in Scam Victims
INTERPOL ‘Operation Ramz’ seizes 53 malware, phishing servers
201 arrested in INTERPOL disruption of phishing and fraud networks - Help Net Security
Interpol leads cybercrime crackdown across 13 countries in Middle East, North Africa | CyberScoop
Researchers Warn CypherLoc Scareware Has Targeted Millions of Users - Infosecurity Magazine
Cybersecurity Breaches Survey: Why Phishing Now Beats Ransomware – And What To D... | SC Media UK
The New Phishing Click: How OAuth Consent Bypasses MFA
Other Social Engineering
Social engineering attacks are rising as employee data becomes easier to exploit | Biometric Update
Public Instagram posts provide raw material for AI phishing campaigns - Help Net Security
Attackers bypass traditional security tools with ‘user driven’ attacks - BetaNews
Hackers Bypass Security Tools to Target Users Directly - Infosecurity Magazine
Typosquatting Is No Longer a User Problem. It's a Supply Chain Problem
Phishing With Real Bait: Company Messaging Tools Reel in Scam Victims
Researchers Warn CypherLoc Scareware Has Targeted Millions of Users - Infosecurity Magazine
2FA/MFA
Tycoon2FA hijacks Microsoft 365 accounts via device-code phishing
The New Phishing Click: How OAuth Consent Bypasses MFA
Microsoft is officially killing SMS verification for personal accounts | PCWorld
Artificial Intelligence
Tenable Warns AI Adoption Is Outpacing Governance As Cloud Exposure Risks Surge
Bank of England, FCA and Treasury Raise Alarm Over Frontier AI - Infosecurity Magazine
NCSC Publishes Guidance on Securing Agentic AI Use - Infosecurity Magazine
NCSC Warns Organisations Not To Rush Into Agentic AI
Public Instagram posts provide raw material for AI phishing campaigns - Help Net Security
Four OpenClaw Flaws Enable Data Theft, Privilege Escalation, and Persistence
The Boring Stuff is Dangerous Now
Most Organizations Use AI Agents for Sensitive Security Tasks - Infosecurity Magazine
The dual-threat landscape and evolution of digital workers - SiliconANGLE
AI Raises the Bar on Vulnerability Awareness and Secure-by-Design Soft - Infosecurity Magazine
Cyber Pros Can't Decide If AI Is a Good or a Bad Thing
OpenAI Confirms Security Breach Via TanStack npm Supply Chain Attack - Cyber Security News
TeamPCP hackers advertise Mistral AI code repos for sale
G7 Countries Release AI SBOM Guidance - SecurityWeek
'Claw Chain' OpenClaw Flaws Allow Sandbox Escape, Backdoor Delivery - SecurityWeek
AI infrastructure is cracking under sovereignty demands - Help Net Security
5 Steps to Managing Shadow AI Tools Without Slowing Down Employees
Mythos Proves Potent in Vulnerability Discovery, Less Convincing Elsewhere - SecurityWeek
Anthropic's Mythos is evolving faster than expected, reports AI safety agency | ZDNET
Agentic AI opens the door to identity breach risk - CIR Magazine
ICO Publishes Five-Step Plan to Counter Emerging AI-Powered Attacks - Infosecurity Magazine
AI shrinks vulnerability exploitation window to hours - Help Net Security
Employee’s AI Shortcut Triggers SEC Filing — Boards, Take Note
Trump to sign order on AI oversight as security fears mount among supporters | Tacoma News Tribune
Linus Torvalds admits he has a 'love-hate relationship with AI' | ZDNET
AI can find bugs and flaws, but don't forget the cybersecurity basics
AI is drowning software maintainers in junk security reports - Help Net Security
Agent AI is Coming. Are You Ready?
Bots/Botnets
Russian APT Turla builds long-term access tool with Kazuar Botnet evolution
Careers, Roles, Skills, Working in Cyber and Information Security
Upscale vs. Upskill: The Real Cybersecurity Gap
Cloud/SaaS
Tenable Warns AI Adoption Is Outpacing Governance As Cloud Exposure Risks Surge
Tycoon2FA hijacks Microsoft 365 accounts via device-code phishing
US cyber agency CISA exposed reams of passwords and cloud keys to the open web
Microsoft Self-Service Password Reset abused in Azure data theft attacks
Google Cloud suspended major customer Railway.com without cause, causing outage
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Do fear the Reaper - stealer swipes macOS users' passwords, wallets, then backdoors them
Transit Finance hacked for $1.88 million
FBI: Americans lost over $388 million to scams using crypto ATMs in 2025
Cyber Crime, Organised Crime & Criminal Actors
Crime increasingly a ‘serious barrier’ to UK growth, say business leaders | Crime | The Guardian
When ransomware gets physical: cybercriminals turn to threats of violence
TeamPCP and BreachForums Hackers Running $1,000 Contest for Supply Chain Attacks
B1ack's Stash Marketplace Gives Away 4.6 Million Stolen Credit Cards - SecurityWeek
Fired hacker twins forget to end Teams recording, capture own crimes - Ars Technica
Most dark web activity revolves around a handful of topics - Help Net Security
Data Breaches/Leaks
US cyber agency CISA exposed reams of passwords and cloud keys to the open web
Grafana GitHub Token Breach Led to Codebase Download and Extortion Attempt
OpenAI caught in TanStack npm supply chain chaos after employee devices compromised
Millions Impacted Across Several US Healthcare Data Breaches - SecurityWeek
Gîtes de France cyberattack: 389,000 clients affected in France booking data breach
Data Protection
ICO Publishes Five-Step Plan to Counter Emerging AI-Powered Attacks - Infosecurity Magazine
Data/Digital Sovereignty
AI infrastructure is cracking under sovereignty demands - Help Net Security
Poland builds its own Signal amid security concerns
Encryption
Microsoft backpedals: Edge to stop loading passwords into memory
Fraud, Scams and Financial Crime
B1ack's Stash Marketplace Gives Away 4.6 Million Stolen Credit Cards - SecurityWeek
FBI: Americans lost over $388 million to scams using crypto ATMs in 2025
INTERPOL ‘Operation Ramz’ seizes 53 malware, phishing servers
201 arrested in INTERPOL disruption of phishing and fraud networks - Help Net Security
Interpol leads cybercrime crackdown across 13 countries in Middle East, North Africa | CyberScoop
How AI can trick you into making fake payments - 5 red flags | ZDNET
Identity and Access Management
Agentic AI opens the door to identity breach risk - CIR Magazine
Insider Risk and Insider Threats
Fired hacker twins forget to end Teams recording, capture own crimes - Ars Technica
Law Enforcement Action and Take Downs
INTERPOL ‘Operation Ramz’ seizes 53 malware, phishing servers
201 arrested in INTERPOL disruption of phishing and fraud networks - Help Net Security
Interpol leads cybercrime crackdown across 13 countries in Middle East, North Africa | CyberScoop
Fired hacker twins forget to end Teams recording, capture own crimes - Ars Technica
London's police asked Big Tech for comms data over 700,000 times last year
Linux and Open Source
9-Year-Old Linux Kernel Flaw Enables Root Command Execution on Major Distros
DirtyDecrypt: PoC Released for yet another Linux flaw
Debian 13.5 point release lands with security fixes, bug patches - Help Net Security
Linux kernel flaw opens root-only files to unprivileged users
Exploit released for new PinTheft Arch Linux root escalation flaw
Malware
Do fear the Reaper - stealer swipes macOS users' passwords, wallets, then backdoors them
Cybercrime service disrupted for abusing Microsoft platform to sign malware
Microsoft disrupts alleged malware-signing operation used by ransomware gangs
Gremlin Stealer Evolves into Modular Threat - Infosecurity Magazine
Inside the REMUS Infostealer: Session Theft, MaaS, and Rapid Evolution
First Shai-Hulud Worm Clones Emerge - SecurityWeek
Russian APT Turla builds long-term access tool with Kazuar Botnet evolution
TanStack Details Sophisticated npm Supply Chain Attack That Compromised 42 Packages - InfoQ
Four Malicious npm Packages Deliver Infostealers and Phantom Bot DDoS Malware
New Shai-Hulud malware wave compromises 600 npm packages
Over 320 NPM Packages Hit by Fresh Mini Shai-Hulud Supply Chain Attack - SecurityWeek
GitHub confirms breach of 3,800 repos via malicious VSCode extension
Ukraine identifies infostealer operator tied to 28,000 stolen accounts
Mobile
Mobile phishing is a bigger threat than email now - how to stay protected | ZDNET
Google Project Zero Discloses Zero-Click Exploit Chain for Pixel 10 Devices
Android Malware Used Fake Apps to Charge Users in Mass Billing Scam - Infosecurity Magazine
Outages
Alleged Huawei zero-day blamed for the 2025 Luxembourg telecom crash
Passwords, Credential Stuffing & Brute Force Attacks
Do fear the Reaper - stealer swipes macOS users' passwords, wallets, then backdoors them
US cyber agency CISA exposed reams of passwords and cloud keys to the open web
Microsoft backpedals: Edge to stop loading passwords into memory
Microsoft Self-Service Password Reset abused in Azure data theft attacks
You’re using a password manager, but you’re storing everything wrong
Regulations, Fines and Legislation
PYMNTS | UK Bills Target Late Payments and Cybersecurity Threats
MPs want social media treated more like unsafe toys than harmless apps
FCC walks back router update ban before it bricks America's network security
UK: The King’s Speech 2026 – Cybersecurity at the Forefront | DLA Piper - JDSupra
Mozilla warns UK: Breaking VPNs will not magically fix Britain's age-check mess
Trump to sign order on AI oversight as security fears mount among supporters | Tacoma News Tribune
Congress Puts Heat on Instructure After Canvas Outage
UK begins antitrust inquiry into Microsoft's business software ecosystem
Social Media
Public Instagram posts provide raw material for AI phishing campaigns - Help Net Security
MPs want social media treated more like unsafe toys than harmless apps
Software Supply Chain
Supply Chain Security Crisis: Too Many Vulnerabilities, Too Little Visibility - SecurityWeek
TanStack Details Sophisticated npm Supply Chain Attack That Compromised 42 Packages - InfoQ
Four Malicious npm Packages Deliver Infostealers and Phantom Bot DDoS Malware
New Shai-Hulud malware wave compromises 600 npm packages
Developer Workstations Are Now Part of the Software Supply Chain
Grafana GitHub Token Breach Led to Codebase Download and Extortion Attempt
TeamPCP and BreachForums Hackers Running $1,000 Contest for Supply Chain Attacks
Over 320 NPM Packages Hit by Fresh Mini Shai-Hulud Supply Chain Attack - SecurityWeek
GitHub confirms breach of 3,800 repos via malicious VSCode extension
TeamPCP breached GitHub's internal codebase via poisoned VS Code extension - Help Net Security
Supply Chain and Third Parties
Supply Chain Security Crisis: Too Many Vulnerabilities, Too Little Visibility - SecurityWeek
Typosquatting Is No Longer a User Problem. It's a Supply Chain Problem
OpenAI caught in TanStack npm supply chain chaos after employee devices compromised
From exposure to assurance: how data signals are reshaping supply chain security
America’s Next National Security Supply Chain Crisis Is Already Starting
Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity
Cyber Warfare and Cyber Espionage
The Newest Space Race Is Cyber - InfoRiskToday
Fuel Tank Breaches Expand Scope of Iran's Cyber Offensive
Nation State Actors
China
Chinese APTs Expand Targets, Update Backdoors in Recent Campaigns - SecurityWeek
FCC walks back router update ban before it bricks America's network security
Trump warns Taiwan against independence - Gulf Times
Trump says he and Xi discussed cyberattacks and spying between US, China - Nextgov/FCW
Russia
NCSC warns of Russian cyber hijack threat | UKAuthority
Russian APT Turla builds long-term access tool with Kazuar Botnet evolution
Iran
Fuel Tank Breaches Expand Scope of Iran's Cyber Offensive
Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence
FrostyNeighbor Carefully Targets Govt Orgs in Poland, Ukraine
Ghostwriter group resumes attacks on Ukrainian Government targets
Tools and Controls
Q&A: Why Vulnerability Scans Are Giving Businesses a False Sense of Security - IT Security Guru
Most Organizations Use AI Agents for Sensitive Security Tasks - Infosecurity Magazine
Cyber Pros Can't Decide If AI Is a Good or a Bad Thing
AI shrinks vulnerability exploitation window to hours - Help Net Security
AI is drowning software maintainers in junk security reports - Help Net Security
Taking care of business: The CISO's role in a cyber crisis | TechTarget
How AI Hallucinations Are Creating Real Security Risks
Developer Workstations Are Now Part of the Software Supply Chain
Mozilla warns UK: Breaking VPNs will not magically fix Britain's age-check mess
Mythos Proves Potent in Vulnerability Discovery, Less Convincing Elsewhere - SecurityWeek
Microsoft is officially killing SMS verification for personal accounts | PCWorld
When compliance isn’t continuous, that’s a security risk | perspective | SC Media
Four Incident Response Mistakes That Slow Recovery and Raise Breach Costs | native | MSSP Alert
You’re using a password manager, but you’re storing everything wrong
Linus Torvalds admits he has a 'love-hate relationship with AI' | ZDNET
Self-hosting your password vault eliminates the one breach that could lock you out of everything
Reports Published in the Last Week
Government publish the cyber security breaches survey 2025/2026
Attackers bypass traditional security tools with ‘user driven’ attacks - BetaNews
Hackers Bypass Security Tools to Target Users Directly - Infosecurity Magazine
Bridewell CTI Report 2026 - IT Security Guru
Verizon DBIR 2026: What The Experts Are Saying
UK Cyber Security Breaches Survey 2025/2026: Key Takeaways | Alston & Bird - JDSupra
Other News
Cybersecurity Fears Rise Ahead of 2026 FIFA World Cup | EasternEye
Cyber attacks more advanced five years on from HSE breach
Cyber-Enabled Cargo Crime: How Cybercrime Tradecraft is Used to Steal Freight
The End Of The Secret String: Why Cybersecurity Must Move From Hidden Keys To Governed Matter
Vulnerability Management
Q&A: Why Vulnerability Scans Are Giving Businesses a False Sense of Security - IT Security Guru
AI shrinks vulnerability exploitation window to hours - Help Net Security
Critical Microsoft Vulnerabilities Doubled: From Exposure to Escalation
The Boring Stuff is Dangerous Now
AI is drowning software maintainers in junk security reports - Help Net Security
Windows Zero-Day Barrage Continues After Patch Tuesday
Supply Chain Security Crisis: Too Many Vulnerabilities, Too Little Visibility - SecurityWeek
Google's Surge in Chrome Vulnerability Discoveries Likely Driven by AI - SecurityWeek
Microsoft to automatically roll back faulty Windows drivers
Cyber Pros Can't Decide If AI Is a Good or a Bad Thing
AI can find bugs and flaws, but don't forget the cybersecurity basics
HackerOne takes an axe to its bug bounty rewards
Linus Torvalds admits he has a 'love-hate relationship with AI' | ZDNET
Vulnerabilities
Microsoft Patches Exploited UnDefend and RedSun Defender Zero-Days - SecurityWeek
Microsoft Warns of Two Actively Exploited Defender Vulnerabilities
Windows Zero-Day Barrage Continues After Patch Tuesday
CVE-2026-42897: Microsoft confirms active exploitation of Exchange Server zero-day
Microsoft rejects critical Azure vulnerability report, no CVE issued
New Windows 'MiniPlasma' zero-day exploit gives SYSTEM access, PoC released
Unpatched Windows zero-day from 2020 gives hackers full system access | PCWorld
Cisco warns of an actively exploited SD-WAN flaw with max severity | CSO Online
Cisco Patches CVSS 10.0 Secure Workload REST API Flaw Enabling Data Access
Hackers bypass SonicWall VPN MFA due to incomplete patching
Attackers are bypassing MFA on SonicWall VPNs because something was wrong with previous fix
The 4th Linux kernel flaw this month can lead to stolen SSH host keys | ZDNET
Critical Linux Kernel Flaw 'ssh-keysign-pwn' Exposes SSH Keys and Shadow Passwords
Exploit available for new DirtyDecrypt Linux root escalation flaw
Exploitation of Critical NGINX Vulnerability Begins - SecurityWeek
Ivanti, Fortinet, SAP, VMware, n8n Patch RCE, SQL Injection, Privilege Escalation Flaws
Security Researchers, Aided By Anthropic's Mythos, Claim To Have Breached macOS
Max-severity flaw in ChromaDB for AI apps allows server hijacking
Debian 13.5 point release lands with security fixes, bug patches - Help Net Security
Dell confirms its SupportAssist software causes Windows BSOD crashes
Chrome 148 Update Patches Critical Vulnerabilities - SecurityWeek
Google Project Zero Discloses Zero-Click Exploit Chain for Pixel 10 Devices
This Chrome flaw could hand hackers the keys to your browser
Google accidentally exposed details of unfixed Chromium flaw
Four OpenClaw Flaws Enable Data Theft, Privilege Escalation, and Persistence
'Claw Chain' OpenClaw Flaws Allow Sandbox Escape, Backdoor Delivery - SecurityWeek
TrendAI Patches Apex One Zero-Day Exploited in the Wild - SecurityWeek
Critical Wordpress Plugin Vulnerability Exposes Websites to Authentication Bypass Attacks
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
Automotive
Construction
Critical National Infrastructure (CNI)
Defence & Space
Education & Academia
Energy & Utilities
Estate Agencies
Financial Services
FinTech
Food & Agriculture
Gaming & Gambling
Government & Public Sector (including Law Enforcement)
Health/Medical/Pharma
Hotels & Hospitality
Insurance
Legal
Manufacturing
Maritime & Shipping
Oil, Gas & Mining
OT, ICS, IIoT, SCADA & Cyber-Physical Systems
Retail & eCommerce
Small and Medium Sized Businesses (SMBs)
Startups
Telecoms
Third Sector & Charities
Transport & Aviation
Web3
Contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to external articles are provided for general interest and awareness only. Linking to or reposting external content does not constitute endorsement of or by any organisation, service, or product. We do not control and are not responsible for the content, security, or availability of external websites or links. Full credit is given to the original authors and sources. E&OE.
Black Arrow Cyber Threat Intelligence Briefing 15 May 2026
Black Arrow Cyber Threat Intelligence Briefing 15 May 2026:
-Vibe Coding Is Causing ‘Thousands’ of Data Security Vulnerabilities
-NCSC and International Partners Warn of Agentic AI Risks
-Why Agentic AI Is Security's Next Blind Spot
-Over Half of MSPs Admit to Being Breached Multiple Times in Past Year
-Businesses Ask Non-Specialist Employees to Take On Cyber Security Tasks
-Poor Employee Awareness and Skills Gap Drive Cyber Security Breaches
-Increase in Email Attacks Driven by AI and Phishing-as-a-Service
-QR Code Phishing Was ‘Fastest-Growing’ Form of Email Attacks in Q1, Reports Microsoft Threat Intelligence
-Cyber Crime Increasingly Coming with Threats of Physical Violence
-The Evolution of Cyber Risk: Addressing Geopolitical Threats
-Europe Is Moving to Block Microsoft, Amazon, and Google from Handling Government Health, Financial, and Legal Data
-Britons Build ‘Emergency Stashes’ as Fears over Cyber-Attacks and Power Cuts Grow
-AI Cyber Attack Threatens Global Financial Crisis, Warns International Monetary Fund
Welcome to this week’s Black Arrow Cyber Threat Intelligence Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Executive Summary
This week’s review of cyber security in the specialist and general media highlights the growing challenge of managing cyber risks due to AI alongside existing security practices. We consider the rapid emergence of agentic and AI-enabled capabilities that are expanding attack surfaces, introducing new vulnerabilities, and accelerating the scale and effectiveness of threats such as phishing and automated exploitation.
Alongside this, the human factor remains central. Social engineering and credential-based attacks continue to be primary entry points, and separately some organisations are allocating cyber risk management responsibilities to employees without training.
We include a report on cyber breaches affecting managed service providers (MSPs) and how economic pressure is influencing how organisations prioritise cyber security, even as breach rates and exposure continue to rise.
At Black Arrow, we consistently see that resilience depends on the organisation’s leadership and governance to align security across people, processes and technology. This week’s themes reinforce the need for organisations to take a balanced and pragmatic approach that evolves with both technological change and the broader threat landscape. Contact us to discuss how to achieve this.
Top Cyber Stories of the Last Week
Vibe Coding Is Causing ‘Thousands’ of Data Security Vulnerabilities
Research into AI-built web applications has raised concerns about how quickly new tools can create business risk when security is not built in from the start. RedAccess reported finding 5,000 web apps created with AI development platforms that had little or no access protection, with 40% allegedly exposing sensitive information such as personal data, financial records and business plans. Several platform providers disputed parts of the findings, saying they lacked enough detail to verify the claims, but the issue highlights the need for governance over AI-created software.
NCSC and International Partners Warn of Agentic AI Risks
The UK’s NCSC and international partners have warned that agentic AI, which can act independently across systems and data, brings new risks for organisations. While it can help automate routine tasks, it may also behave unpredictably, expose connected systems to greater risk, or create uncertainty over accountability when things go wrong. The guidance recommends starting with low-risk uses, applying strict access controls, maintaining human oversight, and monitoring activity closely. Until standards mature, organisations should plan for resilience, containment, and the ability to reverse AI-driven actions quickly.
https://www.ukauthority.com/articles/ncsc-and-international-partners-warns-of-agentic-ai-risks
Why Agentic AI Is Security's Next Blind Spot
Agentic AI is already being used in many organisations to automate tasks, access data and take actions, often without security team involvement. The main risk is not the technology itself, but a lack of understanding and control over how these tools are built, what systems they can access and what actions they can take. As teams across the organisation create their own AI agents, permissions can quickly become too broad. Careful configuration, clear ownership and early security involvement are essential to limit exposure while still enabling useful innovation.
https://thehackernews.com/2026/05/why-agentic-ai-is-securitys-next-blind.html
Over Half of MSPs Admit to Being Breached Multiple Times in Past Year
CyberSmart’s 2026 MSP Survey shows that economic pressure is pushing cyber security down the agenda for many smaller businesses, with 46% of MSP customers more focused on rising costs and inflation than cyber risks. This comes despite 75% of MSPs reporting at least one breach in the past year, including 54% breached more than once. AI-enabled threats remain MSPs’ top concern at 49%. The findings indicate that economic pressure is influencing how organisations prioritise cyber security, despite continued exposure to repeated breaches and rising threat levels.
Businesses Ask Non-Specialist Employees to Take On Cyber Security Tasks
Small and medium sized organisations are increasingly relying on non-specialist staff to help manage cyber security, often without clear roles or limited training. Research commissioned by Uswitch Business Broadband found 43% of UK businesses reported a cyber security breach or attack in 2025, while over a third of employees with cyber security responsibilities said this was not part of their original job description. Training gaps remain significant, with 45% receiving only basic training and 16% receiving none. Nearly two-thirds said they had felt out of their depth at least sometimes, indicating gaps in capability as cyber security responsibilities extend beyond specialist roles.
Poor Employee Awareness and Skills Gap Drive Cyber Security Breaches
Fortinet reports that poor employee awareness remains a major factor in security incidents, cited by 56% of cyber security and IT leaders, while 54% point to a shortage of trained professionals. Familiar attack methods continue to dominate, including malware at 39%, phishing at 36% and password-related breaches at 30%. Although 73% of organisations now see cyber security as a critical priority, only 59% dedicate sufficient budget. The impact is rising, with 52% reporting average losses from cyber incidents of more than $1 million.
https://petri.com/employee-awareness-skills-gap-cybersecurity-breaches/
Increase in Email Attacks Driven by AI and Phishing-as-a-Service
Barracuda Networks reports that AI-assisted deception and ready-made phishing services are increasing both the scale and success of email attacks. Analysis of more than 3.1 billion emails in January 2026 found that one in three messages were malicious or unwanted spam, with phishing making up 48% of malicious email activity. Attackers are increasingly using links and QR codes hidden in trusted document formats, with 70% of malicious PDFs containing QR codes leading to phishing websites. Account takeover also remains a frequent risk, affecting 34% of organisations at least monthly.
https://betanews.com/article/increase-in-email-attacks-driven-by-ai-and-phishing-as-a-service/
QR Code Phishing Was ‘Fastest-Growing’ Form of Email Attacks in Q1, Reports Microsoft Threat Intelligence
Microsoft Threat Intelligence reports that email phishing remains a major threat, detecting around 8.3 billion email-based phishing attempts between January and March 2026. QR code phishing was the fastest-growing method, rising from 7.6 million attacks in January to 18.7 million in March, a 146% increase. These attacks hide harmful links inside scannable codes, often in emails or attachments, to steal login details. Attackers also used fake CAPTCHA checks and confidentiality notices to make malicious emails appear more trustworthy.
Cyber Crime Increasingly Coming with Threats of Physical Violence
Cyber criminals are increasingly combining cyber attacks with threats of physical violence to pressure victims into paying. Reported cyber crime in the US reached a record 1,008,597 cases in 2025, with losses rising to $20.8 billion, while UK cyber attacks also hit new highs. Research found that in up to 40% of global ransomware cases, criminals threatened to harm staff, rising to 46% in the US. Attackers are using stolen personal details, including home addresses, to intimidate employees, with some paying others to carry out threats or attacks.
https://www.bbc.co.uk/news/articles/cr71d8vyjv0o
The Evolution of Cyber Risk: Addressing Geopolitical Threats
Geopolitical tensions are reshaping cyber risk, with some attacks now focused on disruption and damage rather than financial gain. IBM has previously estimated that a single data breach can cost more than $4 million, while World Economic Forum research found 65% of respondents see supply chain and third-party weaknesses as their biggest barrier to cyber resilience. As third-party involvement in breaches continues to rise, organisations need tighter control over who can access critical systems, including suppliers and partners, and must plan for incidents where attackers have no incentive to stop.
https://informationsecuritybuzz.com/cyber-risk-addressing-geopolitical-threats/
Europe Is Moving to Block Microsoft, Amazon, and Google from Handling Government Health, Financial, and Legal Data
Europe is considering new rules that could restrict US cloud providers such as Microsoft, Amazon and Google from handling sensitive public sector data, including health, financial and legal records. The proposed Tech Sovereignty Package is aimed at strengthening Europe’s control over critical digital infrastructure and encouraging greater use of European cloud and AI providers. Private companies would remain free to choose their preferred platforms, but the move signals growing concern over reliance on overseas technology suppliers for essential government services.
Britons Build ‘Emergency Stashes’ as Fears over Cyber-Attacks and Power Cuts Grow
New research from Link, the UK’s ATM network, suggests more households are preparing for everyday disruption linked to cyber attacks, power cuts and payment failures. Nearly one in five Britons now keep emergency cash at home, while 47% store tinned food, 49% have battery-powered items such as torches and 37% keep power banks for mobile phones. The trend reflects growing concern that essential services, including electricity, communications and digital payments, may not always be available during a major incident.
https://www.easterneye.biz/uk-emergency-stashes-cyber-attack-fears/
AI Cyber Attack Threatens Global Financial Crisis, Warns International Monetary Fund
The IMF has warned that AI-powered cyber attacks could destabilise the global financial system by disrupting payments, weakening solvency and straining liquidity. The risk is heightened by financial firms’ reliance on shared cloud services, where one weakness can affect many organisations at once. The concern extends beyond banking, as finance, energy, telecoms and public services often depend on the same digital infrastructure. The IMF called for stronger international cooperation, better regulation and greater investment in resilience, including disaster recovery, business continuity and human oversight of AI-enabled security tools.
Governance, Risk and Compliance
Cyber risks top business threats for first time
90% Of SMEs Losing Sleep As Business Risks Rise
Why Cyber Governance Will Define The Next Generation Of Market Leader
The missing cybersecurity leader in small business | CyberScoop
Over Half of MSPs Admit to Being Breached Multiple Times in Past Year - IT Security Guru
Cybersecurity is now where the real heists happen – but are companies ready? - Digital Journal
Poor Employee Awareness and Skills Gap Drive Cybersecurity Breaches
Cybersecurity Without Awareness Is Like Driving Without Knowing The Rules
CISOs: Align cyber risk communication with boardroom psychology | CSO Online
Why Cyber Insurance Faces New AI Liability Risks
Why boards must stop chasing buzzwords | perspective | SC Media
The Critical Cyber Skills Every Security Team Still Needs
Inside the 2026 Cyber Threat Landscape: Data-Driven Security Priorities - Security Boulevard
Cyber cover needs to get explicit as risk evolution continues unchecked
UK government renews calls to sign Cyber Resilience Pledge | Computer Weekly
Threats
Ransomware, Extortion and Destructive Attacks
Ransomware: Over Half of CISOs Would Consider Paying Ransom to Hackers - Infosecurity Magazine
Reviewing the trends in ransomware attacks in 2026 | Securelist
The State of Ransomware - Q1 2026 - Check Point Research
WannaCry, the ransomware attack that changed the history of cybersecurity
90% of ransomware attacks target SMEs: SK shieldus - The Korea Herald
Tables Turned: Gentlemen Ransomware Group Suffers Data Leak
Ransomware and Destructive Attack Victims
Instructure Reaches Ransom Agreement with ShinyHunters to Stop 3.65TB Canvas Leak
Ransomware Group Takes Credit for Trellix Hack - SecurityWeek
International cyber attack disrupts swath of universities and schools - BBC News
ShinyHunters claims nearly 9,000 schools affected by Canvas data breach | EdScoop
RansomHouse says it breached Trellix and exposes internal systems
Lapsus$ dumps Vodafone source code online after failed extortion attempt | Cybernews
Instructure claims hackers returned stolen Canvas data after an extortion standoff | CyberScoop
West Pharmaceutical says hackers stole data, encrypted systems
Foxconn confirms cyberattack after Nitrogen claims Apple, Nvidia data theft
Phishing & Email Based Attacks
Over 500 Organizations Hit in Years-Long Phishing Campaign - SecurityWeek
When the Breach Gets In Through the CEO's Inbox, Not the Firewall - IT Security Guru
Increase in email attacks driven by AI and phishing-as-a-service - BetaNews
Tech Can't Stop These Threats — Your People Can
Other Social Engineering
When the Breach Gets In Through the CEO's Inbox, Not the Firewall - IT Security Guru
Tech Can't Stop These Threats — Your People Can
Signal adds security warnings for social engineering, phishing attacks
Plymouth radio station closes after 'ruthless' cyber attack | Plymouth Live
Artificial Intelligence
NCSC and international partners warns of agentic AI risks | UKAuthority
Artificial Intelligence And The End Of Digital Security As We Know It
Why Agentic AI Is Security's Next Blind Spot
PYMNTS | The End of the Artisanal Hack: How AI Industrialized Cybercr…
Welcome to the vulnpocalypse, as vendors use AI to find bugs and patches multiply like rabbits
Increase in email attacks driven by AI and phishing-as-a-service - BetaNews
Vibe Coding Is Causing ‘Thousands’ of Data Security Vulnerabilities
Prepare for AI-driven patch correction - NCSC | UKAuthority
ECB Urges Banks to Quickly Prepare for AI-Assisted Cyberattacks
Why Cyber Insurance Faces New AI Liability Risks
Claude Code OAuth Tokens Can Be Stolen Through Stealthy MCP Hijacking - SecurityWeek
Claude Code trust prompt can trigger one-click RCE
Flaw in Claude’s Chrome extension allowed ‘any’ other plugin to hijack victims’ AI | CyberScoop
Critical Microsoft 365 Copilot Vulnerabilities Expose sensitive Information
Hackers abuse Google ads, Claude.ai chats to push Mac malware
UK schools blackmailed with sexualised AI deepfakes of pupils, experts warn | The Independent
Ollama vulnerability highlights danger of AI frameworks with unrestricted access | CSO Online
Hugging Face Packages Weaponized With a Single File Tweak
US bank reports itself after AI customer data mishap
Fighting fire with fire: Defending against Mythos-powered cyberattacks | resource | SC Media
What Security Leaders Say About the First AI-Developed Zero-Day Exploit | Security Magazine
White House considers implementing regulations on AI technology | The Jerusalem Post
Experts say Mythos is not a threat, instead it is exposing how vulnerable enterprises already are
AI-Powered Cyberattacks Put MSSPs and SOC Teams Under Pressure | news | MSSP Alert
Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages
Attackers Use Fake OpenAI Model to Push Credential-Stealing Malware - Security Boulevard
Japan’s PM orders cybersecurity review to defend against Anthropic Mythos
Bots/Botnets
NCSC warns of China-linked botnet attacks on UK targets
Careers, Roles, Skills, Working in Cyber and Information Security
The Critical Cyber Skills Every Security Team Still Needs
Computer Misuse Act reform to move forward in National Security Bill | Computer Weekly
AI models are getting better at replacing cybersecurity pros on certain tasks
Cloud/SaaS
'PCPJack' cloud worm hijacks TeamPCP hacker infrastructure - iTnews
After Replacing TeamPCP Malware, 'PCPJack' Steals Cloud Secrets
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Crypto gang member gets 6.5 years for role in $230 million heist
Why a 2017 Linux bug is now a major concern for the crypto industry
Cyber Crime, Organised Crime & Criminal Actors
Cyber-crime increasingly coming with threats of physical violence - BBC News
Cybersecurity is now where the real heists happen – but are companies ready? - Digital Journal
Cybercrime's Human Trafficking Problem - GovInfoSecurity
Kids as young as 8 are groomed into cybercrime through Minecraft and Roblox: Report - Dexerto
Data after the breach: Economics of the dark web | TechTarget
Police Shut Relaunched Crimenetwork Dark Web Marketplace - Infosecurity Magazine
Data Breaches/Leaks
Instructure Reaches Ransom Agreement with ShinyHunters to Stop 3.65TB Canvas Leak
One in four organizations have exposed MySQL databases - BetaNews
US bank reports itself after AI customer data mishap
Data after the breach: Economics of the dark web | TechTarget
UK fines water supplier $1.3M for exposing data of 664k customers
Dutch lab failed security standards before 850K breach | Cybernews
Ransomware Group Takes Credit for Trellix Hack - SecurityWeek
Lapsus$ dumps Vodafone source code online after failed extortion attempt | Cybernews
Tables Turned: Gentlemen Ransomware Group Suffers Data Leak
Zara Data Breach: 197,000 Customers Exposed in Third-Party Security Incident
Škoda Security Incident Exposes Customers Data From Online Shop
Identity security firm SailPoint discloses GitHub repository breach
GemStuffer Abuses 150+ RubyGems to Exfiltrate Scraped U.K. Council Portal Data
West Pharmaceutical says hackers stole data, encrypted systems
Data/Digital Sovereignty
Vietnam to develop domestic cloud so it can ditch risky overseas operators for government workloads
Encryption
New BitUnlocker Downgrade Attack on Windows 11 Allows Access to Encrypted Disks in 5 Minutes
60% of MD5 password hashes are crackable in under an hour
Instagram removed end-to-end encryption for DMs. What should users do?
Meta: Lawsuit Claiming WhatsApp Lacks End-to-End Encryption Is Falling Apart | PCMag
Your iPhone RCS chats with Android are encrypted in iOS 26.5: How to verify E2E is enabled | ZDNET
Apple, Google drag cross-platform texting into the encrypted age
Fraud, Scams and Financial Crime
Silent phone call scam in France: how AI voice theft can steal your identity
How AI job scams are destroying people’s hopes | Job hunting | The Guardian
How to detect AI in fraudulent job applicants - Raconteur
Sri Lanka makes 37 arrests as it raids another scam centre
Signal adds security warnings for social engineering, phishing attacks
Your Android phone is about to get much better at blocking scams - Digital Trends
Identity and Access Management
Why Changing Passwords Doesn’t End an Active Directory Breach
How Stealer Logs Lead to Active Directory Incidents
Insider Risk and Insider Threats
When the Breach Gets In Through the CEO's Inbox, Not the Firewall - IT Security Guru
Tech Can't Stop These Threats — Your People Can
Poor Employee Awareness and Skills Gap Drive Cybersecurity Breaches
Cybersecurity Without Awareness Is Like Driving Without Knowing The Rules
Former govt contractor convicted for wiping dozens of federal databases
Insurance
Why Cyber Insurance Faces New AI Liability Risks
Cyber cover needs to get explicit as risk evolution continues unchecked
77 percent of SMEs don’t understand cyber insurance - BetaNews
Internet of Things – IoT
Police equipment can be tracked via Bluetooth. What about your phone, watch and headphones?
Hacking one shared IoT device (e-scooters, e-bikes, cars, chargers, etc.) to rule them all.
China-linked Yarbo fixes robot mower hacking flaw | Cybernews
Law Enforcement Action and Take Downs
Resurrected 'Crimenetwork' Marketplace Taken Down, Administrator Arrested - SecurityWeek
Crypto gang member gets 6.5 years for role in $230 million heist
Former govt contractor convicted for wiping dozens of federal databases
Sri Lanka makes 37 arrests as it raids another scam centre
Met Police Arrest 173 In Live Facial Recognition Trial | Silicon UK
Linux and Open Source
Dirty Frag is a new Linux bug putting your system at risk - and there's no easy fix yet | ZDNET
Dirty Frag Exploit Poised to Blow Up on Enterprise Linux Distros
Rushed Patches Follow Broken Embargo on Linux Kernel Vulnerabilities - Infosecurity Magazine
Linux is getting a security wake-up call - why it was inevitable and I'm not worried | ZDNET
Why a 2017 Linux bug is now a major concern for the crypto industry
Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise
Malvertising
Hackers abuse Google ads, Claude.ai chats to push Mac malware
Malware is now hiding in Google search ads — here's how to protect yourself
Malware
After Replacing TeamPCP Malware, 'PCPJack' Steals Cloud Secrets
PCPJack Credential Stealer Exploits 5 CVEs to Spread Worm-Like Across Cloud Systems
Mistral AI and TanStack hit in supply chain attack with SLSA-attested malware - Cryptopolitan
Attackers Use Fake OpenAI Model to Push Credential-Stealing Malware - Security Boulevard
Worm rubs out competitor's malware, then takes control
TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms
Official JDownloader site served malware to Windows and Linux users between May 6 and May 7
Fake OpenAI Privacy Filter Repo Hits #1 on Hugging Face, Draws 244K Downloads
Malware crew TeamPCP open-sources its Shai-Hulud worm on GitHub
Hackers abuse Google ads, Claude.ai chats to push Mac malware
Malware is now hiding in Google search ads — here's how to protect yourself
Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise
How Stealer Logs Lead to Active Directory Incidents
PyPI Packages Deliver ZiChatBot Malware via Zulip APIs on Windows and Linux
Official CheckMarx Jenkins package compromised with infostealer
Attackers exploit cPanel CVE-2026-41940 to deploy Filemanager Backdoor
Free OnlyFans Lure Used to Spread Cross-Platform CRPx0 Malware - SecurityWeek
Misinformation, Disinformation and Propaganda
Mobile
Android banking Trojan TrickMo evolves using TON network for C2
Signal adds security warnings for social engineering, phishing attacks
Your Android phone is about to get much better at blocking scams - Digital Trends
Your iPhone RCS chats with Android are encrypted in iOS 26.5: How to verify E2E is enabled | ZDNET
Apple, Google drag cross-platform texting into the encrypted age
Models, Frameworks and Standards
Mapping NIS2 controls to ISO 27001 and NIST CSF for UK SMEs - Security Boulevard
Here’s how NIST is teeing up guidance for securing AI | Federal News Network
What businesses need to know about the update to Cyber Essentials | IT Pro
UK government renews calls to sign Cyber Resilience Pledge | Computer Weekly
Online Safety Act Failing To Deliver “step Change” For Children
Passwords, Credential Stuffing & Brute Force Attacks
Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise
Why Changing Passwords Doesn’t End an Active Directory Breach
60% of MD5 password hashes are crackable in under an hour
Regulations, Fines and Legislation
Computer Misuse Act reform to move forward in National Security Bill | Computer Weekly
2026 Kings Speech - New UK Cyber Security Laws and Broadband Rights for Leaseholders - ISPreview UK
US bank reports itself after AI customer data mishap
UK fines water supplier $1.3M for exposing data of 664k customers
ECB Urges Banks to Quickly Prepare for AI-Assisted Cyberattacks
Online Safety Act Failing To Deliver “step Change” For Children
White House considers implementing regulations on AI technology | The Jerusalem Post
US govt seeks Instructure testimony on massive Canvas cyberattack
Social Media
Instagram removed end-to-end encryption for DMs. What should users do?
Supply Chain and Third Parties
Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages
The Cybersecurity Gap No One Owns: You’re Securing The Wrong Perimeter
Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise
Foxconn confirms cyberattack after Nitrogen claims Apple, Nvidia data theft
Zara Data Breach: 197,000 Customers Exposed in Third-Party Security Incident
GemStuffer Abuses 150+ RubyGems to Exfiltrate Scraped U.K. Council Portal Data
Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity
Cyber Warfare and Cyber Espionage
Understanding the Cyber Security Fallout of Geopolitical Tensions
The Evolution Of Cyber Risk: Addressing Geopolitical Threats
Cyberattacks on Poland's Water Plants: A Blueprint for Hybrid Warfare - Security Affairs
Feds urge greater protection of critical infrastructure from Chinese hacks
Britons Build Emergency Stashes Amid Cyber Attack Fears | EasternEye
“Cyberwar is already in Poland,” Polish deputy prime minister says
AI, Cyberwarfare, and Autonomous Weapons: Inside America’s New Military Strategy
Fresh Handala shenanigans prove Iranian hackers don’t care about any ceasefires | Cybernews
Cyber Espionage Group Targets Aviation Firms to Steal Map Data
Russian Attacks on Polish Water Utilities Use Fear as Weapon
Nation State Actors
Understanding the Cyber Security Fallout of Geopolitical Tensions
The Evolution Of Cyber Risk: Addressing Geopolitical Threats
State-sponsored actors, better known as the friends you don’t want
Britons Build Emergency Stashes Amid Cyber Attack Fears | EasternEye
State-backed hackers hammer Palo Alto firewall zero-day before patch lands
China
NCSC warns of China-linked botnet attacks on UK targets
Feds urge greater protection of critical infrastructure from Chinese hacks
Azerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation
Russia
Cyberattacks on Poland's Water Plants: A Blueprint for Hybrid Warfare - Security Affairs
“Cyberwar is already in Poland,” Polish deputy prime minister says
Russian Attacks on Polish Water Utilities Use Fear as Weapon
Inside Department 4: Russia's secret school for hackers
“Russia is already testing NATO”
Iran
Fresh Handala shenanigans prove Iranian hackers don’t care about any ceasefires | Cybernews
Iran's cyberwar reaches the families of American troops - Asia Times
Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence
Understanding the Cyber Security Fallout of Geopolitical Tensions
The Evolution Of Cyber Risk: Addressing Geopolitical Threats
Tools and Controls
Vibe Coding Is Causing ‘Thousands’ of Data Security Vulnerabilities
Prepare for AI-driven patch correction - NCSC | UKAuthority
CISOs: Align cyber risk communication with boardroom psychology | CSO Online
How Stealer Logs Lead to Active Directory Incidents
Why Cyber Insurance Faces New AI Liability Risks
Cyber cover needs to get explicit as risk evolution continues unchecked
Poor Employee Awareness and Skills Gap Drive Cybersecurity Breaches
Cybersecurity Without Awareness Is Like Driving Without Knowing The Rules
Ollama vulnerability highlights danger of AI frameworks with unrestricted access | CSO Online
Fighting fire with fire: Defending against Mythos-powered cyberattacks | resource | SC Media
Legacy Security Tools Are Failing Data Protection - Infosecurity Magazine
One Missed Threat Per Week: What 25M Alerts Reveal About Low-Severity Risk
The patching treadmill: Why traditional application security is no longer enough | ZDNET
Day Zero Readiness: The Operational Gaps That Break Incident Response
Traditional MDR Is Reaching Its Limit | news | MSSP Alert
Experts say Mythos is not a threat, instead it is exposing how vulnerable enterprises already are
Japan’s PM orders cybersecurity review to defend against Anthropic Mythos
The Browser Is Breaking Your DLP: How Data Slips Past Modern Controls
Is the SOC Obsolete, and We Just Haven’t Admitted It Yet? - SecurityWeek
Daybreak is OpenAI's answer to the AI arms race in cybersecurity | CyberScoop
Your Android phone is about to get much better at blocking scams - Digital Trends
EU says OpenAI offers to open access to cybersecurity model, Anthropic not there yet - CNA
Anthropic’s bug-hunting Mythos was greatest marketing stunt ever, says cURL creator
CISO's guide: How to test an incident response plan | TechTarget
94 percent of cyberattacks use VPNs or residential proxies - BetaNews
Other News
94 percent of cyberattacks use VPNs or residential proxies - BetaNews
Cybercrime's Human Trafficking Problem - GovInfoSecurity
The most dangerous threats to the internet in 2026
Simon Pegg’s Tense 2-Part Cyber-Thriller Returns With a New Nightmare
Construction sector urged to build better cyber security strategies
Germany plans 'active cyberdefence' as online attacks rise - The Economic Times
Taiwan's train cyber-trauma reveals a global system that’s coming off the tracks
Vulnerability Management
Welcome to the vulnpocalypse, as vendors use AI to find bugs and patches multiply like rabbits
Prepare for AI-driven patch correction - NCSC | UKAuthority
Ollama vulnerability highlights danger of AI frameworks with unrestricted access | CSO Online
Experts say Mythos is not a threat, instead it is exposing how vulnerable enterprises already are
The patching treadmill: Why traditional application security is no longer enough | ZDNET
What Security Leaders Say About the First AI-Developed Zero-Day Exploit | Security Magazine
Daybreak is OpenAI's answer to the AI arms race in cybersecurity | CyberScoop
Closed briefing sets stage for House hearing on Anthropic’s Mythos and cyber risks | CyberScoop
Linux is getting a security wake-up call - why it was inevitable and I'm not worried | ZDNET
Vulnerabilities
Microsoft Patch Tuesday May 2026 - 120 Vulnerabilities Fixed, Including 29 Critical RCE Flaws
Microsoft Teams Vulnerability Allows Hackers to Perform Spoofing Attacks
New BitUnlocker Downgrade Attack on Windows 11 Allows Access to Encrypted Disks in 5 Minutes
Microsoft Patches Critical Zero-Click Outlook Vulnerability Threatening Enterprises - SecurityWeek
Microsoft fixes Windows Autopatch bug installing restricted drivers
Windows BitLocker zero-day gives access to protected drives, PoC released
Critical Microsoft 365 Copilot Vulnerabilities Expose sensitive Information
Critical Palo Alto Networks software bug hits exposed firewalls | CSO Online
State-backed hackers hammer Palo Alto firewall zero-day before patch lands
Cisco Patches Another SD-WAN Zero-Day, the Sixth Exploited in 2026 - SecurityWeek
F5 Patches Over 50 Vulnerabilities - SecurityWeek
F5 patches 18-year-old AI-found 'Rift' vulnerability in NGINX web server - iTnews
SAP Patches Critical S/4HANA, Commerce Vulnerabilities - SecurityWeek
Fortinet warns of critical RCE flaws in FortiSandbox and FortiAuthenticator
Dirty Frag is a new Linux bug putting your system at risk - and there's no easy fix yet | ZDNET
New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials
'Dirty Frag' Linux flaw one-ups CopyFail with no patches and public root exploit
Adobe Patches 52 Vulnerabilities in 10 Products - SecurityWeek
Flaw in Claude’s Chrome extension allowed ‘any’ other plugin to hijack victims’ AI | CyberScoop
Apple Patches Dozens of Vulnerabilities in macOS, iOS - SecurityWeek
Apple Alerted to macOS Security Vulnerability Uncovered With AI Tool - MacRumors
Broadcom releases VMware Fusion security update for root access bug
cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor
New critical Exim mailer flaw allows remote code execution
New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution
18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE
18-year-old NGINX vulnerability allows DoS, potential RCE
Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak
Quest KACE SMA flaw CVE-2025-32975: when one unpatched tool opens the door to 60 organizations
Avada Builder Flaws Expose One Million WordPress Sites - Infosecurity Magazine
Bug hunter tracks down three serious MCP database flaws, one left unpatched
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime & Shipping
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
Contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to external articles are provided for general interest and awareness only. Linking to or reposting external content does not constitute endorsement of or by any organisation, service, or product. We do not control and are not responsible for the content, security, or availability of external websites or links. Full credit is given to the original authors and sources. E&OE.
Black Arrow Cyber Threat Intelligence Briefing 08 May 2026
Black Arrow Cyber Threat Intelligence Briefing 08 May 2026:
-Cyber is the Number One Global “People Risk,” Says Marsh
-Employees Are Now More Dangerous to Their Company than External Hackers
-Your Employees Know What Phishing Looks Like. They’re Still Getting Fooled. Here’s Why.
-Nearly Half of Initial Access Attacks Start with One Human Mistake
-86% of Phishing Attacks are AI Driven, KnowBe4 Research Finds
-Phishing Campaign Hits 80+ Orgs Using SimpleHelp and ScreenConnect RMM Tools
-Researchers Discover New All-in-One ‘Bluekit’ Phishing Kit Capable of Bypassing Enterprise 2FA Protocols and Emulating 40+ Global Brands
-MuddyWater Uses Microsoft Teams to Steal Credentials in False Flag Ransomware Attack
-Only One in Nine Ransomware Attacks Is Made Public
-Five Eyes Spook Shops Warn Rapid Rollouts of Agentic AI Are Too Risky
-AI Speeds Flaw Discovery, Forcing Rapid Updates, UK NCSC Warns
-Bank Executives Cite Economy, Cyber Security Risks as Top Concerns
-North Korea Stole 76% of All Crypto Taken in 2026
Welcome to this week’s Black Arrow Cyber Threat Intelligence Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Executive Summary
This week’s review of cyber security in the specialist and general media highlights employees and the risks they bring to their employer’s security. Research cited this week reports that cyber is the top global people risk, including employees sharing sensitive company information when using AI, and employees enabling attacks by falling for phishing emails and other malicious communications. At Black Arrow, we address this in our work with our clients, where we use our expertise and qualifications in HR and cyber security to strengthen the role that employees play in protecting their organisations.
In our review this week, we also look deeper at the evolution of ransomware, including toolkits used by attackers and insights into the prevalence of ransomware attacks. We further highlight the risks and misuse of AI, which has led bank executives to flag cyber security as their top risk.
At Black Arrow, we are consistent in our messaging that cyber security can only be achieved by aligned controls across people, operations and technology, as reinforced by insights from this week’s review. Contact us to discuss how to address this in a pragmatic way.
Top Cyber Stories of the Last Week
Cyber is the Number One Global “People Risk,” Says Marsh
Marsh’s 2026 People Risks report, based on interviews with more than 4,500 HR and risk professionals across 26 markets, ranks cyber related challenges as the leading global people risk. Weak cyber threat awareness, shortages in cyber and AI skills, poor understanding of AI risks and mishandling of data all feature in the top 10 concerns. These issues can increase the likelihood of cyber attacks, disrupt operations, damage trust and slow business progress, while 40% of respondents with effective people risk management initiatives reported improved workforce productivity, and 36% saw faster progress on strategic initiatives such as AI adoption.
https://www.infosecurity-magazine.com/news/cyber-number-one-global-people/
Employees Are Now More Dangerous to Their Company than External Hackers
Orange Cyberdefense reports that internal security risks now account for 57% of incidents, up from 47% in less than a year, overtaking external hacking for the first time. Employee misuse has risen sharply from 29% to 45%, often linked to unapproved tools such as public AI apps where sensitive information may be shared. Staff devices were involved in 53% of incidents, while identity attacks, where criminals use stolen login details, increased from 10% to 17%. Organisations should tighten access controls and multi-factor authentication to help reduce this growing risk.
Your Employees Know What Phishing Looks Like. They’re Still Getting Fooled. Here’s Why.
AI is making phishing emails and messages harder to spot, with 72% of surveyed workers saying attempts are more convincing than a year ago and 66% believing AI could impersonate a colleague. The risk is not simply lack of training. Employees often recognise the warning signs, but still click or respond when rushing, multitasking or working after hours. Nearly 70% check work messages outside normal hours, increasing exposure when attention is lower. Organisations should review response expectations, approval processes and communication habits so staff have clear, normal opportunities to pause and verify unusual requests.
Nearly Half of Initial Access Attacks Start with One Human Mistake
Attackers are continuing to exploit everyday human behaviour, with ClickFix attacks accounting for 47% of initial access incidents observed over the past year. These attacks present users with a fake technical problem, such as a broken verification check or failed update, then guide them into running a harmful command that appears to fix it. The approach requires no advanced flaw or complex exploit, just pressure, trust and a desire to stay productive. For organisations, this highlights the need to treat human risk as a continuous cyber security priority, supported by monitoring for unusual user activity.
86% of Phishing Attacks are AI Driven, KnowBe4 Research Finds
KnowBe4 reports that phishing is becoming more sophisticated, with 86% of attacks now AI driven. Over the past six months, calendar invite phishing rose by 49%, Microsoft Teams attacks increased by 41%, and the use of tools to steal Microsoft 365 login details surged by 139%. Attackers are also moving beyond email, using multiple channels at once and impersonating internal teams, seen in 30% of attacks in early 2026. This highlights a growing need to protect people, collaboration tools and AI systems together.
Phishing Campaign Hits 80+ Orgs Using SimpleHelp and ScreenConnect RMM Tools
A phishing campaign active since at least April 2025 has affected more than 80 organisations, mainly in the US, by tricking victims into installing legitimate remote access tools. The emails impersonated the US Social Security Administration and used compromised websites to avoid basic email filtering. Once installed, the tools gave attackers ongoing access to devices, including the ability to view screens, transfer files and return later. Because the software is legitimate and digitally signed, traditional security tools may not flag the activity as suspicious.
https://thehackernews.com/2026/05/phishing-campaign-hits-80-orgs-using.html
Researchers Discover New All-in-One ‘Bluekit’ Phishing Kit Capable of Bypassing Enterprise 2FA Protocols and Emulating 40+ Global Brands
Bluekit is a new phishing platform that makes it easier for criminals to launch convincing attacks at scale. It can imitate more than 40 global brands, automate campaign setup, alert attackers when data is stolen and use AI to draft tailored phishing emails. More concerningly, it can steal active browser sessions, which may allow attackers to bypass multi-factor authentication by appearing to be a legitimate user. Its rapid development reinforces the value of phishing-resistant authentication, such as hardware security keys, alongside regular staff awareness testing.
MuddyWater Uses Microsoft Teams to Steal Credentials in False Flag Ransomware Attack
Rapid7 has linked a Microsoft Teams based credential theft campaign to Iranian state-backed attackers posing as a ransomware group. The incident used screen sharing and fake IT support tactics to trick staff into revealing passwords and approving multi-factor authentication requests. Rather than encrypting files, the attackers focused on stealing data and keeping long-term access through remote management tools. The case highlights a growing trend where state-linked groups use criminal ransomware brands and widely available cyber crime tools to hide their involvement and slow down response efforts.
https://thehackernews.com/2026/05/muddywater-uses-microsoft-teams-to.html
Only One in Nine Ransomware Attacks Is Made Public
Ransomware appears to be significantly under-reported, with BlackFog identifying 2,160 undisclosed attacks in the first quarter, compared with just 264 publicly disclosed incidents. The average ransom demand exceeded $1 million, with victims across 97 countries. Healthcare was the most targeted sector, accounting for 27% of reported attacks, followed by government and technology. Logistics saw a 200% year-on-year increase. The findings also show that stolen data was involved in 96% of attacks, highlighting the growing risk of sensitive information being taken before disruption is even visible.
https://betanews.com/article/only-one-in-nine-ransomware-attacks-is-made-public/
Five Eyes Spook Shops Warn Rapid Rollouts of Agentic AI Are Too Risky
Five Eyes security agencies (UK, US, Canada, Australia and New Zealand) have warned that rapid adoption of agentic AI, where systems can take actions on behalf of users, could create new risks across critical infrastructure and defence. Their joint guidance highlights 23 risks and more than 100 recommended safeguards, noting that these systems often rely on multiple tools, data sources and permissions. If poorly controlled, they could be exploited to alter contracts, approve payments or delete audit records. Organisations are advised to adopt agentic AI gradually, starting with low-risk tasks and maintaining strong human oversight.
AI Speeds Flaw Discovery, Forcing Rapid Updates, UK NCSC Warns
The UK National Cyber Security Centre (NCSC) has warned that artificial intelligence is accelerating the discovery of weaknesses in software, increasing the likelihood of a surge in urgent security updates. Skilled attackers can now find and exploit flaws faster, creating pressure for organisations to update systems quickly across cloud, supplier and internal technology environments. Priority should be given to internet-facing systems, critical security tools and older technologies that no longer receive updates. Where possible, automatic updates should be enabled, supported by clear risk-based processes to decide what must be fixed first.
Bank Executives Cite Economy, Cyber Security Risks as Top Concerns
Bank executives are increasingly concerned about economic uncertainty and cyber security risk, with IntraFi’s Q1 2026 survey of 409 US bank leaders finding 29% cited cyber security and fraud as their top concern for the year ahead. Many pointed to criminals’ growing use of artificial intelligence, where software can be used to create more convincing scams or automate attacks. A possible economic downturn was also a major worry, cited by 56% as either the biggest or second biggest concern.
North Korea Stole 76% of All Crypto Taken in 2026
North Korea-linked hackers accounted for 76% of all cryptocurrency stolen by cyber criminals in 2026 up to the end of April, according to TRM Labs. Two attacks alone drained $577 million from decentralised finance platforms, despite representing only 3% of recorded incidents. The group has reportedly stolen more than $6 billion from crypto protocols since 2017, with its share of theft rising sharply each year. The incidents highlight the scale and sophistication of long‑planned intrusion activity, as well as weaknesses in complex digital finance platforms.
https://coinmarketcap.com/academy/article/north-korea-crypto-theft-76-percent-2026
Governance, Risk and Compliance
Cyber is the Number One Global “People Risk,” Says Marsh - Infosecurity Magazine
UK business breach rate stuck at 43%... blame the phishing • The Register
Almost half of UK businesses hit by cyber attacks | Computer Weekly
UK Cyber Resilience Plateaus as AI and Supply Chain Risks Rise | SC Media UK
Cyber still dominates global risk thinking – Marsh
Skills Gap Top CISO Concern, Says New SANS Survey
Bank Executives Cite Economy, Cybersecurity Risks as Top Concerns
How CISOs should utilize data security posture management to inform risk | CSO Online
Threats
Ransomware, Extortion and Destructive Attacks
Only one in nine ransomware attacks is made public - BetaNews
Ransomware victims increase 389 percent fueled by AI - BetaNews
Two new extortion crews are speedrunning the Scattered Spider playbook | CyberScoop
Critrical cPanel flaw mass-exploited in "Sorry" ransomware attacks
MuddyWater Uses Microsoft Teams to Steal Credentials in False Flag Ransomware Attack
Iranian cyber espionage disguised as a Chaos Ransomware attack
Qilin Ransomware Enumerates RDP Authentication History on a Compromised Server
Cybersecurity pros jailed for ransomware attacks linked to ALPHV BlackCat | Cybernews
How safe is your money from cyber attack?
Conti, Akira ransomware affiliate given 8-year sentence | The Record from Recorded Future News
Karakurt Ransomware Negotiator Sentenced to Prison - SecurityWeek
Ransom Attacks up, but Payments Headed Down as Cyber Becomes Top of Mind
Five Years On: Lessons Learned From the Colonial Pipeline Cyber-Attack - Infosecurity Magazine
Member Of Russian Ransomware Group Sentenced To Prison – Eurasia Review
Two cybersecurity pros get prison time for helping ransomware gang - Help Net Security
Ransomware and Destructive Attack Victims
Five Years On: Lessons Learned From the Colonial Pipeline Cyber-Attack - Infosecurity Magazine
Instructure confirms data breach, ShinyHunters claims attack
Edtech Firm Instructure Discloses Data Breach Amid Hacker Leak Threats - SecurityWeek
Sandhills Medical Says Ransomware Breach Affects 170,000 - SecurityWeek
Cushman & Wakefield confirms vishing cyberattack
DOJ says ransomware gang tapped into Russian government databases | TechCrunch
Phishing & Email Based Attacks
86% of Phishing Attacks are AI Driven, KnowBe4 Research Finds - IT Security Guru
Cyber is the Number One Global “People Risk,” Says Marsh - Infosecurity Magazine
Email threat landscape: Q1 2026 trends and insights | Microsoft Security Blog
Phishing Campaign Hits 80+ Orgs Using SimpleHelp and ScreenConnect RMM Tools
ConsentFix v3 Automates OAuth Abuse to Bypass MFA and Hijack Azure Accounts - Security Boulevard
Attackers Deploy AiTM Phishing Pages to Access SharePoint, HubSpot, and Google Workspace
Microsoft Flags Mass Phishing Campaign Using Fake Compliance Emails - Infosecurity Magazine
The Mimecast Portal BEC risk: how attackers stay in the inbox after a password reset | TechFinitive
30,000 Facebook Accounts Hacked via Google AppSheet Phishing Campaign
Fake SSA Emails Drive Venomous#Helper Phishing Campaign - Infosecurity Magazine
Attackers Abuse Amazon SES to Send Authenticated Phishing Emails That Bypass Security
Education Sector Under Attack From State Espionage, Spear-Phishing, and Supply Chain Attacks
Business Email Compromise (BEC)/Email Account Compromise (EAC)
The Mimecast Portal BEC risk: how attackers stay in the inbox after a password reset | TechFinitive
Other Social Engineering
Cyber is the Number One Global “People Risk,” Says Marsh - Infosecurity Magazine
ConsentFix v3 Automates OAuth Abuse to Bypass MFA and Hijack Azure Accounts - Security Boulevard
Nearly Half of Initial Access Attacks Start With One Human Mistake | perspective | MSSP Alert
Cybercrime Groups Using Vishing and SSO Abuse in Rapid SaaS Extortion Attacks
Hugging Face, ClawHub Abused for Malware Distribution - SecurityWeek
Fake background remover spreads password-stealing malware | Cybernews
You’ve hired a fraudulent employee. What comes next? | HR Dive
DigiCert breached via malicious screensaver file - Help Net Security
Romance fraudsters fleeced UK victims of £102M in 2025
InstallFix and Claude Code: How Fake Install Pages Lead to Real Compromise | Trend Micro (US)
ClickFix campaign uses fake macOS utilities lures to deliver infostealers | Microsoft Security Blog
Your job search is getting riskier, says LinkedIn - 9 ways to tell real listings from scams | ZDNET
Cushman & Wakefield confirms vishing cyberattack
2FA/MFA
ConsentFix v3 Automates OAuth Abuse to Bypass MFA and Hijack Azure Accounts - Security Boulevard
The Back Door Attackers Know About — and Most Security Teams Still Haven’t Closed
Attacks Abuse Windows Phone Link to Steal Texts & Bypass 2FA
Stealthy malware abuses Microsoft Phone Link to siphon SMS OTPs from enterprise PCs | CSO Online
Artificial Intelligence
Five Eyes warn agentic AI is too dangerous for rapid rollout • The Register
86% of Phishing Attacks are AI Driven, KnowBe4 Research Finds - IT Security Guru
New Bluekit phishing service includes an AI assistant, 40 templates
UK cyber security agency warns of AI-driven 'patch wave' - iTnews
The AI Vulnerability Storm Is Here. Is Your Security Program Breach Ready? - Security Boulevard
AI speeds flaw discovery, forcing rapid updates, UK NCSC warns
AI Adoption Outpaces Safety Policies, Leaving Organizations Exposed - Infosecurity Magazine
Your AI Agents Are Already Inside the Perimeter. Do You Know What They're Doing?
UK Cyber Resilience Plateaus as AI and Supply Chain Risks Rise | SC Media UK
If AI's So Smart, Why Does It Keep Deleting Production Databases?
AI digs up decades of code debt. Patch up. • The Register
Shadow AI risks deepen as 31% of users get no employer training - Help Net Security
We Scanned 1 Million Exposed AI Services. Here's How Bad the Security Actually Is
Malicious OpenClaw DeepSeek Skill Exploits Agentic AI Workflows to Deliver RAT and Stealer
Hugging Face, ClawHub Abused for Malware Distribution - SecurityWeek
How safe is your money from cyber attack?
Cyber talent harder to find as AI reshapes threat landscape - CNA
Europe’s laws ‘ill-equipped’ to deal with superhacking AI, lawmakers warn – POLITICO
Does Anthropic's Claude Mythos break the cyber insurance underwriting model? | Insurance Times
Malicious PyTorch Lightning update hits AI supply chain security
Mythos is 'very heightened risk': JPMorganChase's Jamie Dimon | American Banker
One in four MCP servers opens AI agent security to code execution risk - Help Net Security
British mathematician hands OpenClaw agent a credit card
Why Chrome may have quietly downloaded a 4GB file to your PC - and how to get rid of it | ZDNET
Met Police face criticism for using AI to spy on their own officers - Help Net Security
AI-BOMs replace SBOMs as way to track AI agents and bots • The Register
India orders infosec red alert in case Mythos sparks crime
When AI Starts Making Decisions, Cybersecurity Becomes A Governance Issue | Scoop News
Careers, Roles, Skills, Working in Cyber and Information Security
CISOs step up to the security workforce challenge | CSO Online
Cyber talent harder to find as AI reshapes threat landscape - CNA
Anthropic’s Mythos and the global cybersecurity gap - Rest of World
Skills Gap Top CISO Concern, Says New SANS Survey
Cloud/SaaS
ConsentFix v3 Automates OAuth Abuse to Bypass MFA and Hijack Azure Accounts - Security Boulevard
Cybercrime Groups Using Vishing and SSO Abuse in Rapid SaaS Extortion Attacks
Attackers Deploy AiTM Phishing Pages to Access SharePoint, HubSpot, and Google Workspace
Azure AD Conditional Access Bypassed Through Phantom Device Registration and PRT Abuse
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
North Korea Stole 76% of All Crypto Taken in 2026 | CoinMarketCap
Darkhub Hacking-for-Hire Portal Advertises Crypto Fraud, Message Interception, and Monitoring
Police dismantles 9 crypto scam centers, arrests 276 suspects
Global Crackdown Arrests 276, Shuts 9 Crypto Scam Centers, Seizes $701M
New FEMITBOT Network Uses Telegram Mini Apps to Push Crypto Fraud and Android Malware
Cyber Crime, Organised Crime & Criminal Actors
Darkhub Hacking-for-Hire Portal Advertises Crypto Fraud, Message Interception, and Monitoring
Police dismantles 9 crypto scam centers, arrests 276 suspects
Europol Busts Albanian Scam Call Centers in Major Online Fraud Case - Infosecurity Magazine
French prosecutors link 15-year-old to gov mega-breach • The Register
Data Breaches/Leaks
French prosecutors link 15-year-old to gov mega-breach • The Register
Iran-linked Handala hackers leak US Marines data, send chilling WhatsApp threats
Trellix Source Code Breach Highlights Supply Chain Threats
Instructure hacker claims data theft from 8,800 schools, universities
Police statement 10 months after Glasgow City Council cyber attack | Glasgow Times
A DOD contractor’s API flaw exposed military course data and service member records | CyberScoop
Sandhills Medical Says Ransomware Breach Affects 170,000 - SecurityWeek
Denial of Service/DoS/DDoS
Canonical Says Ubuntu Infrastructure Is Facing Cross-Border DDoS Attack
New Cisco DoS flaw requires manual reboot to revive devices
Encryption
Agent’s claims on WhatsApp access spark security concerns
What to Know About Quantum Computing and Your Cybersecurity Progr
Fraud, Scams and Financial Crime
Romance fraudsters fleeced UK victims of £102M in 2025
Darkhub Hacking-for-Hire Portal Advertises Crypto Fraud, Message Interception, and Monitoring
You’ve hired a fraudulent employee. What comes next? | HR Dive
Police dismantles 9 crypto scam centers, arrests 276 suspects
Europol Busts Albanian Scam Call Centers in Major Online Fraud Case - Infosecurity Magazine
Your job search is getting riskier, says LinkedIn - 9 ways to tell real listings from scams | ZDNET
Insider Risk and Insider Threats
1 in 8 workers say selling company logins is justifiable
You’ve hired a fraudulent employee. What comes next? | HR Dive
Cyber is the Number One Global “People Risk,” Says Marsh - Infosecurity Magazine
Employees are now more dangerous to their company than external hackers | TechRadar
Nearly Half of Initial Access Attacks Start With One Human Mistake | perspective | MSSP Alert
Why Trained Employees Are Still Falling for Phishing Attacks
Insurance
How cyber insurance helped with breach recovery -- or not | TechTarget
Does Anthropic's Claude Mythos break the cyber insurance underwriting model? | Insurance Times
Law Enforcement Action and Take Downs
US ransomware negotiators get 4 years in prison over BlackCat attacks
Police dismantles 9 crypto scam centers, arrests 276 suspects
Europol Busts Albanian Scam Call Centers in Major Online Fraud Case - Infosecurity Magazine
French prosecutors link 15-year-old to gov mega-breach • The Register
A Ransomware Negotiator Was Working for a Ransomware Gang - Schneier on Security
Conti, Akira ransomware affiliate given 8-year sentence | The Record from Recorded Future News
Karakurt Ransomware Negotiator Sentenced to Prison - SecurityWeek
Police statement 10 months after Glasgow City Council cyber attack | Glasgow Times
Member Of Russian Ransomware Group Sentenced To Prison – Eurasia Review
Two cybersecurity pros get prison time for helping ransomware gang - Help Net Security
Russian hacker pleads guilty to cyberattacks on US, Ukrainian oil and gas facilities
Linux and Open Source
The Evolution of Open Source Malware: From Volume to Trust Abuse
Canonical Says Ubuntu Infrastructure Is Facing Cross-Border DDoS Attack
New stealthy Quasar Linux malware targets software developers
Malware
Malicious OpenClaw DeepSeek Skill Exploits Agentic AI Workflows to Deliver RAT and Stealer
Hugging Face, ClawHub Abused for Malware Distribution - SecurityWeek
Stealthy malware abuses Microsoft Phone Link to siphon SMS OTPs from enterprise PCs | CSO Online
Fake background remover spreads password-stealing malware | Cybernews
ClickFix campaign uses fake macOS utilities lures to deliver infostealers | Microsoft Security Blog
New Deep#Door RAT uses stealth and persistence to target Windows
1,800 Hit in Mini Shai-Hulud Attack on SAP, Lightning, Intercom - SecurityWeek
Widely used Daemon Tools disk app backdoored in monthlong supply-chain attack - Ars Technica
The Evolution of Open Source Malware: From Volume to Trust Abuse
New FEMITBOT Network Uses Telegram Mini Apps to Push Crypto Fraud and Android Malware
New stealthy Quasar Linux malware targets software developers
New MicroStealer Malware Actively Attacking Telecom & Education Sectors
China-Linked UAT-8302 Targets Governments Using Shared APT Malware Across Regions
North Korean APT Targets Yanbian Gamers via Trojanized Platform - Infosecurity Magazine
Mobile
Attacks Abuse Windows Phone Link to Steal Texts & Bypass 2FA
Stealthy malware abuses Microsoft Phone Link to siphon SMS OTPs from enterprise PCs | CSO Online
New FEMITBOT Network Uses Telegram Mini Apps to Push Crypto Fraud and Android Malware
Critical Android vulnerability CVE-2026-0073 fixed by Google
Critical Android Zero-Click Vulnerability Grants Remote Shell Access
Passwords, Credential Stuffing & Brute Force Attacks
1 in 8 workers say selling company logins is justifiable
Fake background remover spreads password-stealing malware | Cybernews
The Back Door Attackers Know About — and Most Security Teams Still Haven’t Closed
Microsoft Edge Stores All Saved Passwords in Cleartext Process Memory at Launch
The Passwordless Future Has a Password Problem - Security Boulevard
Syncing passkeys to Google defeats the whole point of passkeys
I'm a cyber security expert - 60% of the public are making this dangerous mistake
Regulations, Fines and Legislation
Europe’s laws ‘ill-equipped’ to deal with superhacking AI, lawmakers warn – POLITICO
Kids can bypass some age checks with a drawn-on mustache • The Register
UK age-gating plans risk breaking the internet, privacy groups warn
Brussels reissues its Huawei warning, and prepares to make it stick
US lists offensive cyberattacks in counterterrorism strategy - Nextgov/FCW
Social Media
30,000 Facebook Accounts Hacked via Google AppSheet Phishing Campaign
Vimeo confirms breach via third-party vendor impacts 119K users
Supply Chain and Third Parties
Widely used Daemon Tools disk app backdoored in monthlong supply-chain attack - Ars Technica
UK Cyber Resilience Plateaus as AI and Supply Chain Risks Rise | SC Media UK
1,800 Hit in Mini Shai-Hulud Attack on SAP, Lightning, Intercom - SecurityWeek
Trellix Source Code Breach Highlights Supply Chain Threats
DigiCert breached via malicious screensaver file - Help Net Security
Vimeo confirms breach via third-party vendor impacts 119K users
A DOD contractor’s API flaw exposed military course data and service member records | CyberScoop
Instructure Breach Exposes Schools' Vendor Dependence
Education Sector Under Attack From State Espionage, Spear-Phishing, and Supply Chain Attacks
Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity
Cyber Warfare and Cyber Espionage
Muddying the Tracks: The State-Sponsored Shadow Behind Chaos Ransomware
MuddyWater hackers use Chaos ransomware as a decoy in attacks
MuddyWater Uses Microsoft Teams to Steal Credentials in False Flag Ransomware Attack
Russian cyberattacks against Ukraine may be considered war crimes - CCD | УНН
War is not just missiles, defence experts warn Britons
How Iranian Cyber Intrusions Unfold Inside Enterprise Networks
Small Defense Firms Lack Network Data to Stop Nation-State Hackers - Infosecurity Magazine
Nation State Actors
Small Defense Firms Lack Network Data to Stop Nation-State Hackers - Infosecurity Magazine
China
FBI: China's hacker-for-hire ecosystem 'out of control' • The Register
China-Linked Hackers Target Asian Governments, NATO State, Journalists, and Activists
Brussels reissues its Huawei warning, and prepares to make it stick
Chinese spy group caught lurking in Poland, Asia networks • The Register
Police dismantles 9 crypto scam centers, arrests 276 suspects
Global Crackdown Arrests 276, Shuts 9 Crypto Scam Centers, Seizes $701M
China-Linked UAT-8302 Targets Governments Using Shared APT Malware Across Regions
EU moves to ban high-risk inverters from China over cybersecurity threats | Euronews
Russia
Russian cyberattacks against Ukraine may be considered war crimes - CCD | УНН
Russian hacker pleads guilty to cyberattacks on US, Ukrainian oil and gas facilities
DOJ says ransomware gang tapped into Russian government databases | TechCrunch
Russia disrupts mobile internet as Kremlin scales back Victory Day parade | The Independent
North Korea
North Korea Stole 76% of All Crypto Taken in 2026 | CoinMarketCap
You’ve hired a fraudulent employee. What comes next? | HR Dive
North Korean APT Targets Yanbian Gamers via Trojanized Platform - Infosecurity Magazine
Iran
Muddying the Tracks: The State-Sponsored Shadow Behind Chaos Ransomware
MuddyWater Uses Microsoft Teams to Steal Credentials in False Flag Ransomware Attack
Iranian cyber espionage disguised as a Chaos Ransomware attack
How Iranian Cyber Intrusions Unfold Inside Enterprise Networks
Iran-linked Handala hackers leak US Marines data, send chilling WhatsApp threats
Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence
FBI: China's hacker-for-hire ecosystem 'out of control' • The Register
Tools and Controls
UK Cyber Resilience Plateaus as AI and Supply Chain Risks Rise | SC Media UK
US ransomware negotiators get 4 years in prison over BlackCat attacks
How cyber insurance helped with breach recovery -- or not | TechTarget
Azure AD Conditional Access Bypassed Through Phantom Device Registration and PRT Abuse
AI digs up decades of code debt. Patch up. • The Register
Phishing Campaign Hits 80+ Orgs Using SimpleHelp and ScreenConnect RMM Tools
RMM Tools Fuel Stealthy Phishing Campaign
Microsoft Defender wrongly flags DigiCert certs as Trojan:Win32/Cerdigent.A!dha
Windows Remote Desktop Leaves Behind Image Fragments Attackers Can Stitch Into Screenshots
Security’s Blind Spot: The Threats Hiding In “Low-Severity” Alerts
The Passwordless Future Has a Password Problem - Security Boulevard
Mythos is 'very heightened risk': JPMorganChase's Jamie Dimon | American Banker
India orders infosec red alert in case Mythos sparks crime
When AI Starts Making Decisions, Cybersecurity Becomes A Governance Issue | Scoop News
Amazon SES increasingly abused in phishing to evade detection
How CISOs should utilize data security posture management to inform risk | CSO Online
Understanding Digital Forensics After A Cyber Incident
Europe’s laws ‘ill-equipped’ to deal with superhacking AI, lawmakers warn – POLITICO
Microsoft fixes Remote Desktop warnings displaying incorrectly
Tape's strategic role in modern data protection | TechTarget
After dissing Anthropic for limiting Mythos, OpenAI restricts access to Cyber, too | TechCrunch
Financial Services Industry Collaborates to Test Real-World Cyber Readiness
Other News
Windows Remote Desktop Leaves Behind Image Fragments Attackers Can Stitch Into Screenshots
UK: Education Sector Faces Surge in Cyber Breaches - Infosecurity Magazine
Cybercriminals Are Now Coming After Freight Cargo. And They’re Doing a Great Job.
CISA tells critical organizations to prepare for cyber outages | Federal News Network
Cyberattacks against universities becoming ‘more prevalent’
Physical Cargo Theft Gets a Boost From Cybercriminals
Vulnerability Management
The AI Vulnerability Storm Is Here. Is Your Security Program Breach Ready? - Security Boulevard
AI speeds flaw discovery, forcing rapid updates, UK NCSC warns
AI digs up decades of code debt. Patch up. • The Register
Security’s Blind Spot: The Threats Hiding In “Low-Severity” Alerts
Oracle Debuts Monthly Critical Security Patch Updates - SecurityWeek
Why every organization should make it easy to report security flaws
Vulnerabilities
cPanel zero-day exploited for months before patch release (CVE-2026-41940) - Help Net Security
Over 40,000 Servers Compromised in Ongoing cPanel Exploitation - SecurityWeek
Critical cPanel exploited: 'Millions' of sites could be hit • The Register
Critical cPanel Vulnerability Weaponized to Target Government and MSP Networks
Exploit Cyber-Frenzy Threatens Millions via cPanel Vulnerability
Hackers target governments and MSPs via critical cPanel flaw CVE-2026-41940
MOVEit automation flaws could enable full system compromise
Ivanti Patches EPMM Zero-Day Exploited in Targeted Attacks - SecurityWeek
Ivanti customers confront yet another actively exploited zero-day | CyberScoop
Cisco Patches High-Severity Vulnerabilities in Enterprise Products - SecurityWeek
SonicWall patches three SonicOS flaws in Gen 6, 7 and 8 firewalls. Patch them now
Linux 'Copy Fail' flaw lets anyone hijack system privileges. Update ASAP | PCWorld
'Copy Fail' is a real Linux security crisis wrapped in AI slop | CyberScoop
New Linux 'Dirty Frag' zero-day gives root on all major distros
Linux Kernel Dirty Frag LPE Exploit Enables Root Access Across Major Distributions
Palo Alto PAN-OS Flaw Under Active Exploitation Enables Remote Code Execution
Google Chrome 148 Released with 127 Security Fixes, Three Critical Vulnerabilities Patched
Apache fixes critical HTTP/2 double-free flaw CVE-2026-23918 enabling RCE
New Cisco DoS flaw requires manual reboot to revive devices
Vulnerability in Claude Extension for Chrome Exposes AI Agent to Takeover - SecurityWeek
vm2 Node.js Library Vulnerabilities Enable Sandbox Escape and Arbitrary Code Execution
Weaver E-cology critical bug exploited in attacks since March
Critical Bug Could Expose 300,000 Ollama Deployments to Information Theft - SecurityWeek
Malicious PyTorch Lightning update hits AI supply chain security
Critical Android Zero-Click Vulnerability Grants Remote Shell Access
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime & Shipping
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
Contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to external articles are provided for general interest and awareness only. Linking to or reposting external content does not constitute endorsement of or by any organisation, service, or product. We do not control and are not responsible for the content, security, or availability of external websites or links. Full credit is given to the original authors and sources. E&OE.
Black Arrow Cyber Threat Intelligence Briefing 01 May 2026
Black Arrow Cyber Threat Intelligence Briefing 01 May 2026:
-Cyber Attacks Now the Top Operational Risk for 60% of Financial Organisations
-Get Ready to be Attacked - NCSC
-UK Cyber Essentials Overhaul Could Trigger Instant Certification Failures
-Cyber Threat Literacy, AI Disruption Top Risks to an Organisation’s People
-AI Rush Is Reviving Old Cyber Security Mistakes, Mandiant VP Warns
-Deepfake Era Demands Proof-Based Security, Not Just Awareness
-Mythos Changed the Math on Vulnerability Discovery. Most Teams Aren't Ready for the Remediation Side
-Over 2.8 Billion Credentials Stolen in 2025 as Ransomware Evolves
-A Sneaky Cyber Enemy Is Creeping into Our Browsers and Password Managers
-The Behavioural Shift: Why Trusted Relationships Are the Newest Attack Surface
-Threat Actors Ditch ‘Spray and Pray’ Attacks in Shift to Targeted Exploitation
-A Dozen Allied Agencies Say China Is Building Covert Hacker Networks out of Everyday Routers
-What’s Behind Europe’s Efforts to Ditch US Software in Favour of Sovereign Tech
Welcome to this week’s Black Arrow Cyber Threat Intelligence Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Executive Summary
As reported cyber attacks continue to rise, it is unsurprising that business leaders see cyber risk as their top threat. This week’s research shows that 60% of financial services organisations view cyber attacks and outages as their biggest operational risk, alongside the UK Government urging organisations to prepare to manage and operate during cyber disruption. We also highlight changes to the UK Government’s Cyber Essentials scheme, which now emphasise ongoing control rather than point‑in‑time assessment and could see some certificate holders fail on reassessment.
Artificial intelligence is also increasing cyber risk, through factors such as inadequate cyber threat literacy among employees and the amplification of insufficient cyber hygiene, as well as accelerating the pace at which vulnerabilities are identified and exploited. We report on striking figures, including more than 2.8 billion credentials stolen last year; a sharp rise in infostealer malware on Apple macOS devices; and the continued prevalence of phishing and third‑party attacks. Finally, we examine wider developments, from China’s use of covert hacker networks to European efforts to strengthen data and technology sovereignty.
The way to manage the impact of these developments requires a sound business leadership understanding of risks and how to maintain proportionate controls that enable the organisation to grow. Contact us to discuss how to achieve this.
Top Cyber Stories of the Last Week
Cyber Attacks Now the Top Operational Risk for 60% of Financial Organisations
A survey of around 150 senior compliance experts found that 60% of financial services organisations now see cyber attacks or system outages as their biggest operational risk this year, far ahead of supply chain disruption or staff shortages at 10%. While most say their organisation has measures in place to manage the risk, 13% are not confident in their ability to address disruption. The findings also highlight concern that criminals are using artificial intelligence faster than firms and regulators can respond, signalling to business leaders the need for sustained vigilance and continuous improvement as cyber threats evolve in scale and sophistication.
Get Ready to be Attacked - NCSC
The UK’s National Cyber Security Centre (NCSC) has warned that UK organisations of national significance, including financial services, health, energy and transport, face a growing risk from severe cyber threats that could disrupt essential services, cause financial loss and affect public safety. It says advanced attackers are increasingly targeting nationally significant organisations, while technologies such as frontier AI may increase the speed and scale of attacks. The guidance highlights that cyber resilience is a leadership responsibility, requiring critical systems to be mapped, disruption plans tested, and recovery arrangements rehearsed before an incident occurs.
https://www.ukauthority.com/articles/get-ready-to-be-attacked-ncsc
UK Cyber Essentials Overhaul Could Trigger Instant Certification Failures
Changes to the UK Cyber Essentials scheme that tighten enforcement and widen scope could increase the risk of instant certification failure for organisations with inconsistent day‑to‑day controls. Failing to apply high-risk or critical security updates and patches within 14 days can now trigger automatic failure. Enforcement of multi‑factor authentication is also applied more strictly across cloud services where MFA is available, while the updated scope clarifies that cloud services hosting organisational data or services cannot be excluded. This increases the likelihood that overlooked systems, legacy applications or active but overlooked accounts create compliance gaps. For business leaders, the update highlights that Cyber Essentials is increasingly a test of ongoing operational discipline rather than a point‑in‑time exercise.
Cyber Threat Literacy, AI Disruption Top Risks to an Organisation’s People
Marsh’s 2026 People Risks report identifies insufficient cyber threat literacy as the leading people risk for organisations, reflecting the continued role of human error in cyber losses. Phishing and social engineering continue to succeed by tricking employees into disclosing log‑in details, enabling ransomware attacks and data breaches. The report also warns that rapid adoption of artificial intelligence without adequate employee training is increasing risk. For business leaders, the findings highlight that cyber resilience depends as much on leadership-led training, communication and support for employees as on technology investments.
https://www.insurancejournal.com/news/national/2026/04/30/867782.htm
AI Rush Is Reviving Old Cyber Security Mistakes, Mandiant VP Warns
Mandiant has warned that rapid AI adoption is causing organisations to overlook basic cyber security controls. Its testing teams, who simulate real attacker behaviour, found AI environments where attackers could alter data classifications, bypass data loss prevention tools that stop sensitive information leaving the business, and use unencrypted communication links. In some cases, once initial access was gained through social engineering, where people are manipulated into granting access, AI systems carried out further actions including data theft and policy changes. Mandiant’s warning highlights the need for governance, secure design and independent testing that keeps pace with AI deployment.
https://www.infosecurity-magazine.com/news/ai-old-cybersecurity-mistakes/
Deepfake Era Demands Proof-Based Security, Not Just Awareness
Deepfake and voice cloning attacks are making it harder for employees to trust what they see or hear, particularly when requests appear to come from senior executives. Research found that 77% of fraud professionals say deepfake attacks are increasing, yet only 7% believe their organisations are well prepared. High-risk actions, such as payments, password resets or access changes, should rely on agreed verification steps through trusted channels, not on a single call, video meeting or message. This reduces pressure on staff and makes fraud prevention a consistent business process.
Mythos Changed the Math on Vulnerability Discovery. Most Teams Aren't Ready for the Remediation Side
AI tools such as Anthropic’s Claude Mythos Preview could significantly increase the speed and scale of vulnerability discovery, exposing flaws faster than traditional testing approaches. However, faster discovery risks overwhelming organisations that lack clear ownership, centralised tracking and consistent prioritisation of remediation efforts. Without effective processes to assign responsibility, assess business impact and verify that fixes have been applied, organisations may simply accumulate a larger backlog of unresolved security issues. The findings highlight that operational readiness for remediation has not kept pace with advances in AI‑driven vulnerability discovery.
https://thehackernews.com/2026/04/mythos-changed-math-on-vulnerability.html
Over 2.8 Billion Credentials Stolen in 2025 as Ransomware Evolves
A report identified 2.86 billion compromised credentials in 2025, with business cloud and login services accounting for more than 30% of exposed data. Attackers are increasingly logging in using stolen credentials rather than exploiting technical weaknesses. The report also highlights risks from unsanctioned AI tools, where employees may unknowingly expose confidential data, and a sharp rise in infostealer malware on Apple macOS devices, from fewer than 1,000 cases in 2024 to over 70,000 in 2025. Ransomware activity remains highly active, with 147 groups recorded. The findings highlight identity compromise, unsanctioned AI use and reliance on legacy defences as central factors shaping the evolving ransomware threat.
https://betanews.com/article/over-2-8-billion-credentials-stolen-in-2025-as-ransomware-evolves/
A Sneaky Cyber Enemy Is Creeping into Our Browsers and Password Managers
KELA reports that almost 4 million devices were exposed to infostealer malware last year, leading to around 350 million compromised login details. Infostealers are malicious tools that quietly collect sensitive data such as browser cookies, passwords and local files, often without obvious signs on the device. Windows users remain heavily targeted, but attacks on Apple devices are rising as adoption grows in corporate environments. The risk is significant because stolen browser sessions can sometimes let criminals access accounts without needing a password or multi-factor authentication.
The Behavioural Shift: Why Trusted Relationships Are the Newest Attack Surface
An analysis of almost 800,000 email attacks across more than 4,600 organisations shows how attackers exploit trust and routine business processes rather than technical weaknesses. Phishing remains the most common method at 58% of attacks, and business email compromise 11%. Over 20% of phishing attacks hide harmful web pages behind redirect chains. Invoice fraud accounts for 42% of campaigns in North America and procurement related scams 41% in EMEA. The findings highlight that trusted workflows and supplier interactions have become a key attack surface, reinforcing the need for verification controls within routine business processes.
Threat Actors Ditch ‘Spray and Pray’ Attacks in Shift to Targeted Exploitation
Cyber criminals are moving away from broad, high-volume ‘spray and pray’ attacks and focusing on fewer organisations where they can cause greater disruption. SonicWall reported a 20% rise in compromised UK organisations last year, despite overall ransomware volumes falling by 87%. Smaller businesses appear especially exposed, with ransomware involved in 88% of SMB breaches compared with 39% for larger enterprises. Outdated technology remains a major risk, with one decade-old camera weakness linked to 67 million attempted UK attacks. AI-enabled attacks also rose by 89%, while attackers can remain undetected for an average of 181 days.
A Dozen Allied Agencies Say China Is Building Covert Hacker Networks out of Everyday Routers
Allied cyber agencies have warned that China-linked hackers are increasingly using everyday devices, including home office routers and smart devices, to build hidden networks for cyber attacks. These networks disguise where activity is coming from and can support spying, malware delivery and information theft. One example, known as Raptor Train, infected 200,000 devices worldwide. The warning highlights China‑linked hackers are moving away from running their own small, dedicated attack servers, and instead are hijacking vast numbers of ordinary internet‑connected devices to form large, hidden attack networks. This makes detection harder and reinforces the need for strong device management, monitoring and basic cyber security controls.
https://cyberscoop.com/china-nexus-covert-networks-advisory/
What’s Behind Europe’s Efforts to Ditch US Software in Favour of Sovereign Tech
European governments are reassessing dependence on US technology as concerns grow over data access, legal control and resilience. US federal law, called the 2018 CLOUD Act, means US providers may be required to hand over data even when it is stored overseas, increasing worries around sensitive information such as health records. France is moving its Health Data Hub from Microsoft Azure to a sovereign cloud provider, while the European Commission has awarded a €180 million tender to European cloud firms. However, alternatives still face scale and adoption challenges, particularly where private sector buyers continue to favour established US providers.
Governance, Risk and Compliance
Get ready to be attacked - NCSC | UKAuthority
Cyber threats challenge global business resilience
Cyber Attacks Emerge As Top Risk For Professional Firms In 2026 - Minutehack
Cyber attacks now the top operational risk for 60% of financial organisations - TechCentral.ie
Cyber Insurance Data Gives CISOs New Ammo for Budget Talks - SecurityWeek
Cyber Threat Literacy, AI Disruption Top Risks to an Organization’s People
The cyber security of British business is a matter of national security - Dan Jarvis
Nearly half of cybersecurity pros want to quit - here's why | ZDNET
Cybersecurity professional getting more work and less pay • The Register
Threats
Ransomware, Extortion and Destructive Attacks
Trigona ransomware attacks use custom exfiltration tool to steal data
Threat actors ditch ‘spray and pray’ attacks in shift to targeted exploitation | IT Pro
Feuding Ransomware Groups Leak Each Other's Data
New BlackFile extortion group linked to surge of vishing attacks
RAMP Uncovered: Anatomy of Russia’s Ransomware Marketplace
ShinyHunters exploit Anodot incident to target Vimeo
Critical Flaw Turns Vect Ransomware into Data Destroying Wiper - Infosecurity Magazine
Do not pay VECT ransom: recovery is impossible | Cybernews
Scattered Spider co-conspirator pleads guilty | CSO Online
Ransomware and Destructive Attack Victims
Udemy Data Breach - ShinyHunters Claims Compromise of 1.4M User Records
Over 2.8 billion credentials stolen in 2025 as ransomware evolves - BetaNews
ADT confirms data breach after ShinyHunters leak threat
ShinyHunters claim they have cruise giant Carnival’s booty • The Register
Checkmarx Confirms Data Stolen in Supply Chain Attack - SecurityWeek
Why a recent supply-chain attack singled out security firms Checkmarx and Bitwarden - Ars Technica
Medtronic Confirms Data Breach After ShinyHunters Claims - Infosecurity Magazine
Ransomware attacks affect 2 senior care providers
Pitney Bowes the latest victim of ShinyHunters’ breach-spree • The Register
Mystery Around Venezuelan Cyberattack Deepens, with New Discovery of "Highly Destructive" Wiper
Phishing & Email Based Attacks
AI Phishing Is No. 1 With a Bullet for Cyberattackers
The Behavioral Shift: Why Trusted Relationships Are the Newest Attack Surface - SecurityWeek
7 Reasons Smishing Is More Effective Than Phishing
Robinhood account creation flaw abused to send phishing emails
Kuse Web App Abused to Host Phishing Document | Trend Micro (US)
Chinese spy posed as researcher in spear-phishing campaign targeting NASA to steal defense software
Business Email Compromise (BEC)/Email Account Compromise (EAC)
The Behavioral Shift: Why Trusted Relationships Are the Newest Attack Surface - SecurityWeek
Other Social Engineering
The Behavioral Shift: Why Trusted Relationships Are the Newest Attack Surface - SecurityWeek
7 Reasons Smishing Is More Effective Than Phishing
Crime crew impersonates help desk, abuses Teams chats • The Register
Threat actor uses Microsoft Teams to deploy new “Snow” malware
New Wave of DPRK Attacks Uses AI-Inserted npm Malware, Fake Firms, and RATs
New BlackFile extortion group linked to surge of vishing attacks
Helping Romance Scam Victims Require a Proactive Approach
AML/CFT/Money Laundering/Terrorist Financing/Sanctions
Money launderer for crypto thieves given 5-year sentence | The Record from Recorded Future News
Money launderer linked to $230M crypto heist gets 70 months in prison
Artificial Intelligence
AI Phishing Is No. 1 With a Bullet for Cyberattackers
New Wave of DPRK Attacks Uses AI-Inserted npm Malware, Fake Firms, and RATs
Deepfake era demands proof-based security, not just awareness | TechTarget
AI Rush is Reviving Old Cybersecurity Mistakes, Mandiant VP Warns - Infosecurity Magazine
Mythos Changed the Math on Vulnerability Discovery. Most Teams Aren't Ready for the Remediation Side
UK firms accelerate ‘sovereign AI’ plans amid concerns over dependence on overseas tech | IT Pro
Cyber Threat Literacy, AI Disruption Top Risks to an Organization’s People
Board Oversight of AI: Do Boards Need AI Experts?
Researchers Uncover 10 In-the-Wild Indirect Prompt Injection Attacks - Infosecurity Magazine
Six AI Vulnerabilities, Three Attack Patterns, One Dangerous Service Gap | perspective | MSSP Alert
Attack of the killer script kiddies | The Verge
AI bot attacks increase 10-fold, report reveals | The Independent
77% of IT managers say their AI agents are out of control - 5 ways to rein in yours | ZDNET
30 ClawHub skills secretly turn AI agents into crypto swarm • The Register
Learning from the Vercel breach: Shadow AI & OAuth sprawl
Vercel Confirms April 2026 Security Incident Linked To Third-party AI Tool
How indirect prompt injection attacks on AI work - and 6 ways to shut them down | ZDNET
Project Glasswing Proved AI Can Find the Bugs. Who's Going to Fix Them?
Mythos access by Discord group reveals real danger of AI-powered hacking | Fortune
How to fix cybersecurity's agentic AI identity crisis | TechTarget
Chinese Cybersecurity Firm's AI Hacking Claims Draw Comparisons to Claude Mythos - SecurityWeek
Mythos Is a Wake-Up Call for DDoS Defense - Security Boulevard
AI Models Can Attack, But Can They Defend? Simbian Says Not Yet | news | MSSP Alert
Bots/Botnets
UK warns of Chinese hackers using proxy networks to evade detection
China-linked threat actors use consumer device botnets to evade detection, warn UK and partners
China-Backed Hackers Are Industrializing Botnets
Careers, Roles, Skills, Working in Cyber and Information Security
Nearly half of cybersecurity pros want to quit - here's why | ZDNET
Cybersecurity professional getting more work and less pay • The Register
Cyber Hiring in 2026: Talent Gap or Expectation Problem? - ClearanceJobs
Cloud/SaaS
Vercel Confirms April 2026 Security Incident Linked To Third-party AI Tool
Hybrid clouds have two attack surfaces – so watch both • The Register
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Money launderer for crypto thieves given 5-year sentence | The Record from Recorded Future News
26 FakeWallet Apps Found on Apple App Store Targeting Crypto Seed Phrases
European police dismantles €50 million crypto investment fraud ring
How the U.S.-China cold war went crypto - Cryptopolitan
Cyber Crime, Organised Crime & Criminal Actors
Money launderer for crypto thieves given 5-year sentence | The Record from Recorded Future News
French police arrest 21-year-old "HexDex" hacker over 100 alleged data breaches
Inside an OPSEC Playbook: How Threat Actors Evade Detection
Scattered Spider co-conspirator pleads guilty | CSO Online
Data Breaches/Leaks
Udemy Data Breach - ShinyHunters Claims Compromise of 1.4M User Records
Researchers Track 2.9 Billion Compromised Credentials - Infosecurity Magazine
Learning from the Vercel breach: Shadow AI & OAuth sprawl
A sneaky cyber enemy is creeping into our browsers and password managers | Cybernews
Vercel Confirms April 2026 Security Incident Linked To Third-party AI Tool
ADT confirms data breach after ShinyHunters leak threat
ShinyHunters claim they have cruise giant Carnival’s booty • The Register
Checkmarx Confirms Data Stolen in Supply Chain Attack - SecurityWeek
Why a recent supply-chain attack singled out security firms Checkmarx and Bitwarden - Ars Technica
Personal data of almost entire Dutch town stolen in cyberattack
French police arrest 21-year-old "HexDex" hacker over 100 alleged data breaches
Discord users breach access controls to reach Anthropic’s Mythos model - Digital Trends
Medtronic Confirms Data Breach After ShinyHunters Claims - Infosecurity Magazine
Hacker with a special interest in breaching sports institutions ends behind bars - Help Net Security
UK Biobank Breach: Health Data of 500,000 Listed for Sale in China - Infosecurity Magazine
Ransomware attacks affect 2 senior care providers
U.S. utility giant Itron discloses a security breach
Data Protection
U.S. companies hit with record fines for privacy in 2025 | CyberScoop
Data/Digital Sovereignty
UK firms accelerate ‘sovereign AI’ plans amid concerns over dependence on overseas tech | IT Pro
The push for digital sovereignty: What CISOs need to know | TechTarget
What’s behind Europe’s efforts to ditch US software in favor of sovereign tech | TechCrunch
Germany fights US “cyber dominance” with sovereignty checklist | Cybernews
The European Commission is turning Google Search into a privacy and national-security risk
Denial of Service/DoS/DDoS
Mythos Is a Wake-Up Call for DDoS Defense - Security Boulevard
MP Sir David Davis's website shut down in suspected cyber attack - BBC News
Encryption
The 2026 MSSP Blueprint: Navigating the Quantum Countdown | native | MSSP Alert
Fraud, Scams and Financial Crime
French police arrest 21-year-old "HexDex" hacker over 100 alleged data breaches
Money launderer for crypto thieves given 5-year sentence | The Record from Recorded Future News
Money launderer linked to $230M crypto heist gets 70 months in prison
European police dismantles €50 million crypto investment fraud ring
Helping Romance Scam Victims Require a Proactive Approach
US Busts Myanmar Ring Targeting US Citizens in Financial Fraud
Insider Risk and Insider Threats
Cyber Threat Literacy, AI Disruption Top Risks to an Organization’s People
Insurance
Cyber Insurance Data Gives CISOs New Ammo for Budget Talks - SecurityWeek
Internet of Things – IoT
A Quarter of Healthcare Organizations Report Medical Device Attacks - Infosecurity Magazine
Attackers could disable all of a city's public EV chargers • The Register
Law Enforcement Action and Take Downs
Money launderer linked to $230M crypto heist gets 70 months in prison
US Sanctions Target Cambodian Scam Network Leaders - Infosecurity Magazine
European police dismantles €50 million crypto investment fraud ring
Hackers arrested for hijacking and selling 610,000 Roblox accounts
French police arrest 21-year-old "HexDex" hacker over 100 alleged data breaches
US Busts Myanmar Ring Targeting US Citizens in Financial Fraud
Hacker with a special interest in breaching sports institutions ends behind bars - Help Net Security
Scattered Spider co-conspirator pleads guilty | CSO Online
Chinese national extradited to US for pandemic-era Silk Typhoon attacks | CyberScoop
Linux and Open Source
12-year-old Pack2TheRoot bug lets Linux users gain root privileges
Critical Pack2TheRoot Vulnerability Let Attackers Gain Root Access or Compromise the System
AI's not going to kill open source code security • The Register
Linux cryptographic code flaw offers fast route to root • The Register
Malware
New Wave of DPRK Attacks Uses AI-Inserted npm Malware, Fake Firms, and RATs
A sneaky cyber enemy is creeping into our browsers and password managers | Cybernews
Crime crew impersonates help desk, abuses Teams chats • The Register
Threat actor uses Microsoft Teams to deploy new “Snow” malware
Checkmarx Confirms Data Stolen in Supply Chain Attack - SecurityWeek
Why a recent supply-chain attack singled out security firms Checkmarx and Bitwarden - Ars Technica
Tropic Trooper Uses Trojanized SumatraPDF and GitHub to Deploy AdaptixC2
GlassWorm malware attacks return via 73 OpenVSX "sleeper" extensions
Widely Used Browser Extensions Selling User Data - Infosecurity Magazine
Vidar Rises to Top of Chaotic Infostealer Market
Unwary Chinese Hackers Hardcoded Credentials into Backdoors
20-Year-Old Malware Rewrites History of Cyber Sabotage
Pre-Stuxnet Sabotage Malware 'Fast16' Linked to US-Iran Cyber Tensions - SecurityWeek
Mobile
26 FakeWallet Apps Found on Apple App Store Targeting Crypto Seed Phrases
Another spyware maker caught distributing fake Android snooping apps | TechCrunch
This hidden SIM flaw lets spies track your location, and using a VPN can't help | TechRadar
New Android spyware Morpheus linked to Italian surveillance firm
Models, Frameworks and Standards
UK Cyber Essentials overhaul could trigger instant certification failures - BetaNews
DORA and the Practical Test of Operational Resilience - IT Security Guru
ENISA updates framework to enhance EU member state cybersecurity capabilities » Iraqi News Agency
Outages
Microsoft says Outlook.com outage is causing sign‑in failures
Passwords, Credential Stuffing & Brute Force Attacks
Over 2.8 billion credentials stolen in 2025 as ransomware evolves - BetaNews
Researchers Track 2.9 Billion Compromised Credentials - Infosecurity Magazine
Official SAP npm packages compromised to steal credentials
Regulations, Fines and Legislation
Proton CEO: Age checks turn internet into ID checkpoint • The Register
The European Commission is turning Google Search into a privacy and national-security risk
U.S. companies hit with record fines for privacy in 2025 | CyberScoop
EU waves through age-check app to keep kids safe online • The Register
Latest spy power reauthorization bill leaves critics unimpressed | CyberScoop
The Iran Factor In Trump’s Cyber Strategy – Analysis – Eurasia Review
Social Media
ShinyHunters exploit Anodot incident to target Vimeo
Supply Chain and Third Parties
The Behavioral Shift: Why Trusted Relationships Are the Newest Attack Surface - SecurityWeek
Why supply chain resilience is under the spotlight | IT Pro
Official SAP npm packages compromised to steal credentials
Ongoing supply-chain attack targets security, dev tools • The Register
Checkmarx Confirms Data Stolen in Supply Chain Attack - SecurityWeek
Why a recent supply-chain attack singled out security firms Checkmarx and Bitwarden - Ars Technica
Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity
Cyber Warfare and Cyber Espionage
How Big a Threat Are Iranian-Backed Cyberattacks? | The New Yorker
Compromised everyday devices power Chinese cyber espionage operations - Help Net Security
The New Rules Of War Have No Rules
Is the Middle East Conflict Opening a Digital Front in Europe? | The Gaze
Cyberwar Without Borders: How Iran’s Digital Offensive Is Reaching Europe | The Gaze
Cyberwar brings frontline to heart of European infrastructure - SWI swissinfo.ch
UK in talks with telecoms industry on undersea cable threat
Pre-Stuxnet Sabotage Malware 'Fast16' Linked to US-Iran Cyber Tensions - SecurityWeek
NASA Employees Duped in Chinese Phishing Scheme Targeting U.S. Defense Software
Locked Shields 2026 united the power of 41 nations to defend cyberspace CCDCOE
Golden Dome weapons to attack enemy missiles with new high-tech interceptors, lasers, cyberattacks
FCC adds mobile hotspots to router ban • The Register
Chinese Hackers Spied On Cuban Embassy As US Prepared Blockade
Nation State Actors
The New Rules Of War Have No Rules
Cyberwar brings frontline to heart of European infrastructure - SWI swissinfo.ch
UK in talks with telecoms industry on undersea cable threat
Locked Shields 2026 united the power of 41 nations to defend cyberspace CCDCOE
China
UK in talks with telecoms industry on undersea cable threat
Chinese Cybersecurity Firm's AI Hacking Claims Draw Comparisons to Claude Mythos - SecurityWeek
China-Linked APT GopherWhisper Abuses Legitimate Services in Government Attacks - SecurityWeek
FCC adds mobile hotspots to router ban • The Register
Unwary Chinese Hackers Hardcoded Credentials into Backdoors
Chinese national extradited to US for pandemic-era Silk Typhoon attacks | CyberScoop
UK warns of Chinese hackers using proxy networks to evade detection
China-linked threat actors use consumer device botnets to evade detection, warn UK and partners
China-Backed Hackers Are Industrializing Botnets
Chinese spy posed as researcher in spear-phishing campaign targeting NASA to steal defense software
New GopherWhisper APT group abuses Outlook, Slack, Discord for comms
Chinese Hackers Spied On Cuban Embassy As US Prepared Blockade
EU bans funding for energy projects using Chinese inverters - PV Tech
Russia
UK in talks with telecoms industry on undersea cable threat
Incomplete Windows Patch Opens Door to Zero-Click Attacks - SecurityWeek
Microsoft patch fell short. New Windows flaw exploited • The Register
RAMP Uncovered: Anatomy of Russia’s Ransomware Marketplace
PhantomCore Exploits TrueConf Vulnerabilities to Breach Russian Networks
Germany Caught Up in Likely Russian Signal Phishing
Internet censorship index reveals Russia’s lead and widespread content blocking
North Korea
New Wave of DPRK Attacks Uses AI-Inserted npm Malware, Fake Firms, and RATs
Iran
The New Rules Of War Have No Rules
How Big a Threat Are Iranian-Backed Cyberattacks? | The New Yorker
Is the Middle East Conflict Opening a Digital Front in Europe? | The Gaze
Cyberwar Without Borders: How Iran’s Digital Offensive Is Reaching Europe | The Gaze
Pre-Stuxnet Sabotage Malware 'Fast16' Linked to US-Iran Cyber Tensions - SecurityWeek
The Iran Factor In Trump’s Cyber Strategy – Analysis – Eurasia Review
Iranian Cyber Group Handala Targets US Troops in Bahrain - SecurityWeek
Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence
The New Rules Of War Have No Rules
Golden Dome weapons to attack enemy missiles with new high-tech interceptors, lasers, cyberattacks
Mystery Around Venezuelan Cyberattack Deepens, with New Discovery of "Highly Destructive" Wiper
Tools and Controls
Mythos Changed the Math on Vulnerability Discovery. Most Teams Aren't Ready for the Remediation Side
Cyber threats challenge global business resilience
Cyber Insurance Data Gives CISOs New Ammo for Budget Talks - SecurityWeek
Mythos sniffs out your bugs, can't fix your bloody idiots • The Register
DORA and the Practical Test of Operational Resilience - IT Security Guru
Project Glasswing Proved AI Can Find the Bugs. Who's Going to Fix Them?
Glasswing Secured the Code. The Rest is on You
Cyber pros say unauthorized Mythos access is a sign of things to come | Cybernews
Mythos access by Discord group reveals real danger of AI-powered hacking | Fortune
“Mythos-like hacking, open to all”: Industry reacts to OpenAI’s GPT 5.5 - The New Stack
AI Models Can Attack, But Can They Defend? Simbian Says Not Yet | news | MSSP Alert
Google Favors General‑Purpose Gemini Models Over Cybersecurity‑Specif - Infosecurity Magazine
Remote Desktop security beefed up with hard-to-read messages • The Register
Shadow code: The hidden threat for enterprise IT | TechTarget
Cyber Threat Literacy, AI Disruption Top Risks to an Organization’s People
Vercel Confirms April 2026 Security Incident Linked To Third-party AI Tool
Vercel attack fallout expands to more customers and third-party systems | CyberScoop
Mythos Is a Wake-Up Call for DDoS Defense - Security Boulevard
Hybrid clouds have two attack surfaces – so watch both • The Register
Open source models can find bugs as well as Mythos • The Register
Myth Or Mythos? The Illusion Of Advantage In The AI Cybersecurity Race
The Hidden Tax on Security: How Data Costs Are Eating Your Controls Budget - Security Boulevard
Locked Shields 2026 united the power of 41 nations to defend cyberspace CCDCOE
FS cybersecurity experts gather for “industry first” training exercise - FStech
Other News
Cyber Attacks Emerge As Top Risk For Professional Firms In 2026 - Minutehack
Cyber attacks now the top operational risk for 60% of financial organisations - TechCentral.ie
The cyber security of British business is a matter of national security - Dan Jarvis
UK in talks with telecoms industry on undersea cable threat
FS cybersecurity experts gather for “industry first” training exercise - FStech
Why are top university websites serving porn? It comes down to shoddy housekeeping. - Ars Technica
BT has now blocked over a billion clicks to malicious websites, says NCSC | Computer Weekly
Experts warn offshore wind could face risks from drones, sabotage and cyber attacks | Aberdeen Live
Army extends cyber awareness challenge and privacy training to five years | Stars and Stripes
Vulnerability Management
Open source models can find bugs as well as Mythos • The Register
Microsoft updates the Windows Update Experience • The Register
5 ways your Windows updates are about to get a lot less painful | ZDNET
Everything Runs on Software. None of It Is Secure.
Vulnerabilities
Firestarter malware survives Cisco firewall updates, security patches
SonicWall Urges Immediate Patching of Firewall Vulnerabilities - SecurityWeek
Vulnerabilities Patched in CrowdStrike, Tenable Products - SecurityWeek
Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202
Incomplete Windows Patch Opens Door to Zero-Click Attacks - SecurityWeek
OpenSSH Flaw Allowing Full Root Shell Access Lurked for 15 Years - SecurityWeek
No Patch for New PhantomRPC Privilege Escalation Technique in Windows - SecurityWeek
CISA Adds Actively Exploited ConnectWise and Windows Flaws to KEV
April KB5083769 Windows 11 update causes backup software failures
12-year-old Pack2TheRoot bug lets Linux users gain root privileges
Over 10,000 Zimbra servers vulnerable to ongoing XSS attacks
Critical Pack2TheRoot Vulnerability Let Attackers Gain Root Access or Compromise the System
Critical bug in CrowdStrike LogScale let attackers access files
Microsoft Patches Entra ID Role Flaw That Enabled Service Principal Takeover
Linux cryptographic code flaw offers fast route to root • The Register
Chrome 147, Firefox 150 Security Updates Rolling Out - SecurityWeek
CISA Adds Actively Exploited ConnectWise and Windows Flaws to KEV
cPanel's authentication bypass bug is being exploited in the wild, CISA warns | CyberScoop
Hackers are actively exploiting a bug in cPanel, used by millions of websites | TechCrunch
Firefox bug CVE-2026-6770 enabled cross-site tracking and Tor fingerprinting
Nessus Agent Vulnerability on Windows Enables Arbitrary Code Execution with SYSTEM Privileges
Critical GitHub Vulnerability Exposed Millions of Repositories - SecurityWeek
New Linux 'Copy Fail' Vulnerability Enables Root Access on Major Distributions
New Linux ‘Copy Fail’ flaw gives hackers root on major distros
Google Fixes CVSS 10 Gemini CLI CI RCE and Cursor Flaws Enable Code Execution
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime & Shipping
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
Contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to external articles are provided for general interest and awareness only. Linking to or reposting external content does not constitute endorsement of or by any organisation, service, or product. We do not control and are not responsible for the content, security, or availability of external websites or links. Full credit is given to the original authors and sources. E&OE.
Black Arrow Cyber Threat Intelligence Briefing 24 April 2026
Black Arrow Cyber Threat Intelligence Briefing 24 April 2026:
-AI Is Now a ‘Standard Part of the Attacker Toolkit’
-Every Old Vulnerability Is Now an AI Vulnerability
-New Technology Is Increasing the Speed and Depth of Cyber Attacks
-The AI Era Demands a Different Kind of CISO
-Phishing and MFA Exploitation: Targeting the Keys to the Kingdom
-Phishing Reclaims the Top Initial Access Spot, Attackers Experiment with AI Tools
-Surge in Silent Subject Phishing Attacks Targets VIP Users
-Threat Actors Exploiting Trust in Everyday Workflows
-UK Must Brace for Rise in State-Backed Cyberattacks, Security Chief Says
-CISOs See Gaps in Their Incident Response Playbooks
-SMEs Say Cyber Resilience Is Lacking Amid Fears Security Is Failing
-Insurance Carriers Quietly Back Away from Covering AI Outputs
-Ransomware, Fraud, and Lawsuits Drive Cyber Insurance Claims to New Peaks
Welcome to this week’s Black Arrow Cyber Threat Intelligence Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Executive Summary
Our review of cyber security open source intelligence this week includes insights that fall into four key themes.
AI is now a standard part of an attacker’s toolkit, increasing the speed and scale of attacks and amplifying the impact of existing techniques and vulnerabilities. Phishing remains a highly successful and popular route into organisations, including exploiting weaknesses in MFA and trusted business activities. The cyber insurance market is responding to the shifting risks, with insurers tightening terms around AI related risks while claims arising from ransomware, fraud and lawsuits remain prominent. Lastly, various sources are highlighting that businesses need to strengthen their management of cyber risks, including how they plan to respond to an incident.
From our perspective at Black Arrow, we are clear that the response to these developments must be from a leadership team that is upskilled on today’s evolving risks and has worked with impartial experts to assess their risks and controls, and to practice how to protect their business during an incident rather than relying only on the Technology team assurance. Contact us to discuss how to do this in a proportionate manner.
Top Cyber Stories of the Last Week
AI Is Now a ‘Standard Part of the Attacker Toolkit’
Forescout reports that artificial intelligence is now a routine part of cyber criminals’ toolkit, helping them identify weaknesses and speed up attacks. Its research found a sharp rise in AI capability, with all tested models in its latest study performing well at basic vulnerability research, compared with 55% failing a year earlier. The pace is striking: once inside a network, criminals now hand over access to other attackers in a median of 22 seconds, down from more than eight hours in 2022, increasing pressure on organisations to detect and respond far faster.
https://www.itpro.com/security/ai-is-now-a-standard-part-of-the-attacker-toolkit
Every Old Vulnerability Is Now an AI Vulnerability
In March 2026, Microsoft patched an Excel vulnerability that exposed a broader risk created by embedded AI assistants. A malicious spreadsheet could execute hidden code and use Copilot to exfiltrate data without user interaction or warning. The flaw was not new, but AI amplified its impact by acting with the same access as the host application. This means vulnerabilities in applications with embedded AI assistants can carry far greater business risk, highlighting that AI assistants effectively act as privileged systems, amplifying the impact of existing vulnerabilities.
https://www.darkreading.com/vulnerabilities-threats/every-old-vulnerability-ai-vulnerability
New Technology Is Increasing the Speed and Depth of Cyber Attacks
Financial services firms are facing faster, broader cyber attacks as criminals use artificial intelligence to find weaknesses, craft convincing scams and target suppliers as a route into larger organisations. IBM found the finance and insurance sector accounted for 27% of all incidents in 2025, while Kroll reported that 76% of organisations experienced an AI-related security incident over the past two years. In response, banks are tightening supplier checks, improving staff awareness and investing in tools that detect genuine threats more accurately, with regulators placing greater emphasis on operational resilience and rapid recovery.
https://www.ft.com/content/954a44c6-cc11-49dd-b95a-dba61438b532?syn-25a6b1a6=1
The AI Era Demands a Different Kind of CISO
AI is rapidly increasing the speed of cyber attacks, allowing weaknesses to be found and exploited in minutes rather than days or weeks. This is exposing the limits of traditional security checks such as audits, compliance reviews and periodic testing, which only show a snapshot in time. Security leadership is increasingly focused on real‑time visibility of risks, tighter control over who and what can access critical systems and data, and stronger incident response planning.
https://cyberscoop.com/ciso-strategy-ai-real-time-risk-op-ed/
Phishing and MFA Exploitation: Targeting the Keys to the Kingdom
Phishing remained a major route into organisations in 2025, featuring in 40% of incidents, while attackers increasingly bypassed multi‑factor authentication by exploiting weaknesses in how identity controls were implemented and managed. Criminals use convincing emails about routine business tasks such as IT requests, invoices, travel and expenses, often sent from trusted or seemingly internal accounts. Attackers increasingly targeted the controls that manage who is allowed to access systems, with a sharp rise in cases where organisations were fooled into trusting malicious devices, leading to a 178% increase in these types of breaches. The trend highlights how everyday workflows and trusted systems can be turned against an organisation when controls are inconsistent or poorly enforced.
https://blog.talosintelligence.com/phishing-and-mfa-exploitation-targeting-the-keys-to-the-kingdom/
Phishing Reclaims the Top Initial Access Spot, Attackers Experiment with AI Tools
Cisco Talos reports that phishing was the main route into organisations in early 2026, responsible for more than a third of known break-ins, while attacks on internet-facing systems fell from 62% at their peak to 18% after fixes and better detection. Healthcare and public administration were the most targeted sectors, each making up 24% of incidents. Weak multi-factor authentication, used to add a second identity check, remained the most common security gap at 35%. Talos also saw attackers using an AI website builder to create convincing fake login pages and steal credentials.
https://www.helpnetsecurity.com/2026/04/22/cisco-phishing-initial-access-2026/
Surge in Silent Subject Phishing Attacks Targets VIP Users
Cyberproof has reported a rise in phishing emails sent with no subject line, a tactic often targeting senior staff and other high value users. By removing normal warning signs, these messages are more likely to be opened and can also avoid some email security checks. The campaign grew throughout the first quarter of 2026, rising over 13% from January to February and a further 7.0% in March. Messages often include links, QR codes or attachments that lead to fake sign-in pages or harmful software, with attackers also misusing legitimate remote access tools to stay hidden inside organisations.
https://www.infosecurity-magazine.com/news/silent-subject-phishing-campaigns/
Threat Actors Exploiting Trust in Everyday Workflows
Abnormal AI found that email-based cyber attacks are increasingly designed to blend into normal business activity by mimicking trusted suppliers, routine payment requests and familiar internal communications. Its analysis of nearly 800,000 email attacks across more than 4,600 organisations found that 61% of business email compromise incidents involved supplier relationships. Phishing made up 58% of attacks, with many using multi-step web links to evade detection. The findings show that attackers are exploiting trust and everyday working practices, making fraudulent messages far harder to distinguish from legitimate business communication.
https://betanews.com/article/threat-actors-exploiting-trust-in-everyday-workflows/
UK Must Brace for Rise in State-Backed Cyberattacks, Security Chief Says
The UK is facing a growing threat from state-backed cyber attacks, with the National Cyber Security Centre handling around four nationally significant incidents each week. While ransomware remains the most common risk, the most serious attacks are now increasingly linked to hostile governments. Officials also warned that rising geopolitical tensions could trigger large-scale disruptive campaigns, particularly against critical national infrastructure. In response, the government is seeking closer cooperation with AI firms and has committed £90 million over three years to strengthen cyber security, including support for smaller businesses.
https://www.claimsjournal.com/news/national/2026/04/22/337080.htm
CISOs See Gaps in Their Incident Response Playbooks
Sygnia found that more than three quarters of senior security leaders said their organisation had suffered a cyber attack in the past year, yet 73% felt unprepared for the next one. While almost all reported having a formal incident response plan, many still struggle to put it into practice. Common weaknesses include poor coordination between decision makers, limited board and executive involvement, and delays caused by legal or communications concerns. The findings point to the importance of direct business leader involvement in incident response readiness, clearer decision‑making and coordination during attacks, and addressing visibility gaps before an incident occurs.
https://www.ciodive.com/news/cisos-gaps-incident-response-playbooks/817765/
SMEs Say Cyber Resilience Is Lacking Amid Fears Security Is Failing
A survey of 500 UK SMEs suggests cyber security readiness remains weak despite rising threat levels. One in eight businesses reported a past cyber attack, while 52% rated themselves moderately to highly vulnerable to future incidents. Fewer than one in ten provide regular staff awareness training, and less than a third have increased cyber security spending in the past two years. The findings also show limited resilience if operations are disrupted, with one in eight businesses saying they could not survive a full shutdown lasting more than 48 hours, highlighting that gaps in training, preparedness and investment translate directly into business survival risk.
https://www.emergingrisks.co.uk/smes-say-cyber-resilience-is-lacking-amid-fears-security-is-failing/
Insurance Carriers Quietly Back Away from Covering AI Outputs
Insurers are becoming more cautious about covering risks linked to artificial intelligence, with some excluding losses caused by AI generated decisions and others raising premiums. The concern is that many AI systems can produce inconsistent or hard to explain results, making claims harder to assess. Insurance providers are also asking far more detailed questions about how organisations use and control AI. Cover is proving especially difficult for businesses whose products are built around AI, while firms with clear oversight, monitoring and fallback plans are viewed more favourably by insurers.
Ransomware, Fraud, and Lawsuits Drive Cyber Insurance Claims to New Peaks
Cyber insurance provider At-Bay’s 2026 analysis of more than 100,000 policy years shows cyber insurance claims rising, with overall claim frequency up 7% and average losses reaching a record $221,000. Ransomware remained the most costly incident, averaging $508,000, while financial fraud was the most common, making up about 30% of claims. In 2025, 73% of ransomware attacks started through a virtual private network, or VPN, up from 38% two years earlier, while VPNs and remote desktop tools together accounted for 87% of claims. Separate legal claims also increased significantly, adding further cost through lawsuits and business interruption.
https://www.helpnetsecurity.com/2026/04/23/cyber-insurance-claims-report/
Governance, Risk and Compliance
CISOs see gaps in their incident response playbooks | CIO Dive
SMEs say cyber resilience is lacking amid fears security is failing
Ransomware, fraud, and lawsuits drive cyber insurance claims to new peaks - Help Net Security
CISOs reshape their roles as business risk strategists | CSO Online
Oil crisis? IT spending de-coupled from wider war shock • The Register
The AI era demands a different kind of CISO | CyberScoop
Cyber risks still getting lost in translation
Beyond awareness: Human risk management metrics for CISOs | TechTarget
Threats
Ransomware, Extortion and Destructive Attacks
Most Organizations Fail to Fully Recover After Ransomware Attacks
Ransomware, fraud, and lawsuits drive cyber insurance claims to new peaks - Help Net Security
'The Gentlemen' Rapidly Rises to Ransomware Prominence
1 in 3 Ransomware Claims Started with SonicWall in 2025 as VPN Attacks Nearly Double in Two Years
Payouts King ransomware uses QEMU VMs to bypass endpoint security
SystemBC C2 Server Reveals 1,570+ Victims in The Gentlemen Ransomware Operation
The Gentlemen Ransomware Expands With Rapid Affiliate Growth - Infosecurity Magazine
Hidden VMs: how hackers leverage QEMU to stealthily steal data and spread malware
The Gentlemen ransomware now uses SystemBC for bot-powered attacks
Adaptavist Group breach: Ransomware crew claims mega-haul • The Register
Kyber ransomware gang toys with post-quantum encryption on Windows
'Thankful I Got Caught': FBI Arrests Teen Hacker After Massive PowerSchool Breach
Scattered Spider member Tyler Buchanan pleads guilty to major crypto theft
Ransomware’s Next Phase: From Data Encryption to Business Extortion | Silicon UK Tech News
Third ransomware pro pleads guilty to cybercrime U-turn • The Register
Ransomware negotiator admits role in attacks he was hired to resolve - Help Net Security
Ex-FBI lead urges homicide charges against ransomware scum • The Register
Ransomware and Destructive Attack Victims
'Thankful I Got Caught': FBI Arrests Teen Hacker After Massive PowerSchool Breach
Hackers target US banking giants Frost Bank and Citizens Bank | Cybernews
Automotive Ransomware Attacks Double in a Year - Infosecurity Magazine
Ransomware Hits Automotive Data Expert Autovista - SecurityWeek
M&S one year on: turning anticipation into secure by design | Computer Weekly
French govt agency confirms breach as hacker offers to sell data
Data Breaches at Healthcare Organizations in Illinois and Texas Affect 600,000 - SecurityWeek
Phishing & Email Based Attacks
Surge in Silent Subject Phishing Campaigns Targets VIP Users - Infosecurity Magazine
Threat actors exploiting trust in everyday workflows - BetaNews
Tycoon 2FA Loses Phishing Kit Crown Amid Surge in Attacks - SecurityWeek
Tycoon 2FA Phishers Scatter, Adopt Device Code Phishing
Phishing and MFA exploitation: Targeting the keys to the kingdom
New iPhone phishing scam involves email sent from Apple servers | Macworld
Watch Out for Unexpected Apple Account Change Emails. It's a Phishing Scam
Cyberattack on French government agency triggers phishing alert - Help Net Security
Business Email Compromise (BEC)/Email Account Compromise (EAC)
Threat actors exploiting trust in everyday workflows - BetaNews
Other Social Engineering
Threat actors exploiting trust in everyday workflows - BetaNews
Microsoft: Teams increasingly abused in helpdesk impersonation attacks
Tycoon 2FA Loses Phishing Kit Crown Amid Surge in Attacks - SecurityWeek
Tycoon 2FA Phishers Scatter, Adopt Device Code Phishing
US nationals sentenced for aiding North Korea’s tech worker scheme | CyberScoop
North Korea targets macOS users in latest heist • The Register
New iPhone phishing scam involves email sent from Apple servers | Macworld
macOS ClickFix attacks deliver AppleScript stealers • The Register
AI Tools Are Helping Mediocre North Korean Hackers Steal Millions | WIRED
Lazarus Group Uses Fake Meetings to Hijack Crypto Firms | CoinMarketCap
How to spot a North Korean fake in a job interview - Help Net Security
2FA/MFA
Tycoon 2FA Loses Phishing Kit Crown Amid Surge in Attacks - SecurityWeek
Tycoon 2FA Phishers Scatter, Adopt Device Code Phishing
Phishing and MFA exploitation: Targeting the keys to the kingdom
Artificial Intelligence
UK Government Sound Alarm Over AI Security Risk - IT Security Guru
HR Magazine - Government advises businesses about AI cyber threats
What is Anthopic's Claude Mythos and what risks does it pose? - BBC News
Insurance carriers quietly back away from covering AI outputs | CSO Online
New technology is increasing the speed and depth of cyber attacks
The AI cybersecurity boom may be creating a bigger problem than it solves | Ctech
Anthropic's Mythos AI model sparks fears of turbocharged hacking - Ars Technica
Russia uses AI to hack Europe, Dutch intelligence warns – POLITICO
Cybersecurity in the age of AI means bigger, faster threats | TechTarget
A tsunami of flaws: When frontier AI and Patch Tuesday collide | Computer Weekly
Anthropic’s Claude Is Pumping Out Vulnerable Code, Cyber Experts Warn
AI Tools Are Helping Mediocre North Korean Hackers Steal Millions | WIRED
ECB to Quiz Bankers About Risks of Anthropic’s New AI Model, Source Says
Beyond Mythos: A Defining Moment for Cybersecurity
OpenClaw Exposes the Real Cybersecurity Risks of Agentic AI - Infosecurity Magazine
Anthropic's Mythos model accessed by unauthorized users, Bloomberg News reports | Reuters
OpenAI’s Codex agent fails as an investigator | Cybernews
House lawmakers get a chilling demo of ‘jailbroken’ AI - POLITICO
Time for government, business leaders to figure out AI cybersecurity regulation — Harvard Gazette
Mythos can find the vulnerability. It can't tell you what to do about it. | CyberScoop
Anthropic's Mythos AI System Might Actually Create More Cybersecurity Vulnerabilities
Every Old Vulnerability Is Now an AI Vulnerability
Commercial AI Models Show Rapid Gains in Vulnerability Research - Infosecurity Magazine
How AI companies are quietly becoming the world’s cybersecurity gatekeepers - The Hindu
New artificial intelligence bots could drain nation's cash machines | This is Money
Never put all your eggs in one basket, fintech CTO warns after Anthropic suspends 60+ accounts
UK to build ‘national cyber shield’ to protect against AI cyber threats | Computer Weekly
Bots/Botnets
The Gentlemen ransomware now uses SystemBC for bot-powered attacks
Attackers Exploit DVR Command Injection Flaw to Deploy Botnet - Infosecurity Magazine
New Mirai campaign exploits RCE flaw in EoL D-Link routers
New Mirai variants target routers and DVRs in parallel campaigns - Help Net Security
Researchers link Smartproxy.org IPs to IPIDEA botnet network Google disrupted | Cybernews
Careers, Roles, Skills, Working in Cyber and Information Security
CYBERUK ’26: UK lagging on legal protections for cyber pros | Computer Weekly
What it takes to win that CSO role | CSO Online
CISOs reshape their roles as business risk strategists | CSO Online
The AI era demands a different kind of CISO | CyberScoop
Cloud/SaaS
EU pushes for stronger cloud sovereignty, awards €180 million to four providers - Help Net Security
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
AI Tools Are Helping Mediocre North Korean Hackers Steal Millions | WIRED
Lazarus Group Uses Fake Meetings to Hijack Crypto Firms | CoinMarketCap
KelpDAO suffers $290 million heist tied to Lazarus hackers
macOS ClickFix attacks deliver AppleScript stealers • The Register
Are Russian exchanges like Grinex targeted by hackers or spies? - Cryptopolitan
Grinex exchange blames "Western intelligence" for $13.7M crypto hack
Google warns quantum computers could break crypto encryption sooner than expected. | Mashable
China's Apple App Store infiltrated by crypto-stealing wallet apps
Dozens of Malicious Crypto Apps Land in Apple App Store - SecurityWeek
Cyber Crime, Organised Crime & Criminal Actors
Scattered Spider member Tyler Buchanan pleads guilty to major crypto theft
Inside Caller-as-a-Service Fraud: The Scam Economy Has a Hiring Process
The shadowy SIM farms behind those incessant scam texts - and how to stay safe | ZDNET
How Cybercrime Became a Leading Industry in ‘Scambodia’ - WSJ
Inside an Underground Guide: How Threat Actors Vet Stolen Credit Card Shops
Hackers who stole crime tip records now selling them | Cybernews
A single platform powers SIM farm proxy networks across 17 countries - Help Net Security
Data Breaches/Leaks
Hackers who stole crime tip records now selling them | Cybernews
Lovable denies data leak, cites 'intentional behavior' • The Register
Unsecured Perforce Servers Expose Sensitive Data From Major Orgs - SecurityWeek
Data breach at edtech giant McGraw Hill affects 13.5 million accounts
Man gets 30 months for selling thousands of hacked DraftKings accounts
Hacker Jeffrey Epstein claims 400K records stolen from Bol | Cybernews
WhatsApp Leaks User Metadata to Attackers
France's 'Secure' ID agency probes claimed 19M record breach • The Register
Cosmetics giant Rituals confirms data breach of customer membership records | TechCrunch
Crook claims to leak 'video surveillance footage' of firms • The Register
President of German parliament hit by Signal hack, report says – POLITICO
Data Protection
GDPR works, but only where someone enforces it - Help Net Security
Data/Digital Sovereignty
EU pushes for stronger cloud sovereignty, awards €180 million to four providers - Help Net Security
Denial of Service/DoS/DDoS
Four arrested in latest ‘PowerOFF’ DDoS-for-hire takedown | The Record from Recorded Future News
Europol launches Operation PowerOFF — warns 75,000 DDoS users and takes down 53 domains | TechRadar
Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet
Bluesky hit by 24-hour DDoS attack as pro-Iran group claims responsibility
Mastodon says its flagship server was hit by a DDoS attack | TechCrunch
Encryption
Half of the 6 Million Internet-Facing FTP Servers Lack Encryption - SecurityWeek
Google warns quantum computers could break crypto encryption sooner than expected. | Mashable
Kyber ransomware gang toys with post-quantum encryption on Windows
The race to become quantum-safe | IT Pro
Fraud, Scams and Financial Crime
Ransomware, fraud, and lawsuits drive cyber insurance claims to new peaks - Help Net Security
Inside Caller-as-a-Service Fraud: The Scam Economy Has a Hiring Process
The shadowy SIM farms behind those incessant scam texts - and how to stay safe | ZDNET
How cybercrime became a leading industry in ‘Scambodia’
Inside an Underground Guide: How Threat Actors Vet Stolen Credit Card Shops
A single platform powers SIM farm proxy networks across 17 countries - Help Net Security
How to spot a North Korean fake in a job interview - Help Net Security
Insider Risk and Insider Threats
How to spot a North Korean fake in a job interview - Help Net Security
Insurance
Ransomware, fraud, and lawsuits drive cyber insurance claims to new peaks - Help Net Security
Insurance carriers quietly back away from covering AI outputs | CSO Online
Cyber risks still getting lost in translation
Internet of Things – IoT
Attackers Exploit DVR Command Injection Flaw to Deploy Botnet - Infosecurity Magazine
New Mirai campaign exploits RCE flaw in EoL D-Link routers
New Mirai variants target routers and DVRs in parallel campaigns - Help Net Security
Law Enforcement Action and Take Downs
Four arrested in latest ‘PowerOFF’ DDoS-for-hire takedown | The Record from Recorded Future News
Europol launches Operation PowerOFF — warns 75,000 DDoS users and takes down 53 domains | TechRadar
Scattered Spider member Tyler Buchanan pleads guilty to major crypto theft
British National Admits Hacking Companies and Stealing Millions in Virtual Currency
DraftKings hacker sentenced to prison, ordered to pay $1.4 Million
Man gets 30 months for selling thousands of hacked DraftKings accounts
'Thankful I Got Caught': FBI Arrests Teen Hacker After Massive PowerSchool Breach
Third ransomware pro pleads guilty to cybercrime U-turn • The Register
Ransomware negotiator admits role in attacks he was hired to resolve - Help Net Security
Linux and Open Source
Open source malware sees a 21 percent increase - BetaNews
Malvertising
When PUPs Bite: Huntress Uncovers “weaponised” Adware Exposing 25,000+ Systems
Malware
When PUPs Bite: Huntress Uncovers “weaponised” Adware Exposing 25,000+ Systems
Open source malware sees a 21 percent increase - BetaNews
Formbook Malware Campaign Uses Multiple Obfuscation Techniques - Infosecurity Magazine
Another npm supply chain worm hits dev environments • The Register
Self-Propagating npm Malware Turns Trusted Packages Into Attack Paths - Security Boulevard
macOS ClickFix attacks deliver AppleScript stealers • The Register
Hidden VMs: how hackers leverage QEMU to stealthily steal data and spread malware
Bitwarden NPM Package Hit in Supply Chain Attack - SecurityWeek
New Checkmarx supply-chain breach affects KICS analysis tool
109 Fake GitHub Repositories Used to Deliver SmartLoader and StealC Malware
Mobile
China's Apple App Store infiltrated by crypto-stealing wallet apps
Dozens of Malicious Crypto Apps Land in Apple App Store - SecurityWeek
New iPhone phishing scam involves email sent from Apple servers | Macworld
Android Phones Shown to Have a Major Biometric Security Weakness - Tech Advisor
The History of iOS Exploits: Apple’s Flawed Security Paradigm
Models, Frameworks and Standards
GDPR works, but only where someone enforces it - Help Net Security
UK Commits £90m for Cybersecurity and Pushes for ‘Resilience Pledge’ - Infosecurity Magazine
Passwords, Credential Stuffing & Brute Force Attacks
No Exploit Needed: How Attackers Walk Through the Front Door via Identity-Based Attacks
What Makes Credential Stuffing Difficult to Detect? - Security Boulevard
NCSC heralds end of passwords for consumers and pushes secure passkeys | Computer Weekly
Regulations, Fines and Legislation
Social media bans might steer kids into riskier corners of the internet - Help Net Security
Time for government, business leaders to figure out AI cybersecurity regulation — Harvard Gazette
CISA Budget Cuts Could Push More Security Burden onto MSSPs | news | MSSP Alert
EU's New Age Verification App Can Be Hacked Within 2 Minutes, Researchers Claim
Ex-FBI lead urges homicide charges against ransomware scum • The Register
The surveillance law Congress can't quit — and can't explain | CyberScoop
Washington’s 2026 cyber strategy normalises offensive operations | The Strategist
CISA director pick Sean Plankey withdraws his nomination | CyberScoop
Social Media
Social media bans might steer kids into riskier corners of the internet - Help Net Security
Bluesky hit by 24-hour DDoS attack as pro-Iran group claims responsibility
Mastodon says its flagship server was hit by a DDoS attack | TechCrunch
UK probes Telegram, teen chat sites over CSAM sharing concerns
Supply Chain and Third Parties
Threat actors exploiting trust in everyday workflows - BetaNews
Another npm supply chain worm hits dev environments • The Register
Self-Propagating npm Malware Turns Trusted Packages Into Attack Paths - Security Boulevard
Bitwarden NPM Package Hit in Supply Chain Attack - SecurityWeek
New Checkmarx supply-chain breach affects KICS analysis tool
109 Fake GitHub Repositories Used to Deliver SmartLoader and StealC Malware
Unsecured Perforce Servers Expose Sensitive Data From Major Orgs - SecurityWeek
Crook claims to leak 'video surveillance footage' of firms • The Register
The US NSA is using Anthropic's Claude Mythos despite supply chain risk
Why the Axios attack proves AI is mandatory for supply chain security | CyberScoop
Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity
Cyber Warfare and Cyber Espionage
U.K. Forces Counter Covert Russian Submarine Activities, Officials Say - USNI News
The scramble to protect Britain’s undersea cables from sabotage
New undersea cable cutter risks Internet’s backbone - Ars Technica
How Iran Has Excelled at 'Threat Projection' Using Cyber
UK Must Brace for Rise in State-Backed Cyberattacks, Security Chief Says
UK faces ‘perfect storm’ for cybersecurity, says cyber chief - UKTN
Sweden Sees Russia Intensifying Cyber Attacks on Infrastructure
Poland hit by record cyberattacks in 2025 as minister warns of 'digital war'
Government Can’t Win the Cyber War Without the Private Sector - SecurityWeek
Iran claims US used backdoors in networking equipment • The Register
The U.S. must defend the final frontier against cyberattacks - SpaceNews
Seeing the Cyber in Economic Statecraft
Nation State Actors
UK Says Iran, China Drive Regular Significant Cyberattacks
Iran, Russia and China behind most major cyberattacks on UK, security chief warns | The Independent
Cyber chief: UK faces "perfect storm" for cyber security | National Cyber Security Centre
UK intelligence: 100 nations have spyware that can hack Britain – POLITICO
Cheapskate cyber strategy won't stop Beijing's finest • The Register
UK Must Brace for Rise in State-Backed Cyberattacks, Security Chief Says
The U.S. must defend the final frontier against cyberattacks - SpaceNews
Seeing the Cyber in Economic Statecraft
China
UK Says Iran, China Drive Regular Significant Cyberattacks
Iran, Russia and China behind most major cyberattacks on UK, security chief warns | The Independent
Cheapskate cyber strategy won't stop Beijing's finest • The Register
The scramble to protect Britain’s undersea cables from sabotage
New undersea cable cutter risks Internet’s backbone - Ars Technica
UK Must Brace for Rise in State-Backed Cyberattacks, Security Chief Says
Chinese APT Targets Indian Banks, Korean Policy Circles
Russia
UK: Russian Hacking Reaches New Levels of Hostility
Iran, Russia and China behind most major cyberattacks on UK, security chief warns | The Independent
The scramble to protect Britain’s undersea cables from sabotage
U.K. Forces Counter Covert Russian Submarine Activities, Officials Say - USNI News
Russia uses AI to hack Europe, Dutch intelligence warns – POLITICO
Sweden Sees Russia Intensifying Cyber Attacks on Infrastructure
Poland hit by record cyberattacks in 2025 as minister warns of 'digital war'
Sanctioned Grinex halts after $13M crypto hack / The New Voice of Ukraine
Information Warfare: Russians Returning To landlines
North Korea
AI Tools Are Helping Mediocre North Korean Hackers Steal Millions | WIRED
Lazarus Group Uses Fake Meeting Hack
KelpDAO suffers $290 million heist tied to Lazarus hackers
North Korea targets macOS users in latest heist • The Register
UK Must Brace for Rise in State-Backed Cyberattacks, Security Chief Says
How to spot a North Korean fake in a job interview - Help Net Security
Iran
UK Says Iran, China Drive Regular Significant Cyberattacks
Iran, Russia and China behind most major cyberattacks on UK, security chief warns | The Independent
How Iran Has Excelled at 'Threat Projection' Using Cyber
Bluesky hit by 24-hour DDoS attack as pro-Iran group claims responsibility
The thin gray line: Handala, CyberAv3ngers and Iran’s proxy ops | CSO Online
Cybersecurity Risks Related to the Iran War | Dinsmore & Shohl LLP - JDSupra
Iran claims US used backdoors in networking equipment • The Register
Inside ZionSiphon: politically driven malware aims at Israeli water systems
Tools and Controls
Ransomware, fraud, and lawsuits drive cyber insurance claims to new peaks - Help Net Security
What is Anthopic's Claude Mythos and what risks does it pose? - BBC News
New technology is increasing the speed and depth of cyber attacks
The AI cybersecurity boom may be creating a bigger problem than it solves | Ctech
Anthropic’s New Mythos A.I. Model Sets Off Global Alarms - The New York Times
1 in 3 Ransomware Claims Started with SonicWall in 2025 as VPN Attacks Nearly Double in Two Years
CISOs see gaps in their incident response playbooks | CIO Dive
CISOs reshape their roles as business risk strategists | CSO Online
The AI era demands a different kind of CISO | CyberScoop
Half of the 6 Million Internet-Facing FTP Servers Lack Encryption - SecurityWeek
ECB to Quiz Bankers About Risks of Anthropic’s New AI Model, Source Says
Commercial AI Models Show Rapid Gains in Vulnerability Research - Infosecurity Magazine
How AI companies are quietly becoming the world’s cybersecurity gatekeepers - The Hindu
Hidden VMs: how hackers leverage QEMU to stealthily steal data and spread malware
The Mythos Breach: Why Frontier Models Turn AI Safety Into A Fiduciary Responsibility
Oil crisis? IT spending de-coupled from wider war shock • The Register
Other News
Cyber attacks fuel surge in cargo theft across logistics industry
MacOS Native Tools Enable Stealthy Enterprise Attacks - Infosecurity Magazine
MSSPs Need to Move Beyond Reactive Security | perspective | MSSP Alert
Health care’s biggest cybersecurity vulnerability is structural | STAT
How hackers are helping criminal gangs hijack truck deliveries
Experts say telecoms should include internet security for free | News | ERR
Vulnerability Management
New technology is increasing the speed and depth of cyber attacks
The AI cybersecurity boom may be creating a bigger problem than it solves | Ctech
Anthropic's Mythos AI model sparks fears of turbocharged hacking - Ars Technica
A tsunami of flaws: When frontier AI and Patch Tuesday collide | Computer Weekly
What is Anthopic's Claude Mythos and what risks does it pose? - BBC News
ECB to Quiz Bankers About Risks of Anthropic’s New AI Model, Source Says
Anthropic's Mythos model accessed by unauthorized users, Bloomberg News reports | Reuters
Mythos can find the vulnerability. It can't tell you what to do about it. | CyberScoop
Every Old Vulnerability Is Now an AI Vulnerability
Commercial AI Models Show Rapid Gains in Vulnerability Research - Infosecurity Magazine
NIST to stop rating non-priority flaws due to volume increase
The History of iOS Exploits: Apple’s Flawed Security Paradigm
Vulnerabilities
Unpatched Microsoft Defender Flaw Lets Hackers Gain Admin Access on Windows | Extremetech
Over 1,300 Microsoft SharePoint servers vulnerable to spoofing attacks
PoC Exploit Released for Windows Snipping Tool NTLM Hash Leak Vulnerability
Progress Patches Multiple Vulnerabilities in MOVEit WAF, LoadMaster - SecurityWeek
More Cisco SD-WAN bugs battered in attacks • The Register
New RDP Alert After April 2026 Security Update Warns of Unknown Connections
Android Phones Shown to Have a Major Biometric Security Weakness - Tech Advisor
Microsoft releases emergency updates to fix Windows Server issues
Critical flaw in Protobuf library enables JavaScript code execution
Actively exploited Apache ActiveMQ flaw impacts 6,400 servers
Apple Patches iOS Flaw That Stored Deleted Signal Notifications in FBI Forensic Case
Apple releases important iOS and iPadOS security fix you need to install now - PhoneArena
Oracle Patches 450 Vulnerabilities With April 2026 CPU - SecurityWeek
LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure
New Firefox update patches a whopping 271 bugs with help from Claude Mythos | ZDNET
New Mirai variants target routers and DVRs in parallel campaigns - Help Net Security
Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet
Google Patches Antigravity IDE Flaw Enabling Prompt Injection Code Execution
Microsoft issues emergency update for macOS and Linux ASP.NET threat - Ars Technica
Hackers exploit file upload bug in Breeze Cache WordPress plugin
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime & Shipping
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
Contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to external articles are provided for general interest and awareness only. Linking to or reposting external content does not constitute endorsement of or by any organisation, service, or product. We do not control and are not responsible for the content, security, or availability of external websites or links. Full credit is given to the original authors and sources. E&OE.
Black Arrow Cyber Threat Intelligence Briefing 17 April 2026
Black Arrow Cyber Threat Intelligence Briefing 17 April 2026:
-UK Financial Regulators Rush to Assess Risks of Anthropic Latest AI Model, FT Reports
-AI Adoption Is Outpacing the Safeguards Around It
-PwC: Cyber Security Risk Outpaces Corporate Ability to Manage
-New VENOM Phishing Attacks Steal Senior Executives’ Microsoft Logins
-Beyond Wipers: Iran-Backed Cyber Attacks and the Threat to Businesses
-Wiz: 80% of Cloud Breaches Are Caused by Basic Mistakes
-Ransomware Lives On, Blending Hacktivism and Crime, Fuelled by AI
-Security Leaders Overconfident About Ransomware Recovery
-‘It’s More Common Than You Think’: Experts Reveal How Hackers Are Trying to Hijack Your Inbox with These Clever Tactics
-From Awareness to Action: Closing the Human Risk Gap in Cyber Security
-How the Enterprise Supply Chain Has Created a Global Attack Surface
-UK Reliance on US Big Tech Companies Is ‘National Security Risk’, Claims Report
-The Most Important Cyber Security Trends in 2026 So Far
Welcome to this week’s Black Arrow Cyber Threat Intelligence Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Executive Summary
In our threat intelligence briefing last week, we described how Anthropic’s new AI model had identified thousands of new serious vulnerabilities in major operating systems and ways to exploit them; this week, we include details of how the UK financial regulators are working to quickly address these AI developments with similar activity in other countries. We also report on how the adoption of AI by organisations themselves has increased the need for business leaders to strengthen their understanding and management of the associated risks.
We include details this week of how AI and other attacker tactics have increased risks such as inbox compromise, ransomware and other destructive attacks. Our advice on how business leaders should manage the risks remains fundamentally unchanged. The leadership should ensure a strong understanding of cyber risks from impartial experts, to lead the conversation on risk management with their control providers through proportionate controls underpinned by credible governance. The focus is not just on security, to reduce the probability of a successful attack, but also on resilience to withstand a successful attack when it happens. Contact us to discuss a suitable approach to achieve this.
Top Cyber Stories of the Last Week
UK Financial Regulators Rush to Assess Risks of Anthropic Latest AI Model, FT Reports
UK financial regulators are urgently assessing the cyber security implications of a new artificial intelligence model after claims it identified thousands of serious weaknesses across widely used software, including operating systems and web browsers. The Bank of England, the Financial Conduct Authority, HM Treasury and the National Cyber Security Centre are working with major banks, insurers and exchanges to understand whether the model could expose risks in critical systems. The move reflects growing concern that advanced AI could strengthen cyber defence, but also increase the risk of more effective cyber attacks.
AI Adoption Is Outpacing the Safeguards Around It
AI is being adopted faster than the safeguards around it, creating new risks for organisations. Reported AI related incidents rose from 233 in 2024 to 362 in 2025, while separate monitoring showed monthly cases reaching 435 at the start of 2026. At the same time, major AI providers are giving less visibility into how their systems are built and tested, with transparency scores falling from 58 to 40 in a year. This leaves organisations relying more on their own testing, monitoring and supplier controls to manage systems whose behaviour can be harder to predict than traditional software.
https://www.helpnetsecurity.com/2026/04/14/ai-adoption-safety-transparency-report/
PwC: Cyber Security Risk Outpaces Corporate Ability to Manage
PwC’s latest survey of more than 600 US executives shows cyber security is a board-level business risk that most organisations do not feel equipped to deal with. While 60% rank it among their top three risks, only 6% say they can manage it effectively. The report also found 68% see cyber-attacks as a moderate or serious threat, while 38% have increased spending on technology and artificial intelligence since January 2025. Despite this investment, many firms remain on the back foot as fast-changing regulation and rapid advances in AI make threats harder to manage.
https://www.inforisktoday.com/pwc-cybersecurity-risk-outpaces-corporate-ability-to-manage-a-31405
New VENOM Phishing Attacks Steal Senior Executives’ Microsoft Logins
A previously undocumented phishing‑as‑a‑service platform known as VENOM is targeting C‑suite executives through highly personalised emails designed to look like internal Microsoft SharePoint messages. The campaign uses QR codes to move victims onto mobile devices, where attackers relay the victim’s login and multi‑factor authentication process to Microsoft in real time, allowing them to capture credentials and active session tokens. Active since at least November, VENOM appears closed to wider criminal use, limiting its visibility. The activity highlights how senior leadership accounts are being deliberately singled out using sophisticated, identity‑focused phishing techniques.
Beyond Wipers: Iran-Backed Cyber Attacks and the Threat to Businesses
Iran-linked cyber activity is posing a growing risk to UK and US organisations, particularly those in finance, healthcare, energy, transport and critical services. One recent attack reportedly disrupted a global medical technology firm and claimed to have wiped more than 200,000 devices using a legitimate remote management tool. Researchers have tracked 5,800 attacks from 50 Iran-linked groups. While the US faces the greatest direct exposure, UK businesses remain vulnerable through supply chains and cloud-based services. Business leaders should ensure foundational controls are in place, including patching systems, enforcing MFA, reviewing privileged access, resilient backups and having incident response plans ready.
Wiz: 80% of Cloud Breaches Are Caused by Basic Mistakes
Researchers report that 80% of cloud breaches in 2025 stemmed from basic mistakes such as poor system configuration, weak handling of passwords and access keys, and gaps in user security. 53% of malicious activity that occurred before an attack involved reconnaissance, where criminals quietly map systems and test access. Rapid AI adoption is widening the number of possible entry points, while attackers are also using AI to speed up phishing, automate tasks and scale operations. To address this, business leaders should focus on visibility of the organisation’s externally reachable assets, identities and attack paths, while reinforcing basic security hygiene.
Ransomware Lives On, Blending Hacktivism and Crime, Fuelled by AI
Ransomware continues to evolve despite law enforcement disruption, with groups adopting more aggressive extortion tactics and increasingly blending criminal and political motives. Artificial intelligence is being used to generate malicious code, improve social engineering and scale operations, lowering the barrier for less‑skilled actors. In 2025, ransomware groups extorted more than $724 million in cryptocurrency, highlighting the profitability of the model. Hybrid ransomware and hacktivist groups are also using ransomware tools for ideological impact alongside traditional financial extortion. Business leaders should ensure strong control over user identities and privileges, as ransomware and extortion attacks are only as effective as the access they are able to obtain.
Security Leaders Overconfident About Ransomware Recovery
Many organisations are overconfident about their ability to recover from ransomware. Research shows that while 90% of security leaders believe they can restore operations quickly, only 28% fully recover their data after an attack. On average, just 72% of affected data is restored, with many organisations still facing data loss, downtime and business disruption. The report also found that more than 40% of organisations hit by cyber incidents suffered customer disruption or financial loss. Rapid adoption of artificial intelligence is adding further risk, with 43% saying it is advancing faster than their ability to secure it.
https://www.itpro.com/security/security-leaders-overconfident-about-ransomware-recovery
‘It’s More Common Than You Think’: Experts Reveal How Hackers Are Trying to Hijack Your Inbox with These Clever Tactics
Proofpoint has warned that criminals are increasingly abusing a legitimate email feature called inbox rules to quietly maintain access to compromised accounts. These automated settings can hide security alerts, forward sensitive messages, and mark emails as read, allowing attackers to monitor communications and impersonate victims without drawing attention. In the final quarter of 2025, around 10% of breached accounts had a malicious rule created within seconds of the initial compromise. Senior leaders, finance teams and other outward-facing roles remain particularly attractive targets for this type of cyber attack.
From Awareness to Action: Closing the Human Risk Gap in Cyber Security
Human behaviour is one of the biggest drivers of cyber security incidents, yet most organisations are still not responding effectively. Mimecast reports that 96% of those surveyed believe their defences against people being deceived or misusing access are incomplete. Attacks are rising across email, messaging and collaboration tools, with 53% reporting more phishing, 48% more email fraud and 45% more attacks through workplace platforms. The report also found that just 8% of users account for 80% of incidents, highlighting the value of better oversight, targeted training and joined-up security controls.
How the Enterprise Supply Chain Has Created a Global Attack Surface
Modern organisations now face growing cyber security risk through their suppliers, not just their own systems. As businesses rely on more cloud services, software providers and outsourced partners, each relationship can create a route into sensitive data or critical operations. Recent disruption linked to the war in Ukraine showed how problems in one region can affect organisations far beyond it through indirect supplier connections. The most effective response is a practical one: focus greatest scrutiny on high-risk suppliers with access to important systems or data, and build security checks into procurement and access decisions from the start.
UK Reliance on US Big Tech Companies Is ‘National Security Risk’, Claims Report
A report backed by MPs warns that the UK’s heavy dependence on a small number of US technology providers for data centres, software and other critical digital services could become a national security risk. It argues that political tensions could disrupt essential services, while limited competition may also be driving up public sector cloud costs by as much as £500 million a year. The report calls for greater investment in UK-based providers, open standards and open-source software (publicly available code that organisations can inspect and adapt), to improve resilience, reduce lock-in and support innovation.
The Most Important Cyber Security Trends in 2026 So Far
Cyber security trends in early 2026 centre on artificial intelligence, ransomware and nation‑state attacks. AI is being used to detect threats and understand sensitive data environments, while at the same time attackers use it to scale phishing, social engineering and deepfake attacks. Identity and access management remains vulnerable where credentials are compromised, or insider threats occur. Ransomware continues to evolve, with some attacks focused on encrypting or wiping systems to disrupt operations. Business leaders should ensure their data is identified and protected wherever it is stored or accessed, apply clear classification, and scrutinise third‑party software and suppliers.
https://securityboulevard.com/2026/04/the-most-important-cybersecurity-trends-in-2026-so-far/
Governance, Risk and Compliance
PwC: Cybersecurity Risk Outpaces Corporate Ability to Manage
Businesses are paying the price for CISO burnout | Computer Weekly
The Most Important Cybersecurity Trends in 2026 So Far - Security Boulevard
Only a third of cybersecurity professionals plan to stay in their current role - BetaNews
Analysis of 216M Security Findings Shows a 4x Increase In Critical Risk (2026 Report)
Threats
Ransomware, Extortion and Destructive Attacks
Just Three Ransomware Gangs Accounted for 40% of Attacks Last Month - Infosecurity Magazine
Ransomware Lives On, Blending Hacktivism and Crime, Fueled by AI - Security Boulevard
Ransomware Groups Are Actively Disabling Your EDR Before You Even Know It - Security Boulevard
Security leaders overconfident about ransomware recovery | IT Pro
Ransomware scum, other crims exploit 4 old Microsoft bugs • The Register
Emulating the Persuasive NightSpire Ransomware - Security Boulevard
0APT ransomware gang extorts Krybit amid doxxing threat • The Register
Pay up for ransomware and they’ll be back for more - BetaNews
Crypto-exchange Kraken extorted by hackers after insider breach
Ransomware and Destructive Attack Victims
Beyond wipers: Iran-backed cyber attacks and the threat to businesses | IT Pro
Stolen Rockstar Games analytics data leaked by extortion gang
Hackers threaten to leak over 9M Amtrak records, including personal info | Cybernews
McGraw-Hill confirms data breach following extortion threat
Hallmark data breach escalates as hackers leak and sell customer records| Cybernews
All jobs lost as Scottish company forced into liquidation after cyber attack | The National
6-Year Ransomware Campaign Targets Turkish Homes & SMBs
Teenaged Boy Arrested After NI Schools Hacked | Silicon UK Tech
U.S. Public Sector Under Siege: Threat Intelligence for Q1 2026 | Trend Micro (US)
Phishing & Email Based Attacks
New VENOM phishing attacks steal senior executives' Microsoft logins
Poisoned "Office 365" search results lead to stolen paychecks - Help Net Security
Global phishing war targets smartphones in massive hack-for-hire espionage campaign - Times Kuwait
Other Social Engineering
From awareness to action: Closing the human risk gap in cybersecurity | resource | SC Media
Poisoned "Office 365" search results lead to stolen paychecks - Help Net Security
North Korea's APT37 Uses Facebook Social Engineering to Deliver RokRAT Malware
ClickFix campaign delivers Mac malware via fake Apple page - Help Net Security
AML/CFT/Money Laundering/Terrorist Financing/Sanctions
Triad Nexus Expands Global Fraud Operations Despite US Sanctions - Infosecurity Magazine
Major Scam Network Triad Nexus Adapts Operations to Avoid U.S. Scrutiny - Security Boulevard
Artificial Intelligence
AI cyber threats: open letter to business leaders (HTML) - GOV.UK
Financial services regulators assess risks from Anthropic’s new AI model - FStech
The 'Vulnpocalypse': Why experts fear AI could tip the scales toward hackers
UK gov's Mythos AI tests help separate cybersecurity threat from hype - Ars Technica
Anthropic’s Mythos finds software flaws faster than companies can fix them | Fortune
Anthropic’s Mythos signals a structural cybersecurity shift | CSO Online
Ransomware Lives On, Blending Hacktivism and Crime, Fueled by AI - Security Boulevard
AI adoption is outpacing the safeguards around it - Help Net Security
The exploit gap is closing, and your patch cycle wasn't built for this - Help Net Security
AI and Cryptocurrency Scams are Costing Americans Billions, FBI Reports
How the explosion in machine identities is changing cyber defense | IT Pro
AI-Driven Pushpaganda Scam Exploits Google Discover to Spread Scareware and Ad Fraud
CEOs are embracing AI agents as cyber risks grow | Semafor
Apple Intelligence AI Guardrails Bypassed in New Attack - SecurityWeek
Rethinking Insider Risk in the Age of AI and Autonomy - Silicon UK Expert Advice
What AI-Driven Attack Chains Mean for CFOs and CISOs
China Cracking Down on the Types of AI That Are Tearing America Apart
43% of AI-generated code changes need debugging in production, survey finds | VentureBeat
Enterprises are using AI for security but less than a third fully trust it - BetaNews
Bots/Botnets
Newly Discovered PowMix Botnet Hits Czech Workers Using Randomized C2 Traffic
Careers, Roles, Skills, Working in Cyber and Information Security
Businesses are paying the price for CISO burnout | Computer Weekly
Only a third of cybersecurity professionals plan to stay in their current role - BetaNews
CISOs Urged to Innovate in Talent Retention as Job Satisfaction Declin - Infosecurity Magazine
UK Cyber Security Council Launches Associate Cyber Security Profession - Infosecurity Magazine
Cloud/SaaS
APT41 Delivers 'Undetectable' Backdoor to Steal Cloud Credentials
Wiz: 80% of cloud breaches are caused by basic mistakes | IT Pro
Microsoft 365 Tenant Security: How to Stay in Control of Your Data - Infosecurity Magazine
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
AI and Cryptocurrency Scams are Costing Americans Billions, FBI Reports
Bitcoin Depot hack leads to $3.6M Bitcoin theft via stolen credentials
Over 20,000 crypto fraud victims identified in international crackdown
French cops free mother and son after crypto kidnapping • The Register
U.S. Treasury enlists crypto in national cyber defense push as digital asset hacks rise
Crypto-exchange Kraken extorted by hackers after insider breach
$12 million frozen, 20,000 victims identified in crypto scam crackdown - Help Net Security
Cyber Crime, Organised Crime & Criminal Actors
Ransomware Lives On, Blending Hacktivism and Crime, Fueled by AI - Security Boulevard
French cops free mother and son after crypto kidnapping • The Register
W3LL phishing service sold for $500 dismantled by the FBI - Help Net Security
Triad Nexus Expands Global Fraud Operations Despite US Sanctions - Infosecurity Magazine
Cybercriminal responsible for PowerSchool breach speaks out
Hacker Unknown now known, named on Europol’s most-wanted list | CSO Online
Data Breaches/Leaks
108 Chrome Extensions Linked to Data Exfiltration and Sessio...
Hack at Anodot leaves over a dozen breached companies facing extortion | TechCrunch
Over 100 Chrome extensions caught stealing Google and Telegram data: How to stay safe? | Mint
LiteLLM Supply Chain Attack Exposes Millions To Credential Theft
Hackers threaten to leak over 9M Amtrak records, including personal info | Cybernews
McGraw-Hill confirms data breach following extortion threat
Hallmark data breach escalates as hackers leak and sell customer records| Cybernews
300,000 People Impacted by Eurail Data Breach - SecurityWeek
Hims Breach Exposes the Most Sensitive Kinds of PHI
European Gym giant Basic-Fit data breach affects 1 million members
Nightclub Giant RCI Hospitality Reports Data Breach - SecurityWeek
Europe's Largest Gym Chain Says Data Breach Impacts 1 Million Members - SecurityWeek
Stolen Rockstar Games analytics data leaked by extortion gang
Hungary officials used weak passwords exposed in breach dump • The Register
Data Protection
Health insurance lead sites sell personal data within seconds of form submission - Help Net Security
Data/Digital Sovereignty
UK reliance on US big tech companies is ‘national security risk’, claims report | Computer Weekly
France to ditch Windows for Linux to reduce reliance on US tech | TechCrunch
Denial of Service/DoS/DDoS
Orgs Must Test Networks to Handle DDoS Attacks During Peak Loads
Cybercriminals are increasingly attacking digital services
Encryption
Why is the timeline to quantum-proof everything constantly shrinking? | CyberScoop
Preparing for 'Q-Day': Why Quantum Risk Management Is a Must
WhatsApp's 'End-to-End Encryption by Default' Claim Called Major Consumer Fraud by Pavel Durov
Fraud, Scams and Financial Crime
AI and Cryptocurrency Scams are Costing Americans Billions, FBI Reports
Over 20,000 crypto fraud victims identified in international crackdown
Triad Nexus Expands Global Fraud Operations Despite US Sanctions - Infosecurity Magazine
AI-Driven Pushpaganda Scam Exploits Google Discover to Spread Scareware and Ad Fraud
Beyond wipers: Iran-backed cyber attacks and the threat to businesses | IT Pro
$12 million frozen, 20,000 victims identified in crypto scam crackdown - Help Net Security
FBI and Indonesian Police Dismantle W3LL Phishing Network Behind $20M Fraud Attempts
Identity and Access Management
How the explosion in machine identities is changing cyber defense | IT Pro
Your Next Breach Will Look Like Business as Usual
Insider Risk and Insider Threats
Crypto-exchange Kraken extorted by hackers after insider breach
From awareness to action: Closing the human risk gap in cybersecurity | resource | SC Media
Rethinking Insider Risk in the Age of AI and Autonomy - Silicon UK Expert Advice
The Quiet Revolt: What The World Happiness Report 2026 Tells Security Professionals
Internet of Things – IoT
The Tech Of The Iran War: Hacking Traffic Cameras & Cyberpunk Surveillance Ops
Law Enforcement Action and Take Downs
Teenaged Boy Arrested After NI Schools Hacked | Silicon UK Tech
$12 million frozen, 20,000 victims identified in crypto scam crackdown - Help Net Security
Hacker Unknown now known, named on Europol’s most-wanted list | CSO Online
Linux and Open Source
France to ditch Windows for Linux to reduce reliance on US tech | TechCrunch
Distributed Risk: Open-Source Software as Strategic Infrastructure | Geopolitical Monitor
Microsoft locks out top open source devs, blames process • The Register
Malvertising
Poisoned "Office 365" search results lead to stolen paychecks - Help Net Security
'Harmless' Global Adware Transforms Into an AV Killer
AI-Driven Pushpaganda Scam Exploits Google Discover to Spread Scareware and Ad Fraud
Mirax Android RAT Turns Devices into SOCKS5 Proxies, Reaching 220,000 via Meta Ads
Signed software abused to deploy antivirus-killing scripts
Malware
'Harmless' Global Adware Transforms Into an AV Killer
APT41 Delivers 'Undetectable' Backdoor to Steal Cloud Credentials
North Korea's APT37 Uses Facebook Social Engineering to Deliver RokRAT Malware
Yes, you can get malware just by visiting a website
Renovate & Dependabot: The New Malware Delivery System - Security Boulevard
The silent “Storm”: New infostealer hijacks sessions, decrypts server-side
Signed software abused to deploy antivirus-killing scripts
ClickFix campaign delivers Mac malware via fake Apple page - Help Net Security
GlassWorm Campaign Uses Zig Dropper to Infect Multiple Developer IDEs
Fake Claude Website Distributes PlugX RAT - SecurityWeek
Someone planted backdoors in dozens of WordPress plug-ins used in thousands of websites | TechCrunch
New ‘LucidRook’ malware used in targeted attacks on NGOs, universities
JanelaRAT Malware Targets Latin American Banks with 14,739 Attacks in Brazil in 2025
New AgingFly malware used in attacks on Ukraine govt, hospitals
Misinformation, Disinformation and Propaganda
War Game Exercise Shows How Social Media Manipulation Works
Mobile
Mirax Android RAT Turns Devices into SOCKS5 Proxies, Reaching 220,000 via Meta Ads
Users lose $9.5 million to fake Ledger wallet app on the Apple App Store
Global phishing war targets smartphones in massive hack-for-hire espionage campaign - Times Kuwait
WhatsApp's 'End-to-End Encryption by Default' Claim Called Major Consumer Fraud by Pavel Durov
Musk, Durov attack WhatsApp encryption | Cybernews
iPhone forensics expose Signal messages after app removal in U.S. case
Models, Frameworks and Standards
EU cybersecurity standards are at risk if supplier ban passes - Help Net Security
Outages
Kremlin tells Russians internet shutdowns are temporary after crackdown ruffles elite | Reuters
Passwords, Credential Stuffing & Brute Force Attacks
APT41 Delivers 'Undetectable' Backdoor to Steal Cloud Credentials
Bitcoin Depot hack leads to $3.6M Bitcoin theft via stolen credentials
New VENOM phishing attacks steal senior executives' Microsoft logins
Your Next Breach Will Look Like Business as Usual
Are Rainbow Tables Still Relevant in 2026? - Infosecurity Magazine
Raspberry Pi OS 6.2 disables passwordless sudo by default - Help Net Security
Regulations, Fines and Legislation
AI security officials warn on Anthropic model as Bank to hold meeting
Bessent, Powell Summon Bank CEOs to Urgent Meeting Over Anthropic's New AI Model - Bloomberg
EU cybersecurity standards are at risk if supplier ban passes - Help Net Security
What the EU AI Act requires for AI agent logging - Help Net Security
Netherlands won't ban ransom payments to hackers | Cybernews
The FCC just saved Netgear from its router ban for no obvious reason | The Verge
FCC just handed Netgear a de facto router monopoly in the US
Social Media
North Korea's APT37 Uses Facebook Social Engineering to Deliver RokRAT Malware
The Quiet Revolt: What The World Happiness Report 2026 Tells Security Professionals
Mirax Android RAT Turns Devices into SOCKS5 Proxies, Reaching 220,000 via Meta Ads
War Game Exercise Shows How Social Media Manipulation Works
BrowserGate: Claims of LinkedIn ‘Spying’ Clash With Security Research Findings - SecurityWeek
Software Supply Chain
CPUID Hacked to Serve Trojanized CPU-Z and HWMonitor Downloads - SecurityWeek
Supply Chain and Third Parties
Two different attackers poisoned popular open source tools • The Register
How the enterprise supply chain has created a global attack surface - IT Security Guru
Hack at Anodot leaves over a dozen breached companies facing extortion | TechCrunch
Google Warns of New Threat Group Targeting BPOs and Helpdesks - Infosecurity Magazine
OpenAI Revokes macOS App Certificate After Malicious Axios Supply Chain Incident
Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity
Cyber Warfare and Cyber Espionage
Beyond wipers: Iran-backed cyber attacks and the threat to businesses | IT Pro
Do Ceasefires Slow Cyberattacks? History Suggests Not
Cyberattacks, Tariffs, Geopolitics Loom Over Business Executives
The Tech Of The Iran War: Hacking Traffic Cameras & Cyberpunk Surveillance Ops
Global phishing war targets smartphones in massive hack-for-hire espionage campaign - Times Kuwait
We should be more worried about cyber warfare targeting the civilian economy
Cybersecurity in an Age of Geopolitical Fracture
Nation State Actors
U.S. Public Sector Under Siege: Threat Intelligence for Q1 2026 | Trend Micro (US)
China
APT41 Delivers 'Undetectable' Backdoor to Steal Cloud Credentials
U.S. Public Sector Under Siege: Threat Intelligence for Q1 2026 | Trend Micro (US)
China Cracking Down on the Types of AI That Are Tearing America Apart
Russia
Inside the FBI’s router takedown that cut off APT28’s ‘tremendous access’ | CyberScoop
Your router may be vulnerable to Russian hackers, FBI warns: 5 steps to take now | ZDNET
Russia's 'Fancy Bear' APT Continues Its Global Onslaught
The cables powering the internet are under the ocean – and under threat | TechSpot
New AgingFly malware used in attacks on Ukraine govt, hospitals
With Russia already 'at war with us', UK must urgently defend key North Sea energy infrastructure
Kremlin tells Russians internet shutdowns are temporary after crackdown ruffles elite | Reuters
Russian-Linked Hackers Breach Emails of the Romanian Army - The Romania Journal
North Korea
Two different attackers poisoned popular open source tools • The Register
North Korea's APT37 Uses Facebook Social Engineering to Deliver RokRAT Malware
Iran
Beyond wipers: Iran-backed cyber attacks and the threat to businesses | IT Pro
Do Ceasefires Slow Cyberattacks? History Suggests Not
The Tech Of The Iran War: Hacking Traffic Cameras & Cyberpunk Surveillance Ops
Iran Planning Cyberattack on US Infrastructure, Intelligence Community Warns - The National Interest
Iran-linked group Handala claims to have breached three major UAE organizations
Sweden reports cyberattack attempt on heating plant amid rising energy threats
Industrial Devices Still Vulnerable As Conflicts Move to Cyber
Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence
Ransomware Lives On, Blending Hacktivism and Crime, Fueled by AI - Security Boulevard
Global phishing war targets smartphones in massive hack-for-hire espionage campaign - Times Kuwait
Tools and Controls
Enterprises are using AI for security but less than a third fully trust it - BetaNews
Ransomware Groups Are Actively Disabling Your EDR Before You Even Know It - Security Boulevard
PwC: Cybersecurity Risk Outpaces Corporate Ability to Manage
'Harmless' Global Adware Transforms Into an AV Killer
Microsoft locks out top open source devs, blames process • The Register
From awareness to action: Closing the human risk gap in cybersecurity | resource | SC Media
UK financial regulators rush to assess risks of Anthropic’s latest AI model
Financial services regulators assess risks from Anthropic’s new AI model - FStech
Mythos testing begins as governments raise cyber concerns
The Vuln Surge is Coming. CSA is Telling Us How to Survive It - Security Boulevard
The 'Vulnpocalypse': Why experts fear AI could tip the scales toward hackers
Testing reveals Claude Mythos's offensive capabilities and limits - Help Net Security
Claude Mythos Preview completes full cyberattack simulation for the first time - The New Stack
Anthropic’s Mythos finds software flaws faster than companies can fix them | Fortune
The exploit gap is closing, and your patch cycle wasn't built for this - Help Net Security
Security leaders overconfident about ransomware recovery | IT Pro
How AI is getting better at finding security holes : NPR
Most organizations make a mess of handling digital disruption | IT Pro
Signed software abused to deploy antivirus-killing scripts
Incident response for AI: Same fire, different fuel | Microsoft Security Blog
43% of AI-generated code changes need debugging in production, survey finds | VentureBeat
GlassWorm Campaign Uses Zig Dropper to Infect Multiple Developer IDEs
Network segmentation projects fail in predictable patterns - Help Net Security
What vibe hunting gets right about AI threat hunting, and where it breaks down - Help Net Security
Other News
Fortinet report: cyberattacks against banks increasing
From Somerset to New York: Why are undersea cables so important? - BBC News
The cables powering the internet are under the ocean – and under threat | TechSpot
Mailbox Rule Abuse Emerges as Stealthy Post-Compromise Threat - Infosecurity Magazine
Cybercriminals are increasingly attacking digital services
Comms Business - One fifth of telcos' websites wide open to cyber attacks
Healthcare IT under siege: CloudWave is fighting back - SiliconANGLE
The Dumbest Hack of the Year Exposed a Very Real Problem | WIRED
Vulnerability Management
NIST Limits CVE Enrichment After 263% Surge in Vulnerability Submissions
AI security officials warn on Anthropic model as Bank to hold meeting
Bessent, Powell Summon Bank CEOs to Urgent Meeting Over Anthropic's New AI Model - Bloomberg
UK financial regulators rush to assess risks of Anthropic’s latest AI model
Mythos testing begins as governments raise cyber concerns
Testing reveals Claude Mythos's offensive capabilities and limits - Help Net Security
The exploit gap is closing, and your patch cycle wasn't built for this - Help Net Security
How AI is getting better at finding security holes : NPR
Vulnerabilities
Microsoft Issues Patches for SharePoint Zero-Day and 168 Other New Vulnerabilities
Microsoft drops its second-largest monthly batch of defects on record | CyberScoop
Privilege Elevation Dominates Massive Microsoft Patch Update
Windows BitLocker Vulnerability Allows Attacker to Bypass Security Feature
Cisco says critical Webex Services flaw requires customer action
Cisco Patches Four Critical Identity Services, Webex Flaws Enabling Code Execution
Ransomware scum, other crims exploit 4 old Microsoft bugs • The Register
Mac users, update your ChatGPT app immediately: OpenAI issues urgent security warning | Mint
Chrome 147 Patches 60 Vulnerabilities, Including Two Critical Flaws Worth $86,000 - SecurityWeek
Juniper Networks Patches Dozens of Junos OS Vulnerabilities - SecurityWeek
Adobe Patches Exploited Zero-Day That Lingered for Months
Adobe Patches 55 Vulnerabilities Across 11 Products - SecurityWeek
Recently leaked Windows zero-days now exploited in attacks
Vindictive hacker drops second Windows Defender exploit | Cybernews
SAP Patches Critical ABAP Vulnerability - SecurityWeek
Critical Fortinet sandbox bugs allow auth bypass and RCE • The Register
OpenSSL 4.0.0 release cuts deprecated protocols and gains post-quantum support - Help Net Security
Attackers target unpatched ShowDoc servers via CVE-2025-0520
DavMail 6.6.0 patches a regex flaw and advances its Microsoft Graph backend - Help Net Security
New PHP Composer Flaws Enable Arbitrary Command Execution — Patches Released
Two Vulnerabilities Patched in Ivanti Neurons for ITSM - SecurityWeek
Microsoft: April Windows Server 2025 update may fail to install
Splunk Enterprise Update Patches Code Execution Vulnerability - SecurityWeek
Hackers exploit Marimo flaw to deploy NKAbuse malware from Hugging Face
Critical flaw in wolfSSL library enables forged certificate use
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime & Shipping
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
Contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to external articles are provided for general interest and awareness only. Linking to or reposting external content does not constitute endorsement of or by any organisation, service, or product. We do not control and are not responsible for the content, security, or availability of external websites or links. Full credit is given to the original authors and sources. E&OE.
Black Arrow Cyber Threat Intelligence Briefing 10 April 2026
Black Arrow Cyber Threat Intelligence Briefing 10 April 2026:
-Anthropic’s New AI Model Finds and Exploits Zero-Days Across Every Major OS and Browser
-Hundreds of Orgs Compromised Daily in Microsoft Device Code Phishing Attacks
-Qilin Ransomware Uses Malicious DLL to Kill Almost Every Vendor’s EDR Solutions
-More than Half of Enterprises Are Using Devices with Out-of-Date Operating Systems – and It’s Leaving Them Wide Open to Attacks
-Russian Hackers Exploiting Home and Small-office Routers in Massive DNS hijacking Attack
-Why Britain’s Most Common Crime Has Been Poorly Investigated for Decades
-Mobile Attack Surface Expands as Enterprises Lose Control
-FBI: Cyber Fraud Surges to $17.6 Billion in Losses as Scams, Crypto Theft Soar
-Boards Are Falling Short on Cyber Security
-72% of Workers Say AI Is Giving Phishing a Dangerous New Edge, Sagiss Managed Security Survey Finds
-The Rise of Proactive Cyber: Why Defence Is No Longer Enough
-Better Prepare for a Cyber Breach
Welcome to this week’s Black Arrow Cyber Threat Intelligence Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Executive Summary
There are two big headlines for business leaders this week in our review of cyber security in the specialist and public media.
Anthropic’s AI model has identified thousands of new serious vulnerabilities in major operating systems and quickly established ways to exploit them. This is a ground-shift, because AI models used by attackers will likely be able to do the same soon, and many of these vulnerabilities had been undiscovered by human security researchers for decades. The second headline is the escalating use of a new type of phishing attack that can bypass controls. We published advisories on our website last week, with recommended actions that business leaders should focus on in response to these developments; see below for links to the advisories.
Other developments this week include ransomware attackers who disable security monitoring tools, Russian attackers gaining access to home and small-office routers, and research into organisations using Mac devices with out-of-date operating systems.
Our advice for business leaders remains consistent: ensure you have an unbiased understanding of your risks and how effectively those risks are addressed through your controls. This is achieved by upskilling on cyber security from a business perspective, and implementing proportionate governance enhanced by working with specialists in cyber risk management. Contact us to discuss how you can achieve this to help protect your business.
Top Cyber Stories of the Last Week
Anthropic’s New AI Model Finds and Exploits Zero-Days Across Every Major OS and Browser
Anthropic has reported a sharp leap in the ability of advanced AI to find and exploit previously unknown software flaws across major operating systems and web browsers. In testing, its new model uncovered thousands of serious weaknesses and produced working attack methods far more often than earlier versions. It also turned known flaws into usable exploits in less than a day at relatively low cost. The findings suggest the window between a vulnerability being discovered and weaponised is shrinking. This increases pressure on organisations to patch faster and strengthen their preparations for incident response.
https://www.helpnetsecurity.com/2026/04/08/anthropic-claude-mythos-preview-identify-vulnerabilities/
Hundreds of Orgs Compromised Daily in Microsoft Device Code Phishing Attacks
Microsoft has reported a large-scale phishing campaign that is compromising hundreds of organisations each day by abusing a legitimate sign in process designed for devices such as smart TVs and printers. The attackers use AI to create convincing, highly personalised emails and automate much of the attack, helping them evade detection and bypass multi-factor authentication. Once inside, they focus on finance related accounts, stealing sensitive emails and financial information. The campaign underlines the need for business leaders to restrict unnecessary sign‑in methods, reinforce employee phishing awareness, and ensure unusual authentication activity is monitored.
https://www.theregister.com/2026/04/07/microsoft_device_code_phishing/
Qilin Ransomware Uses Malicious DLL to Kill Almost Every Vendor’s EDR Solutions
Researchers have uncovered how the ransomware group Qilin is using a sophisticated attack chain designed to disable more than 300 security monitoring tools before launching encryption. The group hides malware inside trusted software, runs it largely in memory to avoid detection, and installs software to interfere with core Windows security functions. The campaign shows how attackers are neutralising defences first to extend their time undetected. For business leaders, this underlines the need for layered security and oversight of unusual system changes, and avoiding reliance on a single protective tool.
https://cybersecuritynews.com/qilin-ransomware-kill-edr/
More than Half of Enterprises Are Using Devices with Out-of-Date Operating Systems – and It’s Leaving Them Wide Open to Attacks
A review of more than 150,000 Mac devices shows weak device management is leaving many organisations exposed to cyber security risks. 53% of organisations had at least one device running a critically out of date operating system, while 95% of assessed applications had at least one medium severity weakness. The findings also show growing risks on Mac devices, with 44% seeing malicious network activity and 26% affected by cryptojacking, where attackers misuse devices to generate cryptocurrency.
Russian Hackers Exploiting Home and Small-office Routers in Massive DNS hijacking Attack
A Russian state-linked hacking group has compromised more than 200 organisations and 5,000 consumer devices by targeting home and small office routers since at least August 2025. By changing internet settings on these devices, the group was able to monitor web traffic and, in some cases, intercept sensitive information such as emails, login details and cloud data. Sectors affected include government, technology, telecoms and energy. The campaign highlights how poorly secured home networks used by remote and hybrid staff can create a serious cyber security risk for organisations.
https://cybersecuritynews.com/russian-hackers-exploiting-routers/
Why Britain’s Most Common Crime Has Been Poorly Investigated for Decades
Fraud remains the most common crime in Britain, with an estimated 4.2 million cases recorded in the year to September 2025, yet only a small share result in prosecution. For years, victims have faced poor support, weak investigations and outdated reporting systems, with some police forces taking no action on most cases. Reviews have also found too few specialist investigators, limited investment and inadequate technology. The UK Government has launched a new strategy focused on better victim support, reimbursement, stronger justice outcomes and a renewed reporting system.
Mobile Attack Surface Expands as Enterprises Lose Control
Jamf’s review of more than 1.7 million mobile devices shows many organisations are losing control of a rapidly expanding mobile risk. Over half had at least one device running a critically outdated operating system, 18% had users connecting to risky public Wi‑Fi, and 8% had clicked phishing links designed to steal credentials or sensitive data. The report also found 86% of widely used mobile apps carried known security weaknesses, with “shadow AI” in everyday apps creating new exposure. For business leaders, this underlines the importance of knowing what devices and apps are accessing corporate data, enforcing basic hygiene such as updates and secure connections, and maintaining visibility over how mobile tools are actually being used.
https://www.securityweek.com/mobile-attack-surface-expands-as-enterprises-lose-control/
FBI: Cyber Fraud Surges to $17.6 Billion in Losses as Scams, Crypto Theft Soar
The FBI’s latest figures show $17.6 billion in cyber‑enabled fraud losses in 2025, with over one million complaints filed. Investment scams caused the greatest financial harm, while business email compromise exceeded $3 billion in losses. Cryptocurrency was linked to more than $11.3 billion stolen, and reports involving AI‑enabled fraud are rising. For business leaders, the figures highlight growing financial exposure from impersonation, payment fraud, and emerging technologies, not just technical cyber incidents.
https://therecord.media/cyber-fraud-surges-to-17-billion-fbi-ic3
Boards Are Falling Short on Cyber Security
Board attention to cyber security is rising, but progress in reducing risk remains slow. Recent data shows cybercrime losses increased by 33% year on year, underlining the scale of the challenge. A common weakness is that boards often lack the expertise to judge whether senior cyber security leaders are effective, treat artificial intelligence mainly as a growth issue rather than a security and governance risk, and confuse regulatory compliance with genuine protection. Stronger outcomes come when cyber security is overseen as a business resilience issue tied to leadership accountability, operational continuity and competitive strength.
https://hbr.org/2026/04/boards-are-falling-short-on-cybersecurity
72% of Workers Say AI Is Giving Phishing a Dangerous New Edge, Sagiss Managed Security Survey Finds
A Sagiss survey of 500 desk-based workers found that AI is making phishing emails and chat messages more polished, convincing and harder to recognise. Nearly three quarters of respondents said these messages are more believable than a year ago, while 64% said AI could plausibly imitate a colleague. The risk is heightened by pressured working habits: 63% admitted clicking a work link before properly checking it, 57% verified a request only after acting, and 68% review work messages outside normal hours. The findings show that speed and fatigue are now amplifying phishing risk as much as technical deception.
The Rise of Proactive Cyber: Why Defence Is No Longer Enough
Cyber attacks are moving too quickly for a purely reactive approach to keep pace. The time between an attacker gaining access and passing that access to a second criminal group has fallen from eight hours in 2022 to just 22 seconds in 2025, showing how coordinated and fast moving the threat has become. In response, governments and major technology providers are stepping up efforts to disrupt attackers earlier through legal action, infrastructure takedowns and stronger product security. For most organisations, however, the priority remains strong internal resilience, rapid evidence sharing and well rehearsed incident response.
Better Prepare for a Cyber Breach
Mid-market organisations face growing exposure to cyber attacks as a breach at one supplier or technology provider can quickly disrupt operations, deliveries and customer service across an entire business network. At the same time, 77% of organisations still lack the basic controls needed to protect artificial intelligence systems, data and cloud environments. The priority is stronger oversight of how AI tools are used, tighter access controls, clearer rules for staff and suppliers, and better governance so businesses can spot threats earlier, limit disruption and protect long term value.
https://professionalsecurity.co.uk/products/cyber/better-prepare-for-a-cyber-breach/
Advisories Published in the Last Week
Black Arrow Cyber Advisory 10 April 2026 – Frontier AI and the Changing Cyber Threat Landscape
https://www.blackarrowcyber.com/blog/advisory-10-april-2026-frontier-ai-changing-threat-landscape
Black Arrow Cyber Advisory - 10 April 2026 - Microsoft device code phishing campaigns targeting Microsoft 365 users
https://www.blackarrowcyber.com/blog/advisory-10-april-2026-microsoft-device-code-phishing
Governance, Risk and Compliance
Cyber threats need to be embedded in corporate culture – report
Most Organizations Do Not Fully Trust Their Cybersecurity Vendors
The rise of proactive cyber: Why defense is no longer enough | CSO Online
Better prepare for a cyber breach | Professional Security Magazine
Boards Are Falling Short on Cybersecurity
How to know you’re a real-deal CSO — and whether that job opening truly seeks one | CSO Online
Meaningful metrics demonstrate the value of cyber-resiliency | TechTarget
Cyberattacks On Law Firms Are Rising. Here’s What’s Driving It. - Above the Law
Threats
Ransomware, Extortion and Destructive Attacks
Qilin Ransomware Uses Malicious DLL to Kill Almost Every Vendor's EDR Solutions
Qilin EDR killer infection chain
Qilin and Warlock Ransomware Use Vulnerable Drivers to Disable 300+ EDR Tools
BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks
Ransomware Will Hit Hospitals. Rehearsals Are Key to Defense
Evolution of Ransomware: Multi-Extortion Ransomware Attacks
Man admits to locking thousands of Windows devices in extortion plot
German authorities identify REvil and GandCrab ransomware bosses
Ransomware reimagined: Why containment alone is no longer enough | resource | SC Media
Emulating the Concealed Sinobi Ransomware - Security Boulevard
Ransomware and Destructive Attack Victims
Die Linke German political party confirms data stolen by Qilin ransomware
Dutch hospitals hit after patient software cyberattack | Cybernews
Ransomware knocks Dutch healthcare software vendor offline • The Register
Signature Healthcare hit by cyberattack, services and pharmacies impacted
Ransomware attack on company that manages Dutch hospitals' patient files | NL Times
Phishing & Email Based Attacks
72% of Workers Say AI Is Giving Phishing a Dangerous New Edge, Sagiss Managed Security Survey Finds
Hundreds compromised daily in Microsoft device code phishes • The Register
Inside an AI‑enabled device code phishing campaign | Microsoft Security Blog
New Phishing Platform Used in Credential Theft Campaigns - Infosecurity Magazine
Device code phishing attacks surge 37x as new kits spread online
Phishers sneak through using GitHub and Jira’s own mail delivery infrastructure - Help Net Security
China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing
How a burner email can protect your inbox - setting one up one is easy and free | ZDNET
Business Email Compromise (BEC)/Email Account Compromise (EAC)
Other Social Engineering
Hundreds compromised daily in Microsoft device code phishes • The Register
Inside an AI‑enabled device code phishing campaign | Microsoft Security Blog
Device code phishing attacks surge 37x as new kits spread online
Axios Attack Shows Social Complex Engineering Is Industrialized
I knew about North Korean hackers—they still tricked me and got into my computer | Fortune
Traffic violation scams switch to QR codes in new phishing texts
That dream job offer from Coca-Cola or Ferrari? It’s a trap for your passwords | Malwarebytes
New macOS stealer campaign uses Script Editor in ClickFix attack
Social engineering attacks on open source developers are escalating - Help Net Security
Artificial Intelligence
72% of Workers Say AI Is Giving Phishing a Dangerous New Edge, Sagiss Managed Security Survey Finds
Inside an AI‑enabled device code phishing campaign | Microsoft Security Blog
Threat actor abuse of AI accelerates from tool to cyberattack surface | Microsoft Security Blog
Claude Code's innards revealed as source code leaked online • The Register
The New Rules of Engagement: Matching Agentic Attack Speed - SecurityWeek
CISOs grapple with AI demands within flat budgets - Help Net Security
Most Organisations Face an Unsecured API Surge As AI Agents Outpace Security - IT Security Guru
Anthropic Issues Copyright Takedowns to Scrub Claude Code Leak | PCMag
A.I. Is on Its Way to Upending Cybersecurity - The New York Times
Agentic AI's role in amplifying and creating insider risks | TechTarget
The AI Revolution in Cyber Conflict | Lawfare
How Security Leaders Can Safeguard Against Vibe Coding Security Risks - Infosecurity Magazine
Bots/Botnets
Cybercriminals move deeper into networks, hiding in edge infrastructure - Help Net Security
Residential proxies evaded IP reputation checks in 78% of 4B sessions
Residential proxies make a mockery of IP-based defenses - Help Net Security
Careers, Roles, Skills, Working in Cyber and Information Security
How to know you’re a real-deal CSO — and whether that job opening truly seeks one | CSO Online
ISC2 Publishes Guidance on the Inclusion of AI Security Concepts Across all its Certifications
The cybersecurity boom hiding a growing privacy skills shortage | TechRadar
Why modern cyber conflict is partly a global skills challenge | TechRadar
Cloud/SaaS
Trivy supply chain attack enabled European Commission cloud breach - Help Net Security
The EU is suffering a hacking crisis. Here’s what we know. – POLITICO
Snowflake customers hit in data theft attacks after SaaS integrator breach
Chaos malware expands from routers to Linux cloud servers - Help Net Security
New Chaos Variant Targets Misconfigured Cloud Deployments, Adds SOCKS Proxy
Act-of-War Clauses Cloud Cyber Insurance Coverage - DataBreaches.Net
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Drift Loses $285 Million in Durable Nonce Social Engineering Attack Linked to DPRK
New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images
Hackers steal $3.6 million from crypto ATM giant Bitcoin Depot
Cryptographers place $5,000 bet whether quantum will matter • The Register
Cyber Crime, Organised Crime & Criminal Actors
Cybercriminals move deeper into networks, hiding in edge infrastructure - Help Net Security
Don't glamorize cybercrims, roast them instead • The Register
Adversaries Exploit Vacant Homes to Intercept Mail in Hybrid Cybercrime
Threat Actors Get Crafty With Emojis to Escape Detection
Security lapse lets researchers view React2Shell hackers’ dashboard | CSO Online
Criminal wannabes even more dangerous than the pros • The Register
Data Breaches/Leaks
European Commission breach exposed data of 30 EU entities, CERT-EU says
Trivy supply chain attack enabled European Commission cloud breach - Help Net Security
The EU is suffering a hacking crisis. Here’s what we know. – POLITICO
Snowflake customers hit in data theft attacks after SaaS integrator breach
Jones Day Law Firm Says Hackers Accessed Some Clients’ Data (1)
FBI declares suspected Chinese hack of US surveillance system a ‘major cyber incident’ - POLITICO
Claude Code's innards revealed as source code leaked online • The Register
Adobe Breach - Threat Actor Allegedly Claims Leak of 13 Million Support Tickets and Employee Records
Hundreds of UK soldiers exposed at military bases… by their Strava workouts
Anthropic Issues Copyright Takedowns to Scrub Claude Code Leak | PCMag
Die Linke German political party confirms data stolen by Qilin ransomware
Better prepare for a cyber breach | Professional Security Magazine
Google: New UNC6783 hackers steal corporate Zendesk support tickets
Hims & Hers warns of data breach after Zendesk support ticket breach
Denial of Service/DoS/DDoS
Major outage cripples Russian banking apps and metro payments nationwide
Why DDoS Mitigation Fails: 5 Gaps That Testing Reveals - Security Boulevard
Pro-Iran Group Takes Credit for Cyberattacks on Chime, Pinterest
Encryption
‘It’s a real shock’: quantum-computing breakthroughs pose imminent risks to cybersecurity
Cryptographers place $5,000 bet whether quantum will matter • The Register
Fraud, Scams and Financial Crime
Why Britain's most common crime has been poorly investigated for decades | UK News | Sky News
Nigerian romance scammer jailed after being caught out by fellow fraudster
Websites suffering from subscription bombing attacks | Cybernews
Life imprisonment for Cambodian scam compound operators - but will it make a difference?
Your marketing stack is an attack surface – is security watching? | TechRadar
Your customer passed authentication. So why are they sending money to a scammer? - Help Net Security
Hidden scammer arms race every business now faces - Insurance Post
Identity and Access Management
The Hidden Cost of Recurring Credential Incidents
MSSPs Are the New Target in Login-Based Attacks – Blackpoint Cyber | news | MSSP Alert
Insider Risk and Insider Threats
Agentic AI's role in amplifying and creating insider risks | TechTarget
Insurance
Act-of-War Clauses Cloud Cyber Insurance Coverage - DataBreaches.Net
Internet of Things – IoT
Internet-Connected Coffee Machine Reportedly Led to Corporate Data Breach - Security Boulevard
Law Enforcement Action and Take Downs
Man admits to locking thousands of Windows devices in extortion plot
Police Are Using Cookies To Catch Criminals - Here's How
Why Britain's most common crime has been poorly investigated for decades | UK News | Sky News
Nigerian romance scammer jailed after being caught out by fellow fraudster
Life imprisonment for Cambodian scam compound operators - but will it make a difference?
BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks
German authorities identify REvil and GandCrab ransomware bosses
Linux and Open Source
Social engineering attacks on open source developers are escalating - Help Net Security
The State of Trusted Open Source Report
Chaos malware expands from routers to Linux cloud servers - Help Net Security
New Chaos Variant Targets Misconfigured Cloud Deployments, Adds SOCKS Proxy
Microsoft suspends dev accounts for high-profile open source projects
Malvertising
Your marketing stack is an attack surface – is security watching? | TechRadar
Malware
Chaos malware expands from routers to Linux cloud servers - Help Net Security
New macOS stealer campaign uses Script Editor in ClickFix attack
Hackers use pixel-large SVG trick to hide credit card stealer
Malware Threat to Critical Infrastructure Raises Alarms
APT28 Deploys PRISMEX Malware in Campaign Targeting Ukraine and NATO Allies
Mobile
Mobile Attack Surface Expands as Enterprises Lose Control - SecurityWeek
Android Malware Infects Over 2.3 Million Devices - Is Yours One? - Tech Advisor
Your phone is shouting your identity to every Wi-Fi network — fix it now
New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images
Outages
‘Skipping a beat on resilience investment isn’t an option any more’ as IT outage costs soar | IT Pro
Passwords, Credential Stuffing & Brute Force Attacks
New Phishing Platform Used in Credential Theft Campaigns - Infosecurity Magazine
React2Shell Exploited in Large-Scale Credential Harvesting Campaign - SecurityWeek
MSSPs Are the New Target in Login-Based Attacks – Blackpoint Cyber | news | MSSP Alert
That dream job offer from Coca-Cola or Ferrari? It’s a trap for your passwords | Malwarebytes
Regulations, Fines and Legislation
Old laws treat whitehats like criminals and pose risks | Cybernews
Trump wants to slash $707M from CISA's budget • The Register
Social Media
Software Supply Chain
Attackers trojanize Axios HTTP library in highest-impact npm supply chain attack | CSO Online
Supply Chain and Third Parties
Axios Attack Shows Social Complex Engineering Is Industrialized
MSSPs Are the New Target in Login-Based Attacks – Blackpoint Cyber | news | MSSP Alert
Trivy supply chain attack enabled European Commission cloud breach - Help Net Security
Snowflake customers hit in data theft attacks after SaaS integrator breach
Blast Radius of TeamPCP Attacks Expands Amid Hacker Infighting
MSSPs Caught in the Middle of Iran’s Cyber Escalation | perspective | MSSP Alert
Google: New UNC6783 hackers steal corporate Zendesk support tickets
Hims & Hers warns of data breach after Zendesk support ticket breach
Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity
Cyber Warfare and Cyber Espionage
APT28 Deploys PRISMEX Malware in Campaign Targeting Ukraine and NATO Allies
The New Rules of Engagement: Matching Agentic Attack Speed - SecurityWeek
Cyber threat must be recognised despite geopolitical tensions
Iranian cyber activity hits US energy, water, and government networks - Help Net Security
The AI Revolution in Cyber Conflict | Lawfare
Act-of-War Clauses Cloud Cyber Insurance Coverage - DataBreaches.Net
Why modern cyber conflict is partly a global skills challenge | TechRadar
Microsoft hints at bit bunkers for war zones • The Register
Fiber Optic Cables Turned Into Hidden Microphones to Secretly Spy on Your Conversations
Nation State Actors
The New Rules of Engagement: Matching Agentic Attack Speed - SecurityWeek
Cyber threat must be recognised despite geopolitical tensions
China
FBI declares suspected Chinese hack of US surveillance system a ‘major cyber incident’ - POLITICO
China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing
Russia
Russian military hackers reroute British internet users’ traffic
FBI Disrupts Russian Router Hijacking Operation Compromised Thousands of Users
Feds quash widespread Russia-backed espionage network spanning 18,000 devices | CyberScoop
Your router could be Russian spy — Ukraine and FBI just exposed how Moscow did it - Euromaidan Press
Russian Hackers Exploiting Home and Small-office Routers in Massive DNS hijacking Attack
APT28 Deploys PRISMEX Malware in Campaign Targeting Ukraine and NATO Allies
Russia's attempt to block VPNs is causing widespread banking outages | TechSpot
Major outage cripples Russian banking apps and metro payments nationwide
North Korea
Axios Attack Shows Social Complex Engineering Is Industrialized
How North Korean hackers turn legitimate infrastructure into an attack surface | TechFinitive
I knew about North Korean hackers—they still tricked me and got into my computer | Fortune
Attackers trojanize Axios HTTP library in highest-impact npm supply chain attack | CSO Online
Drift Loses $285 Million in Durable Nonce Social Engineering Attack Linked to DPRK
North Korea–linked hackers drain $285M from Drift in sophisticated attack
Iran
Iranian cyber activity hits US energy, water, and government networks - Help Net Security
MSSPs Caught in the Middle of Iran’s Cyber Escalation | perspective | MSSP Alert
Pro-Iran Group Takes Credit for Cyberattacks on Chime, Pinterest
News brief: Iran cyberattacks escalate, U.S. targets named | TechTarget
Cyber Agency Issues First Iran Threat Amid Government Shutdown
Pro-Iran Handala group breached Israeli defence contractor PSK Wind Technologies
How Iranian hackers pose a threat to US critical infrastructure
Iran Conflict Heightens Cyber Threats to U.S. Energy Infrastructure
Iran digital repression surged amid war and protests: rights group
Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence
Cyber threat must be recognised despite geopolitical tensions
The Hack That Exposed Syria’s Sweeping Security Failures | WIRED
Hack-for-hire spyware campaign targets journalists in Middle East, North Africa | CyberScoop
Tools and Controls
Qilin and Warlock Ransomware Use Vulnerable Drivers to Disable 300+ EDR Tools
Most Organizations Do Not Fully Trust Their Cybersecurity Vendors
Anthropic withholds Mythos Preview model because its hacking is too powerful
Better prepare for a cyber breach | Professional Security Magazine
Cybercriminals move deeper into networks, hiding in edge infrastructure - Help Net Security
The rise of proactive cyber: Why defense is no longer enough | CSO Online
‘Skipping a beat on resilience investment isn’t an option any more’ as IT outage costs soar | IT Pro
Social engineering attacks on open source developers are escalating - Help Net Security
Microsoft suspends dev accounts for high-profile open source projects
The Hidden Cost of Recurring Credential Incidents
Why DDoS Mitigation Fails: 5 Gaps That Testing Reveals - Security Boulevard
CISOs grapple with AI demands within flat budgets - Help Net Security
Why risk alone doesn't get you to yes - Help Net Security
How Security Leaders Can Safeguard Against Vibe Coding Security Risks - Infosecurity Magazine
Security Bosses Are All-In on AI, Here's Why
Proactive Threat Hunting - Security Boulevard
Russia's attempt to block VPNs is causing widespread banking outages | TechSpot
Act-of-War Clauses Cloud Cyber Insurance Coverage - DataBreaches.Net
Meaningful metrics demonstrate the value of cyber-resiliency | TechTarget
Other News
Cyberattacks On Law Firms Are Rising. Here’s What’s Driving It. - Above the Law
Threat Actors Get Crafty With Emojis to Escape Detection
Even cybersecurity experts make simple mistakes. Here's the real lesson | PCWorld
Most CNI Firms Face Up to £5m in Downtime from OT Attacks - Infosecurity Magazine
Click, wait, repeat: Digital trust erodes one login at a time - Help Net Security
Why Cybersecurity Is the First Step in Preparing Your Company for an IPO - Security Boulevard
Vulnerability Management
Anthropic withholds Mythos Preview model because its hacking is too powerful
‘BlueHammer’ Windows Exploit Signals Microsoft Disclosure Issues
AI Vulnerability Detection With Anthropic Glasswing - Futurum
Is Anthropic’s New Claude Model a Cybersecurity Disaster?
Why Microsoft is forcing Windows 11 25H2 update on all eligible PCs | ZDNET
Vulnerabilities
React2Shell Exploited in Large-Scale Credential Harvesting Campaign - SecurityWeek
OpenClaw gives users yet another reason to be freaked out about security - Ars Technica
Fortinet Releases Emergency Patch After FortiClient EMS Bug Is Exploit - Infosecurity Magazine
Multiple TP-Link Vulnerabilities Let Attackers Trigger DoS and Crash Routers
New FortiClient EMS flaw exploited in attacks, emergency patch released
Disgruntled researcher leaks “BlueHammer” Windows zero-day exploit
Hackers exploit critical flaw in Ninja Forms WordPress plugin
GPU Rowhammer Attack Enables Privilege Escalation - Infosecurity Magazine
Acrobat Reader zero-day exploited in the wild for many months - Help Net Security
Palo Alto Networks, SonicWall Patch High-Severity Vulnerabilities - SecurityWeek
New Progress ShareFile Bugs Let Attackers Take Over Servers Without Logging In - Security Boulevard
OpenSSL 3.6.2 lands with eight CVE fixes - Help Net Security
Severe StrongBox Vulnerability Patched in Android - SecurityWeek
Flatpak 1.16.4 fixes sandbox escape and three other security flaws - Help Net Security
Critical Flowise Vulnerability in Attacker Crosshairs - SecurityWeek
Grafana Patches AI Bug That Could Have Leaked User Data
Docker CVE-2026-34040 Lets Attackers Bypass Authorization and Gain Host Access
Microsoft Finds Vulnerability Exposing Millions of Android Crypto Wallet Users - SecurityWeek
13-year-old bug in ActiveMQ lets hackers remotely execute commands
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime & Shipping
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
Contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to external articles are provided for general interest and awareness only. Linking to or reposting external content does not constitute endorsement of or by any organisation, service, or product. We do not control and are not responsible for the content, security, or availability of external websites or links. Full credit is given to the original authors and sources. E&OE.
Black Arrow Cyber Advisory 10 April 2026 – Frontier AI and the Changing Cyber Threat Landscape
Black Arrow Cyber Advisory 10 April 2026 – Frontier AI and the Changing Cyber Threat Landscape
Executive summary
Anthropic’s new Mythos AI model and Project Glasswing initiative are an important moment for the cyber security of all organisations across the globe. Anthropic says the model has identified large numbers of serious software vulnerabilities and has chosen not to make the model generally available. Instead, access is being tightly controlled while selected organisations work to address weaknesses in critical software and infrastructure.
For most organisations, the main point is not Anthropic or the Mythos model itself. It is that AI is making advanced vulnerability discovery and exploit development exponentially faster and more broadly accessible. As those capabilities spread, firms should expect less time between a serious weakness being identified and attackers trying to use it, as well as a sharp increase in the number of zero-day vulnerabilities that require organisations to prioritise resilience and defence-in-depth.
This does not mean every business is suddenly facing a completely new threat overnight. It does require that organisations have good visibility of their exposure through internet-facing systems, fast patching, strong identity controls, and deeper oversight of key suppliers.
Black Arrow Cyber’s view is that this should be treated as an imminent warning. This is not a reason to panic. It is a reason to make sure the basics are strong and that your organisation can move quickly and effectively when a serious issue emerges.
What’s the risk to me or my business?
The biggest change here is speed. AI reduces the time and effort needed to find and validate vulnerabilities, so organisations may have less time to understand whether they are exposed and put protections in place before attacker’s act.
That risk is not limited to software you build yourself. It can sit in technology your business depends on every day, including operating systems, browsers, identity platforms, remote access tools, cloud services, open-source components, and third-party applications. In practice, this means cyber risk may increasingly come from shared dependencies that, until now, have been secure, as much as from your own internal environment.
It is also worth noting that attackers do not need entirely new types of weaknesses for this to matter. A more likely concern is that existing bugs, misconfigurations, weak access controls, and poorly managed dependencies become easier to find and combine in new ways. Organisations that already struggle with asset visibility, patching discipline, or privileged access management are likely to be the most exposed.
From a leadership perspective, this is not just a technical issue. It is a governance issue. The organisations that respond well will be the ones that know what assets they have, know what is exposed, know who owns important systems, and can make decisions quickly when a serious vulnerability affects the business.
What can I do?
Review patching timelines for your most important systems. Internet-facing services, identity platforms, remote access tools, and systems used to administer the environment should be treated as priorities. Where quick patching is not possible, there should be clear compensating controls and clear ownership.
Improve visibility of exposed assets and key dependencies. Most organisations still do not have a complete picture of internet-facing systems, inherited software dependencies, privileged accounts, and unmanaged or shadow technology. That becomes more dangerous if attackers can move faster.
Strengthen identity and privilege controls. Phishing-resistant multi-factor authentication, least privilege, admin segregation, and rapid removal of access all matter even more if a vulnerability can be exploited quickly.
Make sure there is a clear process for triaging and escalating serious vulnerabilities. This should include technical ownership, business decision-making, supplier engagement, and communications where needed. If a critical weakness emerges, the organisation should not be working this out for the first time under pressure.
Test and strengthen incident response resilience through regular exercises. Run scenario‑based exercises to validate roles, decision‑making, communications, and escalation under pressure. These exercises help identify gaps in preparedness, improve coordination between technical and leadership teams, and ensure the organisation can respond quickly and effectively when a serious incident occurs.
Questions leadership teams should be asking
Do we know which internet-facing and critical systems would create the most risk if a serious vulnerability were exploited quickly?
How quickly can we confirm whether we are affected by a newly disclosed high-severity issue?
Do we have clear visibility of key suppliers and software dependencies?
Are our identity and privileged access controls strong enough to limit damage if an attacker gets in?
Do we have a clear process for making decisions quickly when a serious software weakness affects the business?
Black Arrow Cyber’s assessment
Mythos and Project Glasswing should be viewed as a sign of where the threat landscape is heading rather than as a single vendor story. The main risk for most organisations is not one model on its own. It is the wider direction of travel: advanced AI capabilities are quickly becoming more accessible, making sophisticated cyber activity faster and cheaper.
The most effective response is operational discipline: know what you have, know what is exposed, reduce time to remediate, tighten identity controls, understand your key dependencies, and make sure the organisation can respond at speed when it matters.
Further details and references
Anthropic Project Glasswing announcement: https://www.anthropic.com/project/glasswing
Anthropic Mythos Preview research note: https://red.anthropic.com/2026/mythos-preview/
UK NCSC guidance on frontier AI and cyber defence: https://www.ncsc.gov.uk/blogs/why-cyber-defenders-need-to-be-ready-for-frontier-ai
Need help understanding your gaps, or just want some advice? Get in touch with us.
Black Arrow Cyber Advisory - 10 April 2026 - Microsoft device code phishing campaigns targeting Microsoft 365 users
Black Arrow Cyber Advisory - 10 April 2026 - Microsoft device code phishing campaigns targeting Microsoft 365 users
Executive summary
Microsoft and other researchers are reporting a sharp rise in device code phishing aimed at Microsoft 365 users. Public reporting says detected device code phishing pages are up nearly 40 percent this year, while Microsoft says it has seen 10 to 15 campaigns every 24 hours with hundreds of compromises daily since mid-March. We have been involved in helping organisations respond to these types of attacks. Device code authentication is enabled by default in Microsoft 365.
In these attacks, the victim is not usually sent to a fake Microsoft sign-in page designed to steal their password, as we have seen with other attacks of this type. Instead, they are tricked into entering a short code into Microsoft’s legitimate device login process, which authorises the attacker’s session. Once in, attackers have been seen reading mailboxes, creating malicious inbox rules, registering devices for persistence, and focusing on finance, executive, and administrative users.
For organisations that do not use device code authentication for a genuine business case, blocking the flow in Conditional Access is one of the clearest and most effective mitigations. Microsoft now explicitly recommends blocking device code flow wherever possible.
We have attached example screenshots from our own investigations showing what the landing page and follow-on Microsoft prompts may look like to an end user. It is important to note that, if a user is already signed in to Microsoft in their browser, they may not be asked to enter their credentials after submitting the code.
What is the risk to me or my business?
For most organisations, the immediate risk is an identity compromise inside Microsoft 365. A successful device code phish can give the attacker valid tokens, mailbox access, and a foothold for data theft, payment diversion, and ongoing surveillance of sensitive conversations. Attackers in the current campaigns have been observed creating inbox rules, using Microsoft Graph for reconnaissance, and targeting users with financial authority.
This is also easy for users to misread as genuine because the sign-in can happen through Microsoft’s real device login experience. That means ordinary “check the URL” advice is not enough on its own.
Technical Summary
Device code flow is a legitimate OAuth sign-in method designed for devices with limited input capability, such as smart TVs, printers, shared devices, and digital signage. In this abuse case, the attacker initiates the flow, sends the code to the victim in a lure, and relies on the victim completing the Microsoft sign-in on the attacker’s behalf. Once approved, the attacker can obtain tokens and access Microsoft 365 resources without needing the user’s password on a fake site.
What makes the current wave more effective is the level of automation and the visibility gap it creates for defenders. Microsoft says the campaigns are using AI-personalised lures, redirect chains on trusted cloud services, and dynamic code generation so the 15-minute validity window only starts when the victim reaches the final page. Detection is further complicated because the resulting activity can appear in Entra as non-interactive sign-in activity rather than a classic user-driven login, making it easier to blend into normal background authentication traffic and harder to spot quickly during routine sign-in review.
What types of organisations are most likely to be affected?
Any organisation using Microsoft 365 or Microsoft Entra ID is a potential target. Risk is highest where finance, payroll, procurement, executive support, or administrative users can be lured into approving access, and where device code flow remains enabled despite having no genuine operational requirement. Microsoft notes that device code flow is rarely used by most customers but is frequently used by attackers.
Organisations may also be more exposed where inbound email controls are weak against rare senders, new domains, or convincing external document-sharing lures. Microsoft has published detections for device code authentication occurring after a user clicks a link in an email from a non-prevalent sender.
What can I do?
1. Block device code flow where you do not need it
Create a Conditional Access policy for all users and all resources, set Authentication Flows to Device code flow, start in report-only mode, exclude emergency access accounts and documented exceptions, then move to block once you have confirmed there is no legitimate dependency. If you do need it for specific cases such as conference room devices or other shared devices, restrict it tightly rather than leaving it broadly available. Microsoft also offers a managed policy to help block device code flow.
2. Reset user expectations
Tell users never to enter a short Microsoft sign-in code unless they initiated the sign-in themselves from a known device or business process. Current lures include invoices, RFPs, shared documents, e-signature requests, and voicemail or secure message themes.
3. Tighten email controls
Review anti-phishing policies and Safe Links or equivalent controls. As an additional measure, where your email security tooling supports it, quarantine or heavily score inbound messages from newly registered or previously unseen domains, especially where they use external document-sharing, Adobe, Microsoft 365, DocuSign, or file-access themes.
4. Hunt for signs of compromise
Review Entra sign-in logs for device code authentication, unusual IP addresses, anonymous IP use, rare sender correlations, suspicious token use, and new device registrations. If you suspect compromise, revoke sign-in sessions, force reauthentication, review inbox rules, and check for unusual mailbox access or forwarding behaviour.
Further details and references
Microsoft Security Blog coverage and Microsoft mitigation guidance: https://www.microsoft.com/en-us/security/blog/2026/04/06/ai-enabled-device-code-phishing-campaign-april-2026/
Microsoft Learn guidance on Conditional Access authentication flow controls and blocking device code flow: https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-block-authentication-flows
Recent public reporting on campaign scale and adoption: https://www.theregister.com/2026/04/07/microsoft_device_code_phishing/
Need help understanding your gaps, or just want some advice? Get in touch with us.
Black Arrow Cyber Threat Intelligence Briefing 03 April 2026
Black Arrow Cyber Threat Intelligence Briefing 03 April 2026:
-Iran Targets M365 Accounts with Password-Spraying Attacks
-Iran Deploys 'Pseudo-Ransomware,' Revives Pay2Key Operations
-North Korea Hackers Suspected of Attack on Widely Used Software Tool
-Most Businesses Couldn’t Survive Three Days Downtime
-Cyber Security and Operational Resilience: A Board-Level Imperative
-95% of Organisations Don’t Trust Their Cyber Security Vendors
-3 Reasons Attackers Are Using Your Trusted Tools Against You (And Why You Don’t See It Coming)
-The Company’s Biggest Security Hole Lived In the Breakroom
-The Next Cyber Security Crisis Isn’t Breaches - It’s Data You Can’t Trust
-New Criminal Service Plans to Monetise Data Stolen by Ransomware Gangs
-Nearly Half a Million Mobile Customers of Lloyds Banking Group Affected by Security Incident
Welcome to this week’s Black Arrow Cyber Threat Intelligence Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Executive Summary
We have reviewed the specialist and general media over the past week to help raise the awareness of business leaders regarding evolving cyber security risks. We start with heightened activity by Iran-aligned attackers who use password-spraying to gain access to Microsoft 365 accounts, and use various techniques to deploy destructive malware. In separate news, North Korean attackers gained access to a widely used business software to establish long-term access to multiple organisations. We also highlight the need for business leaders to review their approach to removing legitimate tools that are not required by the organisation, and reducing the opportunity for attackers to misuse them.
Research on the impact of a cyber incident highlights that most businesses believe they could not survive more than three days of downtime, while other research finds that most organisations do not trust their cyber security vendors. This underlines the need for business leaders to upskill on cyber security, and to use that knowledge to ensure that their risks and controls are appropriately addressed. We recommend the upskilling should be through an impartial specialist source to reduce the risks of shared blind spots; contact us to find out how we support business leaders to be confident in governing their own security.
Top Cyber Stories of the Last Week
Iran Targets M365 Accounts with Password-Spraying Attacks
Check Point Research has identified a campaign of password spraying against Microsoft 365 accounts, affecting more than 300 organisations in Israel and more than 25 in the UAE, with activity also seen in the US, Europe and Saudi Arabia. Password spraying is a technique where attackers try common or weak passwords across many accounts to gain access. The activity came in three waves during March and focused heavily on infrastructure in cities recently hit by missile attacks, suggesting an effort to gather sensitive information linked to missile strike response and damage assessment.
https://www.theregister.com/2026/03/31/iran_password_spraying_m365/
Iran Deploys 'Pseudo-Ransomware,' Revives Pay2Key Operations
Iran is increasingly blending state-backed operations with criminal tactics, using the revived Pay2Key ransomware group to target high impact US organisations. Researchers say some attacks are not true extortion attempts but destructive campaigns disguised as ransomware, making them harder to identify and respond to. Iran is also reportedly offering cyber criminals a larger share of profits, raising payouts from 70% to 80% for attacks aligned to its political aims. This mix of disruption, financial crime and political intent increases legal, financial and operational risk for organisations, particularly where sanctions exposure may be involved. Business leaders should, as part of their governance, ensure appropriate security controls are maintained to help prevent and detect such attacks.
https://www.darkreading.com/threat-intelligence/iran-pseudo-ransomware-pay2key-operations
North Korea Hackers Suspected of Attack on Widely Used Software Tool
Hackers linked to North Korea are suspected of compromising Axios, a widely used software package with tens of millions of weekly downloads. Google analysts said the breach could have far‑reaching implications because other popular packages rely on Axios, warning that hundreds of thousands of stolen secrets may now be circulating and could enable further ransomware, extortion and cryptocurrency‑theft operations. The attackers gained control of a maintainer account and published two backdoored versions of the package, prompting security firms to advise developers that systems using those versions should be considered compromised. The incident underlines how a compromise in a widely used software package can have broad, ripple‑effect consequences across many organisations.
https://techxplore.com/news/2026-04-north-korea-hackers-widely-software.html
Most Businesses Couldn’t Survive Three Days Downtime
Veeam reports that business resilience remains fragile, with 76% of organisations saying they could not survive more than three days of downtime. Although 47% expect a serious data breach or cyber attack, only 32% believe they are very likely to fully recover critical data and operations. Ransomware tops the list of feared threats at 67%, while 38% of boards have never formally discussed newer AI related risks such as data leaks or unsafe automation. The impact is not only financial, with 57% of leaders reporting burnout or resignations after major incidents.
https://betanews.com/article/most-businesses-couldnt-survive-three-days-downtime/
Cyber Security and Operational Resilience: A Board-Level Imperative
Cyber security and operational resilience are now core boardroom issues as attacks become more frequent, more disruptive and more costly. Since the pandemic, cyber attacks have more than doubled, and average losses from major incidents have risen fourfold since 2017 to $2.5 billion. In one recent case, a ransomware attack on a major healthcare payments provider caused nationwide disruption and more than $1.5 billion in costs. At the same time, tougher rules in the EU, UK and US are making boards more directly accountable for oversight, response planning, third party risk and accurate public reporting.
https://www.jdsupra.com/legalnews/cybersecurity-and-operational-2897791/
95% of Organisations Don’t Trust Their Cyber Security Vendors
Sophos reports a widespread trust gap in the cyber security market, with 95% of organisations saying they do not fully trust their cyber security vendors. The research also found that 79% struggle to judge the trustworthiness of new suppliers, while 62% find it difficult even with existing providers. This lack of confidence is having a business impact, with 51% reporting greater anxiety about the risk of a serious cyber incident. Independent checks, certifications and clear communication during incidents were identified as the strongest foundations for building trust.
https://betanews.com/article/95-percent-of-organizations-dont-trust-their-cybersecurity-vendors/
3 Reasons Attackers Are Using Your Trusted Tools Against You (And Why You Don’t See It Coming)
Attackers are increasingly avoiding malicious software and instead misusing the trusted tools already built into an organisation’s systems, making harmful activity much harder to spot. Analysis of more than 700,000 serious incidents found that 84% involved legitimate tools being used in this way. On a standard Windows 11 device, hundreds of built in tools may be available, with research suggesting up to 95% of access to higher risk tools is unnecessary. This leaves organisations exposed because security monitoring alone can struggle to separate normal administrative activity from an active cyber attack. Organisations should review their approach to hardening their systems, to reduce the opportunity for attackers to misuse legitimate tools that are not required by the organisation.
https://thehackernews.com/2026/04/3-reasons-attackers-are-using-your.html
The Company’s Biggest Security Hole Lived In the Breakroom
An apparently low risk connected coffee machine became the entry point for a serious data breach after being placed on a secure corporate network with its default password unchanged, outdated software and no basic protections. Investigators found the device was quietly sending data to attackers whenever it was used. The incident reflects a wider pattern, with researchers warning that internet connected devices are increasingly linked to breaches because they are often overlooked, poorly monitored and treated as harmless. A similar case at a North American casino led to 10GB of data being stolen through a connected fish tank.
https://www.theregister.com/2026/04/02/pwned/
The Next Cyber Security Crisis Isn’t Breaches - It’s Data You Can’t Trust
As organisations rely more heavily on data and AI to guide financial, operational and strategic decisions, the greater risk may be not stolen data, but data that is inaccurate, altered or no longer reliable. Even small changes can lead to flawed outcomes, while weak ownership, poor access controls and inconsistent handling of sensitive information can blur the line between trusted and compromised data. Stronger governance, clear accountability and better tracking of changes are becoming essential, not just for security teams but for leadership, as regulators and cyber insurers raise expectations.
https://www.securityweek.com/the-next-cybersecurity-crisis-isnt-breaches-its-data-you-cant-trust/
New Criminal Service Plans to Monetise Data Stolen by Ransomware Gangs
A new criminal service is aiming to turn data stolen in ransomware incidents into a more valuable asset by organising large, unstructured datasets into searchable information for sale or extortion. This could increase pressure on organisations, support follow-on crimes such as fraud and business email compromise where attackers impersonate trusted contacts, and potentially enable direct blackmail of individuals. Experts say the model is not yet proven at scale, as cyber criminals still favour high-volume attacks that deliver quicker returns, but it signals continued innovation in the cyber crime economy.
https://therecord.media/new-criminal-service-plans-to-monetize-ransomware-data
Nearly Half a Million Mobile Customers of Lloyds Banking Group Affected by Security Incident
A software error at Lloyds Banking Group briefly exposed transaction details for up to 447,936 mobile banking customers across Lloyds, Halifax and Bank of Scotland. The issue lasted for less than five hours on 12 March and affected customers who viewed their transaction lists at almost exactly the same time. In some cases, exposed information included payment amounts, dates, references and National Insurance numbers. Lloyds said no unauthorised transactions were possible and no financial losses have been identified, although £139,000 has been paid to 3,625 customers for distress and inconvenience. The incident is a reminder that business leaders should ensure robust testing of software and also maintain strong incident‑response readiness to prevent and manage data exposure during faults.
Governance, Risk and Compliance
Cyberthreat level remains high – attacks becoming more targeted and complex
Most businesses couldn’t survive three days downtime - BetaNews
More Confident, More Tooled, More Breached: The Security Gap Isn’t Closing | news | MSSP Alert
Attackers Are Scaling. Defenders Are Still Missing the Basics | perspective | MSSP Alert
Meta Lawsuit Dismissal: WhatsApp Security Chief Not Done Fighting - Business Insider
Why silence is no longer a security strategy | TechRadar
Trust, friction, and ROI: A CISO's take on making security work for the business - Help Net Security
Threats
Ransomware, Extortion and Destructive Attacks
Iran-Linked Pay2Key Ransomware Group Re-Emerges - Infosecurity Magazine
TeamPCP’s Telnyx Attack Marks a Shift in Tactics Beyond LiteLLM | Trend Micro (US)
Ransomware in 2025: Blending in is the strategy
Bearlyfy Hits Russian Firms with Custom GenieLocker Ransomware
Ransomware and Destructive Attack Victims
European Commission Confirms Cloud Data Breach - Infosecurity Magazine
ShinyHunters claims the hack of the European Commission
Co-Op Chief Steps Down As Hack Leads To £125m Loss
St Anne's School in Southampton closed after cyber attack - BBC News
Qilin Ransomware allegedly breached chemical manufacturer giant Dow Inc
Marquis bank data breach exposes 672,000 in ransomware attack | Fox News
Ransomware group claims it stole data from Monmouth University | EdScoop
Hasbro cyberattack delays orders, weeks-long recovery | Cybernews
Phishing & Email Based Attacks
Dutch Police discloses security breach after phishing attack
New Wave of AiTM Phishing Targets TikTok for Business - Infosecurity Magazine
CERT-UA Impersonation Campaign Spread AGEWHEEZE Malware to 1 Million Emails
New EvilTokens service fuels Microsoft device code phishing attacks
How businesses can defend themselves against the rise of ‘phishing as a service’ | TechRadar
Cybercriminals Exploit Tax Season With New Phishing Tactics - Infosecurity Magazine
Other Social Engineering
New ClickFix Variant Uses Rundll32 and WebDAV to Evade PowerShell Detection
New EvilTokens service fuels Microsoft device code phishing attacks
Don't open that WhatsApp message, Microsoft warns • The Register
New macOS Infinity Stealer uses Nuitka Python payload and ClickFix
Another worrying macOS malware scheme has been discovered — here's how to stay safe | TechRadar
3 red flags that job posting is a scam - and how to verify safely | ZDNET
Invoice Fraud Costs UK Construction Sector Millions, NCA Warns - Infosecurity Magazine
AML/CFT/Money Laundering/Terrorist Financing/Sanctions
UK sanctions Xinbi marketplace linked to Asian scam centers
Artificial Intelligence
AI is the Top Cyber Priority for Defenders as Criminals Exploit it - Infosecurity Magazine
TeamPCP’s Telnyx Attack Marks a Shift in Tactics Beyond LiteLLM | Trend Micro (US)
Breaking out: Can AI agents escape their sandboxes? - Help Net Security
Critical Flaw in Langflow AI Platform Under Attack
AI Shrinks Cyberattack Exploit Time From Years to Days
Security leaders say the next two years are going to be 'insane' | CyberScoop
OpenAI Patches ChatGPT Data Exfiltration Flaw and Codex GitHub Token Vulnerability
The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust - SecurityWeek
AI Cyberattacks Call for Company Preparation to Limit Fallout
Why 'Emerging Threats' Are Harder to Prioritize in the AI Era
The Real Risk of Vibecoding | Trend Micro (US)
Claude Extension Flaw Enabled Zero-Click XSS Prompt Injection via Any Website
Shadow AI 'double agents' are outpacing security visibility | TechRadar
Mercor says it was 'one of thousands' hit in LiteLLM attack • The Register
Claude Code leak used to push infostealer malware on GitHub
MP victim of AI deepfake fails to get answers from Big Tech • The Register
Latest Anthropic Miscue Puts AI and Cyber Firms at Odds
Bots/Botnets
4 IoT botnets generated attack traffic exceeding 30Tbps - Mobile Europe
Reddit declares war on bad bot activity - Help Net Security
Careers, Roles, Skills, Working in Cyber and Information Security
The human cost of cybersecurity and what we should do about it | TechRadar
Meta Lawsuit Dismissal: WhatsApp Security Chief Not Done Fighting - Business Insider
Are hackers better off staying legal? The answer may surprise you | Cybernews
How to Grow Your Cybersecurity Skills, According to Experts | Security Magazine
How dyslexic thinking strengthens cyber security | BCS
Cloud/SaaS
European Commission Confirms Cloud Data Breach - Infosecurity Magazine
ShinyHunters claims the hack of the European Commission
Iran targets M365 accounts with password-spraying attacks • The Register
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
GitHub Used as Covert Channel in Multi-Stage Malware Campaign - Infosecurity Magazine
Maryland Man Charged Over $53m Uranium Finance Crypto Hack - Infosecurity Magazine
Cyber Crime, Organised Crime & Criminal Actors
Are hackers better off staying legal? The answer may surprise you | Cybernews
UK sanctions Xinbi marketplace linked to Asian scam centers
Russia arrests suspected owner of LeakBase cybercrime forum
Data Breaches/Leaks
48 Hours: The Window Between Infostealer Infection and Dark Web Sale - Security Boulevard
European Commission suffered a cyberattack - hackers stole data | УНН
Hackers steal EU Commission cloud data | Cybernews
Dutch Police discloses security breach after phishing attack
Lloyds IT Glitch Exposed Data of Nearly 500,000 Banking Customers - Infosecurity Magazine
Mercor says it was 'one of thousands' hit in LiteLLM attack • The Register
OkCupid settles claims it shared user photos with a facial recognition company | The Verge
Claude Code Source Leaked via npm Packaging Error, Anthropic Confirms
Marquis bank data breach exposes 672,000 in ransomware attack | Fox News
Hightower Holding Data Breach Impacts 130,000 - SecurityWeek
Smith & Co Solicitors in Ipswich faces data breach | Ipswich Star
Ajax silenced hacker who found 2017 data breach| Cybernews
Healthcare tech firm CareCloud says hackers stole patient data
Ajax football club hack exposed fan data, enabled ticket hijack
Denial of Service/DoS/DDoS
4 IoT botnets generated attack traffic exceeding 30Tbps - Mobile Europe
Fraud, Scams and Financial Crime
Inside a Modern Fraud Attack: From Bot Signups to Account Takeovers
UK sanctions Xinbi marketplace linked to Asian scam centers
Financial groups lay out a plan to fight AI identity attacks - Help Net Security
ICO Fines UK Nuisance Call Scammers £100,000 - Infosecurity Magazine
3 red flags that job posting is a scam - and how to verify safely | ZDNET
Invoice Fraud Costs UK Construction Sector Millions, NCA Warns - Infosecurity Magazine
Identity and Access Management
Internet of Things – IoT
4 IoT botnets generated attack traffic exceeding 30Tbps - Mobile Europe
Vehicle Cybersecurity Threats Grow in Era of Connected Vehicles
Don’t count on government guidance after a smart home breach - Help Net Security
The company's biggest security hole lived in the breakroom • The Register
Your Streaming Device Could Be Spying For Hackers, According To The FBI
India Set to Ban Sale of Hikvision, TP-Link, CCTV Products From April
Law Enforcement Action and Take Downs
Alleged RedLine malware developer extradited to United States
Russia arrests suspected owner of LeakBase cybercrime forum
Linux and Open Source
How AI has suddenly become much more useful to open-source developers | ZDNET
Malware
48 Hours: The Window Between Infostealer Infection and Dark Web Sale - Security Boulevard
Fake Claude Code source downloads actually delivered malware • The Register
North Korean hackers compromise major software used by thousands of companies | NK News
Backdooring of JavaScript Library Axios Tied to North Korea
Hackers Hijack Axios npm Package to Spread RATs - Infosecurity Magazine
New Venom Stealer MaaS Platform Automates Continuous Data Theft - Infosecurity Magazine
GitHub Used as Covert Channel in Multi-Stage Malware Campaign - Infosecurity Magazine
New macOS Infinity Stealer uses Nuitka Python payload and ClickFix
New ClickFix Variant Uses Rundll32 and WebDAV to Evade PowerShell Detection
Backdoored Telnyx PyPI package pushes malware hidden in WAV audio
Malware Is Sleeping on the Blockchain, and It's Already Infected Dozens of Global Targets
The FBI Just Named 18 Popular Routers Targeted By A Massive Malware Operation
Phantom Project Bundles Infostealer, Crypter and RAT For Sale - Infosecurity Magazine
Microsoft Warns of WhatsApp-Delivered VBS Malware Hijacking Windows via UAC Bypass
Remcos RAT Infection Chain Hides Behind Obfuscated Scripts and Trusted Windows Binaries
Researchers Uncover Mining Operation Using ISO Lures to Spread RATs and Crypto Miners
New 'Storm' Infostealer Remotely Decrypts Stolen Credentials - Infosecurity Magazine
vSphere and BRICKSTORM Malware: A Defender's Guide | Google Cloud Blog
Alleged RedLine malware developer extradited to United States
CERT-UA Impersonation Campaign Spread AGEWHEEZE Malware to 1 Million Emails
Russian CTRL Toolkit Delivered via Malicious LNK Files Hijacks RDP via FRP Tunnels
New CrystalRAT malware adds RAT, stealer and prankware features
Huge numbers of web stores are facing attack from this dangerous new malware | TechRadar
Mobile
Nearly half a Million mobile customers of Lloyds Banking Group affected by a security incident
FBI Warns of Data Security Risks From China-Made Mobile Apps - SecurityWeek
'NoVoice' Android malware on Google Play infected 2.3 million devices
Coruna iOS exploit framework linked to Triangulation attacks
Android Developer Verification Rollout Begins Ahead of September Enforcement
WhatsApp warns users of fake app used to distribute spyware | The Record from Recorded Future News
Passwords, Credential Stuffing & Brute Force Attacks
48 Hours: The Window Between Infostealer Infection and Dark Web Sale - Security Boulevard
Iran targets M365 accounts with password-spraying attacks • The Register
Regulations, Fines and Legislation
UK defining stronger energy cybersecurity rules after Poland attack – pv magazine International
ICO Fines UK Nuisance Call Scammers £100,000 - Infosecurity Magazine
FCC's Router Ban Quietly Places an Expiration Date on Home Internet Security | PCMag
US router ban is ‘industrial policy' not better infosec • The Register
If You Buy a New Router, It Might ‘Turn Into a Pumpkin’ Next Year - CNET
Former NSA chiefs worry American offensive edge in cybersecurity is slipping | CyberScoop
Home router ban is unserious political manoeuvring - Verdict
Social Media
New Wave of AiTM Phishing Targets TikTok for Business - Infosecurity Magazine
Meta Lawsuit Dismissal: WhatsApp Security Chief Not Done Fighting - Business Insider
Reddit declares war on bad bot activity - Help Net Security
Software Supply Chain
North Korean hackers compromise major software used by thousands of companies | NK News
North Korean Attackers Compromise Popular Web Tool | Silicon UK
The Hidden Blast Radius of the Axios Compromise - Socket
Hackers Hijack Axios npm Package to Spread RATs - Infosecurity Magazine
Google Attributes Axios npm Supply Chain Attack to North Korean Group UNC1069
Supply Chain and Third Parties
The external pressures redefining cybersecurity risk | CSO Online
North Korean hackers compromise major software used by thousands of companies | NK News
Backdooring of JavaScript Library Axios Tied to North Korea
The Hidden Blast Radius of the Axios Compromise - Socket
Hackers Hijack Axios npm Package to Spread RATs - Infosecurity Magazine
Famous Telnyx Pypi Package compromised by TeamPCP - Security Boulevard
Backdoored Telnyx PyPI package pushes malware hidden in WAV audio
TeamPCP’s attack spree slows, but threat escalates with ransomware pivot - Help Net Security
TeamPCP’s Telnyx Attack Marks a Shift in Tactics Beyond LiteLLM | Trend Micro (US)
Mercor says it was 'one of thousands' hit in LiteLLM attack • The Register
Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity
Cyber Warfare and Cyber Espionage
Wartime Usage of Compromised IP Cameras Highlight Their Danger
Information sharing of cyber threats vital to national security - Defence Connect
Europe's Power Grid Faces Hybrid Warfare Threat
National Cyber Resilience Demands Unified Defense
'Cyber Power' Drives Modern Geopolitical Conflict
Iran's hackers are on the offensive against the US and Israel - Ars Technica
European-Chinese geopolitical issues drive renewed cyberespionage campaign | CyberScoop
Telecom Sleeper Cells: Nation-State Threats Below the Radar
How History Shapes Nation-State Cyber Conflict
Silver Fox Expands Asia Cyber Campaign with AtlasCross RAT and Fake Domains
Former NSA chiefs worry American offensive edge in cybersecurity is slipping | CyberScoop
The Perils of Privatized Cyberwarfare | Lawfare
Nation State Actors
Information sharing of cyber threats vital to national security - Defence Connect
China
FBI Warns of Data Security Risks From China-Made Mobile Apps - SecurityWeek
Chinese Hackers Caught Deep Within Telecom Backbone Infrastructure - SecurityWeek
China-linked Red Menshen APT deploys stealthy BPFDoor implants in telecom networks
European-Chinese geopolitical issues drive renewed cyberespionage campaign | CyberScoop
FCC's Router Ban Quietly Places an Expiration Date on Home Internet Security | PCMag
NCSC warns of messaging app targeting public sector | UKAuthority
Telcos targeted by threat actor ‘sleeper cells’ – report | TelecomTV
Silver Fox Expands Asia Cyber Campaign with AtlasCross RAT and Fake Domains
If You Buy a New Router, It Might ‘Turn Into a Pumpkin’ Next Year - CNET
Home router ban is unserious political manoeuvring - Verdict
Three China-Linked Clusters Target Southeast Asian Government in 2025 Cyber Campaign
India Set to Ban Sale of Hikvision, TP-Link, CCTV Products From April
Russia
NCSC warns of messaging app targeting public sector | UKAuthority
CERT-UA Impersonation Campaign Spread AGEWHEEZE Malware to 1 Million Emails
Russian CTRL Toolkit Delivered via Malicious LNK Files Hijacks RDP via FRP Tunnels
Russia targets VPNs used by millions in Putin’s latest internet crackdown | The Independent
Top EU officials’ Signal group chat shut down over hacking fears – POLITICO
Russia arrests suspected owner of LeakBase cybercrime forum
Bearlyfy Hits Russian Firms with Custom GenieLocker Ransomware
North Korea
North Korean hackers compromise major software used by thousands of companies | NK News
Backdooring of JavaScript Library Axios Tied to North Korea
The Hidden Blast Radius of the Axios Compromise - Socket
Hackers Hijack Axios npm Package to Spread RATs - Infosecurity Magazine
Iran
Europe's Power Grid Faces Hybrid Warfare Threat
Iranian hackers, Handala, claim to compromise FBI Director Kash Patel’s personal data | CyberScoop
Iran-Linked Pay2Key Ransomware Group Re-Emerges - Infosecurity Magazine
Iran Deploys 'Pseudo-Ransomware,' Revives Pay2Key Operations
NCSC warns of messaging app targeting public sector | UKAuthority
Wartime Usage of Compromised IP Cameras Highlight Their Danger
Iran's hackers are on the offensive against the US and Israel - Ars Technica
Iran targets M365 accounts with password-spraying attacks • The Register
FBI Confirms Kash Patel Email Hack as US Offers $10M Reward for Hackers - SecurityWeek
Iranian hackers breach FBI director's personal email, and post his CV and photos online
Hidden Battle…Iran Conflict Shows How Digital Fight is Ingrained in Warfare
Why U.S. Special Operations Forces Will Focus More On The Cyber Domain
Cyber Warfare 101: Bluff Don’t Tell - CEPA
Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence
Information sharing of cyber threats vital to national security - Defence Connect
The Perils of Privatized Cyberwarfare | Lawfare
A New Cyber Service is Not the Answer > The Cyber Defense Review > Article View
Former NSA chiefs worry American offensive edge in cybersecurity is slipping | CyberScoop
Why U.S. Special Operations Forces Will Focus More On The Cyber Domain
Tools and Controls
More Confident, More Tooled, More Breached: The Security Gap Isn’t Closing | news | MSSP Alert
95 percent of organizations don’t trust their cybersecurity vendors - BetaNews
Security boffins harvest bumper crop of API keys from web • The Register
The Forgotten Endpoint: Security Risks of Dormant Devices
Russia targets VPNs used by millions in Putin’s latest internet crackdown | The Independent
Security leaders say the next two years are going to be 'insane' | CyberScoop
The Real Risk of Vibecoding | Trend Micro (US)
DMARC Policies in the Age of AI-Driven Impersonation | Proofpoint US
AI agents are about to overtake cybersecurity - for better, or worse? - SiliconANGLE
This privacy-first chatbot is taking off - here's why and how to try it | ZDNET
Germany urges citizens to back up data on World Backup Day | Cybernews
Enterprises are all in on AI for security but budgets aren’t keeping pace - Verdict
How AI has suddenly become much more useful to open-source developers | ZDNET
Leak reveals Anthropic’s ‘Mythos,’ a powerful AI model aimed at cybersecurity use cases | CSO Online
Trust, friction, and ROI: A CISO's take on making security work for the business - Help Net Security
Agentic GRC: Teams Get the Tech. The Mindset Shift Is What's Missing.
GPT Can’t Trace an Attack Chain. A Purpose-Built Cybersecurity LLM Can. - Security Boulevard
Free VPNs leak your data while claiming privacy
Malware detectors trained on one dataset often stumble on another - Help Net Security
Other News
3 Reasons Attackers Are Using Your Trusted Tools Against You (And Why You Don’t See It Coming)
Cyberthreat level remains high – attacks becoming more targeted and complex
Your router is about to stop getting security updates - here's what to do
Security precautions to consider while traveling through airports
Critical Infrastructure at Risk | Security Insider
The House Article | Government needs to take cyber security in our energy system seriously
Have telcos invested enough in security? | TelecomTV
UK manufacturers under cyber fire with 80% reporting attacks • The Register
Eight in 10 UK Manufacturers Hit by Cyber Incident in a Year - Infosecurity Magazine
Vulnerability Management
Security leaders say the next two years are going to be 'insane' | CyberScoop
EU wants to support bedrock cyber vulnerability program, top official says - Nextgov/FCW
Rethinking Vulnerability Management Strategies
Vulnerabilities
A critical Windows security fix puts legacy hardware on borrowed time – Computerworld
Windows is finally fixing a years-old security hole in April | PCWorld
New Windows 11 emergency update fixes preview update install issues
F5 BIG-IP DoS Flaw Upgraded to Critical RCE, Now Exploited in the Wild - SecurityWeek
Over 14,000 F5 BIG-IP APM instances still exposed to RCE attacks
Exploitation of Critical Fortinet FortiClient EMS Flaw Begins - SecurityWeek
Cisco Patches Critical and High-Severity Vulnerabilities - SecurityWeek
Cisco Patches 9.8 CVSS IMC and SSM Flaws Allowing Remote System Compromise
OpenAI Patches ChatGPT Data Exfiltration Flaw and Codex GitHub Token Vulnerability
Rapid Exploitation of CVE-2026-21962 Hits Oracle WebLogic - Infosecurity Magazine
Urgent Alert: NetScaler bug CVE-2026-3055 probed by attackers could leak sensitive data
Critical Fortinet Forticlient EMS flaw now exploited in attacks
Fortinet hit by another exploited cybersecurity flaw | CSO Online
Google fixes fourth Chrome zero-day exploited in attacks in 2026
Critical Vulnerability in Claude Code Emerges Days After Source Leak - SecurityWeek
Critical Flaw in Langflow AI Platform Under Attack
BIND Updates Patch High-Severity Vulnerabilities - SecurityWeek
Apple issues urgent lock screen warnings for unpatched iPhones and iPads
Hackers Actively Exploiting Critical WebLogic RCE Vulnerabilities in Attacks
Hackers Compromised 700+ Next.js Hosts by Exploiting React2Shell Vulnerability
Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials
CISA Flags Critical PTC Vulnerability That Had German Police Mobilized - SecurityWeek
TP-Link Patches High-Severity Router Vulnerabilities - SecurityWeek
TrueConf zero-day vulnerability exploited to target government networks - Help Net Security
New Progress ShareFile flaws can be chained in pre-auth RCE attacks
OpenSSH 10.3 patches five security bugs and drops legacy rekeying support - Help Net Security
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime & Shipping
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
Contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to external articles are provided for general interest and awareness only. Linking to or reposting external content does not constitute endorsement of or by any organisation, service, or product. We do not control and are not responsible for the content, security, or availability of external websites or links. Full credit is given to the original authors and sources. E&OE.
Black Arrow Cyber Threat Intelligence Briefing 27 March 2026
Black Arrow Cyber Threat Intelligence Briefing 27 March 2026:
-When Confidence Becomes a Risk: The Gap Between Cyber Resilience Readiness and Reality
-Cyber Warfare Outstripping Business Defence Capabilities
-Enterprise Cyber Security Software Fails 20% of the Time, Warns Absolute Security
-An AI-Powered Phishing Campaign Has Compromised Hundreds of Organisations
-NCSC Warns Vibe Coding Poses a Major Risk to Businesses
-32% of Top-Exploited Vulnerabilities Are Over a Decade Old
-It’s Time Cyber Security Understood Human Behaviour and Acted Accordingly
-The Phone Call Is the New Phishing Email
-Financial Brands Targeted in Global Mobile Banking Malware Surge
-UK Finance Firms Given 12 Months to Prepare for Stricter Cyber Reporting
-NCA Boss Warns That Teens Are Being “Radicalised” Into Cybercrime Online
-Most Wanted Hackers Hide in Plain Sight – And There’s Nothing Police Can Do
-US Regulator Bans Imports of New Foreign-Made Routers, Citing Security Concerns
Welcome to this week’s Black Arrow Cyber Threat Intelligence Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Executive Summary
With escalating attacks, it is vital that business leaders focus on both cyber security (to reduce the likelihood of a successful attack) and cyber resilience (to stand the best chance of surviving an attack). In our review of specialist and general media this week, we highlight the gap in business leaders’ perception of how resilient they are versus how they manage a real or simulated incident.
We share reasons for that gap including security controls that have not been maintained, vulnerabilities that are over a decade old, and insecure business software code that has been written by AI. Meanwhile, attackers are using AI to empower their own attacks and adapt their social engineering techniques to gain access via employees. The high number of attacks has prompted the UK financial services regulator to enforce stricter reporting of cyber incidents, which is effective in the next 12 months.
From the above, business leaders need to ensure they understand how robust their own cyber security is, and whether their organisation is resilient enough to withstand a likely attack. This requires an objective assessment, with upskilled governance to assess against the reports from control providers. Contact us to find out how to do this proportionately in your organisation.
Top Cyber Stories of the Last Week
When Confidence Becomes a Risk: The Gap Between Cyber Resilience Readiness and Reality
Research indicates that many leadership teams may be more confident in their cyber resilience than the facts justify. While 99% of organisations say they have a cyber resilience strategy, only 40% successfully contained and recovered from their most recent incident or test, and 63% of IT leaders believe executives overestimate readiness. Organisations that test recovery plans monthly achieve a higher success rate compared with those that test less often, showing that regular validation is critical to reducing operational, financial and reputational risk.
Cyber Warfare Outstripping Business Defence Capabilities
Armis warns that cyber warfare has become a daily business risk, with artificial intelligence helping attackers move faster and target more precisely. While 81% of UK decision-makers say they are confident in their ability to detect and respond to a coordinated cyber attack, 48% report being hit by an AI-led attack in the past year. The financial impact is also rising sharply: the average ransomware payment for larger organisations reached £7.71 million in 2025, and 44% say these payments now exceed their annual cyber security budget.
https://www.emergingrisks.co.uk/cyber-warfare-outstripping-business-defence-capabilities/
Enterprise Cyber Security Software Fails 20% of the Time, Warns Absolute Security
Absolute Security reports that delays in applying patches is a main cause of endpoint security tools failing on around 20% of enterprise devices, creating the equivalent of 76 days a year when organisations may face greater exposure to cyber threats. Its research, based on data from tens of millions of business devices, also found nearly a quarter of vulnerability management tools were operating outside compliance, critical Windows updates were delayed by an average of 127 days, and almost 10% of devices were permanently unpatched. For senior leaders, the message is clear: security tools are only effective if they remain operational, updated and consistently enforced.
https://www.infosecurity-magazine.com/news/cybersecurity-software-failure-20/
An AI-Powered Phishing Campaign Has Compromised Hundreds of Organisations
Researchers have uncovered a large-scale phishing campaign that used artificial intelligence to create convincing, varied scam emails and gain access to Microsoft cloud accounts at speed. Huntress identified 344 affected organisations across sectors including finance, healthcare, government and legal services, and believes the true number could run into the thousands. In some cases, attackers could keep access for up to 90 days without needing a password or additional verification. The campaign highlights how artificial intelligence is lowering the barrier for cyber criminals and increasing the pace and scale of cyber attacks.
https://cyberscoop.com/huntress-railway-ai-phishing-campaign-compromised-hundreds-of-organizations/
NCSC Warns Vibe Coding Poses a Major Risk to Businesses
The UK’s NCSC has warned that AI generated code, often called “vibe coding”, is creating growing cyber security risks for businesses. While AI could help reduce long standing software weaknesses, the agency says many organisations are not improving their ability to find and fix flaws quickly enough. It notes that software code in systems doubles roughly every 42 months, increasing the potential attack surface, while serious weaknesses are often exploited before fixes are applied. Separate industry research found 1 in 5 security leaders had experienced a major incident linked to AI generated code.
https://www.itpro.com/security/ncsc-warns-vibe-coding-poses-a-major-risk
32% of Top-Exploited Vulnerabilities Are Over a Decade Old
Cisco Talos reports that many of the security weaknesses most often exploited in 2025 were not new. Around 32% were more than 10 years old and nearly 40% affected unsupported devices, showing how ageing technology continues to create risk. Attackers also moved quickly on newly disclosed flaws, often using them almost at once. Ransomware remained steady, with manufacturing the hardest hit sector, while email was still a major route in, featuring in 40% of response cases.
It’s Time Cyber Security Understood Human Behaviour and Acted Accordingly
Organisations are being reminded that many serious cyber security breaches exploit human behaviour rather than technical flaws. Human actions such as responding quickly under pressure or approving repeated login requests can open the door to attackers, with Verizon finding human behaviour involved in around 60% of breaches. The growing use of AI is expected to make these manipulation tactics more convincing. Effective defence now depends on combining staff awareness with stronger sign in controls that can detect suspicious activity without creating unnecessary friction for employees.
The Phone Call Is the New Phishing Email
Mandiant reports a marked shift in cyber crime tactics, with voice phishing now behind 11% of the incidents it investigated in 2025. In these attacks, criminals phone employees or IT support while pretending to be legitimate staff in order to gain access. Software weaknesses still remained the main route in, accounting for 32% of cases. Technology firms were most affected at 17% of incidents, followed by finance at 14%, professional services at 13% and health care at 11%.
https://cyberscoop.com/social-engineering-surge-intrusion-vector-mandiant-m-trends/
Financial Brands Targeted in Global Mobile Banking Malware Surge
A sharp rise in mobile banking malware is putting financial organisations under growing pressure, with 1,243 financial brands across 90 countries now being targeted. Zimperium found attacks are increasingly happening on customers’ phones rather than within bank systems, making fraud harder to spot because it can look like normal account activity. Android banking trojan activity rose 56% in 2025, while online fraud increased 21% year on year. The US faces the highest concentration of targeted banking apps, followed by the UK.
https://www.infosecurity-magazine.com/news/financial-brands-mobile-banking/
UK Finance Firms Given 12 Months to Prepare for Stricter Cyber Reporting
Britain’s financial regulator has given firms 12 months to prepare for tougher reporting rules on cyber incidents and disruptions affecting key suppliers. The measures take effect on 18 March 2027 and are designed to improve operational resilience, meaning an organisation’s ability to keep critical services running during disruption. The move reflects growing concern over supply chain risk, with more than 40% of cyber incidents reported to the Financial Conduct Authority in 2025 involving a third party, including major outages linked to Cloudflare and AWS.
NCA Boss Warns That Teens Are Being “Radicalised” Into Cybercrime Online
The UK National Crime Agency warns that online platforms and recommendation systems are drawing some teenagers into cyber crime, alongside other serious offences, as digital networks make crime faster, more global and harder to separate into neat categories. The agency also reports rising online fraud, including investment scams and sexual extortion, plus a growing number of UK-based attackers using both malicious software and manipulation of staff. Its message to leaders is that protecting systems alone is not enough: organisations must also strengthen staff awareness, processes and supply chain resilience.
https://www.infosecurity-magazine.com/news/nca-boss-warns-teens-radicalized/
Most Wanted Hackers Hide in Plain Sight – And There’s Nothing Police Can Do
Cyber criminals often remain beyond the reach of law enforcement not because they cannot be identified, but because legal and political barriers make prosecutions difficult. In 2023, the FBI received more than 880,000 cyber crime complaints reporting losses above $12.5 billion, yet only a tiny proportion led to prosecutions. While international cooperation has improved and some criminal services have been disrupted, replacements quickly emerge. The result is a low risk, high reward environment in which many offenders operate openly from countries unwilling to extradite them.
https://cybernews.com/security/wanted-hackers-hide-plain-sight-police/
US Regulator Bans Imports of New Foreign-Made Routers, Citing Security Concerns
The US communications regulator has banned imports of newly approved foreign-made home routers, citing national security and cyber security concerns. China is thought to supply at least 60% of the US home router market. Existing models are unaffected, but new imports will be blocked after a government review warned that weaknesses in some devices could be used to disrupt essential services, spy on networks and steal valuable information. The move reflects growing concern that everyday internet equipment, which connects homes and businesses to online services, can create wider risks to national infrastructure and economic security.
Governance, Risk and Compliance
Cyber warfare outstripping business defence capabilities
UK finance firms given 12 months to prepare for stricter cyber reporting | Cyprus Mail
When confidence becomes a risk: The gap between cyber resilience readiness and reality | TechRadar
You can’t patch poor leadership: cyber security starts in the boardroom | BCS
From boardroom risk to deal flow: why cyber M&A is accelerating in 2026 | TechRadar
US government launches Bureau of Emerging Threats | Computer Weekly
How To Strengthen Cyber Resilience Through Shared Risk Ownership
Threats
Ransomware, Extortion and Destructive Attacks
Why hackers almost never get caught | Cybernews
Stryker cyber attack: Employees still unable to work more than a week after hack - mlive.com
Ransomware's New Era: Moving at AI Speed
Ransomware Affiliate Exposes Details of 'The Gentlemen' Operation - Infosecurity Magazine
Ex-data analyst stole company data in $2.5M extortion scheme
FBI seizes domains linked to Iran hackers after Stryker cyberattack
TeamPCP deploys Iran-targeted wiper in Kubernetes attacks
Handala Group Tied to Iranian Hack‑and‑Leak Operations, FBI Reveals - Infosecurity Magazine
U.S. Sentences Russian Hacker to 6.75 Years for Role in $9M Ransomware Damage
Stryker Sued by Former Employee Alleging Failure to Secure Data
Cyber OpSec Fail: Beast Gang Exposes Ransomware Server
Extortion Group Claims It Hacked AstraZeneca - SecurityWeek
UK watchdog raises concerns over Jaguar Land Rover's cyber bailout | SC Media UK
Manager of botnet used in ransomware attacks gets 2 years in prison
Law Firm Ransomware Attacks On Rise, Report Says - Law360
Ransomware and Destructive Attack Victims
Co-op takes £126m knock from cyber attack as boss quits
UK watchdog raises concerns over Jaguar Land Rover's cyber bailout | SC Media UK
WorldLeaks group breached the City of Los Angeles
Chip Services Firm Trio-Tech Says Subsidiary Hit by Ransomware - SecurityWeek
Phishing & Email Based Attacks
An AI-powered phishing campaign has compromised hundreds of organizations | CyberScoop
The phone call is the new phishing email | CyberScoop
Voice phishing skyrockets as smooth crims talk their way in • The Register
Microsoft Azure Monitor alerts abused for callback phishing attacks
Signal is being targeted by Russian hackers in a huge new phishing campaign, FBI says | TechRadar
Tycoon2FA phishing platform returns after recent police disruption
Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse
Manager of botnet used in ransomware attacks gets 2 years in prison
Microsoft Warns IRS Phishing Hits 29,000 Users, Deploys RMM Malware
Phishers Pose as Palo Alto Networks' Recruiters in Job Scam
Other Social Engineering
The phone call is the new phishing email | CyberScoop
Voice phishing skyrockets as smooth crims talk their way in • The Register
Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse
Trio sentenced for facilitating North Korean IT worker scheme from their homes | CyberScoop
Attackers are handing off access in 22 seconds, Mandiant finds - Help Net Security
Google slows Android sideloading to trip up scammers - Help Net Security
Hackers Use Fake Resumes to Steal Enterprise Credentials and Deploy Crypto Miner
2FA/MFA
It’s time cyber security understood human behavior and acted accordingly | TechRadar
Tycoon2FA phishing platform returns after recent police disruption
Artificial Intelligence
An AI-powered phishing campaign has compromised hundreds of organizations | CyberScoop
Cybersecurity Staff Don’t Know How Fast They Could Stop AI Attacks - Infosecurity Magazine
Ransomware's New Era: Moving at AI Speed
Cyber Attacks Hit 93% of UK Critical Infrastructure as AI Threats Accelerate - IT Security Guru
Cybercriminals are Winning with AI - Security Boulevard
1 in 2 security leaders say they're not ready for AI attacks - 4 actions to take now | ZDNET
NCSC warns vibe coding poses a major risk to businesses | IT Pro
A nearly undetectable LLM attack needs only a handful of poisoned samples - Help Net Security
The Kill Chain Is Obsolete When Your AI Agent Is the Threat
AI Speeds Attacks, But Identity Remains Cybersecurity’s Weakest Link - SecurityWeek
SANS: Top 5 Most Dangerous New Attack Techniques to Watch
MSSPs Can’t Keep Up With AI-Driven Threats | news | MSSP Alert
Deepfake scams skyrocket. Can a safe word protect your family? | Cybernews
OpenClaw AI goes viral in China, raising cybersecurity fears - Asia Times
3 Men Charged With Conspiring to Smuggle US Artificial Intelligence to China - SecurityWeek
China moves to curb use of OpenClaw AI at banks, state agencies | The Straits Times
Stop telling AI your secrets - 5 reasons why, and what to do if you already overshared | ZDNET
The OWASP Top 10 for LLM Applications (2025): Explained Simply - Security Boulevard
Who owns AI agent access? At most companies, nobody knows - Help Net Security
Bots/Botnets
US Takes Down Botnets Used in Record-Breaking Cyberattacks | WIRED
Manager of botnet used in ransomware attacks gets 2 years in prison
How one man used 10,000 bots to steal $8,000,000 from music artists
Careers, Roles, Skills, Working in Cyber and Information Security
The Hidden Cost of Cybersecurity Specialization: Losing Foundational Skills
Cyber platformisation is a skills issue for security teams | Computer Weekly
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Hackers Use Fake Resumes to Steal Enterprise Credentials and Deploy Crypto Miner
Cyber Crime, Organised Crime & Criminal Actors
Why hackers almost never get caught | Cybernews
The rise of the cyber hacker - does clout matter more than cash? | TechRadar
Operation Henhouse Nets Over 500 Arrests in UK Fraud Crackdown - Infosecurity Magazine
Manager of botnet used in ransomware attacks gets 2 years in prison
Russian initial access broker jailed for 81 months in US • The Register
Data Breaches/Leaks
Hackers claim to have accessed data tied to millions of crime tipsters | Malwarebytes
Marquis Data Breach Affects 672,000 Individuals - SecurityWeek
Mazda discloses security breach exposing employee and partner data
HackerOne Employee Data Exposed in Massive Navia Breach - SecurityWeek
Data/Digital Sovereignty
Big Win for Open Source as Germany Backs Open Document Format
Open source is booming in Europe as enterprises look to strengthen digital autonomy | IT Pro
Denial of Service/DoS/DDoS
US Takes Down Botnets Used in Record-Breaking Cyberattacks | WIRED
International joint action disrupts world’s largest DDoS botnets
Encryption
Google moves post-quantum encryption timeline up to 2029 | CyberScoop
Fraud, Scams and Financial Crime
Operation Henhouse Nets Over 500 Arrests in UK Fraud Crackdown - Infosecurity Magazine
Industry Acts Against Fraud, but Government's Role Unclear
Fake app stores bypass sideloading restrictions using PWAs | Cybernews
Deepfake scams skyrocket. Can a safe word protect your family? | Cybernews
Google slows Android sideloading to trip up scammers - Help Net Security
Police take down 373,000 fake CSAM sites in Operation Alice
Man Used 373,000 Sites On Dark Web To Swindle Predators, Hackers
Scammers have virtual smartphones on speed dial for fraud • The Register
How one man used 10,000 bots to steal $8,000,000 from music artists
Phishers Pose as Palo Alto Networks' Recruiters in Job Scam
Identity and Access Management
AI Speeds Attacks, But Identity Remains Cybersecurity’s Weakest Link - SecurityWeek
Insider Risk and Insider Threats
Human Risk Multiplier: How Mobile Devices Expand Enterprise Attack Surfaces
It’s time cyber security understood human behavior and acted accordingly | TechRadar
Trio sentenced for facilitating North Korean IT worker scheme from their homes | CyberScoop
Ex-data analyst stole company data in $2.5M extortion scheme
Insurance
UK watchdog raises concerns over Jaguar Land Rover's cyber bailout | SC Media UK
Are nations ready to be the cybersecurity insurers of last resort? | CSO Online
Internet of Things – IoT
Cyberattack on vehicle breathalyzer company leaves drivers stranded across the US | TechCrunch
Law Enforcement Action and Take Downs
Operation Henhouse Nets Over 500 Arrests in UK Fraud Crackdown - Infosecurity Magazine
Why hackers almost never get caught | Cybernews
Trio sentenced for facilitating North Korean IT worker scheme from their homes | CyberScoop
US Takes Down Botnets Used in Record-Breaking Cyberattacks | WIRED
International joint action disrupts world’s largest DDoS botnets
Manager of botnet used in ransomware attacks gets 2 years in prison
NCA Boss Warns That Teens Are Being “Radicalized” Online - Infosecurity Magazine
Dark web platforms taken down in international operation | IT Pro
Alleged RedLine infostealer conspirator extradited to US | CyberScoop
Man Used 373,000 Sites On Dark Web To Swindle Predators, Hackers
Tycoon2FA phishing platform returns after recent police disruption
FBI seizes domains linked to Iran hackers after Stryker cyberattack
U.S. Sentences Russian Hacker to 6.75 Years for Role in $9M Ransomware Damage
3 Men Charged With Conspiring to Smuggle US Artificial Intelligence to China - SecurityWeek
Linux and Open Source
Big Win for Open Source as Germany Backs Open Document Format
Open source is booming in Europe as enterprises look to strengthen digital autonomy | IT Pro
Malware
If You Own One Of These Popular Routers, The FBI Has A Serious Warning
Alleged RedLine infostealer conspirator extradited to US | CyberScoop
Trivy vulnerability scanner breach pushed infostealer via GitHub Actions
The New Turing Test: How Threats Use Geometry to Prove 'Humanness'
Chrome encryption bypass discovered: New malware steals passwords and cookies – Computerworld
GitHub-hosted malware campaign uses split payload to evade detection - Help Net Security
Hackers Use Fake Resumes to Steal Enterprise Credentials and Deploy Crypto Miner
FBI: Iranian hackers targeting opponents with Telegram malware | CyberScoop
North Korea-linked threat actors abuse VS Code auto-run to spread StoatWaffle malware
Mobile
Human Risk Multiplier: How Mobile Devices Expand Enterprise Attack Surfaces
CISA urges US orgs to secure Microsoft Intune systems after Stryker breach
Financial Brands Targeted in Global Mobile Banking Malware Surge - Infosecurity Magazine
New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data
Fake app stores bypass sideloading restrictions using PWAs | Cybernews
FBI: Iranian hackers targeting opponents with Telegram malware | CyberScoop
Google slows Android sideloading to trip up scammers - Help Net Security
iOS, macOS 26.4 Roll Out With Fresh Security Patches - SecurityWeek
Hong Kong police can now demand phone passwords under national security law
Models, Frameworks and Standards
NIST updates its DNS security guidance for the first time in over a decade - Help Net Security
The OWASP Top 10 for LLM Applications (2025): Explained Simply - Security Boulevard
Cyber Resilience Act (EU) - Security Boulevard
Outages
Microsoft Exchange Online service change causes email access issues
Passwords, Credential Stuffing & Brute Force Attacks
Chrome encryption bypass discovered: New malware steals passwords and cookies – Computerworld
Hong Kong police can now demand phone passwords under national security law
Regulations, Fines and Legislation
UK finance firms given 12 months to prepare for stricter cyber reporting | Cyprus Mail
US bans foreign-made internet routers over security concerns | The Independent
UK Law Update 2026: Key Legal Shifts and What They Mean - Law News
US government launches Bureau of Emerging Threats | Computer Weekly
Irish government launches CNI resilience plan | Computer Weekly
What was missing from the UK digital ID consultation? • The Register
Social Media
Software Supply Chain
Trivy vulnerability scanner breach pushed infostealer via GitHub Actions
Trivy Supply Chain Attack Triggers Self-Spreading CanisterWorm Across 47 npm Packages
Supply Chain and Third Parties
SANS: Top 5 Most Dangerous New Attack Techniques to Watch
TeamPCP deploys Iran-targeted wiper in Kubernetes attacks
Trivy’s March Supply Chain Attack Shows Where Secret Exposure Hurts Most - Security Boulevard
LiteLLM PyPI packages compromised in expanding TeamPCP supply chain attacks - Help Net Security
From Trivy to Broad OSS Compromise: TeamPCP Hits Docker Hub, VS Code, PyPI - SecurityWeek
Chip Services Firm Trio-Tech Says Subsidiary Hit by Ransomware - SecurityWeek
Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity
Cyber Warfare and Cyber Espionage
Cyber warfare outstripping business defence capabilities
Iran Readied Cyberattack Capabilities for Response Prior to Epic Fury - SecurityWeek
How Russian electronic warfare is forcing ships to abandon GPS
First cyberattacks of war hint at Iran's playbook against U.S.
Inside the Growing 'Cyber Invasion' Targeting the US
Iran war fallout is no longer confined to states - it now runs through companies | The National
Only Trump decides when cyberwar turns into real war • The Register
How CISOs Can Survive the Era of Geopolitical Cyberattacks
Nation State Actors
Inside the Growing 'Cyber Invasion' Targeting the US
Blame Game: Why Public Cyber Attribution Carries Risks
China
US regulator bans imports of new foreign-made routers, citing security concerns | Reuters
3 Men Charged With Conspiring to Smuggle US Artificial Intelligence to China - SecurityWeek
How Cyberattacks Can Turn Battery Farms Into Grid Blackouts
Hong Kong police can now demand phone passwords under national security law
OpenClaw AI goes viral in China, raising cybersecurity fears - Asia Times
China moves to curb use of OpenClaw AI at banks, state agencies | The Straits Times
Russia
How Russian electronic warfare is forcing ships to abandon GPS
Signal is being targeted by Russian hackers in a huge new phishing campaign, FBI says | TechRadar
Russian APT targets Ukraine via Zimbra XSS flaw CVE-2025-66376
FBI links Signal phishing attacks to Russian intelligence services
Manager of botnet used in ransomware attacks gets 2 years in prison
Russian initial access broker jailed for 81 months in US • The Register
Internet outages disrupt daily life in Russia, fueling fears of a digital crackdown | CNN
North Korea
North Korea-linked threat actors abuse VS Code auto-run to spread StoatWaffle malware
Trio sentenced for facilitating North Korean IT worker scheme from their homes | CyberScoop
Iran
Iran Readied Cyberattack Capabilities for Response Prior to Epic Fury - SecurityWeek
First cyberattacks of war hint at Iran's playbook against U.S.
FBI seizes domains linked to Iran hackers after Stryker cyberattack
Stryker cyber attack: Employees still unable to work more than a week after hack - mlive.com
Handala Group Tied to Iranian Hack‑and‑Leak Operations, FBI Reveals - Infosecurity Magazine
Iran Hacktivists Make Noise but Have Little Impact on War
Iran war fallout is no longer confined to states - it now runs through companies | The National
TeamPCP deploys Iran-targeted wiper in Kubernetes attacks
FBI: Iranian hackers targeting opponents with Telegram malware | CyberScoop
French aircraft carrier Charles de Gaulle tracked via Strava activity in OPSEC failure
Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence
Only Trump decides when cyberwar turns into real war • The Register
Tools and Controls
Enterprise Cybersecurity Software Fails 20% of the Time, Warns Report - Infosecurity Magazine
CISA urges US orgs to secure Microsoft Intune systems after Stryker breach
NCSC warns vibe coding poses a major risk to businesses | IT Pro
When confidence becomes a risk: The gap between cyber resilience readiness and reality | TechRadar
NIST updates its DNS security guidance for the first time in over a decade - Help Net Security
UK firms regret software spending as tool sprawl causes IT headaches | IT Pro
Enterprise PCs are unreliable, unpatched, and unloved • The Register
CISOs Debate Human Role in AI-Powered Security
The OWASP Top 10 for LLM Applications (2025): Explained Simply - Security Boulevard
MSSPs Can’t Keep Up With AI-Driven Threats | news | MSSP Alert
Using a single LLM tool for malware analysis leads to unreliable results - BetaNews
Top AI coding tools make mistakes one in four times, study shows
UK is set to lead multinational cyber defence exercise | UKAuthority
Google unleashes Gemini AI agents on the dark web • The Register
Other News
Cyber Attacks Hit 93% of UK Critical Infrastructure as AI Threats Accelerate - IT Security Guru
7,500+ Magento sites defaced in global hacking campaign
The UK’s cyber-security reckoning | The Independent
Blame Game: Why Public Cyber Attribution Carries Risks
The era of cheap technology could be over | IT Pro
New rules, rising threats: why lean IT teams must rethink cyber-security | The Independent
One year on from retail’s devastating cyber attacks, what’s changed? - Retail Gazette
Vulnerability Management
32% of top-exploited vulnerabilities are over a decade old - Help Net Security
Enterprise PCs are unreliable, unpatched, and unloved • The Register
Lightning-fast exploits mean patch fast, says Cisco Talos • The Register
Trivy vulnerability scanner breach pushed infostealer via GitHub Actions
Vulnerabilities
New KB5085516 emergency update fixes Microsoft account sign-in
Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks
Chrome encryption bypass discovered: New malware steals passwords and cookies – Computerworld
iOS, macOS 26.4 Roll Out With Fresh Security Patches - SecurityWeek
Telnet vulnerability opens door to remote code execution as root | CSO Online
Microsoft releases emergency fix for account internet error • The Register
Chrome 146 Update Patches High-Severity Vulnerabilities - SecurityWeek
Oracle Patches Critical CVE-2026-21992 Enabling Unauthenticated RCE in Identity Manager
MS update kills Microsoft account sign-ins in Windows 11 • The Register
Russian APT targets Ukraine via Zimbra XSS flaw CVE-2025-66376
PolyShell flaw exposes Magento and Adobe Commerce to file upload attacks
Apple details Safari 26.4 with 44 new features, 191 bug fixes, more - 9to5Mac
Patch now: TP-Link Archer NX routers vulnerable to firmware takeover
Critical Quest KACE Vulnerability Potentially Exploited in Attacks - SecurityWeek
QNAP fixed four vulnerabilities demonstrated at Pwn2Own Ireland 2025
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime & Shipping
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
Contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to external articles are provided for general interest and awareness only. Linking to or reposting external content does not constitute endorsement of or by any organisation, service, or product. We do not control and are not responsible for the content, security, or availability of external websites or links. Full credit is given to the original authors and sources. E&OE.
Black Arrow Cyber Threat Intelligence Briefing 20 March 2026
Black Arrow Cyber Threat Intelligence Briefing 20 March 2026:
-Cyberattacks Spike 245% in the Two Weeks After the Start of War with Iran
-Attack on Stryker’s Microsoft Environment Wiped Employee Devices Without Malware
-Researchers Ask AI Agents to Create LinkedIn Posts. They Publish Passwords Instead
-AI Finally Delivers Those Elusive Productivity Gains… for Cybercriminals
-Phishers Weaponise Safe Links with Multi-Layered URL Rewriting to Evade Detection
-Ransomware Gang Exploits Cisco Flaw in Zero-Day Attacks Since January
-Your Favourite Image-Saving Chrome Extension Was Scraping Your Data for Cash
-Credential-Stealing Crew Spoofs VPN Clients From Cisco, Fortinet, and Others
-EDR Killers Are Now Standard Equipment in Ransomware Attacks
-Your Employees’ Tech Frustration is a Gift to Cybercriminals
-Third-Party Risk Management Must Now Confront AI, Cyber Security, and Technology Risk Head-On
-North Korea’s 100,000-Strong Fake IT Worker Army Rake In $500M a Year for Kim Jong Un
-Why Cyber Attacks on Critical National Infrastructure Are Such a Huge Threat
Welcome to this week’s Black Arrow Cyber Threat Intelligence Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Executive Summary
The Iran war is affecting organisations across the world, with a 245% rise in cyber attacks shortly after it started, particularly against financial services, e‑commerce and gaming sectors. Separately, a healthcare technology firm confirmed it had been attacked by Iranian‑linked hacktivists who wiped tens of thousands of devices.
In other news from our review of specialist and general media, we highlight the need for businesses to manage the risks associated with AI, either due to autonomous AI agents taking harmful actions or the use of AI by attackers.
We also share details of new and developing attacker tactics including multi-layered weblinks, zero-day firewall vulnerabilities, malicious Chrome extensions, fake VPNs and deactivating victims’ security controls. These tactics are not only used against your organisation but also against your suppliers and clients, which is why we include a reminder of the need to understand the security posture of third parties that you work with and to identify whether your need to include additional security in the way you work with them.
Current geopolitical tensions, whether in the Middle East or Europe, are further reasons for business leaders to take a structured approach to identifying cyber risks and the pragmatic controls to address them as part of a strategy across people, operations and technology. Contact us to discuss how to do this in your organisation.
Top Cyber Stories of the Last Week
Cyberattacks Spike 245% in the Two Weeks After the Start of War with Iran
Security researchers have reported a 245% rise in cyber-attacks in the two weeks after the conflict with Iran began on 28 February 2026, with banks, online retailers and gaming firms making up 80% of observed targets. Financial services and e-commerce accounted for more than half. Attackers are increasingly using legitimate administrative tools and stolen login details, making malicious activity harder to spot and allowing them to disrupt services or erase data at scale. The trend highlights how geopolitical conflict can quickly raise cyber security risks for private sector organisations well beyond the immediate region.
Attack on Stryker’s Microsoft Environment Wiped Employee Devices Without Malware
Medical technology firm Stryker has confirmed a major cyber-attack that disrupted its internal Microsoft systems and remotely wiped around 80,000 employee devices, leaving some ordering systems offline and forcing manual workarounds. The attackers also claimed to have stolen about 50 terabytes of company data and caused disruption across 79 countries. Stryker said the incident was contained within its corporate IT environment and did not affect its medical products or connected devices, which remain safe to use. The case highlights how compromised admin accounts can cause serious operational disruption without malicious software being installed.
Researchers Ask AI Agents to Create LinkedIn Posts. They Publish Passwords Instead
Tests by AI security researchers found that autonomous AI agents can take harmful actions even during routine business tasks. In one exercise, AI agents that were asked to draft LinkedIn posts exposed passwords publicly, while others bypassed security controls, ignored anti-virus protections and accessed restricted data by creating fake credentials. Separate studies found agents could leak confidential information, damage databases and influence other agents to break rules. The findings suggest that giving AI systems broad access, persistence and freedom to act can create serious cyber security, legal and governance risks for organisations.
https://cybernews.com/security/rogue-ai-agents-aggressive-passwords/
AI Finally Delivers Those Elusive Productivity Gains… for Cybercriminals
Interpol reports that artificial intelligence is making online fraud far more effective and around 4.5 times more profitable for criminals. Tools that refine language, mimic voices and create fake identities are helping scams appear more convincing at very low cost. The agency also warns that AI is driving a rise in blackmail using fabricated images, while large scale scam centres are expanding beyond South East Asia into Africa, Europe and the Americas. Global losses from financial fraud reached an estimated $442 billion in 2025, underlining the growing business risk and need for stronger public and private sector cooperation.
https://www.theregister.com/2026/03/16/interpol_ai_fraud/
Phishers Weaponise Safe Links with Multi-Layered URL Rewriting to Evade Detection
Criminal groups are increasingly abusing trusted email security tools to make phishing messages look legitimate and bypass automated checks. Researchers saw a marked rise in this tactic between late 2025 and January 2026, with attacks targeting Microsoft 365 users through multiple layers of trusted vendor links before reaching fake sign in pages. In some cases, links exceeded 1,200 characters and passed through five separate security services. The aim is to steal login details and access tokens, which can then be used to take over accounts, steal sensitive data, send internal phishing emails and, in serious cases, deploy ransomware.
https://cybersecuritynews.com/phishers-weaponize-safe-links-with-multi-layered-url/
Ransomware Gang Exploits Cisco Flaw in Zero-Day Attacks Since January
Cisco has warned that a ransomware group has been exploiting a previously unknown flaw in its firewall management software since late January, giving attackers more than a month to target organisations before a fix was released on 4 March. According to Amazon’s threat intelligence team, the group had a 36-day window to abuse the weakness in internet-facing systems. The case underlines the speed at which cyber criminals can weaponise newly discovered software flaws and the importance of rapid patching, strong monitoring and resilient incident response plans.
Your Favourite Image-Saving Chrome Extension Was Scraping Your Data for Cash
Google has removed the "Save image as Type" Chrome extension after identifying malicious behaviour, affecting at least one million users. The tool, which let people save website images in formats such as PNG or JPG, was found to be quietly redirecting users when making online purchases through its own affiliate links across at least 578 websites. In practice, this meant user activity was being monitored and monetised without clear consent. Reports suggest the extension changed ownership in late 2025, with the questionable activity continuing on Chrome until March 2026. The case is a reminder that even widely used browser add-ons can create hidden cyber security and privacy risks.
https://9to5google.com/2026/03/16/image-saving-chrome-extension-removed-as-malware/
Credential-Stealing Crew Spoofs VPN Clients From Cisco, Fortinet, and Others
Microsoft has uncovered a criminal group using fake virtual private network, or VPN, software from major suppliers including Cisco, Fortinet, Ivanti and Check Point to steal employee usernames and passwords. Since mid-January, the group has manipulated search results so bogus download pages appear above genuine ones, then directed victims to counterfeit installers hosted on GitHub. After capturing login details, the software shows a fake error and points uses to the real supplier site, making the attack hard to spot. The case underlines the need for controls including multi-factor authentication.
https://www.theregister.com/2026/03/13/vpn_clients_spoofed/
EDR Killers Are Now Standard Equipment in Ransomware Attacks
Ransomware gangs now routinely use tools that disable endpoint security (EDR) software before locking files, giving attackers a short but reliable window to cause disruption. Researchers found nearly 90 such tools in active use, showing how common this tactic has become. Many rely on weaknesses in legitimate software drivers, while others use standard administrator tools or interfere with security systems more directly. The trend is being widened by criminal affiliate networks and may be accelerated by AI assisted coding, making ransomware attacks harder to predict and defend against.
https://www.helpnetsecurity.com/2026/03/19/edr-killer-ransomware-attacks/
Your Employees’ Tech Frustration is a Gift to Cybercriminals
Poor workplace technology is more than a productivity issue. It is a growing cyber security risk. Research found 89% of IT professionals believe improving employees’ day to day digital experience strengthens security, while 27% of office workers use unapproved personal devices or apps when official tools are too difficult to use. Nearly half say they are left to teach themselves new systems. For senior leaders, the message is clear: simpler systems, better training and more automated routine IT tasks can reduce frustration, cut risky workarounds and make it harder for attackers to gain access.
https://www.techradar.com/pro/your-employees-tech-frustration-is-a-gift-to-cybercriminals
Third-Party Risk Management Must Now Confront AI, Cyber Security, and Technology Risk Head-On
Third-party risk management needs to cover more than compliance and financial checks. Many suppliers have access to sensitive data, core systems and critical business services, which means any weaknesses in their security, use of artificial intelligence, or wider technology can directly disrupt operations or expose other organisations to data loss, fraud and legal risk. Effective oversight should focus on the highest risk suppliers, strengthen contract terms, and include ongoing monitoring so businesses can spot problems early and reduce dependence on a small number of critical providers.
https://www.jdsupra.com/legalnews/third-party-risk-management-must-now-9969518/
North Korea’s 100,000-Strong Fake IT Worker Army Rake In $500M a Year for Kim Jong Un
North Korea is using a vast network of fake IT workers to secure remote technology jobs at companies around the world, generating an estimated $500 million a year for the regime. Researchers believe the operation involves more than 100,000 people across 40 countries, supported by recruiters, facilitators and Western accomplices who help provide false identities. Beyond the financial gain, the wider risk is that these workers can gain trusted access to company systems and sensitive information, making recruitment checks, interview scrutiny and identity verification an increasingly important part of cyber security.
https://www.theregister.com/2026/03/18/researchers_lift_the_lid_on/
Why Cyber Attacks on Critical National Infrastructure Are Such a Huge Threat
Critical national infrastructure is facing growing cyber security pressure as attackers target essential services such as energy, transport, healthcare, telecommunications and water. The aim is often not the direct target itself, but the wider disruption caused to daily life, public confidence and business operations. In the UK, 95% of critical national infrastructure organisations reported a cyber-attack in 2024. The risk is heightened by connected systems, complex supply chains and mixed public and private ownership, making stronger collaboration, clearer risk oversight and security built into infrastructure from the outset increasingly important.
Governance, Risk and Compliance
UK: Regulation Drives Cyber Spending for Critical Infrastructure Orgs - Infosecurity Magazine
Why cyber attacks on critical national infrastructure are such a huge threat | IT Pro
How Cyber Risk Management Builds Resilience | Kovrr - Security Boulevard
Did cybersecurity recently have its Gatling gun moment? | CSO Online
When Liability Turns the CISO Into the Fall Guy
Clear Communication: The Missing Link in Cybersecurity Success
Cyber exposures: third-party risk in a hyperconnected world — Financier Worldwide
Threats
Ransomware, Extortion and Destructive Attacks
Attack on Stryker ’s Microsoft environment wiped employee devices without malware
Ransomware gang exploits Cisco flaw in zero-day attacks since January
Cisco’s latest vulnerability spree has a more troubling pattern underneath | CyberScoop
EDR killers are now standard equipment in ransomware attacks - Help Net Security
AI-generated Slopoly malware used in Interlock ransomware attack
The ransomware economy is shifting toward straight-up data extortion | CyberScoop
Ransomware Tactics, Techniques, and Procedures in a Shifting Threat Landscape | Google Cloud Blog
Web Shells, Tunnels, and Ransomware: Dissecting a Warlock Attack | Trend Micro (US)
LeakNet ransomware uses ClickFix, Deno runtime in stealthy attacks
The UK's plans to tackle ransomware
Ransomware and Destructive Attack Victims
England Hockey investigating ransomware data breach
Payload Ransomware claims the hack of Royal Bahrain Hospital
Phishing & Email Based Attacks
Security Firm Executive Targeted in Sophisticated Phishing Attack - SecurityWeek
Phishers Weaponize Safe Links With Multi-Layered URL Rewriting to Evade Detection
Fake invoices appear as calendar events | Cybernews
Attackers Don't Just Send Phishing Emails. They Weaponize Your SOC's Workload
Robotics surgical biz Intuitive discloses phishing attack • The Register
Other Social Engineering
Elite members of North Korean society fake their way into Western paychecks - Help Net Security
North Korean's 100k fake IT workers net $500M a year for Kim • The Register
Fake invoices appear as calendar events | Cybernews
LeakNet ransomware uses ClickFix, Deno runtime in stealthy attacks
Help on the line: How a Microsoft Teams support call led to compromise | Microsoft Security Blog
I stopped using security questions when I found how easy they are to hack
AML/CFT/Money Laundering/Terrorist Financing/Sanctions
EU freezes Chinese, Iranian firms over major cyberattacks | Cybernews
Artificial Intelligence
The AI literacy gap liability - Emerging Europe
Did cybersecurity recently have its Gatling gun moment? | CSO Online
Rogue AI agents can work together to hack systems • The Register
Rogue AI agents bypass antivirus, publish passwords | Cybernews
Shadow AI Risk: How SaaS Apps Are Quietly Enabling Massive Breaches - SecurityWeek
AI-generated Slopoly malware used in Interlock ransomware attack
AI-driven fraud far more profitable, Interpol warns • The Register
OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration
AI coding agents keep repeating decade-old security mistakes - Help Net Security
Shadow AI is everywhere. Here’s how to find and secure it.
Odido routers forwarded customers' personal data to American AI company for years | NL Times
Critical Langflow Vulnerability Exploited Hours After Public Disclosure - SecurityWeek
DOD says Anthropic’s ‘red lines’ make it an ‘unacceptable risk to national security’ | TechCrunch
Bots/Botnets
174 Vulnerabilities Targeted by RondoDox Botnet - SecurityWeek
Criminals hijack thousands of devices to create never-before-seen cyber weapon | The Independent
Law enforcement shuts down botnet made of tens of thousands of hacked routers | TechCrunch
Cyber criminals too are working from home… your home – Computerworld
Careers, Roles, Skills, Working in Cyber and Information Security
When Liability Turns the CISO Into the Fall Guy
Cloud/SaaS
Shadow AI Risk: How SaaS Apps Are Quietly Enabling Massive Breaches - SecurityWeek
Most Google Cloud Attacks Start With Bug Exploitation
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Crypto Scam "ShieldGuard" Dismantled After Malware Discovery - Infosecurity Magazine
C2 Implant 'SnappyClient' Targets Crypto Wallets
Cyber Crime, Organised Crime & Criminal Actors
Cyber criminals too are working from home… your home – Computerworld
Home Office and NCA to lead new national Online Crime Centre – PublicTechnology
Cybercriminals scale up, government sector hit hardest - Help Net Security
Data Breaches/Leaks
Millions of UK businesses exposed by Companies House security flaw | The Independent
Threat Actor Targeting VPN Users in New Credential Theft Campaign - SecurityWeek
What the Recent PayPal Breach Says About Modern Web Risk - Security Boulevard
Telus Digital confirms breach after hacker claims 1 petabyte data theft
Starbucks discloses data breach affecting hundreds of employees
What Proton’s Data Breach Observatory reveals in 2026 | Proton
Oracle EBS Hack: Only 4 Corporate Giants Still Silent on Potential Impact - SecurityWeek
Robotics surgical biz Intuitive discloses phishing attack • The Register
Police Scotland Fined After Sharing Victim’s Phone Data - Infosecurity Magazine
Canadian retail giant Loblaw notifies customers of data breach
Starbucks data breach impacts 889 employees
Aura confirms data breach exposing 900,000 marketing contacts
Denial of Service/DoS/DDoS
Why Most DDoS Protection Fails: Solving for Continuity and Resilience - Security Boulevard
What Are Your DDoS Testing Options in 2026? - Security Boulevard
Encryption
Why Post-Quantum Cryptography Can't Wait
Fraud, Scams and Financial Crime
Crypto Scam "ShieldGuard" Dismantled After Malware Discovery - Infosecurity Magazine
C2 Implant 'SnappyClient' Targets Crypto Wallets
AI-driven fraud far more profitable, Interpol warns • The Register
Fake scandal clips on Facebook bait victims into investment scams - Help Net Security
Global fraud losses climb to $442 billion - Help Net Security
Home Office and NCA to lead new national Online Crime Centre – PublicTechnology
€1 million online fraud scheme uncovered, three suspects arrested - Help Net Security
Going the Extra Mile: Travel Rewards Turn into Underground Currency.
The Refund Fraud Economy: Exploiting Major Retailers and Payment Platforms
Google, Amazon, Microsoft and others sign accord to stop scammers
Insider Risk and Insider Threats
When Cyberwar Hits the Corporate Home Front | Ropes & Gray LLP - JDSupra
War, AI, and the human factor | Ctech
Your Employees’ Tech Frustration is a Gift to Cybercriminals | TechRadar
Rising cyber threats bring the human factor back center stage | Ctech
Elite members of North Korean society fake their way into Western paychecks - Help Net Security
North Korean's 100k fake IT workers net $500M a year for Kim • The Register
Insurance
Gallagher Re urges more efficient cyber coverage :: Insurance Day
Emerging cyber risks challenge brokers | Insurance Business
Internet of Things – IoT
Every New Connected Feature Expands Vehicle Cybersecurity Risk, Says Deloitte | Autocar Professional
Security issues found in 79% of dash cams we tested - Which?
Law Enforcement Action and Take Downs
Law enforcement shuts down botnet made of tens of thousands of hacked routers | TechCrunch
US and European authorities disrupt socksEscort proxy service tied to AVrecon botnet
Home Office and NCA to lead new national Online Crime Centre – PublicTechnology
€1 million online fraud scheme uncovered, three suspects arrested - Help Net Security
FBI seeks victims of Steam games used to spread malware
British man charged in Dubai for alleged filming of Iranian missiles - BBC News
Linux and Open Source
Big tech companies step in to support the open source security ecosystem - Help Net Security
Unprivileged users could exploit AppArmor bugs to gain root access
Malvertising
Fake scandal clips on Facebook bait victims into investment scams - Help Net Security
Malware
Your favorite image-saving Chrome extension was scraping data
Crypto Scam "ShieldGuard" Dismantled After Malware Discovery - Infosecurity Magazine
C2 Implant 'SnappyClient' Targets Crypto Wallets
Criminals hijack thousands of devices to create never-before-seen cyber weapon | The Independent
AI-generated Slopoly malware used in Interlock ransomware attack
Sophisticated Surveillance RAT Marketed for Global Buyers
Self-replicating malware spreads on GitHub, npm, Open VSX | Cybernews
Adaptability, Not Novelty: The Next Evolution of Malware - Security Boulevard
FBI seeks victims of Steam games used to spread malware
Rust-Based VENON Malware Targets 33 Brazilian Banks with Credential-Stealing Overlays
Chinese Hackers Target Southeast Asian Militaries with AppleChris and MemFun Malware
Vidar Stealer 2.0 Exploits Fake Game Cheats on GitHub, Reddit - Infosecurity Magazine
Misinformation, Disinformation and Propaganda
Russia’s crackdown on VPNs reaches new heights as internet restrictions intensify | TechRadar
Information Warfare: Ukrainian CyberWar Deceptions
Mobile
Attack on Stryker ’s Microsoft environment wiped employee devices without malware
New iOS Exploit With Advanced iPhone Hacking Tools Attacking Users to Steal Personal Data
Second iOS exploit kit now in use by suspected Russian hackers | CyberScoop
DarkSword: iPhone Exploit Kit Serves Spies & Thieves Alike
Snoops plant info-stealing malware on iPhones, Google warns • The Register
875 Million Android Phones At Risk From 60 Second Hack
Apple WebKit Vulnerability Enables Malicious Web Content Bypass on iOS and macOS
MediaTek security flaw may have affected more Android phones than initially reported
LeakNet ransomware uses ClickFix, Deno runtime in stealthy attacks
Android vs iOS security: Which operating system is safer? | Proton
Models, Frameworks and Standards
ISO 27000 standards for security and compliance | Proton
Outages
Microsoft Exchange Online outage blocks access to mailboxes
Passwords, Credential Stuffing & Brute Force Attacks
Threat Actor Targeting VPN Users in New Credential Theft Campaign - SecurityWeek
Credential-stealing crew spoofs Ivanti, Fortinet, Cisco VPNs • The Register
Rust-Based VENON Malware Targets 33 Brazilian Banks with Credential-Stealing Overlays
I stopped using security questions when I found how easy they are to hack
Regulations, Fines and Legislation
EU freezes Chinese, Iranian firms over major cyberattacks | Cybernews
UK: Regulation Drives Cyber Spending for Critical Infrastructure Orgs - Infosecurity Magazine
EU Parliament backs extension of CSAM detection rules until 2027 - Help Net Security
UK Cyber Security and Resilience Bill: key considerations for technology businesses
The UK's plans to tackle ransomware
Commercial Spyware Opponents Fear US Policy Shifting
Social media giants urged to protect children, UK rejects under-16 ban
Social Media
Fake scandal clips on Facebook bait victims into investment scams - Help Net Security
EU Parliament backs extension of CSAM detection rules until 2027 - Help Net Security
Russia’s crackdown on VPNs reaches new heights as internet restrictions intensify | TechRadar
Social media giants urged to protect children, UK rejects under-16 ban
Software Supply Chain
Self-replicating malware spreads on GitHub, npm, Open VSX | Cybernews
Supply Chain and Third Parties
Oracle EBS Hack: Only 4 Corporate Giants Still Silent on Potential Impact - SecurityWeek
Cyber exposures: third-party risk in a hyperconnected world — Financier Worldwide
The Growing Cyber Risk to Supply Chains by Marko Kovacevic & Sasha Pailet Koff - Project Syndicate
UK Cyber Security and Resilience Bill: key considerations for technology businesses
Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity
Cyber Warfare and Cyber Espionage
When Cyberwar Hits the Corporate Home Front | Ropes & Gray LLP - JDSupra
War, AI, and the human factor | Ctech
DarkSword: iPhone Exploit Kit Serves Spies & Thieves Alike
Snoops plant info-stealing malware on iPhones, Google warns • The Register
Why cyber attacks on critical national infrastructure are such a huge threat | IT Pro
'Digital fog of war' around Iranian cyberattacks | DefenceTalk
Stryker hack could set stage for more pro-Iran cyber sabotage - Nextgov/FCW
Suspicions grow that China is exploiting FOI laws to gather UK security data
Cyberattacks Spike 245% in the Two Weeks After the Start of War With Iran - Security Boulevard
Surge in Nation State Attacks on UK Firms Amid Cyber Warfare Fears - Infosecurity Magazine
Russia establishes Vienna as key western spy hub targeting NATO
The Growing Cyber Risk to Supply Chains by Marko Kovacevic & Sasha Pailet Koff - Project Syndicate
Attack on Stryker ’s Microsoft environment wiped employee devices without malware
Hybrid attack on Ireland's critical infrastructure 'could cause social collapse within 48 hours'
Information Warfare: Ukrainian CyberWar Deceptions
Tracking the Iran War: A Month of Escalation and Regional Impact
Autonomous Agents and the Future of Cyber Competition
SideWinder Espionage Campaign Expands Across Southeast Asia
Nation State Actors
Why cyber attacks on critical national infrastructure are such a huge threat | IT Pro
China
Suspicions grow that China is exploiting FOI laws to gather UK security data
EU freezes Chinese, Iranian firms over major cyberattacks | Cybernews
Chinese Hackers Target Southeast Asian Militaries with AppleChris and MemFun Malware
Russia
New iOS Exploit With Advanced iPhone Hacking Tools Attacking Users to Steal Personal Data
Second iOS exploit kit now in use by suspected Russian hackers | CyberScoop
DarkSword: iPhone Exploit Kit Serves Spies & Thieves Alike
Cisco Firewall Vulnerability Exploited as Zero-Day in Interlock Ransomware Attacks - SecurityWeek
Cisco’s latest vulnerability spree has a more troubling pattern underneath | CyberScoop
NCSC warns of ongoing Russian-aligned hacktivist cyber threats | UKAuthority
Russia establishes Vienna as key western spy hub targeting NATO
Russia-linked APT uses DRILLAPP backdoor to spy on Ukrainian targets
Information Warfare: Ukrainian CyberWar Deceptions
Russia’s crackdown on VPNs reaches new heights as internet restrictions intensify | TechRadar
Cyberattack disrupts parking payments in Russian city | The Record from Recorded Future News
North Korea
Elite members of North Korean society fake their way into Western paychecks - Help Net Security
North Korean's 100k fake IT workers net $500M a year for Kim • The Register
Iran
Stryker hack could set stage for more pro-Iran cyber sabotage - Nextgov/FCW
Cyberattacks Spike 245% in the Two Weeks After the Start of War With Iran - Security Boulevard
Surge in Nation State Attacks on UK Firms Amid Cyber Warfare Fears - Infosecurity Magazine
Iran conflict prompts US tech companies to reassess cyber vulnerabilities
'Digital fog of war' around Iranian cyberattacks | DefenceTalk
Attack on Stryker ’s Microsoft environment wiped employee devices without malware
EU freezes Chinese, Iranian firms over major cyberattacks | Cybernews
Tracking the Iran War: A Month of Escalation and Regional Impact
Iranian cyber attacks at full force even as Tehran imposes internet blackout | The National
Are Microsoft systems exposed? US flags risks after Stryker breach
Poland says foiled cyberattack on nuclear centre may have come from Iran | Reuters
Hybrid attack on Ireland's critical infrastructure 'could cause social collapse within 48 hours'
Risky Business? Why US and Israel Are Targeting Iran’s Banks | Geopolitical Monitor
Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence
Surge in Nation State Attacks on UK Firms Amid Cyber Warfare Fears - Infosecurity Magazine
Tools and Controls
EDR killers are now standard equipment in ransomware attacks - Help Net Security
How Cyber Risk Management Builds Resilience | Kovrr - Security Boulevard
Cyber exposures: third-party risk in a hyperconnected world — Financier Worldwide
Threat Actor Targeting VPN Users in New Credential Theft Campaign - SecurityWeek
Credential-stealing crew spoofs Ivanti, Fortinet, Cisco VPNs • The Register
Attackers Don't Just Send Phishing Emails. They Weaponize Your SOC's Workload
Your APIs are under siege, and attackers are just getting warmed up - Help Net Security
UK: Regulation Drives Cyber Spending for Critical Infrastructure Orgs - Infosecurity Magazine
US charges another ransomware negotiator linked to BlackCat attacks
Emerging cyber risks challenge brokers | Insurance Business
How CISOs can build a truly unified and resilient security platform | Computer Weekly
Calculating the ROI of AI in cybersecurity | TechTarget
Russia’s crackdown on VPNs reaches new heights as internet restrictions intensify | TechRadar
Certificate lifespans are shrinking and most organizations aren't ready - Help Net Security
Bank built its own AI threat hunter because vendors can’t • The Register
UK Cyber Monitoring Centre Sets Its Sights on US Expansion - Infosecurity Magazine
Switzerland built an alternative to BGP. Nobody noticed • The Register
Reports Published in the Last Week
Other News
Cyberattackers Don't Care About Good Causes
The Data Gap: Why Nonprofit Cyber Incidents Go Underreported
Hybrid attack on Ireland's critical infrastructure 'could cause social collapse within 48 hours'
EU-UK digital cooperation | Epthinktank | European Parliament
The Market for Spyware is Growing: It's Used Differently Against Women - The Citizen Lab
Why Are Platform Ecosystems — Like Salesforce — Often Targeted? | Security Magazine
UK Cyber Monitoring Centre Sets Its Sights on US Expansion - Infosecurity Magazine
The midmarket security gap • The Register
SMB cybersecurity in 2026: From reactive defense to strategic partnership | ChannelPro
Vulnerability Management
Most Google Cloud Attacks Start With Bug Exploitation
Vulnerabilities
Ransomware gang exploits Cisco flaw in zero-day attacks since January
Cisco Firewall Vulnerability Exploited as Zero-Day in Interlock Ransomware Attacks - SecurityWeek
Cisco’s latest vulnerability spree has a more troubling pattern underneath | CyberScoop
Apple WebKit Vulnerability Enables Malicious Web Content Bypass on iOS and macOS
875 Million Android Phones At Risk From 60 Second Hack
MediaTek security flaw may have affected more Android phones than initially reported
Google rushes Chrome update to fix zero-days under attack • The Register
Microsoft releases Windows 11 OOB hotpatch to fix RRAS RCE flaw
Researchers disclose vulnerabilities in IP KVMs from four manufacturers - Ars Technica
Apple Fixes WebKit Vulnerability Enabling Same-Origin Policy Bypass on iOS and macOS
Critical Unpatched Telnetd Flaw (CVE-2026-32746) Enables Unauthenticated Root RCE via Port 23
ConnectWise patches new flaw allowing ScreenConnect hijacking
Unknown attackers exploit another critical SharePoint bug • The Register
Unprivileged users could exploit AppArmor bugs to gain root access
Critical HPE AOS-CX Vulnerability Allows Admin Password Resets - SecurityWeek
Critical UniFi flaw allows unauthenticated compromise | Cybernews
Critical Langflow Vulnerability Exploited Hours After Public Disclosure - SecurityWeek
New Ubuntu Flaw Enables Local Attackers to Gain Root Access - Infosecurity Magazine
New ‘PolyShell’ flaw allows unauthenticated RCE on Magento e-stores
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime & Shipping
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
Contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to external articles are provided for general interest and awareness only. Linking to or reposting external content does not constitute endorsement of or by any organisation, service, or product. We do not control and are not responsible for the content, security, or availability of external websites or links. Full credit is given to the original authors and sources. E&OE.
Black Arrow Cyber Threat Intelligence Briefing 13 March 2026
Black Arrow Cyber Threat Intelligence Briefing 13 March 2026:
-Only 30 Minutes per Quarter on Cyber Risk: Why CISO-Board Conversations Are Falling Short
-The Who, What, and Why of the Attack That Has Shut Down Stryker’s Windows Network
-Insights: Increased Risk of Wiper Attacks
-Iran Plots 'Infrastructure Warfare' Against US Tech Giants
-Middle East Conflict Tests Cyber War Exclusions, S&P Warns
-New Windows Malware Impersonates Everyday Apps to Infect Your Computer
-Cyber Attacks on UK Firms Increase at Four Times Global Rate
-Why Cyber Security Threats Are Growing
-The Human Side of Password Security That Tools Can’t Fix
-Credential Stuffing in 2025 – How Combolists, Infostealers and Account Takeover Became an Industry
-Microsoft: Hackers Abusing AI at Every Stage of Cyber Attacks
-Microsoft Warns North Korean Threat Groups Are Scaling Up Fake Worker Schemes With Generative AI
-Google Threat Intelligence Group Warns Enterprise Systems Increasingly Targeted by Zero-Day Exploits
Welcome to this week’s Black Arrow Cyber Threat Intelligence Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Executive Summary
Cyber security is based on risk management and governance; we start this week with research on the views of business and security leaders on how effective that governance is. We also share insights on an impactful incident where Iranian attackers accessed an organisation’s Microsoft Intune platform and remotely wiped large numbers of the victim’s Windows devices. The Middle East conflict also highlights the challenges with cyber insurance coverage and war exclusions.
The second half of our briefing includes developments in attacker tactics, from fake versions of familiar apps to AI-driven malware and exploiting poor password choices of employees, highlighting again that employees are at the front line of cyber security and are vital to safeguarding the organisation.
These threats and the required actions require business leaders to have their own clear and objective understanding of their organisation’s risk and the options for security controls spanning people, operations and technology. Credible and informed governance underpins all of this. Contact us to discuss how to achieve this, proportionate to your profile.
Top Cyber Stories of the Last Week
Only 30 Minutes per Quarter on Cyber Risk: Why CISO-Board Conversations Are Falling Short
New research suggests many boards are not spending enough time on cyber risk, with most security leaders given just 30 minutes each quarter and only 30% of boards describing the relationship as strong and collaborative. While 95% of security leaders report to the board regularly, discussions often stay at a high level and do not explore future risks such as artificial intelligence, which can both power more advanced cyber attacks and create new business exposures. Boards often stop short of experiencing cyber risk directly, with fewer than half participating in tabletop exercises or crisis simulations, indicating that reporting still focuses more on the current state than on preparing directors for what comes next.
The Who, What, and Why of the Attack That Has Shut Down Stryker’s Windows Network
A US‑based healthcare technology company, Stryker, has suffered a major cyber disruption after a pro-Iranian hacking group claimed responsibility for wiping large numbers of the company’s Windows systems. Reports suggest attackers may have used Microsoft Intune to issue deletion commands across Stryker’s Windows network, while other reports indicated that the erased devices displayed the Handala Hack logo, a group aligned with Iran’s Ministry of Intelligence. Stryker says it has found no evidence of ransomware or traditional malware; the attackers framed the attack as retaliation for recent US and Israeli military action.
Insights: Increased Risk of Wiper Attacks
Organisations face a heightened risk of disruptive cyber attacks linked to the conflict with Iran, with attackers reportedly gaining access to networks using legitimate corporate user credentials and then deleting servers and workstations. Israeli authorities have already reported several cases where operations were disrupted in this way. To manage this risk, organisations should reduce always-on administrator access, strengthen multi-factor authentication, tightly control high impact actions, monitor for unusual remote wipe activity and keep secure offline backups. Regular staff training is also essential, as email deception remains a common entry point.
https://unit42.paloaltonetworks.com/handala-hack-wiper-attacks/
Iran Plots 'Infrastructure Warfare' Against US Tech Giants
Iran has identified nearly 30 facilities linked to major US technology companies as potential targets, according to reporting from Iranian state‑affiliated media, including Amazon, Google, IBM, Microsoft, Nvidia, Oracle and Palantir across Bahrain, Israel, Qatar and the UAE. The move follows reported strikes on three Amazon Web Services data centres in the region, which disrupted some cloud services and forced several providers to activate disaster recovery plans. For business leaders, this highlights how geopolitical conflict can quickly affect digital services, supply chains and operational resilience far beyond the immediate area.
https://www.theregister.com/2026/03/11/iran_threatens_us_tech_companies/
Middle East Conflict Tests Cyber War Exclusions, S&P Warns
S&P Global Ratings has warned that rising cyber activity linked to the Middle East conflict could expose weaknesses in cyber insurance, particularly where policy wording struggles to separate acts of war from criminal activity. Recent incidents have mainly caused disruption rather than major insured losses, but the risk of more damaging attacks remains. The agency also noted that cyber insurance premiums could more than double by the end of the decade. For leaders, the concern is clear: a single large-scale event could disrupt multiple organisations at once and leave uncertainty over what is actually covered.
New Windows Malware Impersonates Everyday Apps to Infect Your Computer
Microsoft has warned of a Windows malware campaign that tricks people into downloading fake versions of familiar apps such as Adobe, Teams, Zoom and Google Meet through convincing phishing emails and counterfeit PDF prompts. The malicious software can appear legitimate because it looks digitally signed, a feature many people associate with trust. Once installed, the fake applications deploy remote monitoring and management tools, and create a secondary copy of the application as a Windows service to maintain persistence in the victim’s systems. The campaign is a reminder of the need to control software downloads, and to treat unexpected email attachments and update prompts with caution.
https://www.bgr.com/2119188/windows-malware-impersonates-signed-apps-infect-computer/
Cyber Attacks on UK Firms Increase at Four Times Global Rate
UK organisations are facing a sharp rise in cyber attacks, with incidents up 36% year on year in February 2026, compared with 9.8% globally. Education, energy, government, healthcare and financial services were among the hardest hit sectors. Ransomware, where criminals lock systems or data until a payment is made, remains a serious threat. At the same time, growing use of generative AI is increasing the risk of sensitive business information being accidentally exposed through employee prompts.
https://www.infosecurity-magazine.com/news/cyberattacks-uk-firms-increase/
Why Cyber Security Threats Are Growing
Organisations are facing a fast-growing cyber security threat as attacks become cheaper, faster and more convincing, particularly with the rise of artificial intelligence. The average global cost of a single data breach is about $4.4 million, while reported losses in the United States exceeded $10 million between March 2024 and February 2025. New tactics such as realistic fake audio and video, used to impersonate senior executives, are increasing fraud risks. For leadership teams, the message is clear: cyber security must be treated as a business resilience issue, supported by stronger authentication practices, employee training and greater awareness of how AI-enabled deception can bypass traditional defences.
https://time.com/7382979/cybersecurity-threats-are-growing/
The Human Side of Password Security That Tools Can’t Fix
Weak and reused passwords remain one of the easiest ways for attackers to gain access, and the problem is often human behaviour rather than a lack of technology. Annual training alone is rarely enough, so organisations should reinforce simple, practical guidance throughout the year. Stronger habits are most effective when backed by approved password managers, longer unique passphrases, and multi-factor authentication, which adds a second check to confirm identity. Leaders should also ensure existing security tools are fully enabled, as many already include stronger password controls that are not being used.
https://www.msspalert.com/perspective/the-human-side-of-password-security-that-tools-cant-fix
Credential Stuffing in 2025 – How Combolists, Infostealers and Account Takeover Became an Industry
Stolen usernames and passwords remain one of the most common ways into organisations, contributing to around a fifth of confirmed data breaches over the last three years. Criminal groups now treat account takeover as a low cost, high volume business, using malware to harvest login details and automated tools to test them across multiple services. Recent incidents affected more than 20,000 Australian pension accounts, while one major US healthcare breach caused a $22 million ransom payment and an estimated $872 million in disruption costs. The clearest safeguard is strong multi-factor authentication, which requires more than a password to gain access.
Microsoft: Hackers Abusing AI at Every Stage of Cyber Attacks
Microsoft reports that criminals are now using artificial intelligence to speed up and scale cyber attacks at almost every stage, from research and convincing scam emails to malicious software and follow-on activity after access is gained. The technology helps less skilled attackers work faster by producing text, code and fake online identities, while human operators choose the targets and direct the attack. The wider risk is that AI is lowering the barrier to entry, making established tactics easier to deliver at greater volume and with more convincing social engineering.
Microsoft Warns North Korean Threat Groups Are Scaling Up Fake Worker Schemes With Generative AI
Microsoft reports that North Korean groups are using generative AI to make fake remote worker schemes faster, more convincing and harder to detect. AI is helping them build realistic online identities, tailor job applications, mimic internal communications in multiple languages and even alter photos for identity documents. In some cases, it is also being used after hiring to draft credible messages, answer technical questions and produce code. Microsoft warns this could increase the scale and success of fraud, espionage and data theft against global organisations.
https://cyberscoop.com/microsoft-north-korea-ai-operations/
Google Threat Intelligence Group Warns Enterprise Systems Increasingly Targeted by Zero-Day Exploits
Google reports that attackers continued to exploit previously unknown software flaws at a high rate in 2025, with 90 cases tracked during the year. The focus is shifting away from consumer software towards business systems such as networking equipment, security tools and virtualisation platforms that help run corporate IT. Mobile devices were also targeted more often, rising from 9 cases in 2024 to 15 in 2025. The report warns that commercial surveillance firms are now playing a larger role in these attacks and that attackers may increasingly use AI tools to automate reconnaissance, vulnerability discovery and exploit development.
Threats
Ransomware, Extortion and Destructive Attacks
Majority of cyber insureds refuse to pay ransomware: Coalition :: Insurance Day
Initial cyber ransom demands grew by 47% in 2025 | Insurance Times
Revealed - what's changing about cyber claims | Insurance Business
Termite ransomware breaches linked to ClickFix CastleRAT attacks
Ransomware record year | Professional Security Magazine
Insights: Increased Risk of Wiper Attacks
Destructive Activity Targeting Stryker Highlights Emerging Supply Chain Risks - Security Boulevard
Is cyberattack on U.S. health care firm the next phase of the Iran war? - National | Globalnews.ca
Stryker flags disruption to orders, manufacturing a day after cyberattack - CNA
Phobos Ransomware admin faces up to 20 years after guilty plea
Russian Ransomware Operator Pleads Guilty in US - SecurityWeek
The people behind cyber extortion are often in their forties - Help Net Security
Ransomware and Destructive Attack Victims
US Medical Equipment Maker Disabled In Hack Claimed By Iran
bne IntelliNews - Hacker group Handala claims cyber attack on US medical firm Stryker Corporation
How an Iranian-backed group crippled Stryker’s Irish HQ with a ‘wiper’ cyberattack
Crims hit EV charger firm ELECQ, steal customer contact data • The Register
INC Ransomware Group Holds Healthcare Hostage in Oceania
Phishing & Email Based Attacks
Researchers Trick Perplexity's Comet AI Browser Into Phishing Scam in Under Four Minutes
Microsoft Teams phishing targets employees with A0Backdoor malware
Signed Malware Masquerading as Teams, Zoom Apps Drops RMM Backdoors
Attackers use AiTM phishing kit, typosquatted domains to hijack AWS accounts - Help Net Security
New ‘BlackSanta’ EDR killer spotted targeting HR departments
HR, recruiters targeted in year-long malware campaign - Help Net Security
EU court adviser says banks must immediately refund phishing victims
Phishers hide scam links with IPv6 trick in “free toothbrush” emails | Malwarebytes
Phishing scammers weaponize ICE ragebait | PCWorld
Other Social Engineering
Termite ransomware breaches linked to ClickFix CastleRAT attacks
Microsoft spots ClickFix scam spreading Lumma infostealer • The Register
Fake Claude Code install guides push infostealers in InstallFix attacks
ClickFix Campaign Uses Fake VCs on LinkedIn to Deliver Malware to Crypto and Web3 Professionals
Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer
'InstallFix' Attacks Spread Fake Claude Code Sites
Researchers uncover AI-powered vishing platform - Help Net Security
EU court adviser says banks must immediately refund phishing victims
SIM Swaps Expose a Critical Flaw in Identity Security - SecurityWeek
Compromised WordPress Sites Deliver ClickFix Attacks - Infosecurity Magazine
2FA/MFA
Where Multi-Factor Authentication Stops and Credential Abuse Starts
Artificial Intelligence
Researchers Trick Perplexity's Comet AI Browser Into Phishing Scam in Under Four Minutes
AI-Driven Insider Risk Now a “Critical Business Threat,” Report Warns - Infosecurity Magazine
Microsoft: Hackers abusing AI at every stage of cyberattacks
Fake Claude Code install guides push infostealers in InstallFix attacks
CISOs in a Pinch: A Security Analysis of OpenClaw | Trend Micro (US)
AI is supercharging cloud cyberattacks - and third-party software is the most vulnerable | ZDNET
Most executives have no idea how many employees are actually using AI | IT Pro
AI has overtaken stolen passwords as the top identity threat, report says - BetaNews
Iran war: AI-fueled cyberattacks are escalating. Here's what to know
Agentic attack chains advance as infostealers flood criminal markets - Help Net Security
Researchers uncover AI-powered vishing platform - Help Net Security
Nation-State Actor Embraces AI Malware Assembly Line
Nation-State Hackers Play the Vibes - InfoRiskToday
AI Adoption Is Forcing Security Teams to Rethink Browser Defense - Security Boulevard
FBI says even in an AI-powered world, security basics still matter | CyberScoop
AI on the battlefield: How is the US integrating AI into its military?
AI is transforming modern warfare. It also wants to dismantle the rules | The Independent
'InstallFix' Attacks Spread Fake Claude Code Sites
5 Inconvenient Truths: How Agentic AI Breaks Your Security Playbook | SECURITY.COM
AI agent hacked McKinsey chatbot for read-write access • The Register
GhostClaw Mimic as OpenClaw to Steal Everything from Developers
Europe unites to build sovereign cloud and AI infrastructure to stop reliance on US
Anthropic forms institute to study long-term AI risks facing society - Help Net Security
The Fallout Over OpenAI's Pentagon Deal Is Growing - Business Insider
OpenAI robotics leader resigns over concerns about surveillance and autonomous weapons | Fortune
Privacy risks of agentic oversharing on the Web | Brave
Trump’s cyber strategy emphasizes offensive operations, deregulation, AI | CSO Online
Bots/Botnets
KadNap Malware Infects 14,000+ Edge Devices to Power Stealth Proxy Botnet
Cloud/SaaS
Cloud Attackers Now Prefer Vulnerability Exploits Over Credentials - Infosecurity Magazine
AI is supercharging cloud cyberattacks - and third-party software is the most vulnerable | ZDNET
Attackers use AiTM phishing kit, typosquatted domains to hijack AWS accounts - Help Net Security
Threat Actors Mass-Scan Salesforce Experience Cloud via Modified AuraInspector Tool
Google: Cloud attacks exploit flaws more than weak credentials
'Overly Permissive' Salesforce Cloud Configs in the Crosshairs
Hundreds of Salesforce Customers Allegedly Targeted in New Data Theft Campaign - SecurityWeek
Middle East Conflict Highlights Cloud Resilience Gaps
UNC6426 Exploits nx npm Supply-Chain Attack to Gain AWS Admin Access in 72 Hours
Cloud to ground: Iran puts foreign data centres on the front line | The Strategist
Salesforce issues new security alert tied to third customer attack spree in six months | CyberScoop
Europe unites to build sovereign cloud and AI infrastructure to stop reliance on US
Threat Actor Exploits Flaws and Uses Elastic Cloud SIEM to Manage Stol - Infosecurity Magazine
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
US contractor's son arrested over alleged $46M crypto theft • The Register
Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets
ClickFix Campaign Uses Fake VCs on LinkedIn to Deliver Malware to Crypto and Web3 Professionals
Fake CleanMyMac site installs SHub Stealer and backdoors crypto wallets | Malwarebytes
Fake GitHub tools are wiping wallets of Windows users | Cybernews
FBI arrests suspect linked to $46M crypto theft from US Marshals
Hackers Use Fake CleanMyMac Site to Deploy SHub Stealer and Hijack Crypto Wallets
UNC4899 Breached Crypto Firm After Developer AirDropped Trojanized File to Work Device
Crypto Gets National Security Status In New US Cyber Strategy
Cyber Crime, Organised Crime & Criminal Actors
Iran MOIS Colludes With Criminals to Boost Cyberattacks
Cybercrime isn't just a cover for Iran's government goons • The Register
Data Breaches/Leaks
'Overly Permissive' Salesforce Cloud Configs in the Crosshairs
Hundreds of Salesforce Customers Allegedly Targeted in New Data Theft Campaign - SecurityWeek
Scattered Spider attack on TfL affected 10 million people | Computer Weekly
Michelin Confirms Data Breach Linked to Oracle EBS Attack - SecurityWeek
GhostClaw Mimic as OpenClaw to Steal Everything from Developers
Crims hit EV charger firm ELECQ, steal customer contact data • The Register
Cal AI allegedly breached, hackers expose user data | Cybernews
Ericsson US discloses data breach after service provider hack
Data/Digital Sovereignty
Europe unites to build sovereign cloud and AI infrastructure to stop reliance on US
Denial of Service/DoS/DDoS
Teen crew caught selling DDoS attack tools - Help Net Security
Encryption
Swiss e-vote snafu leaves 2,048 ballots unreadable • The Register
Fraud, Scams and Financial Crime
That attractive online ad might be a malware trap - Help Net Security
A global investment scam is spreading across Facebook, WhatsApp, and more - what to look for | ZDNET
EU law advisor wants cybercrime protections fast-tracked • The Register
Signal warns users to be vigilant in spate of phishing attacks | Cybernews
Ghanain man pleads guilty to role in $100 million fraud ring
Dutch police start publicly shaming scammers into submission • The Register
EU court adviser says banks must immediately refund phishing victims
UK Launches New Crackdown Unit to Tackle Cyber-Fraud at the Source - Infosecurity Magazine
Identity and Access Management
AI has overtaken stolen passwords as the top identity threat, report says - BetaNews
SIM Swaps Expose a Critical Flaw in Identity Security - SecurityWeek
Insider Risk and Insider Threats
AI-Driven Insider Risk Now a “Critical Business Threat,” Report Warns - Infosecurity Magazine
Insurance
Majority of cyber insureds refuse to pay ransomware: Coalition :: Insurance Day
Revealed - what's changing about cyber claims | Insurance Business
Internet of Things – IoT
Crims hit EV charger firm ELECQ, steal customer contact data • The Register
DJI will pay $30K to the man who accidentally hacked 7,000 Romo robovacs | The Verge
Law Enforcement Action and Take Downs
Teen crew caught selling DDoS attack tools - Help Net Security
Dutch police start publicly shaming scammers into submission • The Register
UK Launches New Crackdown Unit to Tackle Cyber-Fraud at the Source - Infosecurity Magazine
Phobos Ransomware admin faces up to 20 years after guilty plea
Russian Ransomware Operator Pleads Guilty in US - SecurityWeek
Ghanain man pleads guilty to role in $100 million fraud ring
US contractor's son arrested over alleged $46M crypto theft • The Register
FBI arrests suspect linked to $46M crypto theft from US Marshals
Age Verification Laws Are Multiplying Like a Virus, and Your Linux Computer Might be Next
Police dismantles online gambling ring exploiting Ukrainian women
Linux and Open Source
Malvertising
A global investment scam is spreading across Facebook, WhatsApp, and more - what to look for | ZDNET
Malware
Browser extensions can install malware, researchers say | Cybernews
That attractive online ad might be a malware trap - Help Net Security
Hackers Use Fake CleanMyMac Site to Deploy SHub Stealer and Hijack Crypto Wallets
New KadNap botnet hijacks ASUS routers to fuel cybercrime proxy network
Fake Claude Code install guides push infostealers in InstallFix attacks
Agentic attack chains advance as infostealers flood criminal markets - Help Net Security
Microsoft spots ClickFix scam spreading Lumma infostealer • The Register
Crooks compromise WordPress sites, spread infostealers • The Register
Microsoft Teams phishing targets employees with A0Backdoor malware
Signed Malware Masquerading as Teams, Zoom Apps Drops RMM Backdoors
HR, recruiters targeted in year-long malware campaign - Help Net Security
Iran-linked MuddyWater deploys Dindoor malware against U.S. organizations
Massive GitHub malware operation spreads BoryptGrab stealer
Chrome Extension Turns Malicious After Ownership Transfer, Enabling Code Injection and Data Theft
Credential Stuffing in 2025 - How Combolists, Infostealers and Account Takeover Became an Industry
New 'Zombie ZIP' technique lets malware slip past security tools
ClickFix Campaign Uses Fake VCs on LinkedIn to Deliver Malware to Crypto and Web3 Professionals
Fake GitHub tools are wiping wallets of Windows users | Cybernews
UNC4899 Breached Crypto Firm After Developer AirDropped Trojanized File to Work Device
Nation-State Actor Embraces AI Malware Assembly Line
Nation-State Hackers Play the Vibes - InfoRiskToday
Compromised WordPress Sites Deliver ClickFix Attacks - Infosecurity Magazine
Over 100 GitHub Repositories Distributing BoryptGrab Stealer - SecurityWeek
Wikipedia hit by self-propagating JavaScript worm that vandalized pages
Chinese state hackers target telcos with new malware toolkit
Misinformation, Disinformation and Propaganda
Twitter suspended 800 million accounts last year — so why does manipulation remain so rampant?
Mobile
Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets
Feds take notice of iOS vulnerabilities exploited under mysterious circumstances - Ars Technica
Government iPhone Exploits Reach Cybercriminals - DevX
New BeatBanker Android malware poses as Starlink app to hijack devices
Signal warns users to be vigilant in spate of phishing attacks | Cybernews
Spyware disguised as emergency-alert app sent to Israelis • The Register
A major security flaw could affect 1 in 4 Android phones - here's how to check yours | ZDNET
SIM Swaps Expose a Critical Flaw in Identity Security - SecurityWeek
You should lock your SIM card before someone else does
Models, Frameworks and Standards
EU Cyber Resilience Act: European Commission publishes draft guidance | Hogan Lovells - JDSupra
Germany Implements NIS2, Expanding Cybersecurity Obligations
EU NIS2 directive implemented into Polish law by president
Passwords, Credential Stuffing & Brute Force Attacks
Credential Stuffing in 2025 - How Combolists, Infostealers and Account Takeover Became an Industry
Cloud Attackers Now Prefer Vulnerability Exploits Over Credentials - Infosecurity Magazine
The Human Side of Password Security That Tools Can’t Fix | perspective | MSSP Alert
AI has overtaken stolen passwords as the top identity threat, report says - BetaNews
Google: Cloud attacks exploit flaws more than weak credentials
Where Multi-Factor Authentication Stops and Credential Abuse Starts
FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials
Regulations, Fines and Legislation
EU Cyber Resilience Act: European Commission publishes draft guidance | Hogan Lovells - JDSupra
EU law advisor wants cybercrime protections fast-tracked • The Register
EU court adviser says banks must immediately refund phishing victims
CVE program funding secured, easing fears of repeat crisis | CSO Online
Germany Implements NIS2, Expanding Cybersecurity Obligations
EU NIS2 directive implemented into Polish law by president
Age Verification Laws Are Multiplying Like a Virus, and Your Linux Computer Might be Next
Crypto Gets National Security Status In New US Cyber Strategy
Anthropic sues the Pentagon after being labeled a threat to national security | Fortune
Trump’s cyber strategy emphasizes offensive operations, deregulation, AI | CSO Online
DHS CISO, deputy CISO exit amid reported IT leadership overhaul | FedScoop
White House Cybersecurity Strategy Is Light on Details, Big on Consequences
Social Media
Twitter suspended 800 million accounts last year — so why does manipulation remain so rampant?
A global investment scam is spreading across Facebook, WhatsApp, and more - what to look for | ZDNET
ClickFix Campaign Uses Fake VCs on LinkedIn to Deliver Malware to Crypto and Web3 Professionals
Software Supply Chain
AI is supercharging cloud cyberattacks - and third-party software is the most vulnerable | ZDNET
Over 100 GitHub Repositories Distributing BoryptGrab Stealer - SecurityWeek
Supply Chain and Third Parties
AI is supercharging cloud cyberattacks - and third-party software is the most vulnerable | ZDNET
UNC6426 Exploits nx npm Supply-Chain Attack to Gain AWS Admin Access in 72 Hours
Michelin Confirms Data Breach Linked to Oracle EBS Attack - SecurityWeek
Ericsson US discloses data breach after service provider hack
Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity
Cyber Warfare and Cyber Espionage
Cyberattacks and Unpredictable Targeting Remain an Iran Risk
Insights: Increased Risk of Wiper Attacks
Iran war: Is Europe prepared for the fallout?
Securing Critical Infrastructure in a Time of War
Chinese Nexus Actors Shift Focus to Qatar Amid Iranian Conflict
Hybrid warfare and Europe’s democratic resilience - Decode39
War spreads into cyberspace after Iran-linked hackers hit medtech giant Stryker - Help Net Security
Iran war: What role is cyber warfare played in Iran? - BBC News
Middle East conflict tests cyber war exclusions, S&P warns | Insurance Business
Heightened risk of severe cyberattacks amid Middle East conflict: S&P - Reinsurance News
AI on the battlefield: How is the US integrating AI into its military?
AI is transforming modern warfare. It also wants to dismantle the rules | The Independent
Submarine cables move to the center of critical infrastructure security debate - Help Net Security
How Chinese Hackers Reached America’s Surveillance Infrastructure - Security Boulevard
5 Actions Critical for Cybersecurity Leadership During International Conflicts - Security Boulevard
OpenAI robotics leader resigns over concerns about surveillance and autonomous weapons | Fortune
This spy tool has been quietly stealing data for years - Help Net Security
Defence secretary John Healey is losing sleep over our uncertain world
Nation State Actors
Nation-State Actor Embraces AI Malware Assembly Line
Nation-State Hackers Play the Vibes - InfoRiskToday
China
Chinese Nexus Actors Shift Focus to Qatar Amid Iranian Conflict
How Chinese Hackers Reached America’s Surveillance Infrastructure - Security Boulevard
Google: Spyware vendors, China-linked spies led 0-day abuse • The Register
Spyware suppliers exploit more zero-days than nation states | Computer Weekly
The New U.S. Cyber Strategy Misreads China’s Threat | Council on Foreign Relations
Chinese state hackers target telcos with new malware toolkit
Chinese Cyber Threat Lurks In Critical Asian Sectors for Years
China’s CERT warns OpenClaw can inflict nasty wounds • The Register
China-Linked Hackers Use TernDoor, PeerTime, BruteEntry in South American Telecom Attacks
Russia
Hybrid warfare and Europe’s democratic resilience - Decode39
Signal issues scam warning to users after hackers target officials - BBC News
Russia-linked hackers appear on Iran war’s cyber front, but their impact is murky - Nextgov/FCW
This spy tool has been quietly stealing data for years - Help Net Security
Russian gang claims breach of US power grid cooperative | Cybernews
Phobos Ransomware admin faces up to 20 years after guilty plea
Russian Ransomware Operator Pleads Guilty in US - SecurityWeek
North Korea
UNC4899 Breached Crypto Firm After Developer AirDropped Trojanized File to Work Device
Iran
War spreads into cyberspace after Iran-linked hackers hit medtech giant Stryker - Help Net Security
Iran war: What role is cyber warfare played in Iran? - BBC News
Middle East conflict tests cyber war exclusions, S&P warns | Insurance Business
Heightened risk of severe cyberattacks amid Middle East conflict: S&P - Reinsurance News
Cyberattacks and Unpredictable Targeting Remain an Iran Risk
Iran conflict drives heightened espionage activity against Middle East targets | Proofpoint US
Iran war: AI-fueled cyberattacks are escalating. Here's what to know
Global business on alert for Iranian cyber-attack threat
Middle East Conflict Fuels Opportunistic Cyber Attacks - Security Boulevard
Iran plots 'infrastructure warfare' against US tech giants • The Register
Insights: Increased Risk of Wiper Attacks
Iran war: Is Europe prepared for the fallout?
Securing Critical Infrastructure in a Time of War
Iran-linked APT targets US critical sectors with new backdoors - Help Net Security
Iran MOIS Colludes With Criminals to Boost Cyberattacks
Cybercrime isn't just a cover for Iran's government goons • The Register
Middle East Conflict Highlights Cloud Resilience Gaps
Cloud to ground: Iran puts foreign data centres on the front line | The Strategist
bne IntelliNews - Hacker group Handala claims cyber attack on US medical firm Stryker Corporation
Destructive Activity Targeting Stryker Highlights Emerging Supply Chain Risks - Security Boulevard
The who, what, and why of the attack that has shut down Stryker's Windows network - Ars Technica
Is cyberattack on U.S. health care firm the next phase of the Iran war? - National | Globalnews.ca
Stryker flags disruption to orders, manufacturing a day after cyberattack - CNA
Iran war will bring wave of 'low-level cyber activity,' says intelligence group | StateScoop
Europol warns of elevated terrorism threat in EU amid Iran conflict
GPS Attacks Near Iran Are Wreaking Havoc on Delivery and Mapping Apps | WIRED
Iran's Cyber-Kinetic War Doctrine Takes Shape
Iran-linked hackers target IP cameras across Israel and Gulf states for military intelligence
Russia-linked hackers appear on Iran war’s cyber front, but their impact is murky - Nextgov/FCW
Chinese Nexus Actors Shift Focus to Qatar Amid Iranian Conflict
Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence
UNC6426 Exploits nx npm Supply-Chain Attack to Gain AWS Admin Access in 72 Hours
Spyware suppliers exploit more zero-days than nation states | Computer Weekly
Tools and Controls
Majority of cyber insureds refuse to pay ransomware: Coalition :: Insurance Day
Revealed - what's changing about cyber claims | Insurance Business
Survey: CISOs Continue to Struggle to Strike Right Risk Balance - Security Boulevard
Microsoft warns of new signed malware which deploys remote monitoring tools as backdoors | TechRadar
Threat Actor Exploits Flaws and Uses Elastic Cloud SIEM to Manage Stol - Infosecurity Magazine
AI is getting scary good at finding hidden software bugs - even in decades-old code | ZDNET
More AI tools, more burnout! New research explains why - Help Net Security
This VPN ban is edging ever closer, and here's what it means for your privacy
Why AI Security Is Emerging as the Fourth Pillar of Cybersecurity - IT Security Guru
After the Panic, the Reality of Claude Code Security
OpenAI’s GPT-5.4 doubles down on safety as competition heats up - Help Net Security
Bug bounties are broken, and the best security pros are moving on - Help Net Security
Scientists have found a way to hide data in plain sight, and hackers can’t touch it - Digital Trends
Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model
Other News
Submarine cables move to the center of critical infrastructure security debate - Help Net Security
Defence secretary John Healey is losing sleep over our uncertain world
UK Launches New Crackdown Unit to Tackle Cyber-Fraud at the Source - Infosecurity Magazine
Swiss e-vote snafu leaves 2,048 ballots unreadable • The Register
Vulnerability Management
Cloud Attackers Now Prefer Vulnerability Exploits Over Credentials - Infosecurity Magazine
Google GTIG: 90 zero-day flaws exploited in 2025 as enterprise targets grow
Spyware suppliers exploit more zero-days than nation states | Computer Weekly
CVE program funding secured, easing fears of repeat crisis | CSO Online
AI is getting scary good at finding hidden software bugs - even in decades-old code | ZDNET
Vulnerabilities
Critical Microsoft Excel bug weaponizes Copilot Agent • The Register
Veeam Patches 7 Critical Backup & Replication Flaws Allowing Remote Code Execution
Microsoft Patches 83 CVEs in March Update
Dozens of Vendors Patch Security Flaws Across Enterprise Software and Network Devices
Fortinet, Ivanti, Intel Patch High-Severity Vulnerabilities - SecurityWeek
Splunk, Zoom Patch Severe Vulnerabilities - SecurityWeek
Chrome 146 Update Patches Two Exploited Zero-Days - SecurityWeek
Apple issues emergency fixes for Coruna flaws in older iOS versions
Apple Updates Legacy iOS Versions to Patch Coruna Exploits - SecurityWeek
FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials
SAP Patches Critical FS-QUO, NetWeaver Vulnerabilities - SecurityWeek
Adobe Patches 80 Vulnerabilities Across Eight Products - SecurityWeek
Cisco Patches High-Severity IOS XR Vulnerabilities - SecurityWeek
WordPress membership plugin bug exploited to create admin accounts
Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model
Critical Nginx UI flaw CVE-2026-27944 exposes server backups
HPE warns of critical AOS-CX flaw allowing admin password resets
Critical defect in Java security engine poses serious downstream security risks | CyberScoop
Critical n8n Flaws Allow Remote Code Execution and Exposure of Stored Credentials
Critical SQL Injection bug in Ally plugin threatens 400,000+ WordPress sites
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime & Shipping
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
Contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to external articles are provided for general interest and awareness only. Linking to or reposting external content does not constitute endorsement of or by any organisation, service, or product. We do not control and are not responsible for the content, security, or availability of external websites or links. Full credit is given to the original authors and sources. E&OE.
Black Arrow Cyber Threat Intelligence Briefing 06 March 2026
Black Arrow Cyber Threat Intelligence Briefing 06 March 2026:
-European Police Body Warns Iran Crisis Raises Threat of Terror, Extremism and Cyber Attacks
-NCSC Warns UK Organisations to Prepare for Potential Iran-Linked Cyber Activity
-Ransomware Attacks Soar as Hackers Pivot to Small Businesses
-Ransomware Activity Peaks Outside Business Hours
-Ransomware Groups Switch to Stealthy Attacks and Long-Term Access
-Most Organisations Unprepared for External Cyber Risks and Supply Chain Disruptions
-High‑Risk Vulnerabilities Surge, Deepening Security Debt for IT Teams
-AI Went from Assistant to Autonomous Actor and Security Never Caught Up
-Why Enterprise AI Agents Could Become the Ultimate Insider Threat
-AI Raises the Cybersecurity Stakes — But People Still Open the Door
-Hackers Are Turning to Easy, Fast AI Solutions to Roll Out Attacks – So How Can Your Business Stay Safe?
-New AirSnitch Attack Bypasses Wi-Fi Encryption in Homes, Offices, and Enterprises
-Employees Install Pirate Software Despite Malware Risks
Welcome to this week’s Black Arrow Cyber Threat Intelligence Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Executive Summary
This week, much of the specialist and general media has reported on the security ramifications of the military action in the Middle East, and we have included warnings from European and UK authorities on the need for organisations to heighten their vigilance for cyber security attacks.
In a more general context, we also report on increasing levels of ransomware attacks, especially on smaller organisations and outside of business hours with a focus on long term access to victims’ systems. Supply chain risks and unmanaged vulnerabilities also continue to present challenges to be addressed in a cyber security strategy.
AI risks are accumulating, with expected growth in the number of enterprise applications using AI agents. As we reported previously, AI is also enabling attackers to enhance attacks such as social engineering to be more effective against employees.
The variety of established and evolving risks reminds us of the need for business leaders to be regularly updated on the developing threat landscape and to ensure that the risks are prioritised and addressed in a proportionate cyber security strategy that is delivered by your chosen control providers. Contact us for an impartial discussion on how to do this.
Top Cyber Stories of the Last Week
European Police Body Warns Iran Crisis Raises Threat of Terror, Extremism and Cyber Attacks
Europol has warned that the escalating conflict involving Iran is likely to increase security risks across the European Union, including a higher threat of terrorism, organised crime and cyber attacks targeting critical infrastructure such as energy and transport systems. Officials expect more online fraud using artificial intelligence, where criminals use automated tools to create convincing scams and misinformation linked to the conflict. Europol also noted that groups aligned with Iran may attempt destabilising activities including intimidation, terrorist financing and cyber crime. Authorities assess the overall terrorist threat level in the EU as high, with concerns that online content could accelerate radicalisation and inspire lone actors or small cells.
NCSC Warns UK Organisations to Prepare for Potential Iran-Linked Cyber Activity
The UK National Cyber Security Centre has urged organisations to review their cyber security posture following rising tensions involving Iran, the United States and Israel. While there is no confirmed increase in direct threats to the UK, the agency warns there is almost certainly a heightened risk of indirect cyber activity, particularly for organisations with operations or supply chains in the Middle East. Iranian state actors and politically motivated groups have previously targeted sectors including energy, finance and transport. The NCSC advises organisations to strengthen monitoring, maintain software updates, prepare for phishing and service disruption attacks, and review incident response plans to ensure resilience during periods of geopolitical instability.
Ransomware Attacks Soar as Hackers Pivot to Small Businesses
Attackers are increasingly targeting small and medium sized businesses that may lack strong cyber security defences. Chainalysis reports a sharp rise in ransomware activity, with nearly 8,000 public leak events recorded in 2025, a 50% increase on the previous year. Despite this surge, total ransom payments fell 8% to about $820 million as many large organisations refused to pay and law enforcement disrupted criminal money laundering networks. At the same time, the average price for buying access to compromised systems on dark web marketplaces dropped from $1,427 in 2023 to $439 in 2026, lowering the barrier for criminals to launch cyber attacks.
https://invezz.com/news/2026/02/27/ransomware-attacks-soar-as-hackers-pivot-to-small-businesses/
Ransomware Activity Peaks Outside Business Hours
Sophos has reported that ransomware is typically deployed when organisations are least staffed, with 88% of attacks launched outside normal working hours. Identity compromise is now the main route used in cyber attacks, accounting for 67% of initial access across 661 incidents analysed between November 2024 and October 2025 in 70 countries. Attackers commonly use stolen or guessed passwords and phishing emails to gain entry before moving quickly to central identity systems that control user access, often under 4 hours. Data theft followed a similar pattern in 79% of cases, highlighting the need for continuous security monitoring.
https://www.helpnetsecurity.com/2026/02/27/sophos-identity-driven-breaches-report/
Ransomware Groups Switch to Stealthy Attacks and Long-Term Access
Ransomware groups are increasingly shifting from disruptive attacks to quieter, long-term intrusions designed to remain undetected inside corporate networks. Research by Picus Security analysing 1.1 million malicious files found that four in five common attack techniques are now designed to evade security controls and maintain persistent access. Rather than immediately encrypting systems, many attackers focus on stealing sensitive data and threatening to release it publicly to force payment. Encryption based attacks have fallen by 38% over the past year, while more than 7,000 victims were publicly named by ransomware groups, highlighting the growing scale and persistence of the threat.
Most Organisations Unprepared for External Cyber Risks and Supply Chain Disruptions
Zscaler reports that many organisations are overconfident about cyber security resilience because plans still focus mainly on internal systems, not the wider supplier and partner network. In its research, 61% of businesses admit their approach is too inward looking, while 60% suffered a major supplier related disruption in the past year. Yet only 54% have cyber insurance that covers a third-party breach. More than half of IT leaders say current controls are not ready for AI driven cyber attacks, and up to 70% lack visibility of shadow AI (meaning unapproved AI tools used without oversight).
https://petri.com/organizations-unprepared-external-cyber-risks/
High‑Risk Vulnerabilities Surge, Deepening Security Debt for IT Teams
Veracode’s 2026 State of Software Security report highlights a growing gap between the number of software vulnerabilities discovered and the ability of organisations to fix them. Security debt, meaning unresolved security weaknesses in software, now affects 82% of organisations, up from 74%, while 60% face critical long-standing flaws. High risk vulnerabilities have risen by 36%, driven by AI assisted coding and increased reliance on third party software components. Nearly half of applications still contain vulnerabilities more than a year old, underscoring the need for stronger governance and prioritisation of the most serious risks.
https://petri.com/sharp-rise-high-risk-flaws-security-debt/
AI Went from Assistant to Autonomous Actor and Security Never Caught Up
A briefing from the AIUC 1 Consortium warns that as artificial intelligence moves from simple assistants to autonomous systems capable of carrying out business tasks, security oversight has not kept pace. An EY survey found that 64% of companies with annual turnover above $1 billion have lost more than $1 million due to AI failures, while one in five reported a breach linked to unauthorised use of AI tools by staff. Many organisations lack visibility into how AI systems access data or systems, increasing the risk of sensitive information exposure and operational disruption if these tools act incorrectly or without proper controls.
https://www.helpnetsecurity.com/2026/03/03/enterprise-ai-agent-security-2026/
Why Enterprise AI Agents Could Become the Ultimate Insider Threat
Generative AI tools are rapidly evolving from simple assistants into autonomous agents that can launch other agents, access systems and even authorise transactions. Security researchers warn this could create a new form of insider threat if poorly controlled. CyberArk reports that machine identities already outnumber human ones by 82 to 1, while Gartner expects more than 40% of enterprise applications to use AI agents by 2026. Yet governance remains limited, highlighting the growing cyber security challenge as these tools gain greater access to corporate systems.
https://www.zdnet.com/article/enterprise-ai-agents-insider-threat/
AI Raises the Cybersecurity Stakes — But People Still Open the Door
Artificial intelligence is lowering the barrier for cyber criminals, enabling them to produce convincing phishing emails, cloned voice calls and highly targeted scams far more quickly. These tactics, known as social engineering, manipulate people through urgency, authority or confusion rather than breaking technical defences. While organisations are investing heavily in AI security tools, many successful cyber attacks still begin with human interaction. The key defence therefore lies in building strong security awareness and judgement across the workforce. Encouraging staff to pause, question unusual requests and report concerns can significantly reduce the risk of deception led cyber attacks.
https://www.infosecurity-magazine.com/opinions/ai-cybersecurity-people-open-door/
Hackers Are Turning to Easy, Fast AI Solutions to Roll Out Attacks – So How Can Your Business Stay Safe?
HP Wolf Security found that 14% of malicious emails bypassed at least one email security filter, as cyber criminals increasingly use generative AI to launch cyber attacks more quickly and at lower cost. Rather than creating highly sophisticated attacks, many criminals prioritise speed and scale, using readily available tools to produce convincing emails, fake invoices and malicious software installers. Despite their basic nature, these attacks remain effective. Common delivery methods included executable files accounting for 37% of attacks, ZIP files at 11% and Word documents at 10%, highlighting the continued effectiveness of simple tactics.
New AirSnitch Attack Bypasses Wi-Fi Encryption in Homes, Offices, and Enterprises
Researchers have uncovered “AirSnitch”, a new Wi-Fi attack that can bypass the client isolation feature many routers use to keep connected devices separated, including on guest networks. It affects a wide range of home and enterprise equipment and could enable a machine-in-the-middle cyber attack where an intruder intercepts and potentially alters data in transit. The risk is highest where internet traffic is not fully encrypted, as attackers could steal passwords, session cookies, and payment details. Some vendors have issued updates, but parts of the issue may require longer term hardware changes.
Employees Install Pirate Software Despite Malware Risks
Barracuda reports that employees are still attempting to install pirated or cracked software on company devices, despite the significant cyber security risks. Such software is often modified to include hidden malware that can steal login details, install ransomware, hijack user sessions or run cryptomining programs that misuse company systems. Because pirated software cannot receive legitimate security updates, vulnerabilities remain unpatched. Barracuda warns that organisations should strengthen security controls, restrict installation permissions and improve employee awareness to reduce the risk of a cyber attack.
https://betanews.com/article/employees-install-pirate-software-despite-malware-risks/
Governance, Risk and Compliance
Four Risks Boards Cannot Treat as Background Noise - SecurityWeek
AI risk moves into the security budget spotlight - Help Net Security
Cyber incidents remain the primary challenge facing UK businesses
The CISO role keeps getting heavier - Help Net Security
Executive data can become the weak link in the cybersecurity chain - BetaNews
Cyber resilience tunnel vision is leaving enterprises open to external threats | IT Pro
Threats
Ransomware, Extortion and Destructive Attacks
Ransomware groups switch to stealthy attacks and long-term access | CSO Online
Ransomware: As Infostealers Bite, Prevention Beats Recovery
Ransomware activity peaks outside business hours - Help Net Security
Ransomware attacks soar as hackers pivot to small businesses - Invezz
Scattered Lapsus$ Hunters seeks women to defraud helpdesks • The Register
Double whammy: Steaelite RAT bundles data theft, ransomware • The Register
Notorious ransomware gang allegedly blackmailed by fake FSB officer
Bitcoin Still Fuels Ransomware Economy in 2025
Ransomware Attacks Rose 50% in 2025 According to Chainalysis Report
Ransomware groups claim record number of victims in 2025 - CIR Magazine
Ransomware Payments Decline 8% as Attacks Surge 50% - Infosecurity Magazine
Ransomware Victims
Conduent Data Breach - Largest Data Breach in U.S. History As Ransomware Group Stolen 8 TB of Data
1 Million Records from Dutch Telco Odido Published Online After Extortion Attempt
Qilin ransomware hits Malaysia Airlines | Cybernews
Dutch cops back Odido as ShinyHunters leaks continue • The Register
ShinyHunters leaked the full Odido dataset
Airbus and Boeing supplier named in ransomware attack | Cybernews
Phishing & Email Based Attacks
OAuth Abuse in Microsoft Entra ID Enables Stealthy Email Access
Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication
Fake LastPass support email threads try to steal vault passwords
Purchase order attachment isn’t a PDF. It’s phishing for your password | Malwarebytes
Remote-working breaches as phishing fears reach record high | theHRD
Microsoft warning: attackers are abusing Google logins to spread malware | Cybernews
Attack on trust | Professional Security Magazine
Darktrace Flags 32 Million Phishing Emails in 2025 as Identity Attacks - Infosecurity Magazine
Europol-Led Operation Takes Down Tycoon 2FA Phishing-as-a-Service Linked to 64,000 Attacks
Hacker mass-mails HungerRush extortion emails to restaurant patrons
Business Email Compromise (BEC)/Email Account Compromise (EAC)
Attack on trust | Professional Security Magazine
Other Social Engineering
Fake LastPass support email threads try to steal vault passwords
Attack on trust | Professional Security Magazine
Purchase order attachment isn’t a PDF. It’s phishing for your password | Malwarebytes
Scattered Lapsus$ Hunters seeks women to defraud helpdesks • The Register
Europol-led crackdown on The Com hackers leads to 30 arrests
DoJ Seizes $61 Million in Tether Linked to Pig Butchering Crypto Scams
Why scammers call you and say nothing - and how to respond safely | ZDNET
Scammers target Dubai bank accounts amid Iran missile salvo • The Register
If You're a Tech Worker With an Attractive Girlfriend, We Have Extremely Bad News
Telegram rises to top spot in job scam activity - Help Net Security
2FA/MFA
Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication
Europol-Led Operation Takes Down Tycoon 2FA Phishing-as-a-Service Linked to 64,000 Attacks
Artificial Intelligence
AI went from assistant to autonomous actor and security never caught up - Help Net Security
Why enterprise AI agents could become the ultimate insider threat | ZDNET
AI Raises the Cybersecurity Stakes — But People Still Open the Door - Infosecurity Magazine
AI risk moves into the security budget spotlight - Help Net Security
Malicious OpenClaw Skills Used to Distribute Atomic MacOS Stealer | Trend Micro (US)
How Threat Actors Turned OpenClaw Into a Scraping Botnet - Security Boulevard
Organizations Unprepared for External Cyber Risks
Fraudsters integrate ChatGPT into global scam campaigns - Help Net Security
Your Staff Are Your Biggest Security Risk: AI is Making it Worse
AI bot compromises five major GitHub repositories | Cybernews
ClawJacked flaw exposed OpenClaw users to data theft
Your personal OpenClaw agent may also be taking orders from malicious websites | CSO Online
AI and Deepfakes Supercharge Sophisticated Cyber-Attacks: Cloudflare - Infosecurity Magazine
The AI-Powered Hacking Spree Is Here
Destroyed servers and DoS attacks: What can happen when OpenClaw AI agents interact | ZDNET
Thousands of Public Google Cloud API Keys Exposed with Gemini Access After API Enablement
How Deepfakes and Injection Attacks Are Breaking Identity Verification
Chatbot data harvesting yields sensitive personal info • The Register
Calls for Global Digital Estate Standard as Fraud Risk Grows - Infosecurity Magazine
Hackers Leveraged CyberStrikeAI Tool to Breach Fortinet FortiGate Devices
Pentagon ditches Anthropic AI over “security risk” and OpenAI takes over - Security Boulevard
Sam Altman admits OpenAI can’t control Pentagon’s use of AI | Technology | The Guardian
Pentagon moves to build AI tools for China cyber operations
Hacker Steals Huge Data Trove From Mexico Using Anthropic's Claude
OpenAI Reaches A.I. Agreement With Defense Dept. After Anthropic Clash - The New York Times
Why Pentagon-Anthropic AI clash is pivotal front in future of warfare
Flaw-Finding AI Assistants Face Criticism for Speed, Accuracy
LLMs are getting better at unmasking people online | CyberScoop
Anthropic fallout Iran strikes fuel tech backlash over military AI use
What AI Models for War Actually Look Like | WIRED
Bots/Botnets
Memory scalpers hunt scarce DRAM with bot blitz • The Register
How Threat Actors Turned OpenClaw Into a Scraping Botnet - Security Boulevard
Careers, Roles, Skills, Working in Cyber and Information Security
Code of Professional Conduct | Professional Security Magazine
Cybersecurity professionals are burning out on extra hours every week - Help Net Security
GCHQ hunts for CISO with £130K top salary • The Register
Comms Dealer - Why UK MSPs Need Global Talent Now More Than Ever
Cloud/SaaS
Cloudflare tracked 230 billion daily threats and here is what it found - Help Net Security
Attackers are using your network against you, according to Cloudflare | CyberScoop
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
DoJ Seizes $61 Million in Tether Linked to Pig Butchering Crypto Scams
QuickLens Chrome extension steals crypto, shows ClickFix attack
Bitcoin Still Fuels Ransomware Economy in 2025
Cyber Crime, Organised Crime & Criminal Actors
AI and Deepfakes Supercharge Sophisticated Cyber-Attacks: Cloudflare - Infosecurity Magazine
Europol-led crackdown on The Com hackers leads to 30 arrests
Turns out most cybercriminals are old enough to know better • The Register
Compromised Site Management Panels are a Hot Item in Cybercrime Markets
Europol-Led Operation Takes Down Tycoon 2FA Phishing-as-a-Service Linked to 64,000 Attacks
FBI and Europol Seize LeakBase Forum Used to Trade Stolen Credentials
Data Breaches/Leaks
Conduent Data Breach - Largest Data Breach in U.S. History As Ransomware Group Stolen 8 TB of Data
AI bot compromises five major GitHub repositories | Cybernews
ClawJacked flaw exposed OpenClaw users to data theft
Double whammy: Steaelite RAT bundles data theft, ransomware • The Register
Huge “Shadow Layer” of Organizations Hit by Supply Chain Attacks - Infosecurity Magazine
1 Million Records from Dutch Telco Odido Published Online After Extortion Attempt
15M French citizens affected by massive data breach following cyberattack on medical software
New LexisNexis Data Breach Confirmed After Hackers Leak Files - SecurityWeek
“Non-terrestrial officers:” the UFO files McKinnon found, hacking NASA | Cybernews
Hacker Steals Huge Data Trove From Mexico Using Anthropic's Claude
Olympique Marseille confirms 'attempted' cyberattack after data leak
Canadian Tire 2025 data breach impacts 38 million users
UH Cyber Hack Exposed Social Security Numbers Of Up To 1.15 Million - Honolulu Civil Beat
Brit games studio Cloud Imperium admits to data breach • The Register
Madison Square Garden Data Breach Confirmed Months After Hacker Attack - SecurityWeek
Denial of Service/DoS/DDoS
149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict
Russian DDoS: what’s the threat to businesses? | IT Pro
Encryption
Expert Recommends: Prepare for PQC Right Now
Fraud, Scams and Financial Crime
Fraudsters integrate ChatGPT into global scam campaigns - Help Net Security
Calls for Global Digital Estate Standard as Fraud Risk Grows - Infosecurity Magazine
Data Broker Breaches Fueled Nearly $21 Billion in Identity-Theft Losses | WIRED
Memory scalpers hunt scarce DRAM with bot blitz • The Register
Why scammers call you and say nothing - and how to respond safely | ZDNET
Scammers target Dubai bank accounts amid Iran missile salvo • The Register
Telegram rises to top spot in job scam activity - Help Net Security
Alabama man pleads guilty to hacking, extorting hundreds of women
Florida woman imprisoned for massive Microsoft license fraud scheme
Identity and Access Management
How Deepfakes and Injection Attacks Are Breaking Identity Verification
Insider Risk and Insider Threats
Why enterprise AI agents could become the ultimate insider threat | ZDNET
AI Raises the Cybersecurity Stakes — But People Still Open the Door - Infosecurity Magazine
42 percent of organizations see an increase in malicious insider incidents - BetaNews
Your Staff Are Your Biggest Security Risk: AI is Making it Worse
Employees install pirate software despite malware risks - BetaNews
U.S. Defense Contractor Faces 87 Months in Prison For Selling Secrets to Russia - ClearanceJobs
Insurance
Zurich Acquires Beazley in $11 Billion Deal to Lead Cyberinsurance - SecurityWeek
Internet of Things – IoT
Your smart home may be at risk - 6 ways experts protect your devices from attacks | ZDNET
Every Car Made After 2008 Has the Same Digital Security Risk
Meta Workers Say They're Seeing Disturbing Things Through Users' Smart Glasses
Law Enforcement Action and Take Downs
Europol-led crackdown on The Com hackers leads to 30 arrests
U.S. Defense Contractor Faces 87 Months in Prison For Selling Secrets to Russia - ClearanceJobs
Europol-Led Operation Takes Down Tycoon 2FA Phishing-as-a-Service Linked to 64,000 Attacks
FBI and Europol Seize LeakBase Forum Used to Trade Stolen Credentials
DoJ Seizes $61 Million in Tether Linked to Pig Butchering Crypto Scams
Project Compass is Europol's new playbook for taking on The Com | CyberScoop
Cambodia, a center for online scam, cracks down on the scammers : State of the World from NPR : NPR
Ukrainian man pleads guilty to running AI-powered fake ID site
Alabama man pleads guilty to hacking, extorting hundreds of women
Florida woman imprisoned for massive Microsoft license fraud scheme
Malware
Double whammy: Steaelite RAT bundles data theft, ransomware • The Register
Microsoft OAuth scams abuse redirects for malware delivery • The Register
Employees install pirate software despite malware risks - BetaNews
Microsoft warning: attackers are abusing Google logins to spread malware | Cybernews
CISA warns that RESURGE malware can be dormant on Ivanti devices
North Korean Hackers Publish 26 npm Packages Hiding Pastebin C2 for Cross-Platform RAT
QuickLens Chrome extension steals crypto, shows ClickFix attack
Malicious OpenClaw Skills Used to Distribute Atomic MacOS Stealer | Trend Micro (US)
Microsoft warns of RAT delivered through trojanized gaming utilities
Mobile
Coruna: Spy-grade iOS exploit kit powering financial crime - Help Net Security
Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited
Models, Frameworks and Standards
Passwords, Credential Stuffing & Brute Force Attacks
Fake LastPass support email threads try to steal vault passwords
Purchase order attachment isn’t a PDF. It’s phishing for your password | Malwarebytes
US Shuts Down 'LeakBase' Hacker Forum Known for Selling Stolen Data
FBI and Europol Seize LeakBase Forum Used to Trade Stolen Credentials
Regulations, Fines and Legislation
UK’s Data Watchdog Gets a Makeover to Match Growing Demands - Infosecurity Magazine
CISA leadership shakeup comes amid ‘pressure’ moment for cyber agency | Federal News Network
Trump Bans Anthropic AI in Federal Agencies — Pentagon Flags Claude as Security Risk
OpenAI Reaches A.I. Agreement With Defense Dept. After Anthropic Clash - The New York Times
Why Pentagon-Anthropic AI clash is pivotal front in future of warfare
Social Media
Social media companies are fighting the 'age verification trap' | Fortune
Software Supply Chain
What to Know About the Notepad++ Supply-Chain Attack - Security Boulevard
Your dependencies are 278 days out of date and your pipelines aren't protected - Help Net Security
Surging third-party risks create software vulnerability headaches for developer teams | IT Pro
Supply Chain and Third Parties
Conduent Data Breach - Largest Data Breach in U.S. History As Ransomware Group Stolen 8 TB of Data
Huge “Shadow Layer” of Organizations Hit by Supply Chain Attacks - Infosecurity Magazine
Organizations Unprepared for External Cyber Risks
What to Know About the Notepad++ Supply-Chain Attack - Security Boulevard
Madison Square Garden Data Breach Confirmed Months After Hacker Attack - SecurityWeek
Airbus and Boeing supplier named in ransomware attack | Cybernews
Third-Party Risk: The New Maturity Curve for Security Providers | perspective | MSSP Alert
Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity
Cyber Warfare and Cyber Espionage
UK warns of Iranian cyberattack risks amid Middle-East conflict
U.S. war with Iran forces CEOs to prepare for the worst | Fortune
Hybrid Middle East Conflict Triggers Surge in Global Cyber Activity - Infosecurity Magazine
The cyber war in Iran - POLITICO
Expect Iran to Launch Cyber-Attacks Globally, Warns Google - Infosecurity Magazine
Europe braces as Iran threatens to attack – POLITICO
If You're a Tech Worker With an Attractive Girlfriend, We Have Extremely Bad News
Businesses told to harden defenses amid Iran conflict risk • The Register
Mapping Iran’s hacking threats | Ctech
Iran War Puts Companies, Infrastructure on Cyber Threat Alert
Iran could use AI to accelerate cyberattacks on U.S. and Israeli critical infrastructure | Fortune
Cyberwarfare ignites in US-Israel-Iran war
Pro-Iranian Actors Launch Barrage of Cyberattacks
Double jeopardy for Dubai, faces espionage threat amid Iran offensive - The Statesman
Western Cybersecurity Experts Brace for Iranian Reprisal
Iranian Hackers Ramp Up Cyberattacks on US and Israel After Recent Strikes - gHacks Tech News
Sam Altman admits OpenAI can’t control Pentagon’s use of AI | Technology | The Guardian
Anthropic fallout Iran strikes fuel tech backlash over military AI use
What AI Models for War Actually Look Like | WIRED
Nation State Actors
How to understand and avoid Advanced Persistent Threats - Security Boulevard
China
If You're a Tech Worker With an Attractive Girlfriend, We Have Extremely Bad News
Hackers Leveraged CyberStrikeAI Tool to Breach Fortinet FortiGate Devices
From phishing to Google Drive C2: Silver Dragon expands APT41 playbook
China's Silver Dragon Razes Governments in EU, SE Asia
Pentagon moves to build AI tools for China cyber operations
Russia
If You're a Tech Worker With an Attractive Girlfriend, We Have Extremely Bad News
Nation-State iOS Exploit Kit ‘Coruna’ Found Powering Global Attacks - SecurityWeek
Russia-linked APT28 exploited MSHTML zero-day CVE-2026-21513 before patch
Russian DDoS: what’s the threat to businesses? | IT Pro
U.S. Defense Contractor Faces 87 Months in Prison For Selling Secrets to Russia - ClearanceJobs
Notorious ransomware gang allegedly blackmailed by fake FSB officer
North Korea
North Korean Hackers Publish 26 npm Packages Hiding Pastebin C2 for Cross-Platform RAT
North Korea’s APT37 Expands Toolkit to Breach Air-Gapped Networks - Infosecurity Magazine
ScarCruft Uses Zoho WorkDrive and USB Malware to Breach Air-Gapped Networks
APT37 hackers use new malware to breach air-gapped networks
Suspected Nork intruders infecting US healthcare, education • The Register
Britain sees North Korea as 'major' cyber threat: Cybersecurity expert
Iran
U.S. war with Iran forces CEOs to prepare for the worst | Fortune
Hybrid Middle East Conflict Triggers Surge in Global Cyber Activity - Infosecurity Magazine
The cyber war in Iran - POLITICO
Europe braces as Iran threatens to attack – POLITICO
Businesses told to harden defenses amid Iran conflict risk • The Register
Mapping Iran’s hacking threats | Ctech
Iran War Puts Companies, Infrastructure on Cyber Threat Alert
Cyberwarfare ignites in US-Israel-Iran war
Pro-Iranian Actors Launch Barrage of Cyberattacks
Iran intelligence backdoored US bank, airport networks • The Register
Scammers target Dubai bank accounts amid Iran missile salvo • The Register
US financial firms on cyber alert amid Iran war | The Jerusalem Post
Iranian Hackers Ramp Up Cyberattacks on US and Israel After Recent Strikes - gHacks Tech News
149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict
Strikes on Iran will test US cyber strategy abroad, and defenses at home - Nextgov/FCW
Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence
Hacktivists claim to have hacked Homeland Security to release ICE contract data | TechCrunch
149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict
Tools and Controls
AI risk moves into the security budget spotlight - Help Net Security
Flaw-Finding AI Assistants Face Criticism for Speed, Accuracy
Why encrypted backups may fail in an AI-driven ransomware era | ZDNET
How Deepfakes and Injection Attacks Are Breaking Identity Verification
Cloudflare tracked 230 billion daily threats and here is what it found - Help Net Security
Attackers are using your network against you, according to Cloudflare | CyberScoop
The Expanding Link Between Software Engineering And Cyber Security - DevX
Your dependencies are 278 days out of date and your pipelines aren't protected - Help Net Security
Cyber resilience tunnel vision is leaving enterprises open to external threats | IT Pro
12 Million exposed .env files reveal widespread security failures
Security debt is becoming a governance issue for CISOs - Help Net Security
Other News
Cloudflare tracked 230 billion daily threats and here is what it found - Help Net Security
Attackers are using your network against you, according to Cloudflare | CyberScoop
The Increasing Speed of Cyberattacks
How 'silent probing' can make your security playbook a liability | CyberScoop
The Expanding Link Between Software Engineering And Cyber Security - DevX
UK government seeks to clamp down on cyber-threats - Digital Journal
DEF CON hackers 'fed up with government,' Jake Braun says • The Register
Sweden Tells Energy Sector to Raise Security, but Faces no Specific Threat
Healthcare organizations are accepting cyber risk to cut costs - Help Net Security
Cybersecurity is now a bigger worry for car-makers than costs - Drives&Controls
Cybersecurity a ‘significant’ issue for 95% of manufacturers
Vulnerability Management
Flaw-Finding AI Assistants Face Criticism for Speed, Accuracy
Exploitable Vulnerabilities Present in 87% of Organizations - Infosecurity Magazine
Report Shows Sharp Rise in High‑Risk Flaws and Security Debt
Your dependencies are 278 days out of date and your pipelines aren't protected - Help Net Security
Surging third-party risks create software vulnerability headaches for developer teams | IT Pro
Google will soon ship Chrome updates every two weeks • The Register
Vulnerabilities
NCSC warns of attacks to Cisco Catalyst SD-WAN | UKAuthority
Cisco Drops 48 New Firewall Vulnerabilities, 2 Critical
Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities
Russia-linked APT28 exploited MSHTML zero-day CVE-2026-21513 before patch
Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited
Juniper issues emergency patch for critical PTX router RCE
Cisco warns of max severity Secure FMC flaws giving root access
What to Know About the Notepad++ Supply-Chain Attack - Security Boulevard
Trend Micro fixes two critical flaws in Apex One
Critical Juniper Networks PTX flaw allows full router takeover
Firefox 148 Released With Sanitizer API to Disable XSS Attack
New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel
Security hole could let hackers take over Juniper Networks PTX core routers | CSO Online
Mail2Shell zero-click attack lets hackers hijack FreeScout mail servers
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime & Shipping
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
Contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to external articles are provided for general interest and awareness only. Linking to or reposting external content does not constitute endorsement of or by any organisation, service, or product. We do not control and are not responsible for the content, security, or availability of external websites or links. Full credit is given to the original authors and sources. E&OE.
Black Arrow Cyber Threat Intelligence Briefing 27 February 2026
Black Arrow Cyber Threat Intelligence Briefing 27 February 2026:
-The Growing Risk of Malicious Apps in a Mobile-First Workplace
-Why 'Call This Number' TOAD Emails Beat Gateways
-New Phishing Hacks Aren’t Sloppy—They’re Personalised
-Google Disrupts Chinese-Linked Hackers That Attacked 53 Groups Globally
-Basic Security Gaps Leave Enterprises Exposed to AI-Boosted Attacks
-'God-Like' Attack Machines: AI Agents Ignore Security Policies
-13 Ways Attackers Use Generative AI To Exploit Your Systems
-AI Accelerates Attacker Breakout Time to Just Four Minutes
-Resilience: Cyber Risk Shifts from Disruption to Long-Tail Losses
-Ransomware Readiness is the Difference Between a Bad Day at Work and No More Workplace
-So You Think You Have Cyber Insurance? The Breach is Only the First Incident. The Claim is the Second.
-Russia Stepping Up Hybrid Attacks, Preparing for Long Standoff with West, Dutch Intelligence Warns
Welcome to this week’s Black Arrow Cyber Threat Intelligence Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Executive Summary
We have details of new and developing threats for business leaders to address in their security strategy. These include malicious apps on work mobile devices, and phishing emails without links or attachments but with instructions for the recipient to call a number that turns out to be a scam. Separately, Google has identified attackers using online Google Sheets that contain command instructions for malware already installed in victims’ systems at a previous stage. As mentioned in our previous weekly reports, AI is being used to make cyber-attacks faster and more effective.
Addressing these and other risks requires two areas of focus: proportionate cyber security to reduce the frequency of successful attacks, and cyber resilience to improve the chances that the organisation can successfully detect and respond to attacks. Insurance is often part of that resilience; however, we include a reminder on the need to ensure a clear understanding upfront on exactly what the insurance policy provides and the conditions of cover.
Business leaders are not expected to be cyber experts, but your ability to ensure that your cyber security and resilience can address today’s evolving risks requires you to understand the fundamentals, and this is best sourced from experts who are not your control providers. Contact us for details of how to achieve proportionate security and resilience for your business .
Top Cyber Stories of the Last Week
The Growing Risk of Malicious Apps in a Mobile-First Workplace
As workplaces become increasingly mobile-first, employees’ smartphones now provide a direct route into corporate systems and sensitive data. Attackers are exploiting this by disguising malicious code inside legitimate-looking apps, including those published in trusted app stores, and by rapidly creating new variants that evade traditional, signature-based security tools. Risk also comes from poorly built apps that request excessive access or accidentally expose information through weak design. To reduce exposure, organisations need greater visibility into what apps are installed, what data they access, and whether their behaviour changes after updates, treating mobile apps as a core enterprise risk, not just an IT concern.
Why 'Call This Number' TOAD Emails Beat Gateways
Attackers are increasingly using “call this number” emails that contain no links or attachments, helping them slip past many secure email gateways. Analysis of roughly 5,000 threats that bypassed enterprise defences since December 2025 found telephone-oriented attack delivery (TOAD) made up almost 28% of these incidents. The tactic typically mimics a billing alert from a trusted brand and pressures staff to phone a number, where scammers try to steal login details, gain remote access to devices, or extract payments such as gift cards. Senior leaders should reinforce clear rules: invoices are not resolved by unsolicited phone calls, and staff must verify unexpected payment requests via known channels.
https://www.darkreading.com/threat-intelligence/why-call-this-number-toad-emails-beat-gateways
New Phishing Hacks Aren’t Sloppy—They’re Personalised
Artificial intelligence is making phishing scams far more convincing by tailoring messages with personal details pulled from past data breaches and public sources such as social media. These emails and texts may reference your name, location, services you use, or even your interests, helping criminals build trust and pressure people into clicking links, sharing information, or sending money. If staff credentials are stolen, accounts can be compromised, potentially impacting the wider business. Key safeguards include keeping software and security tools up to date, and treating personalised or unexpected payment or account warnings with caution by verifying them through official channels.
Google Disrupts Chinese-Linked Hackers That Attacked 53 Groups Globally
Google has disrupted a Chinese-linked hacking group with a near decade-long record of targeting governments and telecoms, after confirming access to at least 53 organisations across 42 countries, with possible reach into 22 more. The attackers used Google Sheets to hide activity within normal network traffic, which Google stressed was not a flaw in its products. In one incident, they installed a hidden way to regain access on a system holding sensitive personal data such as names, phone numbers, dates of birth and national ID details.
Basic Security Gaps Leave Enterprises Exposed to AI-Boosted Attacks
IBM’s 2026 X-Force Threat Intelligence Index warns that criminals are increasingly using AI to find and exploit basic security gaps at speed. Attacks starting through internet-facing applications rose 44%, often due to insufficient access controls, while ransomware and extortion activity grew 49% year on year and disclosed victim counts increased by about 12%. Supply chain and third-party compromises have almost quadrupled since 2020, targeting software build and deployment environments and cloud applications. In 2025, exploiting known weaknesses drove 40% of observed incidents. Manufacturing remained the most targeted sector (27%), and North America saw 29% of cases.
https://betanews.com/article/basic-security-gaps-leave-enterprises-exposed-to-ai-boosted-attacks/
'God-Like' Attack Machines: AI Agents Ignore Security Policies
Security leaders are warning that goal-driven AI agents can unintentionally expose sensitive information or make damaging changes if they are given too much access. A recent Microsoft Copilot bug reportedly summarised confidential emails, and separately an AI agent ignored restrictions and deleted a live database. Experts caution that built-in AI guardrails are not strong enough to be relied on as security controls. Organisations adopting AI agents should limit permissions to the minimum required, separate critical systems, keep clear oversight through monitoring and audit logs, and ensure robust backups to quickly reverse mistakes.
https://www.darkreading.com/application-security/ai-agents-ignore-security-policies
13 Ways Attackers Use Generative AI To Exploit Your Systems
Criminals are using generative AI to make familiar cyber attacks faster and more convincing, rather than inventing entirely new ones. It is boosting realistic phishing messages that trick staff into handing over passwords, and helping create malware to damage systems or steal data. AI is also enabling deepfake voice and video scams and automating espionage, with one campaign reportedly automated by about 80% and aimed at roughly 30 major organisations.
AI Accelerates Attacker Breakout Time to Just Four Minutes
ReliaQuest reports that attackers are moving faster, with the average time from initial access to spreading inside an organisation dropping to 34 minutes in 2025, and a record low of just four minutes. Data theft can happen in as little as six minutes, down from over four hours in 2024. The report links this acceleration to wider use of automation and AI, with 80% of ransomware groups using one or both. Many organisations remain exposed due to gaps such as poor visibility of activity logs, weak remote access protections, and identity processes that can be tricked through social engineering where attackers persuade staff to grant access.
https://www.infosecurity-magazine.com/news/ai-accelerates-attack-breakout/
Resilience: Cyber Risk Shifts from Disruption to Long-Tail Losses
According to a report by US insurance provider, Resilience, cyber attacks are increasingly causing long-lasting financial, regulatory and reputational harm, driven by criminals stealing data and demanding payment to stop it being published. Data theft-only incidents rose from 49% of extortion claims in the first half of last year to 65% in the second half, and this model could become the majority by the end of 2026. The report also warns that paying to suppress stolen data may still lead to lawsuits and further exposure. Retail, manufacturing and health care made up 68% of losses.
https://www.insurancejournal.com/news/national/2026/02/25/859511.htm
Ransomware Readiness is the Difference Between a Bad Day at Work and No More Workplace
Ransomware is now a routine business risk, and organisations that recover fastest are typically those with strong readiness rather than the most complex technology. Effective preparation starts with clear governance and a tested incident response plan that assumes key systems and email may be unavailable. It also requires reliable, regularly tested backups that can restore critical services quickly, plus offline access to continuity plans and contact lists. Senior leaders should rehearse early decisions, including how to handle ransom demands, legal checks, and insurer requirements. Today’s ransomware is often data theft followed by extortion, raising regulatory and reputational stakes.
So You Think You Have Cyber Insurance? The Breach is Only the First Incident. The Claim is the Second.
Many organisations treat cyber insurance as a simple safety net, but in practice it is often a patchwork of policies with gaps and overlaps that only become clear after an incident. The most common losses involve other people’s data held on your systems, ransomware that combines disruption with extortion, and business email compromise where criminals impersonate staff to divert payments. Insurers may dispute claims by arguing the loss sits under a different policy, that payments were voluntary, or that conditions were not met. The key message is to stress test cover in advance, so it still pays out under real-world pressure.
Russia Stepping Up Hybrid Attacks, Preparing for Long Standoff with West, Dutch Intelligence Warns
Dutch intelligence agencies warn that Russia is intensifying a hybrid campaign across Europe as it prepares for a long confrontation with the West. This blends cyber-attacks, sabotage, disinformation and covert political influence to stay below the threshold of open war. Since late 2023, activity has risen sharply, with the Netherlands targeted through cyber operations against public institutions and critical infrastructure. The agencies assess Russia’s risk tolerance has increased since 2024, meaning disruption to vital services could become more likely even without direct military conflict.
Governance, Risk and Compliance
Resilience: Cyber Risk Shifts From Disruption to Long-Tail Losses
Resilience Cyber Claims Data Reveals The New Economics of Professionalized Cybercrime
Cyber is long tail threat warns new study
Identifying cyber crime motives more vital than ever, report says | The National
Organizations, MSSPs Need to Mind the Gaps in Their Security: Barracuda | MSSP Alert
Businesses rank cyber incidents as their biggest threat - BetaNews
Threats
Ransomware, Extortion and Destructive Attacks
Ransomware is a mid-market tax. Here's how UK firms can stop it - Raconteur
Ransomware playbook torn up as data theft becomes top threat – Resilience | Insurance Business
BeyondTrust Vulnerability Exploited in Ransomware Attacks - SecurityWeek
Ransomware Victims
Mississippi medical center closes all clinics after ransomware attack
Chip Testing Giant Advantest Hit by Ransomware - SecurityWeek
ShinyHunters demands $1.5M not to leak Wynn Resorts data • The Register
Two years on, what are the lessons from the British Library cyberattack?
ShinyHunters extortion gang claims Odido breach affecting millions
Wynn Resorts confirms data stolen after ShinyHunters threats • The Register
Qilin targets NYC transit workers | Cybernews
Everest ransomware hits Vikor Scientific 's supplier, data of 140,000 patients stolen
Phishing & Email Based Attacks
New phishing hacks aren't sloppy—they're personalized | PCWorld
Why 'Call This Number' TOAD Emails Beat Gateways
The Art of Deception: Typosquatting to Bypass Detection
UAC-0050 Targets European Financial Institution With Spoofed Domain and RMS Malware
Russian hackers target European firms with new spear-phishing cyberattacks | TechRadar
Hackers Using OAuth Apps in Microsoft Entra ID to Establish Persistence
Airline brands become launchpads for phishing, crypto fraud - Help Net Security
Phishing campaign targets freight and logistics orgs in the US, Europe
Multifaceted Phishing Scheme Deceives Bitpanda Customers - Infosecurity Magazine
Business Email Compromise (BEC)/Email Account Compromise (EAC)
Know the red flags: Business email compromise signs to look out for | CSO Online
Other Social Engineering
Why 'Call This Number' TOAD Emails Beat Gateways
The Art of Deception: Typosquatting to Bypass Detection
ClickFix Campaign Abuses Compromised Sites to Deploy MIMICRAT Malware
Fake CAPTCHA attacks exploded by 563% last year: How to spot them and stay safe online | ZDNET
Airline brands become launchpads for phishing, crypto fraud - Help Net Security
I'm a tech pro and an AI job scam almost fooled me - here's what gave it away | ZDNET
Threat Actors Using Fake Avast Website to Harvest Users Credit Card Details
Ad tech firm Optimizely confirms data breach after vishing attack
How to protect yourself from SIM swapping
The latest delivery scam has 'carriers' calling to return your phone - don't fall for it | ZDNET
Virgin Media O2 Warn Customers to Watch Out for Fake 5G SIM Upgrade Emails - ISPreview UK
AML/CFT/Money Laundering/Terrorist Financing/Sanctions
The US expanded its sanctions list against Russia due to cybersecurity threats | УНН
Artificial Intelligence
Cyberattack Breakout in Just 27 Seconds? 2026 Threat Report Reveals Shocking Speed | IBTimes UK
AI Accelerates Attacker Breakout Time to Just Four Minutes - Infosecurity Magazine
Hackers Gain Speed, Not Major New Tradecraft, Using AI Tools
AI-powered Cyber-Attacks Up Significantly, Warns CrowdStrike - Infosecurity Magazine
13 ways attackers use generative AI to exploit your systems | CSO Online
New phishing hacks aren't sloppy—they're personalized | PCWorld
'God-Like' Attack Machines: AI Agents Ignore Security Policies
2026 CrowdStrike Global Threat Report: AI Accelerates Adversaries and Reshapes the Attack Surface
Attackers Now Need Just 29 Minutes to Own a Network
Cyberattacks are hitting faster with AI fuelling an 89% jump, data shows - National | Globalnews.ca
The rise of the evasive adversary | CSO Online
Basic security gaps leave enterprises exposed to AI-boosted attacks - BetaNews
Android malware uses Google’s own Gemini AI to adapt in real time - Android Authority
Multiple Hacking Groups Exploit OpenClaw Instances to Steal API key and Deploy Malware
AI-Assisted Threat Actor Compromises 600+ FortiGate Devices in 55 Countries
Lessons From AI Hacking: Every Model, Every Layer Is Risky
Model Inversion Attacks: Growing AI Business Risk - Security Boulevard
AI is becoming part of everyday criminal workflows - Help Net Security
Malicious OpenClaw Skills Used to Distribute Atomic MacOS Stealer | Trend Micro (US)
Cyber Attacks Skirt Corporate Defenses With AI, Cloud Intrusions
Anthropic Drops Flagship Safety Pledge | TIME
National Crime Agency calls for ‘whole-system approach’ to tech-enabled abuse – PublicTechnology
44% Surge in App Exploits as AI Speeds Up Cyber-Attacks, IBM Finds - Infosecurity Magazine
AI coding assistant Cline compromised, installs OpenClaw • The Register
Urgent research needed to tackle AI threats, says Google AI boss - BBC News
Deloitte Australia bans staff from using ChatGPT over data leak fears
How Exposed Endpoints Increase Risk Across LLM Infrastructure
UAE foils AI-powered 'terrorist cyber attacks' on vital sectors | The National
Anthropic Says Chinese AI Firms Used 16 Million Claude Queries to Copy Model
Shai-Hulud-Like Worm Targets Developers via npm and AI Tools - Infosecurity Magazine
Major 'vibe-coding' platform Orchids is easily hacked, researcher finds - BBC News
Do NOT use AI-generated passwords, security experts warn | PCWorld
Nation state hackers fail to gain edge with AI, OpenAI report finds - Cryptopolitan
Claude's collaboration tools allowed remote code execution • The Register
Cyber: the dangers of agents and vibe coding | ICAEW
Chinese Police Use ChatGPT to Smear Japan PM Takaichi
Careers, Roles, Skills, Working in Cyber and Information Security
Where CISOs need to hire and develop cybersecurity talent
ISC2 Launches Global Code of Professional Conduct for Cybersecurity
UK tech has fewer foreign techies, struggling to upskill • The Register
Cloud/SaaS
2026 CrowdStrike Global Threat Report: AI Accelerates Adversaries and Reshapes the Attack Surface
Cyber Attacks Skirt Corporate Defenses With AI, Cloud Intrusions
Hackers Using OAuth Apps in Microsoft Entra ID to Establish Persistence
Founder drops AWS for Euro stack in bid for sovereignty • The Register
Europe’s ‘tech sovereignty’ ambitions carry security risks, military warns
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Airline brands become launchpads for phishing, crypto fraud - Help Net Security
Cyber Crime, Organised Crime & Criminal Actors
Resilience: Cyber Risk Shifts From Disruption to Long-Tail Losses
AI is becoming part of everyday criminal workflows - Help Net Security
Resilience Cyber Claims Data Reveals The New Economics of Professionalized Cybercrime
Cyber Claims Data Shows ‘New Economics’ of Cybercrime
Cyber is long tail threat warns new study
Identifying cyber crime motives more vital than ever, report says | The National
Latin America's Cyber Maturity Lags Threat Landscape
Don’t trust TrustConnect: This fake remote support tool only helps hackers | CSO Online
International operation dismantles fraud network, €400,000 seized - Help Net Security
Data Breaches/Leaks
PayPal Data Breach Led to Fraudulent Transactions - SecurityWeek
PayPal discloses extended data leak linked to Loan App glitch
ICO wins battle in fight to fine tech retailer £500k • The Register
ShinyHunters extortion gang claims Odido breach affecting millions
Ashley Madison pivots to shake cyberattack ghost | Cybernews
CarGurus data breach exposes information of 12.4 million accounts
Ad tech firm Optimizely confirms data breach after vishing attack
Data/Digital Sovereignty
Founder drops AWS for Euro stack in bid for sovereignty • The Register
Europe’s ‘tech sovereignty’ ambitions carry security risks, military warns
Denial of Service/DoS/DDoS
Dramatic Escalation Frequency and Power of in DDoS Attacks - Infosecurity Magazine
Suspected Anonymous members cuffed in Spain over DDoS attack • The Register
Spain arrests suspected hacktivists for DDoSing govt sites
Fraud, Scams and Financial Crime
PayPal Data Breach Led to Fraudulent Transactions - SecurityWeek
Fraud Investigation Reveals Sophisticated Python Malware - Infosecurity Magazine
International operation dismantles fraud network, €400,000 seized - Help Net Security
I'm a tech pro and an AI job scam almost fooled me - here's what gave it away | ZDNET
Manipulating AI memory for profit: The rise of AI Recommendation Poisoning | Microsoft Security Blog
Threat Actors Using Fake Avast Website to Harvest Users Credit Card Details
Virgin Media O2 Warn Customers to Watch Out for Fake 5G SIM Upgrade Emails - ISPreview UK
Hackers use this tool to bypass fraud detection and weaponize Google ads | Mashable
The latest delivery scam has 'carriers' calling to return your phone - don't fall for it | ZDNET
Identity and Access Management
When identity isn’t the weak link, access still is
Insider Risk and Insider Threats
Cost of Insider Incidents Surges 20% to Nearly $20m - Infosecurity Magazine
Ex-L3Harris exec jailed for selling zero-days to Russian exploit broker
Defense Contractor Employee Jailed for Selling 8 Zero-Days to Russian Broker
Insurance
Internet of Things – IoT
Security vulnerabilities in Tesla's Model 3 and Cybertruck reveal how connected cars can be hacked
Law Enforcement Action and Take Downs
Ex-Google engineers accused of swiping chip security secrets • The Register
Defense Contractor Employee Jailed for Selling 8 Zero-Days to Russian Broker
International operation dismantles fraud network, €400,000 seized - Help Net Security
Suspected Anonymous members cuffed in Spain over DDoS attack • The Register
Police seize 100,000 stolen Facebook credentials in cybercrime raid - Help Net Security
Linux and Open Source
Open-source security debt grows across commercial software - Help Net Security
Malvertising
Hackers use this tool to bypass fraud detection and weaponize Google ads | Mashable
Malware
Fraud Investigation Reveals Sophisticated Python Malware - Infosecurity Magazine
Multiple Hacking Groups Exploit OpenClaw Instances to Steal API key and Deploy Malware
Malicious OpenClaw Skills Used to Distribute Atomic MacOS Stealer | Trend Micro (US)
Fake troubleshooting tip on ClawHub leads to infostealer infection - Help Net Security
ClickFix Campaign Abuses Compromised Sites to Deploy MIMICRAT Malware
Russian hackers target European firms with new spear-phishing cyberattacks | TechRadar
New malware-as-a-service fronts as legit RMM provider | SC Media
Criminals create business website to sell RAT disguised as RMM tool - Help Net Security
Fake Zoom update covertly installs spy tool | Cybernews
Don’t trust TrustConnect: This fake remote support tool only helps hackers | CSO Online
Shai-Hulud-Like Worm Targets Developers via npm and AI Tools - Infosecurity Magazine
MuddyWater Targets Orgs With Fresh Malware Amid Rising Tensions
Mobile
The Growing Risk of Malicious Apps in a Mobile-First Workplace - Security Boulevard
Android malware uses Google’s own Gemini AI to adapt in real time - Android Authority
Predator spyware hooks iOS SpringBoard to hide mic, camera activity
How To Prevent Your Smartphone From Spying On Your Activities
Researchers flag Samsung Tizen OS weakness | Cybernews
Virgin Media O2 Warn Customers to Watch Out for Fake 5G SIM Upgrade Emails - ISPreview UK
How to protect yourself from SIM swapping
Android mental health apps with 14.7M installs filled with security flaws
Models, Frameworks and Standards
Passwords, Credential Stuffing & Brute Force Attacks
The 25 Most Vulnerable Passwords of 2026 | Security Magazine
Every day in every way, passwords are getting worse • The Register
The Real Initial Access Vector: Compromised Active Directory Credentials - Security Boulevard
Too many users are reusing passwords: Cybersecurity dangers revealed - Digital Journal
Police seize 100,000 stolen Facebook credentials in cybercrime raid - Help Net Security
Do NOT use AI-generated passwords, security experts warn | PCWorld
Regulations, Fines and Legislation
National Crime Agency calls for ‘whole-system approach’ to tech-enabled abuse – PublicTechnology
ICO wins battle in fight to fine tech retailer £500k • The Register
UK fines Reddit $19 million for using children’s data unlawfully
US cybersecurity agency CISA reportedly in dire shape amid Trump cuts and layoffs | TechCrunch
Across party lines and industry, the verdict is the same: CISA is in trouble | CyberScoop
Social Media
Police seize 100,000 stolen Facebook credentials in cybercrime raid - Help Net Security
I'm a tech pro and an AI job scam almost fooled me - here's what gave it away | ZDNET
Discord postpones global age verification rollout | AP News
UK fines Reddit $19 million for using children’s data unlawfully
Supply Chain and Third Parties
Group-IB High-Tech Crime Trends Report 2026: Supply Chain Attacks Emerge as Top Global Cyber Threat
Shai-Hulud-Like Worm Targets Developers via npm and AI Tools - Infosecurity Magazine
Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity
Cyber Warfare and Cyber Espionage
Disrupting the GRIDTIDE Global Cyber Espionage Campaign | Google Cloud Blog
Awareness of Russian threat growing in EU, says MEP
Nation State Actors
Nation state hackers fail to gain edge with AI, OpenAI report finds - Cryptopolitan
UAE foils AI-powered 'terrorist cyber attacks' on vital sectors | The National
China
Google Disrupts UNC2814 GRIDTIDE Campaign After 53 Breaches Across 42 Countries
Google and friends disrupt suspected Beijing espionage op • The Register
Anthropic Says Chinese AI Firms Used 16 Million Claude Queries to Copy Model
Chinese Police Use ChatGPT to Smear Japan PM Takaichi
Taiwan Security Firm Confirms Flaw Flagged by CISA Likely Exploited by Chinese APTs - SecurityWeek
Russia
Awareness of Russian threat growing in EU, says MEP
UAC-0050 Targets European Financial Institution With Spoofed Domain and RMS Malware
Russian hackers target European firms with new spear-phishing cyberattacks | TechRadar
Russian Cyber Threat Actor Uses GenAI to Compromise Fortinet Firewalls - Infosecurity Magazine
The US expanded its sanctions list against Russia due to cybersecurity threats | УНН
Defense Contractor Employee Jailed for Selling 8 Zero-Days to Russian Broker
North Korea
Iran
MuddyWater Targets Orgs With Fresh Malware Amid Rising Tensions
Ex-Google engineers accused of swiping chip security secrets • The Register
Tools and Controls
Criminals create business website to sell RAT disguised as RMM tool - Help Net Security
Fake Zoom update covertly installs spy tool | Cybernews
Identity-First AI Security: Why CISOs Must Add Intent to the Equation
AI gets good at finding bugs, not as good at fixing them • The Register
When identity isn’t the weak link, access still is
Why Most Breaches Happen After Launch: SaaS Security Testing Best Practices - Security Boulevard
Why the shift left dream has become a nightmare for security and developers
What Is Zero Trust Security? A Plain-English Guide - Security Boulevard
Taiwan Security Firm Confirms Flaw Flagged by CISA Likely Exploited by Chinese APTs - SecurityWeek
Shai-Hulud-Like Worm Targets Developers via npm and AI Tools - Infosecurity Magazine
AI coding assistant Cline compromised, installs OpenClaw • The Register
Cline CLI 2.3.0 Supply Chain Attack Installed OpenClaw on Developer Systems
Major 'vibe-coding' platform Orchids is easily hacked, researcher finds - BBC News
Cyber: the dangers of agents and vibe coding | ICAEW
LLM firewalls emerge as a new AI security layer | TechTarget
Other News
The FBI Says These Wi-Fi Routers Are Unsafe, And Here's Why
Cyber-attacks may disrupt smart factories by targeting time | University of East London
“The automotive industry will eventually wake up to cyber attacks. It's a pandemic th | Ctech
Emerging Chiplet Designs Spark Fresh Cybersecurity Challenges
Enigma Cipher Device Still Holds Secrets for Cyber Pros
Vulnerability Management
AI gets good at finding bugs, not as good at fixing them • The Register
Organizations, MSSPs Need to Mind the Gaps in Their Security: Barracuda | MSSP Alert
Ex-L3Harris exec jailed for selling zero-days to Russian exploit broker
Microsoft extends security patching for three Windows products at a price - Help Net Security
Vulnerabilities
AI-Assisted Threat Actor Compromises 600+ FortiGate Devices in 55 Countries
Cisco Patches Catalyst SD-WAN Zero-Day Exploited by Highly Sophisticated Hackers - SecurityWeek
Cisco SD-WAN Zero-Day CVE-2026-20127 Exploited Since 2023 for Admin Access
Claude's collaboration tools allowed remote code execution • The Register
BeyondTrust Flaw Used for Web Shells, Backdoors, and Data Exfiltration
BeyondTrust Vulnerability Exploited in Ransomware Attacks - SecurityWeek
CISA gives feds 3 days to patch actively exploited Dell bug • The Register
Attackers Use New Tool to Scan for React2Shell Exposure
SolarWinds Patches 4 Critical Serv-U 15.5 Flaws Allowing Root Code Execution
VMware Aria Operations flaws could enable remote attacks
Major 'vibe-coding' platform Orchids is easily hacked, researcher finds - BBC News
Researchers flag Samsung Tizen OS weakness | Cybernews
Recent RoundCube Webmail Vulnerability Exploited in Attacks - SecurityWeek
Critical Zyxel router flaw exposed devices to remote attacks
Android mental health apps with 14.7M installs filled with security flaws
Critical Grandstream Phone Vulnerability Exposes Calls to Interception - SecurityWeek
RoguePilot Flaw in GitHub Codespaces Enabled Copilot to Leak GITHUB_TOKEN
CISA Confirms Active Exploitation of FileZen CVE-2026-25108 Vulnerability
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime & Shipping
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
Contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to external articles are provided for general interest and awareness only. Linking to or reposting external content does not constitute endorsement of or by any organisation, service, or product. We do not control and are not responsible for the content, security, or availability of external websites or links. Full credit is given to the original authors and sources. E&OE.
Black Arrow Cyber Threat Intelligence Briefing 20 February 2026
Black Arrow Cyber Threat Intelligence Briefing 20 February 2026:
-New Phishing Campaign Tricks Employees into Bypassing Microsoft 365 MFA
-Microsoft Patches Security Flaw That Exposed Confidential Emails to AI
-SMEs Wrong to Assume They Won’t Be Hit by Cyber-Attacks, NCSC Boss Warns
-One Stolen Credential Is All It Takes to Compromise Everything
-Ukrainian Sentenced to 5 Years in Prison for Facilitating North Korean Remote Worker Scheme
-1,500 Percent Increase in New, Unique Malware Highlights Growing Complexity
-A Worrying Dell Zero-Day Flaw Has Reportedly Gone Unpatched for Nearly Two Years – and Chinese Hackers Are Taking Advantage
-AI Agents Abound, Unbound by Rules or Safety Disclosures
-‘An All-Time High’: Number of Ransomware Groups Exploded in 2025 As Victim Growth Rate Doubled – With Qilin Dominating the Landscape
-Ransomware Hackers Targeting Employee Monitoring Software to Access Computers
-Low-Skilled Cybercriminals Use AI to Perform "Vibe Extortion" Attacks
-Europe Must Adapt to ‘Permanent’ Cyber and Hybrid Threats, Sweden Warns
Welcome to this week’s Black Arrow Cyber Threat Intelligence Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Executive Summary
There is a significant new attack technique against organisations that use Microsoft 365, bypassing MFA, and Microsoft has also recently fixed a flaw in Copilot Chat that compromised confidential emails. We report on these developments for the attention of business leaders, as well as a government alert on attacks against small and medium sized businesses, and the risks posed when user access is not appropriately managed.
The North Korean military continues to pose as civilians hired by organisations, and a high number of new malware variants are being delivered over encrypted web traffic, making inspection necessary to reliably identify and block them. As in previous weeks, we include information on how attackers are using AI to develop their techniques and malware.
While cyber security risks can be varied, the solution is consistently clear. Business leaders should undertake an impartial assessment of their risks against their information and systems, and ensure they have appropriate controls to manage those risks. It is important not to rely on the standard offerings of control providers such as IT, which is why business leaders should upskill on the fundamentals of cyber risk management from impartial experts. Contact us to discuss how to achieve this in a proportionate manner.
Top Cyber Stories of the Last Week
New Phishing Campaign Tricks Employees into Bypassing Microsoft 365 MFA
A new phishing campaign is bypassing Microsoft 365 multi factor authentication by tricking employees into approving a login for a hacker’s device on a genuine Microsoft sign-in page. Emails posing as payment requests, bonus documents or voicemails prompt users to enter a ‘secure authorisation’ code, which actually grants an access token that can keep an attacker signed into services such as Outlook, Teams and OneDrive without repeated login checks. Leaders should ensure only approved applications and devices can be connected, limit unnecessary device sign-ins, and reinforce user awareness of unexpected login prompts, even on trusted domains.
Microsoft Patches Security Flaw That Exposed Confidential Emails to AI
Microsoft has fixed a flaw in Copilot Chat that allowed the AI to summarise confidential emails without proper permission, bypassing controls designed to stop sensitive company information being shared with large language models. The issue, present since late January and patched in early February, affected emails in users’ Sent Items and Drafts even when marked as confidential. The incident reflects wider concerns about AI tools handling organisational data, with Microsoft reporting that over 80% of Fortune 500 firms are deploying AI agents, but only 47% say they have the security controls needed to manage them safely.
SMEs Wrong to Assume They Won’t Be Hit by Cyber-Attacks, NCSC Boss Warns
The UK NCSC chief Richard Horne has warned that small and medium sized businesses should not assume they are too small to face a cyber attack. Many attackers are not chasing big names; they look for easy opportunities where basic protections are missing, and the impact can be severe. Horne urged SMEs to adopt basic cyber controls including the secure set up of devices, controls on who can access systems, protection against malicious software, timely security updates, and firewalls. The NCSC has also highlighted rising cyber threats in its latest annual review.
https://www.infosecurity-magazine.com/news/sme-cyber-attack-threat-ncsc/
One Stolen Credential Is All It Takes to Compromise Everything
A research report on more than 750 investigations shows how a single stolen login can rapidly open the door to multiple parts of an organisation. Identity weaknesses featured in almost 90% of cases, with attacks often spanning endpoints, networks, cloud services and software as a service platforms. Cloud access is a particular concern: analysis of over 680,000 cloud identities found 99% had excessive permissions, including access unused for 60 days. Attack speed is also rising, with the fastest quarter reaching data exfiltration in 72 minutes, down from 285 minutes in 2024.
https://www.helpnetsecurity.com/2026/02/18/identity-based-cyberattacks-compromise/
Ukrainian Sentenced to 5 Years in Prison for Facilitating North Korean Remote Worker Scheme
US authorities have sentenced Ukrainian national Oleksandr Didenko to five years in prison for helping North Korean operatives secure remote IT jobs at 40 American companies. Over six years, he stole identities, created more than 2,500 fraudulent online accounts, and ran laptop farms in several US states so workers could appear to be based locally. Officials say the operatives earned hundreds of thousands of dollars, with payments helping fund North Korea’s weapons programmes.
https://cyberscoop.com/doj-ukrainian-north-korea-remote-worker-scheme-facilitator-sentenced/
1,500 Percent Increase in New, Unique Malware Highlights Growing Complexity
WatchGuard threat intelligence shows a sharp rise in malicious software, with new variants increasing each quarter in 2025 and jumping 1,548% from Q3 to Q4. Nearly a quarter of detected malware bypassed traditional signature checks, meaning it was effectively new and unknown to defenders. Most blocked malware is now delivered over encrypted (TLS) internet traffic, which can hide threats unless organisations inspect encrypted web traffic. While ransomware activity fell 68% percent year-on-year, record extortion payments suggest fewer but more costly cyber-attacks, underlining the need for layered, proactive cyber security.
A Worrying Dell Zero-Day Flaw Has Reportedly Gone Unpatched for Nearly Two Years – and Chinese Hackers Are Taking Advantage
Dell has patched a critical weakness in RecoverPoint for Virtual Machines (a Dell disaster recovery product for VMware and Hyper-V) where login details were mistakenly left in the software. Google and Mandiant report the flaw was exploited as a previously unknown issue from mid-2024 by a China-linked group, giving attackers unauthorised access and long term control at the highest system level. The group used a new Grimbolt backdoor and a stealth technique to move between systems and stay hidden.
AI Agents Abound, Unbound by Rules or Safety Disclosures
A review of 30 AI agents found rapid growth without clear, consistent safety disclosure. Of the 13 agents showing very high autonomy, only four publicly share any safety evaluation, while 25 provide no detail on safety testing and 23 offer no independent test data. Most of the AI agents reviewed do not publish their underlying code, offering limited independent visibility into how they operate. Many depend on a small number of underlying models from Anthropic, Google and OpenAI, creating complex shared responsibility. Researchers warn some agents ignore signals when sites do not permit automated access.
https://www.theregister.com/2026/02/20/ai_agents_abound_unbound_by/
‘An All-Time High’: Number of Ransomware Groups Exploded in 2025 As Victim Growth Rate Doubled – With Qilin Dominating the Landscape
Searchlight Cyber reports that ransomware reached record levels in 2025, with 7,458 organisations listed on ransomware leak sites and the victim growth rate doubling since 2024. The US was hardest hit with 1,536 disclosed victims, while the UK reported 131. Behind these figures is a fast growing criminal marketplace: 124 active groups operated in 2025, including 73 newcomers, helped by ransomware as a service, where criminals can buy ready made tools and share profits. Artificial intelligence is also being used to create more convincing scam messages that trick staff into clicking.
Ransomware Hackers Targeting Employee Monitoring Software to Access Computers
Huntress has identified two recent attempted ransomware incidents where attackers misused employee monitoring software and an IT remote support tool to gain and maintain access to corporate systems. By blending in with legitimate administrative software, the criminals made their activity harder to spot and ultimately attempted to deploy ransomware. This matters because such monitoring tools are widely used, with around a third of UK firms and roughly 60% of US firms using them, expanding organisations’ exposure. The underlying issues were weak access controls, including compromised VPN accounts.
Low-Skilled Cybercriminals Use AI to Perform "Vibe Extortion" Attacks
Even low skilled criminals are using AI writing tools to run convincing extortion campaigns, a tactic dubbed “vibe extortion”. This matters because AI can enable low skilled attackers to create attacks that sound polished and urgent. Researchers have seen attackers begin searching for newly disclosed weaknesses within 15 minutes of them being announced, and in some cases reduce work that previously took three to four weeks to under 25 minutes. Leaders should prioritise rapid patching, stronger checks for sensitive requests, and tighter control of business AI systems.
https://www.infosecurity-magazine.com/news/cybercriminals-ai-vibe-extortion/
Europe Must Adapt to ‘Permanent’ Cyber and Hybrid Threats, Sweden Warns
Sweden is warning that cyber and hybrid threats, where cyber attacks are combined with economic pressure and influence campaigns designed to erode public trust, are becoming a permanent part of Europe’s security landscape. Speaking at the Munich Cyber Security Conference, a senior Swedish defence official said organisations and governments must plan to operate through sustained disruption, not treat incidents as rare. Sweden is responding through its ‘total defence’ approach, rebuilding civil defence, strengthening national cyber security, and improving coordination through Sweden’s National Cyber Security Centre. The aim is credible deterrence through resilience, supported by closer public and private sector collaboration.
https://therecord.media/sweden-cyber-threats-europe-permanent
Governance, Risk and Compliance
SMEs Wrong to Assume They Won’t Be Hit by Cyber-Attacks: NCSC Boss War - Infosecurity Magazine
UK.gov launches cyber 'lockdown' campaign as 80% of orgs hit • The Register
Attackers keep finding the same gaps in security programs - Help Net Security
Discipline is the new power move in cybersecurity leadership | CSO Online
Cyber attacks enabled by basic failings, Palo Alto analysis finds | CSO Online
With CISOs stretched thin, re-envisioning enterprise risk may be the only fix | CSO Online
Threats
Ransomware, Extortion and Destructive Attacks
Why Ransomware Remains One of Cybersecurity’s Most Persistent Threats - Infosecurity Magazine
Ransomware attacks up almost 50 percent in 2025 - BetaNews
LockBit 5.0 ransomware expands its reach across Windows, Linux, and ESXi - Help Net Security
The UK’s Ransomware Strategy: What the UK Government’s Response Signals | Goodwin - JDSupra
Record Number of Ransomware Victims and Groups in 2025 - Infosecurity Magazine
Ransomware gangs are using employee monitoring software as a springboard for cyber attacks | IT Pro
Washington Hotel in Japan discloses ransomware infection incident
Polish authorities arrest alleged Phobos ransomware affiliate | CyberScoop
Negotiating with hackers: The AI in ransomware response
Ransomware Victims
Fintech firm Figure disclosed data breach after employee phishing attack
ShinyHunters allegedly drove off with 1.7M CarGurus records • The Register
Phishing & Email Based Attacks
Best-in-Class 'Starkiller' Phishing Kit Bypasses MFA
New phishing campaign tricks employees into bypassing Microsoft 365 MFA – Computerworld
Phishing campaign chains old Office flaw with fileless XWorm RAT to evade detection | CSO Online
Spam Campaign Abuses Atlassian Jira, Targets Government and Corporate Entities | Trend Micro (US)
Microsoft: Anti-phishing rules mistakenly blocked emails, Teams messages
Phishing via Google Tasks | Kaspersky official blog
Fintech firm Figure disclosed data breach after employee phishing attack
Other Social Engineering
Snail mail letters target Trezor and Ledger users in crypto-theft attacks
Pastebin comments push ClickFix JavaScript attack to hijack crypto swaps
ClickFix added nslookup commands to its arsenal for downloading RATs - Security Boulevard
Hackers Use Fake CAPTCHA To Infect Windows PCs - gHacks Tech News
2FA/MFA
Best-in-Class 'Starkiller' Phishing Kit Bypasses MFA
Ongoing Campaign Targets Microsoft 365 to Steal OAuth Tokens and Gain Persistent Access
New phishing campaign tricks employees into bypassing Microsoft 365 MFA – Computerworld
Artificial Intelligence
Microsoft: Anti-phishing rules mistakenly blocked emails, Teams messages
Agentic AI is a priority for 87 percent of security teams - BetaNews
Why are experts sounding the alarm on AI risks? | Cybercrime News | Al Jazeera
Low-Skilled Cybercriminals Use AI to Perform “Vibe Extortion” Attacks - Infosecurity Magazine
Microsoft Patches Security Flaw That Exposed Confidential Emails to AI - Security Boulevard
AI agents abound, unbound by rules or safety disclosures • The Register
What CISOs need to know about the OpenClaw security nightmare | CSO Online
Microsoft Finds “Summarize with AI” Prompts Manipulating Chatbot Recommendations
Infostealer Targets OpenClaw to Loot Victim’s Digital Life - Infosecurity Magazine
Meta and Other Tech Firms Put Restrictions on Use of OpenClaw Over Security Fears | WIRED
PromptSpy: First Android malware to use generative AI in its execution flow - Help Net Security
Researchers Show Copilot and Grok Can Be Abused as Malware C2 Proxies
API Threats Grow in Scale as AI Expands the Blast Radius - SecurityWeek
Why ‘secure-by-design’ systems are non-negotiable in the AI era | CyberScoop
Over-Privileged AI Drives 4.5 Times Higher Incident Rates - Infosecurity Magazine
Scam Abuses Gemini Chatbots to Convince People to Buy Fake Crypto
AI platforms can be abused for stealthy malware communication
Security at AI speed: The new CISO reality - Help Net Security
UK sets course for stricter AI chatbot regulation - Help Net Security
Ireland now also investigating X over Grok-made sexual images
Turning Moltbook Into a Global Botnet Map
When Cybersecurity Breaks at Scale: What 2026 Will Expose
Safe and Inclusive E‑Society: How Lithuania Is Bracing for AI‑Driven Cyber Fraud
Bots/Botnets
Cloud/SaaS
Phishing via Google Tasks | Kaspersky official blog
CTM360: Lumma Stealer and Ninja Browser malware campaign abusing Google Groups
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Snail mail letters target Trezor and Ledger users in crypto-theft attacks
What Is Cryptojacking? How to Check That Your Computer Isn't Infected
Scam Abuses Gemini Chatbots to Convince People to Buy Fake Crypto
Pastebin comments push ClickFix JavaScript attack to hijack crypto swaps
Crypto Payments to Human Traffickers Surges 85% - Infosecurity Magazine
Cryptojacking Campaign Exploits Driver to Boost Monero Mining - Infosecurity Magazine
Cyber Crime, Organised Crime & Criminal Actors
More Than 40% of South Africans Were Scammed in 2025
Men sentenced to 8 years in $1.3 million computer intrusion and tax fraud scheme - Help Net Security
Nigerian man gets eight years in prison for hacking tax firms
Red Card 2.0: INTERPOL busts scam networks across Africa, seizes millions
RAT disguised as an RMM costs crims $300 a month • The Register
Glendale man gets 5 years in prison for role in darknet drug ring
Nigerian man sentenced to 8 years in prison for running phony tax refund scheme | CyberScoop
On The Front Lines Of Cybercrime – Eurasia Review
Data Breaches/Leaks
French Ministry confirms data access to 1.2 Million bank accounts
'Your data is public': Hacker warns victims after leaking 6.8 billion emails online | TechRadar
Over 300 Malicious Chrome Extensions Caught Leaking or Stealing User Data - SecurityWeek
Data breach at fintech firm Figure affects nearly 1 million accounts
Betterment data breach might be worse than we thought - Security Boulevard
Millions of passwords and Social Security numbers exposed
Exposed Database Was Storing More Than 1 Billion Social Security Numbers
Hackers sell stolen Eurail traveler information on dark web
Adidas investigates third-party data breach • The Register
Fintech firm Figure disclosed data breach after employee phishing attack
Canada Goose investigating as hackers leak 600K customer records
Dutch cops arrest man after sending him confidential files • The Register
53% of Gen Z were warned by retailers that their data was compromised - Retail Gazette
Hotel hacker paid 1 cent for luxury rooms, Spanish cops say • The Register
Asahi cyberattack: leak of over 110,000 personal records confirmed - Just Food
Washington Hotel in Japan discloses ransomware infection incident
Louis Vuitton, Dior, and Tiffany fined $25 million over data breaches
Sex toys maker Tenga says hacker stole customer information | TechCrunch
Data/Digital Sovereignty
Washington pushes back against EU’s bid for tech autonomy – POLITICO
Denial of Service/DoS/DDoS
German Rail Giant Deutsche Bahn Hit by Large-Scale DDoS Attack - SecurityWeek
Encryption
Quantum security is turning into a supply chain problem - Help Net Security
Your encrypted data is already being stolen - Help Net Security
Fraud, Scams and Financial Crime
Revealed: 95 billion scam adverts shown to Britons on social media last year | The Independent
More Than 40% of South Africans Were Scammed in 2025
Men sentenced to 8 years in $1.3 million computer intrusion and tax fraud scheme - Help Net Security
Red Card 2.0: INTERPOL busts scam networks across Africa, seizes millions
Scam Abuses Gemini Chatbots to Convince People to Buy Fake Crypto
Keenadu backdoor found preinstalled on Android devices, powers Ad fraud campaign
Nigerian man sentenced to 8 years in prison for running phony tax refund scheme | CyberScoop
Identity and Access Management
Identity is the new cyber attack surface | UKAuthority
Survey: Most Security Incidents Involve Identity Attacks - Security Boulevard
Unit 42: Nearly two-thirds of breaches now start with identity abuse | CyberScoop
Over-Privileged AI Drives 4.5 Times Higher Incident Rates - Infosecurity Magazine
Insider Risk and Insider Threats
Infosec exec sold eight zero-day exploit kits to Russia: DoJ • The Register
Internet of Things – IoT
Poland bans Chinese cars from military bases • The Register
Connected and Compromised: When IoT Devices Turn Into Threats
Amazon Scraps Partnership With Surveillance Company After Super Bowl Ad Backlash - SecurityWeek
Apple privacy labels often don't match what Chinese smart home apps do - Help Net Security
Critical infra Honeywell CCTVs vulnerable to auth bypass flaw
Law Enforcement Action and Take Downs
Men sentenced to 8 years in $1.3 million computer intrusion and tax fraud scheme - Help Net Security
Nigerian man gets eight years in prison for hacking tax firms
Red Card 2.0: INTERPOL busts scam networks across Africa, seizes millions
Polish authorities arrest alleged Phobos ransomware affiliate | CyberScoop
Former Google Engineers Indicted Over Trade Secret Transfers to Iran
Nigerian man sentenced to 8 years in prison for running phony tax refund scheme | CyberScoop
Dutch cops arrest man after sending him confidential files • The Register
Glendale man gets 5 years in prison for role in darknet drug ring
Linux and Open Source
LockBit 5.0 ransomware expands its reach across Windows, Linux, and ESXi - Help Net Security
Everyone uses open source, but patching still moves too slowly - Help Net Security
Open source registries underfunded as security costs rise • The Register
Malvertising
Threat Actors Exploit Claude Artifacts and Google Ads to Target macOS Users
Malware
1,500 percent increase in new, unique malware highlights growing complexity - BetaNews
Threat Actors Exploit Claude Artifacts and Google Ads to Target macOS Users
Over 300 Malicious Chrome Extensions Caught Leaking or Stealing User Data - SecurityWeek
RAT disguised as an RMM costs crims $300 a month • The Register
CTM360: Lumma Stealer and Ninja Browser malware campaign abusing Google Groups
Infostealer Targets OpenClaw to Loot Victim’s Digital Life - Infosecurity Magazine
Phishing campaign chains old Office flaw with fileless XWorm RAT to evade detection | CSO Online
OysterLoader Evolves With New C2 Infrastructure and Obfuscation - Infosecurity Magazine
New 'Foxveil' Malware Loader Leverages Cloudflare, Netlify, and Discord to Evade Detection
Remcos RAT Expands Real-Time Surveillance Capabilities - Infosecurity Magazine
Researchers Show Copilot and Grok Can Be Abused as Malware C2 Proxies
AI platforms can be abused for stealthy malware communication
ClickFix added nslookup commands to its arsenal for downloading RATs - Security Boulevard
Microsoft alerts on DNS-based ClickFix variant delivering malware via nslookup
Hackers Use Fake CAPTCHA To Infect Windows PCs - gHacks Tech News
New threat actor UAT-9921 deploys VoidLink against enterprise sectors
Cryptojacking Campaign Exploits Driver to Boost Monero Mining - Infosecurity Magazine
Google Ties Suspected Russian Actor to CANFAIL Malware Attacks on Ukrainian Orgs
RMM Abuse Explodes as Hackers Ditch Malware
Mobile
Keenadu backdoor found preinstalled on Android devices, powers Ad fraud campaign
PromptSpy: First Android malware to use generative AI in its execution flow - Help Net Security
New Keenadu Android Malware Found on Thousands of Devices - SecurityWeek
ZeroDayRAT spyware targets Android and iOS devices via commercial toolkit | CSO Online
Apple privacy labels often don't match what Chinese smart home apps do - Help Net Security
Public mobile networks are being weaponized for combat drone operations - Help Net Security
Google blocked over 1.75 million Play Store app submissions in 2025
Models, Frameworks and Standards
UK.gov launches cyber 'lockdown' campaign as 80% of orgs hit • The Register
When DORA Goes From Afterthought to Commercial Imperative - IT Security Guru
Businesses urged to “lock the door” on cyber criminals as new government campaign launches - GOV.UK
Cyber Resilience Act: The Fine Line Between SaaS and Digital Products | DLA Piper - JDSupra
EU eyes rollback of key privacy rules, GDPR| Cybernews
Breaking down NIS2: the five main requirements of the updated NIS Directive — Financier Worldwide
How the Cybersecurity and Resilience Bill could impact MSPs | ChannelPro
Passwords to passkeys: Staying ISO 27001 compliant in a passwordless era
Bulgaria's Cybersecurity Act Amendments: Key Changes 2026
Outages
Microsoft Teams outage affects users in United States, Europe
Passwords, Credential Stuffing & Brute Force Attacks
One stolen credential is all it takes to compromise everything - Help Net Security
French Ministry confirms data access to 1.2 Million bank accounts
Millions of passwords and Social Security numbers exposed
Exploitable Flaws Found in Cloud-Based Password Managers
Vulnerabilities in Password Managers Allow Hackers to Change Passwords - Infosecurity Magazine
Password managers' promise that they can't see your vaults isn't always true - Ars Technica
Regulations, Fines and Legislation
When DORA Goes From Afterthought to Commercial Imperative - IT Security Guru
The UK’s Ransomware Strategy: What the UK Government’s Response Signals | Goodwin - JDSupra
EU eyes rollback of key privacy rules, GDPR| Cybernews
Breaking down NIS2: the five main requirements of the updated NIS Directive — Financier Worldwide
How the Cybersecurity and Resilience Bill could impact MSPs | ChannelPro
UK to force social media to remove abusive pics in 48 hours • The Register
Louis Vuitton, Dior, and Tiffany fined $25 million over data breaches
UK sets course for stricter AI chatbot regulation - Help Net Security
Ireland now also investigating X over Grok-made sexual images
US appears open to reversing some China tech bans • The Register
US Reportedly Shelves Plan a Ban TP-Link Routers for Now | PCMag
Bulgaria's Cybersecurity Act Amendments: Key Changes 2026
CISA Navigates DHS Shutdown With Reduced Staff - SecurityWeek
Europe's social media ban wave | Cybernews
Social Media
Revealed: 95 billion scam adverts shown to Britons on social media last year | The Independent
UK to force social media to remove abusive pics in 48 hours • The Register
Europe's social media ban wave | Cybernews
Supply Chain and Third Parties
Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity
Cyber Warfare and Cyber Espionage
Google Links China, Iran, Russia, North Korea to Coordinated Defense Sector Cyber Operations
Google Ties Suspected Russian Actor to CANFAIL Malware Attacks on Ukrainian Orgs
The Law of Cyberwar is Pretty Discombobulated - Security Boulevard
Venezuela operation relied on little-known cyber center, official says - Breaking Defense
Nation State Actors
China
Google Links China, Iran, Russia, North Korea to Coordinated Defense Sector Cyber Operations
New threat actor UAT-9921 deploys VoidLink against enterprise sectors
If we can’t name China’s cyberattacks, we lose trust in ourselves | The Strategist
US appears open to reversing some China tech bans • The Register
US Reportedly Shelves Plan a Ban TP-Link Routers for Now | PCMag
Poland bans Chinese cars from military bases • The Register
US lawyers file privacy class action against Lenovo • The Register
FBI: Threats from Salt Typhoon are ‘still very much ongoing’ | CyberScoop
Texas sues TP-Link over China links and security vulns • The Register
China-linked crew embedded in US energy networks • The Register
Apple privacy labels often don't match what Chinese smart home apps do - Help Net Security
Russia
Google Links China, Iran, Russia, North Korea to Coordinated Defense Sector Cyber Operations
Google Ties Suspected Russian Actor to CANFAIL Malware Attacks on Ukrainian Orgs
Public mobile networks are being weaponized for combat drone operations - Help Net Security
Infosec exec sold eight zero-day exploit kits to Russia: DoJ • The Register
Poland Energy Survives Attack on Wind, Solar Infrastructure
First Starlink, Now Telegram: Russian War Bloggers Sound The Alarm
North Korea
Google Links China, Iran, Russia, North Korea to Coordinated Defense Sector Cyber Operations
Iran
Google Links China, Iran, Russia, North Korea to Coordinated Defense Sector Cyber Operations
Former Google Engineers Indicted Over Trade Secret Transfers to Iran
Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence
Venezuela operation relied on little-known cyber center, official says - Breaking Defense
Tools and Controls
RMM Abuse Explodes as Hackers Ditch Malware
LockBit 5.0 ransomware expands its reach across Windows, Linux, and ESXi - Help Net Security
Exploitable Flaws Found in Cloud-Based Password Managers
Vulnerabilities in Password Managers Allow Hackers to Change Passwords - Infosecurity Magazine
RAT disguised as an RMM costs crims $300 a month • The Register
Identity is the new cyber attack surface | UKAuthority
Survey: Most Security Incidents Involve Identity Attacks - Security Boulevard
Unit 42: Nearly two-thirds of breaches now start with identity abuse | CyberScoop
Microsoft: Anti-phishing rules mistakenly blocked emails, Teams messages
How the rise of the AI ‘agent boss’ is reshaping accountability in IT | IT Pro
Why ‘secure-by-design’ systems are non-negotiable in the AI era | CyberScoop
Ransomware gangs are using employee monitoring software as a springboard for cyber attacks | IT Pro
With CISOs stretched thin, re-envisioning enterprise risk may be the only fix | CSO Online
Microsoft Under Pressure to Bolster Defenses for BYOVD Attacks
Security professionals struggle to spot production risks - BetaNews
Microsoft alerts on DNS-based ClickFix variant delivering malware via nslookup
New ClickFix attack abuses nslookup to retrieve PowerShell payload via DNS
Flaws in popular VSCode extensions expose developers to attacks
Cybersecurity Requires Collective Resilience
Redefining risk management | IT Pro
How Security Operations Will Fundamentally Change in 2026
Spain orders NordVPN, ProtonVPN to block LaLiga piracy sites
Critical Grandstream VoIP Bug Highlights SMB Security Blind Spot
Other News
RMM Abuse Explodes as Hackers Ditch Malware
SMEs Wrong to Assume They Won’t Be Hit by Cyber-Attacks: NCSC Boss War - Infosecurity Magazine
Attackers keep finding the same gaps in security programs - Help Net Security
Dutch defense chief: F-35s can be jailbroken like iPhones • The Register
FBI Reports 1,900 ATM Jackpotting Incidents Since 2020, $20M Lost in 2025
Hotel hacker paid 1 cent for luxury rooms, Spanish cops say • The Register
Four new reasons why Windows LNK files cannot be trusted | CSO Online
Exclusive: US plans online portal to bypass content bans in Europe and elsewhere | Reuters
Vulnerability Management
Microsoft Under Pressure to Bolster Defenses for BYOVD Attacks
Everyone uses open source, but patching still moves too slowly - Help Net Security
Notepad++ boosts update security with ‘double-lock’ mechanism
Vulnerabilities
Dell's Hard-Coded Flaw: A Nation-State Goldmine
Phishing campaign chains old Office flaw with fileless XWorm RAT to evade detection | CSO Online
Vulnerabilities in Password Managers Allow Hackers to Change Passwords - Infosecurity Magazine
Exploitable Flaws Found in Cloud-Based Password Managers
One threat actor responsible for 83% of recent Ivanti RCE attacks
Critical Microsoft bug from 2024 under exploitation • The Register
Microsoft Patches CVE-2026-26119 Privilege Escalation in Windows Admin Center
PoC Released for Windows Notepad Vulnerability that Enables Malicious Command Execution
Flaws in popular VSCode extensions expose developers to attacks
Vulnerabilities in Popular PDF Platforms Allowed Account Takeover, Data Exfiltration - SecurityWeek
Critical Flaws Found in Four VS Code Extensions with Over 125 Million Installs
Windows 11 KB5077181 Securiuty Update Causing Some Devices to Restart in an Infinite Loop
Ivanti Exploitation Surges as Zero-Day Attacks Traced Back to July 2025 - SecurityWeek
Four new reasons why Windows LNK files cannot be trusted | CSO Online
Critical Grandstream VoIP Bug Highlights SMB Security Blind Spot
Critical infra Honeywell CCTVs vulnerable to auth bypass flaw
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime & Shipping
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
Contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to external articles are provided for general interest and awareness only. Linking to or reposting external content does not constitute endorsement of or by any organisation, service, or product. We do not control and are not responsible for the content, security, or availability of external websites or links. Full credit is given to the original authors and sources. E&OE.
Black Arrow Cyber Threat Intelligence Briefing 13 February 2026
Black Arrow Cyber Threat Intelligence Briefing 13 February 2026:
-‘Dead’ Outlook Add-In Hijacked to Phish 4,000 Microsoft Office Store Users
-30+ Chrome Extensions Disguised as AI Chatbots Steal Users’ API Keys, Emails, Other Sensitive Data
-Payroll Pirates Are Conning Help Desks to Steal Workers’ Identities and Redirect Paychecks
-Naming and Shaming: How Ransomware Groups Tighten the Screws on Victims
-LummaStealer Infections Surge After CastleLoader Malware Campaigns
-Devilish Devs Spawn 287 Chrome Extensions to Flog Your Browser History to Data Brokers
-AI Threat Modelling Must Include Supply Chain, Agents, and Human Risk
-Deepfake Fraud Taking Place on an Industrial Scale, Study Finds
-Supply Chain Attacks Now Fuel a ‘Self-Reinforcing’ Cybercrime Economy
-These 4 Critical AI Vulnerabilities Are Being Exploited Faster than Defenders Can Respond
-Those 'Summarise With AI' Buttons May Be Lying to You
-Which Cyber Security Terms Your Management Might Be Misinterpreting
-Follow the Code
Welcome to this week’s Black Arrow Cyber Threat Intelligence Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Executive Summary
We start this week with some actions for business leaders to address new and emerging threats including malicious Outlook add-ins and Chrome extensions disguised as AI chatbots, as well as an evolution of classic payroll fraud. We also report on how attackers, once in your system, are increasingly using data leak sites on the dark web to force victims to pay.
AI, as expected, is proving to be an escalating risk. We include a number of examples used by attackers including deepfake fraud, hidden instructions that manipulate AI, and data poisoning. AI is also empowering criminals to conduct traditional attacks more successfully. This information highlights that organisations to consider their entire ecosystem in their threat modelling to identify the necessary cyber controls, which should consider security as well as the minimum standards for regulatory compliance.
We finish with an article written by one of our Directors for the magazine of the Institute of Chartered Accountants of Scotland (ICAS), on the value of the UK Government’s Cyber Governance Code of Practice.
Contact us to discuss how to apply these insights in your security strategy in a pragmatic and proportionate manner.
Top Cyber Stories of the Last Week
‘Dead’ Outlook Add-In Hijacked to Phish 4,000 Microsoft Office Store Users
Researchers at Koi Security found that an abandoned Outlook add-in called AgreeTo was taken over and used to steal Microsoft account log-in details from around 4,000 users. The abandoned add‑in relied on an external website to load its content when used; the attacker took over that website and replaced it with a fake Microsoft login page to gain access to the user’s Outlook. This allowed the attacker to access the user’s emails by using previously granted permissions.
30+ Chrome Extensions Disguised as AI Chatbots Steal Users’ API Keys, Emails, Other Sensitive Data
More than 30 malicious Chrome extensions disguised as AI chatbot tools have been found stealing sensitive information from at least 260,000 users. The extensions share the same code and link back to a single operator in a campaign called AiFrame. Some use embedded web pages to mimic trusted tools, allowing them to harvest browsing data, login details, API keys, and even Gmail messages and drafts.
https://www.theregister.com/2026/02/12/30_chrome_extensions_ai/
Payroll Pirates Are Conning Help Desks to Steal Workers’ Identities and Redirect Paychecks
Binary Defense investigated a December 2025 incident where criminals redirected a physician’s salary by manipulating a help desk, exploiting people and weak internal processes rather than breaking through technical defences. After gaining access to a shared email mailbox, the attacker phoned the help desk, claimed they were locked out and needed urgent access, and persuaded staff to reset the password and multi-factor authentication. They then used the organisation’s own virtual desktop system so activity looked normal, accessed the Workday payroll platform, and changed bank details. This was only spotted when the physician was not paid.
https://www.theregister.com/2026/02/11/payroll_pirates_business_social_engineering/
Naming and Shaming: How Ransomware Groups Tighten the Screws on Victims
Ransomware groups are increasingly using data leak sites on the dark web to pressure organisations into paying, by stealing information and threatening to publish it publicly. These sites often release a small sample, such as emails or contracts, then use deadlines and public exposure to force rapid decisions, even before leaders have full clarity on what was taken. The impact can spread beyond the initial victim, with stolen data reused for fraud, phishing, and attacks on customers and partners. Paying a ransom does not guarantee recovery or confidentiality, and some victims are targeted again within months.
LummaStealer Infections Surge After CastleLoader Malware Campaigns
LummaStealer, a criminal malware‑as‑a‑service operation disrupted in May 2025 when authorities seized 2,300 malicious domains, is scaling up again. Activity resumed in July 2025 and grew sharply between December 2025 and January 2026. Infections are increasingly spread through ClickFix pages that show fake verification prompts and trick users into running a PowerShell command, which silently installs LummaStealer to capture passwords, browser data, and other sensitive information.
Devilish Devs Spawn 287 Chrome Extensions to Flog Your Browser History to Data Brokers
A security researcher has identified 287 Google Chrome extensions, with an estimated 37.4 million installations, that allegedly share users’ browsing histories with more than 30 organisations. Browsing history is a record of websites visited and can reveal sensitive interests or activities; even when anonymised, it can often be linked back to individuals. Many of the extensions present as harmless tools while requesting broad access that is not clearly justified, with privacy policies that may obscure how data is used. The findings highlight the need for tighter controls over browser add-ons and clearer user awareness.
https://www.theregister.com/2026/02/11/security_researcher_287_chrome_extensions_data_leak/
AI Threat Modelling Must Include Supply Chain, Agents, and Human Risk
Palo Alto Networks reports that 99% of organisations suffered at least one attack on an AI system in the past year, underscoring that AI risk is not solved by strengthening cloud infrastructure alone. Effective protection must cover the wider ecosystem including the third party software and data used to build and run AI, as well as the automated AI agents that can take actions on behalf of staff, and the people who approve changes. When agents have broad permissions, attackers can manipulate what they read and influence what they do without obvious signs of hacking. These risks can be better managed through strong governance, strict access controls and better monitoring.
https://cyberscoop.com/ai-threat-modeling-beyond-cloud-infrastructure-op-ed/
Deepfake Fraud Taking Place on an Industrial Scale, Study Finds
Deepfake fraud is now happening at industrial scale, with inexpensive AI tools making it easy to create convincing fake video and voice that impersonate trusted people such as journalists, politicians or company leaders. The AI Incident Database has logged more than a dozen recent cases, and researchers estimate fraud and manipulation have been the largest category of reported incidents in 11 of the past 12 months. The impact is real: a finance officer at a Singaporean multinational transferred nearly $500,000 after a fake video call, while UK consumers are estimated to have lost £9.4bn to fraud in the nine months to November 2025.
Supply Chain Attacks Now Fuel a ‘Self-Reinforcing’ Cybercrime Economy
Group-IB warns that criminals are increasingly using supply chain attacks as an industrial-scale route of entry into many organisations, by compromising trusted suppliers, service providers, or widely used software components. The report describes a self-reinforcing cycle where stolen login details and abused sign-in permissions are used to gain access to cloud business services; the attacker then moves across connected partners before deploying ransomware or extortion. Over the next year, Group-IB expects attacks to speed up through AI tools that scan suppliers. It is also expected that identity-based intrusions will increasingly replace traditional malware; these can be harder to spot because attackers appear to be legitimate users.
https://www.theregister.com/2026/02/12/supply_chain_attacks/
These 4 Critical AI Vulnerabilities Are Being Exploited Faster than Defenders Can Respond
Researchers warn that companies are rolling out AI faster than they can secure it, and several major weaknesses currently have no reliable fix. Attackers can manipulate AI agents to carry out cyber attacks, including tricking AI tools using hidden instructions, poisoning training data very cheaply, and using deepfake audio or video to impersonate executives. Studies show prompt‑based attacks work against 56% of large AI models, training data can be poisoned using just 250 malicious documents for about $60, and deepfake scams have already enabled major fraud.
https://www.zdnet.com/article/ai-security-threats-2026-overview/
Those 'Summarise With AI' Buttons May Be Lying to You
Microsoft has found that some ‘Summarise with AI’ buttons on websites hide instructions designed to influence the answers given by AI assistants. These hidden prompts can quietly steer the assistant toward recommending a particular company or source. Microsoft detected 50 such attempts across 31 companies in 14 industries, meaning senior decision makers could receive biased advice without realising it. This works by pre‑filling prompts and, in some cases, storing them using the assistant’s memory feature.
https://www.darkreading.com/cyber-risk/summarize-ai-buttons-may-be-lying
Which Cyber Security Terms Your Management Might Be Misinterpreting
Clear, shared language between the CISO and the Board is essential because common cyber security terms are often misunderstood, leading to misdirected spending and false confidence. Cyber risk is a business risk tied to continuity, financial loss, and reputation, not just an IT uptime issue. Compliance only proves minimum standards at a point in time and does not equal safety. Leaders should distinguish weaknesses from threats and the resulting business risk, and avoid assuming recovery plans alone cover a cyber attack. Zero-trust and cloud security also require long term process change, not a product purchase.
https://www.kaspersky.co.uk/blog/language-of-risk-key-cybersecurity-terms-for-the-board/30035/
Follow the Code
The UK government’s Cyber Governance Code of Practice is becoming an important framework for business leaders as cyber‑attacks rise. It contains clear actions to help achieve proportionate and evidence-based governance, avoiding ‘compliance theatre’. Leaders are expected to improve their own cyber literacy, understand the business impact of a cyber incident, and to challenge the evidence provided to them including from control providers in IT. Two high value elements are realistic incident rehearsals, and quarterly reviews of cyber metrics. The Code complements established cyber security frameworks and standards, and supports wider governance regimes. Boards are encouraged to discuss adopting the Code and to use specialist expertise to strengthen their oversight.
Governance, Risk and Compliance
Supply chain breaches fuel cybercrime cycle, report says • The Register
69% of CISOs open to career move — including leaving role entirely | CSO Online
Attackers are moving at machine speed, defenders are still in meetings - Help Net Security
Schrödinger's cat and the enterprise security paradox | CSO Online
Security in the Dark: Recognizing the Signs of Hidden Information - SecurityWeek
CISOs to pour 2026 budgets into AI as cybersecurity priorities shift | Ctech
Threats
Ransomware, Extortion and Destructive Attacks
Ransomware Groups May Pivot Back to Encryption as Data Theft Tactics Falter - SecurityWeek
Reynolds ransomware uses BYOVD to disable security before encryption
Naming and shaming: How ransomware groups tighten the screws on victims
Nitrogen’s ransomware can’t be decrypted — even by Nitrogen – DataBreaches.Net
Black Basta Ransomware Actors Embeds BYOVD Defense Evasion Component with Ransomware Payload Itself
Interlock Ransomware Actors New Tool Exploiting Gaming Anti-Cheat Driver 0-Day to Disable EDR and AV
Phorpiex Phishing Delivers Low-Noise Global Group Ransomware - Infosecurity Magazine
Attackers Weaponizing Windows Shortcut File to Deliver Global Group Ransomware
As ransomware recedes, a new more dangerous digital parasite rises | ZDNET
From Ransomware to Residency: Inside the Rise of the Digital Parasite
Crazy ransomware gang abuses employee monitoring tool in attacks
FTC warns poor cybersecurity leaves consumers open to ransomware | Cybernews
0APT ransomware group rises swiftly with bluster, along with genuine threat of attack | CyberScoop
Under-reporting masks scale of ransomware crisis, ESET warn
Italian university La Sapienza hit by massive IT outage
Ransomware Victims
Payments platform BridgePay confirms ransomware attack behind outage
BridgePay Confirms Ransomware Attack, No Card Data Compromised - Infosecurity Magazine
Phishing & Email Based Attacks
Surge in AI-Driven Phishing Attacks and QR Code Quishing in 2025 Spam and Phishing Report
Phorpiex Phishing Delivers Low-Noise Global Group Ransomware - Infosecurity Magazine
‘Dead’ Outlook add-in hijacked to phish 4,000 Microsoft Office Store users – Computerworld
Flickr moves to contain data exposure, warns users of phishing
Bloody Wolf Targets Uzbekistan, Russia Using NetSupport RAT in Spear-Phishing Campaign
Other Social Engineering
Surge in AI-Driven Phishing Attacks and QR Code Quishing in 2025 Spam and Phishing Report
Payroll pirates conned the help desk, stole employee’s pay • The Register
DPRK IT Workers Use Stolen LinkedIn Identities to Secure Remote Employment
EDR, Email, and SASE Miss This Entire Class of Browser Attacks
Digital squatters are weaponizing your muscle memory to steal passwords | Cybernews
State-sponsored cyber spies directly target defense industry employees across West | Cybernews
Dating online this Valentine’s Day? Here’s how to spot an AI romance scam - Digital Trends
A new wave of romance scams is washing across the internet—here's how to stay safe
2FA/MFA
Police arrest seller of JokerOTP MFA passcode capturing tool
Artificial Intelligence
Surge in AI-Driven Phishing Attacks and QR Code Quishing in 2025 Spam and Phishing Report
Deepfake fraud taking place on an industrial scale, study finds | Deepfake | The Guardian
Google says hackers are abusing Gemini AI for all attacks stages
42,900 OpenClaw Exposed Control Panels and Why You Should Care - Security Boulevard
These 4 critical AI vulnerabilities are being exploited faster than defenders can respond | ZDNET
30+ Chrome extensions disguised as AI chatbots steal secrets • The Register
Those 'Summarize With AI' Buttons May Be Lying to You
AI threat modeling must include supply chains, agents, and human risk | CyberScoop
Attackers are moving at machine speed, defenders are still in meetings - Help Net Security
OpenClaw's Gregarious Insecurities Make Safe Usage Difficult
Moltbook: Cutting Through the AI Hype to the Real Security Risks - IT Security Guru
AI agents behave like users, but don't follow the same rules - Help Net Security
Living off the AI: The Next Evolution of Attacker Tradecraft - SecurityWeek
North Korean Hackers Use Deepfake Video Calls to Target Crypto Firms - Infosecurity Magazine
Your AI browser is a cybersecurity threat you’re not prepared for
Security professionals express concern over OpenClaw - SD Times
Threat Actors Weaponize ChatGPT, Grok and Leverages Google Ads to Distribute macOS AMOS Stealer
Why your AI doctor doesn't follow HIPAA: The hidden risks of medical chatbots | CyberScoop
Cloud teams are hitting maturity walls in governance, security, and AI use - Help Net Security
Indian police commissioner wants ID cards for AI agents • The Register
AI hacking platform WormGPT has user data leaked, attackers claim | Cybernews
VoidLink Malware Exhibits Multi-Cloud Capabilities and AI Code - Infosecurity Magazine
Bots/Botnets
DDoS deluge: Brit biz battered by record botnet blitz • The Register
Kimwolf Botnet Swamps Anonymity Network I2P – Krebs on Security
New Linux botnet SSHStalker uses old-school IRC for C2 comms
Careers, Roles, Skills, Working in Cyber and Information Security
69% of CISOs open to career move — including leaving role entirely | CSO Online
Survey: Widespread Adoption of AI Hasn't Yet Reduced Cybersecurity Burnout - Security Boulevard
What happens when cybersecurity knowledge walks out the door - Help Net Security
Cloud/SaaS
AI threat modeling must include supply chains, agents, and human risk | CyberScoop
VoidLink Malware Exhibits Multi-Cloud Capabilities and AI Code - Infosecurity Magazine
TeamPCP Worm Exploits Cloud Infrastructure to Build Criminal Infrastructure
Sovereign infrastructure spend to triple in Europe as fifth of workloads stay local | IT Pro
EU capitals say deleting US tech is not realistic – POLITICO
Cloud teams are hitting maturity walls in governance, security, and AI use - Help Net Security
Security teams are paying for sprawl in more ways than one - Help Net Security
Why organizations need cloud attack surface management | TechTarget
The invisible breach: how SaaS supply chains became cybersecurity’s new weak link
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
North Korean Hackers Use Deepfake Video Calls to Target Crypto Firms - Infosecurity Magazine
Compromised dYdX npm and PyPI Packages Deliver Wallet Stealers and RAT Malware
North Korean hackers use new macOS malware in crypto-theft attacks
Cyber Crime, Organised Crime & Criminal Actors
Supply chain breaches fuel cybercrime cycle, report says • The Register
TeamPCP Worm Exploits Cloud Infrastructure to Build Criminal Infrastructure
Police arrest seller of JokerOTP MFA passcode capturing tool
On the Front Lines of Cybercrime - Africa Defense Forum
Data Breaches/Leaks
30+ Chrome extensions disguised as AI chatbots steal secrets • The Register
Handful of breaches expose most patient data in UK | Cybernews
UK blames legacy IT for incomplete data protection progress • The Register
Nearly 17,000 Volvo staff dinged in supplier breach • The Register
South Korea Blames Coupang Data Breach on Management Failure, Not Sophisticated Attack
Security researcher finds 287 Chrome extensions leaking data • The Register
Why your AI doctor doesn't follow HIPAA: The hidden risks of medical chatbots | CyberScoop
Odido data breach exposes personal info of 6.2 million customers
AI hacking platform WormGPT has user data leaked, attackers claim | Cybernews
Flickr Security Incident Tied to Third-Party Email System - SecurityWeek
European Governments Breached in Zero-Day Attacks Targeting Ivanti - Infosecurity Magazine
Budget leak bigger than thought, says NCSC - www.rossmartin.co.uk
Polish hacker charged seven years after massive Morele.net data breach
Fairphone denies any hack behind suspicious emails - Android Authority
Data Protection
UK blames legacy IT for incomplete data protection progress • The Register
Data/Digital Sovereignty
Sovereign infrastructure spend to triple in Europe as fifth of workloads stay local | IT Pro
EU capitals say deleting US tech is not realistic – POLITICO
Denial of Service/DoS/DDoS
DDoS deluge: Brit biz battered by record botnet blitz • The Register
Encryption
"Encrypt It Already" Campaign Pushes Big Tech on E2E Encryption
Fraud, Scams and Financial Crime
Deepfake fraud taking place on an industrial scale, study finds | Deepfake | The Guardian
Payroll pirates conned the help desk, stole employee’s pay • The Register
Fake Dubai Crown Prince tracked to Nigerian mansion after $2.5M romance scam
'Digital squatting' hits new levels as hackers target brand domains | TechRadar
Dating online this Valentine’s Day? Here’s how to spot an AI romance scam - Digital Trends
A new wave of romance scams is washing across the internet—here's how to stay safe
FTC warns poor cybersecurity leaves consumers open to ransomware | Cybernews
60% of Financial Cyberattacks Begin with Stolen Logins: UAE Cyber Security Council
Fugitive behind $73M 'pig butchering' scheme gets 20 years in prison
Identity and Access Management
Why identity recovery is now central to cyber resilience | CSO Online
Insider Risk and Insider Threats
AI threat modeling must include supply chains, agents, and human risk | CyberScoop
DPRK IT Workers Use Stolen LinkedIn Identities to Secure Remote Employment
Internet of Things – IoT
Hackers Are Targeting Your Smart Home. Here's How to Stop Them | PCMag
'Dodgy boxes': Irish homes warned after major global cyberattack targets Android-enabled TVs
What Organizations Need to Change When Managing Printers
Law Enforcement Action and Take Downs
Police arrest seller of JokerOTP MFA passcode capturing tool
Fugitive behind $73M 'pig butchering' scheme gets 20 years in prison
Dutch authorities seized one of Windscribe VPN's servers – here's everything we know | TechRadar
Polish hacker charged seven years after massive Morele.net data breach
Man pleads guilty to hacking nearly 600 women’s Snapchat accounts
Linux and Open Source
New Linux botnet SSHStalker uses old-school IRC for C2 comms
Malvertising
Social Media Platforms Earn Billions from Scam Ads - Infosecurity Magazine
Malware
‘Dead’ Outlook add-in hijacked to phish 4,000 Microsoft Office Store users – Computerworld
LummaStealer infections surge after CastleLoader malware campaigns
30+ Chrome extensions disguised as AI chatbots steal secrets • The Register
TeamPCP Worm Exploits Cloud Infrastructure to Build Criminal Infrastructure
Kimwolf Botnet Swamps Anonymity Network I2P – Krebs on Security
Shai-hulud: The Hidden Costs of Supply Chain Attacks
Over 1,800 Windows Servers Compromised by BADIIS Malware in Large-Scale SEO Poisoning Campaign
Compromised dYdX npm and PyPI Packages Deliver Wallet Stealers and RAT Malware
North Korean hackers use new macOS malware in crypto-theft attacks
VoidLink Malware Exhibits Multi-Cloud Capabilities and AI Code - Infosecurity Magazine
Threat Actors Weaponize ChatGPT, Grok and Leverages Google Ads to Distribute macOS AMOS Stealer
Cybercriminals Use Malicious Cybersquatting Attacks to Distribute Malware and Hijack Data
Malicious 7-Zip site distributes installer laced with proxy tool
Chinese-Made Malware Kit Targets Chinese-Based Edge Devices - Infosecurity Magazine
Sophisticated Cyber Attack Targets Wedding Industry With Teams-Based Malware Delivery
APT36 and SideCopy Launch Cross-Platform RAT Campaigns Against Indian Entities
Bloody Wolf Targets Uzbekistan, Russia Using NetSupport RAT in Spear-Phishing Campaign
RATs in the Machine: Inside a Pakistan-Linked Three-Pronged Cyber Assault on India - SecurityWeek
Misinformation, Disinformation and Propaganda
From disinformation to espionage – Russia’s hybrid actions against Poland
Mobile
Security teams are paying for sprawl in more ways than one - Help Net Security
Google says 1 billion Android users need to buy a new phone now - PhoneArena
Germany warns of Signal account hijacking targeting senior figures
ZeroDayRAT spyware grants attackers total access to mobile devices
Is spyware hiding on your phone? How to find out and remove it - fast | ZDNET
Fairphone denies any hack behind suspicious emails - Android Authority
Models, Frameworks and Standards
Outages
Microsoft 365 outage takes down admin center in North America
Passwords, Credential Stuffing & Brute Force Attacks
First Malicious Outlook Add-In Found Stealing 4,000+ Microsoft Credentials
60% of Financial Cyberattacks Begin with Stolen Logins: UAE Cyber Security Council
Digital squatters are weaponizing your muscle memory to steal passwords | Cybernews
Your router's default password is probably on a public database
Your browser extensions can see every password you type
Regulations, Fines and Legislation
Why your AI doctor doesn't follow HIPAA: The hidden risks of medical chatbots | CyberScoop
Cybersecurity Information Sharing Act of 2015 Reauthorized Through September 2026 – DataBreaches.Net
Social Media
Social Media Platforms Earn Billions from Scam Ads - Infosecurity Magazine
DPRK IT Workers Impersonating Individuals Using Real LinkedIn Accounts to Apply for Remote Roles
Man pleads guilty to hacking nearly 600 women’s Snapchat accounts
Discord Is Threatening To Restrict Your Account Unless You Provide ID And Facial Scans
Flickr moves to contain data exposure, warns users of phishing
TikTok under EU pressure to change its addictive algorithm - Help Net Security
Fears about TikTok’s policy changes point to a deeper problem in the tech industry
Supply Chain and Third Parties
AI threat modeling must include supply chains, agents, and human risk | CyberScoop
Supply chain breaches fuel cybercrime cycle, report says • The Register
Shai-hulud: The Hidden Costs of Supply Chain Attacks
Security teams are paying for sprawl in more ways than one - Help Net Security
Cloud teams are hitting maturity walls in governance, security, and AI use - Help Net Security
The invisible breach: how SaaS supply chains became cybersecurity’s new weak link
Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity
Cyber Warfare and Cyber Espionage
State-sponsored cyber spies directly target defense industry employees across West | Cybernews
Google Warns of 'Relentless' Cyber Siege on Defense Industry
State-sponsored hackers targeting defence sector employees, Google says | Espionage | The Guardian
EU Commission commits €347m to submarine cable security ...
Grey Zone Warfare - The Statesman
State spies snooping on Signal users, Germany warns | Cybernews
Singapore spent 11 months evicting suspected telco spies • The Register
Nation State Actors
German Agencies Warn of Signal Phishing Targeting Politicians, Military, Journalists
Hackers Linked to State Actors Target Signal Messages of Military Officials and Journalists
China
Google: China's APT31 used Gemini to plan US cyberattacks • The Register
Asian State-Backed Group TGR-STA-1030 Breaches 70 Government, Infrastructure Entities
Palo Alto Chose Not to Tie China to Hacking Campaign on Retaliation Fear: Sources
Chinese cyberspies breach Singapore's four largest telcos
Singapore spent 11 months evicting suspected telco spies • The Register
Senator doesn't trust telcos on Salt Typhoon mitigations • The Register
Chinese-Made Malware Kit Targets Chinese-Based Edge Devices - Infosecurity Magazine
China-Linked DKnife AitM Framework Targets Routers for Traffic Hijacking, Malware Delivery
8.7 billion records spilled: Inside the massive Chinese data leak | Cybernews
Russia
The world’s default productivity tool is becoming a national security liability | Computer Weekly
State-sponsored hackers targeting defence sector employees, Google says | Espionage | The Guardian
EU Commission commits €347m to submarine cable security ...
From disinformation to espionage – Russia’s hybrid actions against Poland
Thwarted Winter Olympics hack highlights growing cyber exposure for major events | Insurance Times
Bloody Wolf Targets Uzbekistan, Russia Using NetSupport RAT in Spear-Phishing Campaign
Top Putin General Vladimir Alexeyev Behind U.S. Election Meddling Shot in Moscow
Russia tries to block WhatsApp, Telegram in communication blockade
North Korea
DPRK IT Workers Impersonating Individuals Using Real LinkedIn Accounts to Apply for Remote Roles
North Korean Hackers Use Deepfake Video Calls to Target Crypto Firms - Infosecurity Magazine
North Korean hackers use new macOS malware in crypto-theft attacks
Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence
APT36 and SideCopy Launch Cross-Platform RAT Campaigns Against Indian Entities
RATs in the Machine: Inside a Pakistan-Linked Three-Pronged Cyber Assault on India - SecurityWeek
State-sponsored cyber spies directly target defense industry employees across West | Cybernews
Google Warns of 'Relentless' Cyber Siege on Defense Industry
State-sponsored hackers targeting defence sector employees, Google says | Espionage | The Guardian
Tools and Controls
Reynolds ransomware uses BYOVD to disable security before encryption
Survey: Widespread Adoption of AI Hasn't Yet Reduced Cybersecurity Burnout - Security Boulevard
Interlock Ransomware Actors New Tool Exploiting Gaming Anti-Cheat Driver 0-Day to Disable EDR and AV
Crazy ransomware gang abuses employee monitoring tool in attacks
Security in the Dark: Recognizing the Signs of Hidden Information - SecurityWeek
Dutch authorities seized one of Windscribe VPN's servers – here's everything we know | TechRadar
What Organizations Need to Change When Managing Printers
"Encrypt It Already" Campaign Pushes Big Tech on E2E Encryption
Microsoft Copilot Security Has a Blind Spot — And It’s at Runtime - Security Boulevard
Ransomware crews abuse bossware to blend into networks • The Register
CISOs to pour 2026 budgets into AI as cybersecurity priorities shift | Ctech
Organizations Urged to Replace Discontinued Edge Devices - SecurityWeek
Other News
NCSC Issues Warning Over “Severe” Cyber-Attacks Targeting CNI - Infosecurity Magazine
Cyberattacks emerges as “material transaction risk” for PE | Insurance Business
Cyber risk is becoming a hold-period problem for private equity firms - Help Net Security
European Commission Investigating Cyberattack - SecurityWeek
‘Prepare for blackouts’: Ed Miliband’s net zero revolution is a hacker’s dream
A case of when, not if – the reality of Cyber-attacks | London City Hall
Rising threats require a battle-tested electricity system for Europe, says Eurelectric report
How Emerging Threats Are Forcing A Reboot Of Defence Industrial Base Security Policy | Scoop News
Vulnerability Management
CVEs set to hit record high levels in 2026 - BetaNews
FIRST Forecasts Record-Breaking 50,000+ CVEs in 2026 - Infosecurity Magazine
Time to Exploit Plummets as N-Day Flaws Dominate - Infosecurity Magazine
New Data Tool Helps Orgs Prioritize Exploited Flaws Smarter
Google says 1 billion Android users need to buy a new phone now - PhoneArena
Upgrade Now: Microsoft Issues Security Warning to Those Still on Windows 10
Infosec researchers mull curious case of Telnet ancient flaw • The Register
Organizations Urged to Replace Discontinued Edge Devices - SecurityWeek
Vulnerabilities
Microsoft just patched 6 zero-days, but you might want to hold off updating - here's why | ZDNET
Over 60 Software Vendors Issue Security Fixes Across OS, Cloud, and Network Platforms
Chrome 145 Patches 11 Vulnerabilities - SecurityWeek
Cisco Meeting Management Vulnerability Let Remote Attacker Upload Arbitrary Files
F5 Patches Critical Vulnerabilities in BIG-IP, NGINX, and Related Products
SolarWinds Web Help Desk Exploited for RCE in Multi-Stage Attacks on Exposed Servers
Apple Patches iOS Zero-Day Exploited in 'Extremely Sophisticated Attack' - SecurityWeek
Apple Fixes Exploited Zero-Day Affecting iOS, macOS, and Apple Devices
Windows Notepad is now complex enough to have a serious security flaw | PCWorld
Windows 11 Notepad flaw let files execute silently via Markdown links
Microsoft begins Secure Boot certificate update for Windows devices - Help Net Security
Chipmaker Patch Tuesday: Over 80 Vulnerabilities Addressed by Intel and AMD - SecurityWeek
BeyondTrust warns of critical RCE flaw in remote support software
Fortinet Patches Critical SQLi Flaw Enabling Unauthenticated Code Execution
Critical Fortinet FortiClientEMS flaw allows remote code execution
Claude Desktop Extensions 0-Click RCE Vulnerability Exposes 10,000+ Users to Remote Attacks
Ivanti EPMM exploitation: Researchers warn of "sleeper" webshells - Help Net Security
83% of Ivanti EPMM Exploits Linked to Single IP on Bulletproof Hosting Infrastructure
Hackers breach SmarterTools network using flaw in its own software
Ransomware group breached SmarterTools via flaw in its SmarterMail deployment - Help Net Security
Dutch data watchdog caught up in Ivanti zero-day attacks • The Register
WordPress plugin with 900k installs vulnerable to critical RCE flaw
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime & Shipping
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
Contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to external articles are provided for general interest and awareness only. Linking to or reposting external content does not constitute endorsement of or by any organisation, service, or product. We do not control and are not responsible for the content, security, or availability of external websites or links. Full credit is given to the original authors and sources. E&OE.
Black Arrow Cyber Threat Intelligence Briefing 06 February 2026
Black Arrow Cyber Threat Intelligence Briefing 06 February 2026:
-From Clawdbot to OpenClaw: This Viral AI Agent Is Evolving Fast – and It’s Nightmare Fuel for Security Pros
-Why Moltbook Changes the Enterprise Security Conversation
-Beware of Weaponised Voicemail Messages Granting Hackers Remote Access to Your System
-Open the Wrong “PDF” and Attackers Gain Remote Access to Your PC
-AI Drives Doubling of Phishing Attacks in a Year
-Nitrogen Ransomware Is So Broken Even the Crooks Can’t Unlock Your Files
-The Human Layer of Security: Why People Are Still the Weakest Link in 2026
-What Is Cyber Risk Management and Why It Is Important for Businesses?
-The Growing Cyber Risk in Interconnected Supply Chains
-Over 75 Percent of Cyber Security Professionals Worry About AI Agent Risks
-Experts Show How Major UK Food Crisis Might Occur
Welcome to this week’s Black Arrow Cyber Threat Intelligence Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Executive Summary
A new evolving business threat has come to the fore, caused by autonomous AI assistants such as OpenClaw (aka Clawdbot and Moltbot), with significant and developing cyber risk considerations. In our summaries below, we also give details of other developing attack methods, including voicemail alerts and fake PDFs. AI, as predicted, is also escalating the dangers of phishing emails and is a concern for 75% of cyber professionals.
We also look at how employees and supply chains represent significant security weaknesses and how to address them, further underlining why cyber security is not a technology subject but instead requires coordinated risk management across the business.
To address these risks, leadership teams need to ensure their cyber knowledge comes from impartial experts, to take greater command of the risks and avoid the same blind spots as their control providers across people, operations and technology. Contact us to discuss how to achieve this in a proportionate manner.
Top Cyber Stories of the Last Week
From Clawdbot to OpenClaw: This Viral AI Agent Is Evolving Fast – and It’s Nightmare Fuel for Security Pros
OpenClaw, a fast growing open source personal AI assistant, shows how quickly AI tools could reshape cyber risk. It can connect to everyday apps like WhatsApp, email and calendars, and needs broad permissions to take actions on a user’s behalf. That access creates new routes for cyber attack, including fake downloads and scams, malicious add-ons, unsafe settings that leak passwords or access keys, and hidden instructions that trick the AI into harmful actions. Despite 34 recent security fixes, leaders should treat autonomous assistants as high risk until governance and controls mature.
https://www.zdnet.com/article/clawdbot-moltbot-openclaw-security-nightmare/
Why Moltbook Changes the Enterprise Security Conversation
A new risk is emerging as artificial intelligence agents begin talking to each other on social platforms such as Moltbook, often without ongoing human oversight. Once an employee sets an agent in motion, it can continue reading and posting online for long periods, creating a largely invisible route for sensitive information to leak, including source code, customer data, or internal project details. There is also an inbound threat where agents may absorb harmful instructions or links posted by others, influencing behaviour and decisions. Organisations should consider blocking such platforms by default, with tightly governed exceptions where needed.
https://securityboulevard.com/2026/02/why-moltbook-changes-the-enterprise-security-conversation/
Beware of Weaponised Voicemail Messages Granting Hackers Remote Access to Your System
A new “Voicemail Trap” campaign is using fake voicemail notifications to trick staff into handing criminals remote access to their devices. The messages often impersonate trusted financial organisations and direct recipients to convincing, bank themed websites. Victims are told to download an “audio update” to hear the message, but the file is a script that silently installs legitimate remote management software, allowing attackers persistent access to steal data or deploy further malware. Researchers observed 86 websites linked to this activity on 12 January 2026. Leaders should reinforce click caution and block untrusted download prompts.
https://cybersecuritynews.com/beware-of-weaponized-voicemail-messages/
Open the Wrong “PDF” and Attackers Gain Remote Access to Your PC
A phishing campaign known as DEAD#VAX is tricking staff into opening what looks like a normal PDF invoice or purchase order, but is actually a virtual hard disk file. When opened, Windows mounts it as a new drive and runs a hidden script that installs AsyncRAT, giving attackers remote access and the ability to monitor and control the PC. Because the malicious code runs in memory and hides inside trusted Microsoft processes, it can be harder for security tools and later investigation to spot. This can lead to password theft, data exposure, and a foothold into wider networks.
AI Drives Doubling of Phishing Attacks in a Year
Cofense reports that security filters intercepted one phishing email every 19 seconds in 2025, more than double the rate in 2024. It warns that criminals are using AI to create faster, more convincing scams, including messages written in near flawless local languages. Nearly one in five phishing emails now relies on conversation alone, a tactic often linked to business email compromise, where attackers impersonate trusted contacts to trick staff into making payments or sharing sensitive information. Cofense also saw a 105% rise in remote access tools abuse and a 204% increase in phishing emails delivering malware.
https://www.infosecurity-magazine.com/news/ai-double-volume-phishing-attacks/
Nitrogen Ransomware Is So Broken Even the Crooks Can’t Unlock Your Files
Researchers at Coveware have found that the Nitrogen ransomware group has a serious flaw in its file unlocking tool, meaning victims may be unable to recover data even if they pay. The issue affects attacks against VMware ESXi, a common virtualisation platform used to run servers, where the malware encrypts files using a corrupted key that cannot be matched to any working unlock code. Active since 2023 and extorting organisations since around September 2024, Nitrogen is not the most prolific group, but this bug turns its attacks into purely destructive cyber crime.
https://www.theregister.com/2026/02/04/nitrogen_ransomware_broken_decryptor/
The Human Layer of Security: Why People Are Still the Weakest Link in 2026
Despite major investment in tools and automation, people remain the primary cause of cyber security incidents. Gartner expects human error and social engineering, where criminals trick staff into unsafe actions, to drive 85% of data breaches by 2026, and Verizon links roughly two thirds of incidents to mistakes or misuse of login details. Threat actors are increasingly using AI to scale deception, with CrowdStrike’s 2025 report showing 79% of intrusions were malware-free and voice phishing rising 442%. Leaders should prioritise stronger day-to-day security habits, not just annual training, so staff become a resilient first line of defence.
What Is Cyber Risk Management and Why It Is Important for Businesses?
Cyber risk management is how organisations identify, understand and reduce the risks that come with using digital systems, networks and data. It is a continuous process, not a one-off exercise, because threats evolve as technology and working practices change. Effective cyber risk management considers people, processes and technology together, covering areas such as staff awareness, access controls, software updates, backups and monitoring. With around 39% of UK businesses reporting a cyber security breach or cyber attack in the last year, this approach helps reduce financial loss, disruption and reputational harm, while supporting compliance and stakeholder trust.
The Growing Cyber Risk in Interconnected Supply Chains
Supply chains are now a major driver of cyber risk across the UK, as disruption can spread quickly beyond a single organisation. Jaguar Land Rover, M&S, Heathrow and the Co-op were among hundreds impacted last year, with reported losses in the hundreds of millions, affecting thousands of suppliers, partners and customers. Human error contributes to over 60% of breaches, while attackers increasingly use convincing impersonation techniques to trick staff. Leaders can reduce exposure by setting clear security expectations for third parties, investing in staff training, and strengthening business continuity so essential services can keep running during disruption.
https://www.techuk.org/resource/the-growing-cyber-risk-in-interconnected-supply-chains.html
Over 75 Percent of Cyber Security Professionals Worry About AI Agent Risks
A survey of more than 1,500 cyber security professionals found that 73% say AI-powered threats are already significantly affecting their organisation, yet nearly half feel unprepared, even as 92% report major upgrades to defences. While 96% say AI improves the speed and efficiency of their work, concerns remain around data exposure (61%), regulatory breaches (56%) and misuse of AI tools (51%). Only 37% have a formal policy for deploying AI securely, highlighting that oversight of AI agents, including who and what they can access, is now a board-level issue.
Experts Show How Major UK Food Crisis Might Occur
A new study involving 39 experts from institutions including Anglia Ruskin University and the University of York warns that shocks such as extreme weather, a cyber attack or war could quickly disrupt the UK’s just-in-time food supply networks, driving price spikes and shortages. The report argues these pressures would hit low-income households hardest, increasing food insecurity and raising the risk of fraud, black market sales and illness, with worst case outcomes including social unrest. It recommends improving energy security, diversifying supply chains and supporting more resilient diets, alongside better cross-government planning.
https://www.aru.ac.uk/news/experts-show-how-major-uk-food-crisis-might-occur
Governance, Risk and Compliance
The Human Layer of Security: Why People are Still the Weakest Link in 2026 - Security Boulevard
Global tech spending is skyrocketing, and European firms are doubling down on investment | IT Pro
Novel Cyber Expectations for 2026 Reveal a Grab Bag of Risk
Why boards should be obsessed with their most 'boring' systems | CyberScoop
What is cyber risk management and why it is important for businesses? | The Global Recruiter
Threats
Ransomware, Extortion and Destructive Attacks
Mandiant Finds ShinyHunters-Style Vishing Attacks Stealing MFA to Breach SaaS Platforms
Ransomware gangs focus on winning hearts and minds | Computer Weekly
Hackers exploit unsecured MongoDB instances to wipe data and demand ransom
Experts show how major UK food crisis might occur - ARU
CVE-2025-22225 in VMware ESXi now used in active ransomware attacks
Nitrogen can't unlock its own ransomware after coding error • The Register
DragonForce Ransomware Attacking Critical Business to Exfiltrate Sensitive Information
Ransomware gang uses ISPsystem VMs for stealthy payload delivery
CISA quietly updated ransomware flags on 59 flaws last year • The Register
Critical SmarterMail Vulnerability Exploited in Ransomware Attacks - SecurityWeek
The Case for a Ransom Payment Ban and When It Might Happen
Researchers Warn of New “Vect” RaaS Variant - Infosecurity Magazine
Ransomware Victims
M&S attackers hit German insurance giant – HanseMerkur | Cybernews
Ransomware leaves Belgian hospitals unable to pay staff | Cybernews
Panera Bread breach affected 5.1 Million accounts, HIBP Confirms
Quarterly losses top £300m at JLR in wake of cyber attack | Insider Media
One of Europe's largest universities knocked offline for days after cyberattack | TechCrunch
Italian university La Sapienza goes offline after cyberattack
Romanian oil pipeline operator Conpet discloses cyberattack
Qilin claims Tulsa airport cyberattack | Cybernews
Spain's Ministry of Science shuts down systems after breach claims
Phishing & Email Based Attacks
AI Drives Doubling of Phishing Attacks in a Year - Infosecurity Magazine
Beware of New Compliance Emails Weaponizing Word/PDF Files to Steal Sensitive Data
Cybercriminals' Key Attack Vector is 'Trust', VIPRE's Q4 2025 Email Threat Report Reveals
Open the wrong “PDF” and attackers gain remote access to your PC | Malwarebytes
Private school parents targeted by fraudsters stealing fee payments | Scams | The Guardian
Cloud storage payment scam floods inboxes with fake renewals
Attackers Harvest Dropbox Logins Via Fake PDF Lures
Don't get caught out by Apple Pay phishing scams | Stuff
Beware of Weaponized Voicemail Messages Granting Hackers Remote Access to Your System
Zendesk spam wave returns, floods users with 'Activate account' emails
Other Social Engineering
Cybercriminals' Key Attack Vector is 'Trust', VIPRE's Q4 2025 Email Threat Report Reveals
Attackers Harvest Dropbox Logins Via Fake PDF Lures
Beware of Weaponized Voicemail Messages Granting Hackers Remote Access to Your System
Mandiant Finds ShinyHunters-Style Vishing Attacks Stealing MFA to Breach SaaS Platforms
2FA/MFA
Mandiant Finds ShinyHunters-Style Vishing Attacks Stealing MFA to Breach SaaS Platforms
Artificial Intelligence
AI Drives Doubling of Phishing Attacks in a Year - Infosecurity Magazine
OpenClaw AI Runs Wild in Business Environments
Alarm Grows as Social Network Entirely for AI Starts Plotting Against Humans
OpenClaw Bug Enables One-Click Remote Code Execution via Malicious Link
MoltBot Skills exploited to distribute 400+ malware packages in days
Moltbook, the AI social network, exposed human credentials due to vibe-coded security flaw
Researchers Hacked Moltbook and Accessed Thousands of Emails and DMs - Business Insider
Researchers Find 341 Malicious ClawHub Skills Stealing Data from OpenClaw Users
It Turns Out 'Social Media for AI Agents' Is a Security Nightmare
DIY AI bot farm OpenClaw is a security 'dumpster fire' • The Register
Hundreds of Malicious Crypto Trading Add-Ons Found in Moltbot/OpenClaw - Infosecurity Magazine
Over 75 percent of cybersecurity professionals worry about AI agent risks - BetaNews
95% of AI Projects Are Unproductive and Not Breach Ready - Security Boulevard
2026: The Year Agentic AI Becomes the Attack-Surface Poster Child
82 percent of hackers now use AI - BetaNews
Cybersecurity in 2026: How AI will reshape the Digital Battlefield
AWS intruder pulled off AI-assisted cloud break-in in 8 mins • The Register
Autonomous attacks ushered cybercrime into AI era in 2025 - TechCentral.ie
AI-Enabled Voice and Virtual Meeting Fraud Surges 1000%+ - Infosecurity Magazine
Deepfake job seeker applied to work for an AI security firm • The Register
Paris Prosecutors Raid Elon Musk’s X Offices in France - Infosecurity Magazine
ICO Launches Investigation into X Over AI Non Consensual Sexual Images - Infosecurity Magazine
Bots/Botnets
Wave of Citrix NetScaler scans use thousands of residential proxies
Global SystemBC Botnet Found Active Across 10,000 Infected Systems - Infosecurity Magazine
Polish cops bail 20-year-old bedroom botnet operator • The Register
Careers, Roles, Skills, Working in Cyber and Information Security
Cyber Success Trifecta: Education, Certifications & Experience
How risk culture turns cyber teams predictive | CSO Online
Cloud/SaaS
AWS intruder pulled off AI-assisted cloud break-in in 8 mins • The Register
Mandiant Finds ShinyHunters-Style Vishing Attacks Stealing MFA to Breach SaaS Platforms
Attackers Harvest Dropbox Logins Via Fake PDF Lures
Mandiant details how ShinyHunters abuse SSO to steal cloud data
Cloud storage payment scam floods inboxes with fake renewals
Cloud sovereignty is no longer just a public sector concern • The Register
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Hundreds of Malicious Crypto Trading Add-Ons Found in Moltbot/OpenClaw - Infosecurity Magazine
Step Finance says compromised execs' devices led to $40M crypto theft
Open VSX Supply Chain Attack Used Compromised Dev Account to Spread GlassWorm
Coinbase confirms insider breach linked to leaked support tool screenshots
Cyber Crime, Organised Crime & Criminal Actors
Holiday Hits: Hackers Love to Strike When Defenders Are Away
Cybercriminals set sites on identities | CSO Online
China carries out further executions of Myanmar scam centre suspects | Crime News | Al Jazeera
Data Breaches/Leaks
Exposed MongoDB instances still targeted in data extortion attacks
Step Finance says compromised execs' devices led to $40M crypto theft
Moltbook, the AI social network, exposed human credentials due to vibe-coded security flaw
Researchers Hacked Moltbook and Accessed Thousands of Emails and DMs - Business Insider
Researchers Find 341 Malicious ClawHub Skills Stealing Data from OpenClaw Users
Coinbase confirms insider breach linked to leaked support tool screenshots
Police Service of Northern Ireland officer names published on courts website - BBC News
Betterment breach scope pegged at 1.4M users • The Register
Hacker claims theft of data from 700,000 Substack users; Company confirms breach
Researcher reveals evidence of private Instagram profiles leaking photos
PSNI to compensate officers £7,500 for 2023 data breach • The Register
Panera Bread breach affected 5.1 Million accounts, HIBP Confirms
The Government Published Dozens of Nude Photos in the Epstein Files - The New York Times
Redditors breached Epstein’s email account using #1Island | Cybernews
Iron Mountain: Data breach mostly limited to marketing materials
Data Protection
Why Data Protection Matters | Cohen Seglias Pallas Greenhall & Furman PC - JDSupra
Data/Digital Sovereignty
Cloud sovereignty is no longer just a public sector concern • The Register
Denial of Service/DoS/DDoS
Polish cops bail 20-year-old bedroom botnet operator • The Register
Pro-Russian group Noname057(16) launched DDoS attacks on Milano Cortina 2026 Winter Olympics
Police shut down global DDoS operation, arrest 20-year-old - Help Net Security
Fraud, Scams and Financial Crime
Cloud storage payment scam floods inboxes with fake renewals
AI-Enabled Voice and Virtual Meeting Fraud Surges 1000%+ - Infosecurity Magazine
Private school parents targeted by fraudsters stealing fee payments | Scams | The Guardian
National Crime Agency and NatWest Issue Warning Over Invoice Fraud - Infosecurity Magazine
China carries out further executions of Myanmar scam centre suspects | Crime News | Al Jazeera
Google's disruption rips millions out of devices out of malicious network | CyberScoop
Identity and Access Management
Cybercriminals set sites on identities | CSO Online
Rising Risk of Compromised Credentials in AD - Security Boulevard
Insider Risk and Insider Threats
Ransomware gangs focus on winning hearts and minds | Computer Weekly
Step Finance says compromised execs' devices led to $40M crypto theft
The Human Layer of Security: Why People are Still the Weakest Link in 2026 - Security Boulevard
The best cyber defence is employee awareness, not technology
Human risk management: CISOs’ solution to the security awareness training paradox | CSO Online
Coinbase confirms insider breach linked to leaked support tool screenshots
Deepfake job seeker applied to work for an AI security firm • The Register
Law Enforcement Action and Take Downs
Paris raid on X focuses on child abuse material allegations
Empire Market co-founder faces 10 years to life after guilty plea
Polish cops bail 20-year-old bedroom botnet operator • The Register
Smartphones Now Involved in Nearly Every Police Investigation - Infosecurity Magazine
Google's disruption rips millions out of devices out of malicious network | CyberScoop
Police shut down global DDoS operation, arrest 20-year-old - Help Net Security
Paris Prosecutors Raid Elon Musk’s X Offices in France - Infosecurity Magazine
ICO Launches Investigation into X Over AI Non Consensual Sexual Images - Infosecurity Magazine
Alleged 764 member arrested, charged with CSAM possession in New York | CyberScoop
International sting dismantles illegal streaming empire serving millions - Help Net Security
Four held in £3m illegal TV streaming raids - BBC News
Linux and Open Source
Open-source attacks move through normal development workflows - Help Net Security
Claude Opus 4.6 Finds 500+ High-Severity Flaws Across Major Open-Source Libraries
Malware
Beware of New Compliance Emails Weaponizing Word/PDF Files to Steal Sensitive Data
Open the wrong “PDF” and attackers gain remote access to your PC | Malwarebytes
Attackers Use Windows Screensavers to Drop Malware, RMM Tools
OpenClaw Bug Enables One-Click Remote Code Execution via Malicious Link
MoltBot Skills exploited to distribute 400+ malware packages in days
Global SystemBC Botnet Found Active Across 10,000 Infected Systems - Infosecurity Magazine
Notepad++ Supply Chain Hack Conducted by China via Hosting Provider - SecurityWeek
New GlassWorm attack targets macOS via compromised OpenVSX extensions
This stealthy Windows RAT holds live conversations with its operators | CSO Online
eScan Antivirus Delivers Malware in Supply Chain Attack - SecurityWeek
GlassWorm Returns to Shatter Developer Ecosystems
China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware
Mobile
9 Million Android Devices Hijacked in Secret Proxy Network - Tech Advisor
IPE - Are printers and mobile devices your Achilles heel?
Smartphones Now Involved in Nearly Every Police Investigation - Infosecurity Magazine
Google's disruption rips millions out of devices out of malicious network | CyberScoop
Apple's new privacy feature limits how precisely carriers track your location - Help Net Security
Models, Frameworks and Standards
NIST’s AI guidance pushes cybersecurity boundaries | CSO Online
Passwords, Credential Stuffing & Brute Force Attacks
From credentials to cloud admin in 8 minutes: AI supercharges AWS attack chain | CSO Online
Rising Risk of Compromised Credentials in AD - Security Boulevard
McDonald's tells customers to use better passwords • The Register
Regulations, Fines and Legislation
UK government must get its hands dirty on security, report says | Computer Weekly
The Case for a Ransom Payment Ban and When It Might Happen
The Government Published Dozens of Nude Photos in the Epstein Files - The New York Times
Five updates on the Trump admin’s cybersecurity agenda | Federal News Network
CISA tells agencies to stop using unsupported edge devices | CyberScoop
Social Media
Researcher reveals evidence of private Instagram profiles leaking photos
Paris raid on X focuses on child abuse material allegations
ICO Launches Investigation into X Over AI Non Consensual Sexual Images - Infosecurity Magazine
Supply Chain and Third Parties
Notepad++ Supply Chain Hack Conducted by China via Hosting Provider - SecurityWeek
The Growing Cyber Risk in Interconnected Supply Chains
Open VSX Supply Chain Attack Used Compromised Dev Account to Spread GlassWorm
eScan Antivirus Delivers Malware in Supply Chain Attack - SecurityWeek
Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity
Cyber Warfare and Cyber Espionage
Cyberspy Group Hacked Governments and Critical Infrastructure in 37 Countries - SecurityWeek
UK government must get its hands dirty on security, report says | Computer Weekly
Cyber Terrorism: A New Threat To World Security – OpEd – Eurasia Review
Cyber Insights 2026: Cyberwar and Rising Nation State Threats - SecurityWeek
Cybersecurity planning keeps moving toward whole-of-society models - Help Net Security
UK warns of rising Russian, Chinese activity in High North
Nation State Actors
How does cyberthreat attribution help in practice?
Cybersecurity planning keeps moving toward whole-of-society models - Help Net Security
China
Cyberspy Group Hacked Governments and Critical Infrastructure in 37 Countries - SecurityWeek
Notepad++ Supply Chain Hack Conducted by China via Hosting Provider - SecurityWeek
FUD on the line as telcos contemplate the cost of quitting Chinese kit | Euractiv
UK warns of rising Russian, Chinese activity in High North
China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware
China carries out further executions of Myanmar scam centre suspects | Crime News | Al Jazeera
Chinese organized crime networks moved $16 billion in crypto in 2025, according to report
Russia
Fancy Bear Exploits Microsoft Office Flaw in Ukraine, EU Cyber-Attacks - Infosecurity Magazine
Russian Hackers Weaponize Microsoft Office Bug in Just 3 Days
Russian ship anchors over trans-Atlantic cables in Bristol Channel
Pro-Russian group Noname057(16) launched DDoS attacks on Milano Cortina 2026 Winter Olympics
ICS Devices Bricked Following Russia-Linked Intrusion Into Polish Power Grid - SecurityWeek
Poland traces December cyberattacks on 30 energy sites to Russian spy agency - Euromaidan Press
UK warns of rising Russian, Chinese activity in High North
North Korea
Labyrinth Chollima Evolves into Three North Korean Hacking Groups - Infosecurity Magazine
Iran
Infy Hackers Resume Operations with New C2 Servers After Iran Internet Blackout Ends
Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence
Cybersecurity planning keeps moving toward whole-of-society models - Help Net Security
Tools and Controls
IPE - Are printers and mobile devices your Achilles heel?
Attackers Use Windows Screensavers to Drop Malware, RMM Tools
Open-source attacks move through normal development workflows - Help Net Security
The Human Layer of Security: Why People are Still the Weakest Link in 2026 - Security Boulevard
Global tech spending is skyrocketing, and European firms are doubling down on investment | IT Pro
Open-source AI pentesting tools are getting uncomfortably good - Help Net Security
We moved fast and broke things. It’s time for a change. | CyberScoop
eScan Antivirus Delivers Malware in Supply Chain Attack - SecurityWeek
Rising Risk of Compromised Credentials in AD - Security Boulevard
Onboarding new AI hires calls for context engineering - here's your 3-step action plan | ZDNET
Smartphones Now Involved in Nearly Every Police Investigation - Infosecurity Magazine
Holiday Hits: Hackers Love to Strike When Defenders Are Away
AIs Are Getting Better at Finding and Exploiting Security Vulnerabilities - Schneier on Security
AI May Supplant Pen Testers, But Trust Is Not There Yet
What Are Risk Sciences? A New Framework for Understanding Risk and Uncertainty | Newswise
Why boards should be obsessed with their most 'boring' systems | CyberScoop
Reports Published in the Last Week
Cybercriminals' Key Attack Vector is 'Trust', VIPRE's Q4 2025 Email Threat Report Reveals
Other News
Experts show how major UK food crisis might occur - ARU
UK government must get its hands dirty on security, report says | Computer Weekly
Dark Patterns Undermine Security, One Click at a Time
DOJ releases details alleged talented hacker working for Jeffrey Epstein
Advice firms' lack of focus on cybersecurity 'worrying'
Energy infrastructure cyberattacks are suddenly in fashion • The Register
Vulnerability Management
We moved fast and broke things. It’s time for a change. | CyberScoop
EU’s answer to CVE solves dependency issue, adds fragmentation risks | CSO Online
AIs Are Getting Better at Finding and Exploiting Security Vulnerabilities - Schneier on Security
Claude Opus 4.6 Finds 500+ High-Severity Flaws Across Major Open-Source Libraries
Vulnerabilities
Russian Hackers Weaponize Microsoft Office Bug in Just 3 Days
CVE-2025-22225 in VMware ESXi now used in active ransomware attacks
Microsoft 365 Outlook Add-ins Weaponized to Exfiltrate Sensitive Email Data Without Leaving Traces
Microsoft fixes Outlook bug blocking access to encrypted emails
Cisco, F5 Patch High-Severity Vulnerabilities - SecurityWeek
Threat actors hijack web traffic after exploiting React2Shell vulnerability | CSO Online
Critical SmarterMail Vulnerability Exploited in Ransomware Attacks - SecurityWeek
Ivanti’s EPMM is under active attack, thanks to two critical zero-days | CyberScoop
CISA flags critical SolarWinds RCE flaw as exploited in attacks
SQL Injection Flaw Affects 40,000 WordPress Sites - Infosecurity Magazine
Malicious Commands in GitHub Codespaces Enable RCE - Infosecurity Magazine
Microsoft to disable NTLM by default in future Windows releases
Critical React Native Vulnerability Exploited in the Wild - SecurityWeek
Critical n8n Flaw CVE-2026-25049 Enables System Command Execution via Malicious Workflows
Vulnerabilities Allowed Full Compromise of Google Looker Instances - SecurityWeek
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime & Shipping
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
Contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
Links to external articles are provided for general interest and awareness only. Linking to or reposting external content does not constitute endorsement of or by any organisation, service, or product. We do not control and are not responsible for the content, security, or availability of external websites or links. Full credit is given to the original authors and sources. E&OE.