FISA

A cybersecurity-focused webinar titled “Mythos Reality Check: Beating Automated Exploitation at AI Speed” highlighted a fundamental shift in the threat landscape driven by artificial intelligence. The session emphasized that modern attackers are increasingly leveraging AI to automate vulnerability discovery and exploitation at unprecedented speed, fundamentally changing how organizations must approach security. The concept introduced as the “collapsing exploit window” describes the rapidly shrinking time between the discovery of a vulnerability and its active exploitation in the wild. The webinar underscores that traditional security practices, particularly those relying on manual vulnerability management and delayed patching cycles, are no longer sufficient. In the past, organizations had a measurable window of time to identify, prioritize, and remediate vulnerabilities before attackers could weaponize them. However, with AI-driven tools capable of scanning, identifying, and exploit...

Google-owned Mandiant has published new research exposing a previously undocumented threat group called UNC6692 , which is carrying out sophisticated social engineering attacks through Microsoft Teams to deploy a custom-built malware suite against corporate targets. The Attack Begins With an Email Flood The operation starts by overwhelming the victim's inbox with a massive wave of spam emails, creating a sense of panic and urgency. Shortly after, the attacker reaches out to the same victim over Microsoft Teams, impersonating an IT helpdesk employee from outside the organization and offering to resolve the email issue. The victim is then manipulated into clicking a phishing link shared via the Teams chat disguised as a "Mailbox Repair and Sync Utility v2.1.5", which triggers the download of a malicious AutoHotkey script from an attacker-controlled Amazon S3 bucket. This tactic of combining inbox flooding with Teams-based helpdesk impersonation has been a hallmark of for...

Security researchers have uncovered a serious supply chain attack affecting Bitwarden CLI , the command-line version of the popular open-source password manager. The compromised package was published to npm as part of a broader ongoing campaign linked to the threat actor group TeamPCP , previously connected to the Checkmarx supply chain attacks. What Happened? According to application security firm Socket, the affected package version was @bitwarden/cli@2026.4.0 , where malicious code was injected into a file called bw1.js included in the published package. The attackers managed to push this rogue version by exploiting a compromised GitHub Actions workflow within Bitwarden's own CI/CD pipeline, the same attack vector identified in earlier Checkmarx campaign incidents. Security firm JFrog confirmed that the malicious version was designed to steal a wide range of sensitive data, including GitHub and npm authentication tokens, SSH keys, environment files, shell history, GitHub Act...

A significant security incident emerged involving unauthorized access to Anthropic’s highly restricted AI model, Claude Mythos. The model, designed as an advanced cybersecurity tool capable of identifying software vulnerabilities, was intended to be accessible only to a limited number of trusted organizations under a controlled testing initiative. However, reports revealed that a small group of individuals operating through a private Discord community managed to gain access to the system, raising serious concerns about the security and governance of high-risk artificial intelligence technologies. The unauthorized access reportedly occurred on the same day the model was introduced to selected partners. Instead of exploiting a traditional vulnerability in Anthropic’s core infrastructure, the group leveraged weaknesses in a third-party vendor environment connected to the system. By analyzing Anthropic’s existing URL structures and conventions, the attackers were able to guess or discover...

Cybersecurity researchers at Kaspersky have uncovered a previously unknown data wiper malware, dubbed Lotus Wiper , that was used in a targeted destructive campaign against Venezuela's energy and utilities sector in late 2025 and early 2026. What Is a Wiper? Unlike ransomware, which locks data and demands payment, a wiper malware has one purpose: to permanently destroy data and render systems completely inoperable. Notably, Lotus Wiper contains no ransom demands or payment instructions, meaning the attack was not financially motivated, it was purely destructive. How the Attack Unfolded The attack chain begins with two batch scripts that work together to prepare the environment and deploy the wiper payload. The first script attempts to stop a Windows service related to background process alerts, checks for a NETLOGON network share, and retrieves a remote XML file — a step that researchers believe is used to confirm the machine is part of an Active Directory domain before proceed...

Cybersecurity researchers revealed a large-scale compromise linked to the SystemBC malware infrastructure, uncovering a command-and-control server associated with more than 1,570 infected victims worldwide. The activity is tied to a rapidly growing ransomware-as-a-service operation known as “The Gentlemen,” which has emerged as a significant threat actor since mid-2025. The discovery provides rare visibility into the internal scale and operational reach of a modern ransomware ecosystem. SystemBC is a proxy-based malware that plays a critical role in advanced intrusion campaigns by establishing covert communication channels between compromised systems and attacker-controlled infrastructure. It operates by creating SOCKS5 tunnels, allowing attackers to route traffic through infected machines while maintaining anonymity and persistence. The malware communicates with its command-and-control servers using encrypted protocols and is capable of downloading and executing additional payloads d...

  Ukraine’s Computer Emergency Response Team (CERT-UA) disclosed a sophisticated cyber campaign attributed to a threat cluster tracked as UAC-0247. The operation specifically targeted government entities and municipal healthcare institutions, including clinics and emergency hospitals, with the primary objective of stealing sensitive data and establishing persistent access within compromised systems. The campaign was observed between March and April 2026, and its origin remains unknown, raising concerns about ongoing espionage activity. The attack begins with a carefully crafted phishing email, often disguised as a humanitarian aid proposal to exploit trust during wartime conditions. Victims are lured into clicking a link that redirects either to a compromised legitimate website exploiting cross-site scripting vulnerabilities or to a convincingly generated fake website. This initial step is designed to appear credible while initiating the infection chain in a stealthy manner. Once...

In April 2026, a cybersecurity-focused webinar highlighted one of the fastest-growing and often overlooked risks in modern enterprise environments: orphaned non-human identities. The session focused on how organizations can identify, prioritize, and eliminate gaps in identity security, particularly those involving machine-driven accounts such as service accounts, API keys, tokens, and AI agents. The findings presented are based on recent research indicating that even mature identity programs continue to struggle with visibility and control over these identities. Non-human identities represent digital credentials assigned to systems, applications, and automated processes rather than human users. These identities are essential for modern infrastructure, enabling automation across cloud platforms, DevOps pipelines, and AI-driven environments. However, their rapid growth has introduced significant security challenges, as they often outnumber human identities and operate with elevated priv...

 In April 2026, a significant cybersecurity exposure was identified involving more than 25,000 endpoints affected by software distributed by Dragon Boss Solutions. What initially appeared to be a relatively low-risk adware issue quickly escalated into a critical supply chain security concern after researchers discovered a fundamental weakness in the application’s update mechanism. The flaw stemmed from an insecure update infrastructure tied to an unregistered domain, which could have been acquired by any attacker for a minimal cost and used to distribute malicious updates at scale. The affected software, characterized as aggressive adware, was commonly installed through deceptive advertisements or bundled installations, often without the user’s full awareness. Once present on a system, it functioned as a browser hijacker, redirecting user traffic and generating monetization through search manipulation. However, the real risk extended far beyond nuisance-level behavior. The insecur...

 In April 2026, OpenAI announced the release of GPT-5.4-Cyber, a specialized variant of its flagship GPT-5.4 model designed specifically for defensive cybersecurity operations. The launch comes at a time of increasing competition in the AI security space, particularly following the introduction of similar models by other major AI vendors. This development represents a significant shift in how artificial intelligence is being positioned as an active participant in cybersecurity defense rather than just a general-purpose tool. GPT-5.4-Cyber is engineered to assist security professionals in identifying vulnerabilities, analyzing malicious code, and strengthening overall software security. Unlike traditional AI models that enforce strict limitations on sensitive tasks, this version is intentionally designed with reduced restrictions for verified users, enabling deeper and more practical engagement with cybersecurity workflows. This includes capabilities such as binary analysis, vulner...

 In April 2026, a critical zero-day vulnerability affecting Adobe Acrobat Reader was identified as actively exploited in real-world attacks. The vulnerability, which had remained undiscovered and unpatched, allowed threat actors to compromise systems through specially crafted PDF documents. This campaign had been ongoing since at least December 2025, indicating a prolonged period of undetected exploitation and highlighting the sophistication of the attack. The attack is particularly dangerous because it requires minimal user interaction. In most observed cases, the exploit is triggered simply by opening a malicious PDF file, without the need for enabling macros or performing additional actions. This significantly lowers the barrier for successful exploitation and increases the effectiveness of phishing and social engineering campaigns, as PDF documents are widely trusted and commonly used across organizations. From a technical standpoint, the exploit leverages a previously unknow...

In April 2026, a critical cybersecurity incident was identified involving the Smart Slider 3 Pro plugin, a widely used component in WordPress and Joomla environments. The incident was the result of a software supply chain compromise, where attackers gained unauthorized access to the vendor’s update infrastructure and distributed a malicious version of the plugin through the official update channel. The compromised version, identified as 3.5.1.35, was made available to users for a limited period of approximately six hours before being detected and removed. This attack is particularly significant because it did not rely on exploiting a vulnerability within the plugin itself, but instead leveraged the inherent trust placed in legitimate software updates. As a result, any system that performed an update during the affected timeframe may have unknowingly installed a backdoored version of the plugin. This significantly increases the risk level, as traditional security controls often conside...

  Google   released  security updates for its Chrome web browser to address 21 vulnerabilities, including a zero-day flaw that it said has been exploited in the wild. The high-severity vulnerability,   CVE-2026-5281   (CVSS score: N/A), concerns a use-after-free bug in   Dawn , an open-source and cross-platform implementation of the WebGPU standard. Use-after-free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page," according to a description of the flaw in the NIST's National Vulnerability Database (NVD). As is customary for these alerts, Google did not provide any further details on how the shortcoming is being exploited and who may be behind the effort. This is typically done so as to ensure that a majority of users are updated with a fix and prevent other actors from joining the exploitation bandwagon. Google is aware that an exploit f...

What Is Masjesu? Cybersecurity researchers at Trellix have pulled back the curtain on a sophisticated and deliberately low-profile botnet known as Masjesu, a DDoS-for-hire operation that has been quietly recruiting customers and compromising devices globally since it first appeared in 2023. Marketed openly on Telegram, Masjesu offers paying clients the ability to launch volumetric Distributed Denial-of-Service (DDoS) attacks against virtually any target. What makes it particularly dangerous is not its raw power, but its design philosophy: stealth, persistence, and strategic evasion over aggressive widespread infection. How It Works Once Masjesu's malware lands on a compromised IoT device, typically a router or gateway, it follows a precise sequence of actions: It attempts to bind a socket to a hard-coded TCP port (55988), which allows the attacker to connect to the device directly. If this fails, the execution chain terminates immediately, a deliberate fail-safe to avoid dete...

  Artificial Intelligence (AI) company Anthropic announced a new cybersecurity initiative called  Project Glasswing  that will use a preview version of its new frontier model,  Claude Mythos , to find and address security vulnerabilities. The model will be   used   by a small set of organizations, including Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks, along with Anthropic, to secure critical software. The company said it's forming this initiative in response to capabilities observed in its general-purpose frontier model that demonstrate a "level of coding capability where they can surpass all but the most skilled humans at finding and exploiting software vulnerabilities.Because of its cybersecurity capabilities and concerns that they could be abused, Anthropic has opted not to m...