The flaw affects Windows servers configured as domain controllers and allows unauthenticated remote attackers to execute arbitrary code with SYSTEM-level privileges by sending specially crafted Netlogon network requests.

Disclosed and patched as part of Microsoft’s May 2026 Patch Tuesday release, CVE-2026-41089 is rated critical due to its combination of remote exploitability, lack of required user interaction, and the potential for complete domain takeover.

The Center for Cybersecurity Belgium (CCB) has issued a dedicated warning highlighting this vulnerability among the 118 flaws addressed in the May 2026 patch bundle, 16 of which are classified as critical.

Windows Netlogon 0-Click RCE Exploited

To exploit CVE-2026-41089, an attacker only needs network access to a vulnerable domain controller’s Netlogon service. By sending a specially crafted Netlogon network request, the adversary can trigger improper handling within the service, leading to arbitrary code execution under SYSTEM privileges.

No prior authentication, local access, or user interaction is required, making this an ideal candidate for automated exploitation, lateral movement, and rapid domain compromise once an attacker gains a foothold in the network.

Microsoft has released security updates for all supported versions of Windows Server from 2012 onward, covering domain controllers across a wide range of enterprise deployments.

Given the central role of Active Directory in identity, access control, and authentication, compromise of a domain controller via Netlogon can enable attackers to deploy malware, create or modify accounts, disable security controls, and pivot across critical systems.

Urgent Patch, Monitoring, and Detection Guidance

The CCB strongly recommends that organizations prioritize the deployment of patches for CVE-2026-41089 after appropriate testing, treating this as a top-tier emergency remediation item.

Domain controllers, especially those exposed to untrusted or segmented networks, should be patched first to reduce the window of exposure.

In addition to patching, organizations are urged to upscale monitoring and detection efforts for suspicious Netlogon-related activity. This includes scrutinizing anomalous authentication behavior, unusual domain controller traffic, and potential signs of privilege escalation or new administrative account creation following Netlogon events. Early detection is critical to contain intrusions leveraging this vulnerability, especially given its active exploitation status.

Security teams should also revisit network segmentation and access controls around domain controllers, ensuring that only necessary systems and services can communicate with Netlogon over the relevant ports.

Combined with rapid patch deployment and enhanced monitoring, these steps are essential to mitigate the immediate threat posed by CVE-2026-41089 in ongoing exploitation campaigns.

Free Webinar on OWASP API Top 10 and Guide to Close Visibility Gaps With WAAP

The post Windows Netlogon 0-Click RCE Vulnerability Now Actively Exploited In The Wild appeared first on Cyber Security News.

The update brings OS builds to 26200.8524 and 26100.8524, respectively, resolving a widely reported error that prevented many systems from completing the monthly security update.

The May 2026 Patch Tuesday security update (KB5089549) triggered installation failures on a subset of Windows 11 devices, with error code 0x800f0922 halting the process.

The failure specifically targeted devices with limited free space on the EFI System Partition (ESP), particularly those with 10 MB or less available. Affected systems would progress through the initial installation phases but crash during the reboot phase at approximately 35–36% completion, leaving devices in an inconsistent state.

Microsoft had previously issued a Known Issue Rollback (KIR) as a temporary workaround, automatically propagating relief to consumer and non-managed business devices.

An alternative registry-based workaround — modifying the EspPaddingPercent value under HKLM\SYSTEM\CurrentControlSet\Control\Bfsvc — was also available for enterprise admins. However, KB5089573, released on May 26, 2026, permanently resolves the issue and eliminates the need for either workaround.

KB5089573 – Cumulative Update

Beyond the critical ESP fix, KB5089573 is a production-quality cumulative update delivered via two phases: a gradual rollout for staged device delivery and a normal rollout for broad general availability. The update incorporates several notable components:

• AI Component Refresh: Image Search, Content Extraction, Semantic Analysis, and Settings Model are all updated to version 1.2605.856.0, reflecting Microsoft’s continued push to deepen on-device AI capabilities in Windows 11.
• Personalization Improvements: Added on May 28, 2026, as part of the gradual rollout phase.
• Servicing Stack Update (KB5092734): Build 26100.8519 improves the reliability and robustness of the Windows update installation infrastructure itself, ensuring devices can cleanly receive future patches.

The update is available through multiple channels with no prerequisites beyond having a compatible Windows 11 25H2 or 24H2 device:

1. Navigate to Start → Settings → Windows Update → Advanced options → Optional updates
2. Select the available update and click Download and Install
3. Alternatively, download the standalone package directly from the Microsoft Update Catalog using the KB number
4. Enterprise environments can be deployed via Windows Update for Business or WSUS

Microsoft has confirmed there are no known issues with KB5089573 at the time of release.

Should removal be necessary, Microsoft advises using the DISM /online /get-packages command to identify the package name, followed by the DISM/Remove-Package option with the LCU package name as the argument.

Notably, running the Windows Update Standalone Installer (wusa.exe) with the /uninstall switch will not work because the combined package includes the Servicing Stack Update (SSU), which cannot be removed post-installation. Microsoft strongly recommends against removing security updates given the inherent risk exposure.

Given the critical nature of the ESP space issue impacting a broad segment of enterprise and consumer devices, IT administrators and end users alike are advised to prioritize KB5089573 during their next maintenance window.

The post Microsoft Releases KB5089573 for Windows 11 to Fix Patch Tuesday Install Issues appeared first on Cyber Security News.

On May 27, 2026, GitLab shipped versions 19.0.1, 18.11.4, and 18.10.7 as security patch releases for self‑managed instances.

These builds fix several vulnerabilities across Duo AI workflow runners, the Wiki component, GraphQL WorkItem APIs, operations, pipelines, and authentication endpoints, and GitLab is urging all administrators to upgrade without delay.

GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take any action.

GitLab Fixes Duo AI, DoS Flaws

The most severe issue is a high‑impact access control flaw in Duo AI workflow runners, tracked as CVE‑2026‑4868, which affects GitLab EE from 18.8 up to but not including 18.10.7, 18.11.4, and 19.0.1.

Under specific conditions, an authenticated user could trigger certain Duo AI workflows to execute under another user’s identity due to improper user identity resolution in the workflow runner logic, with a CVSS 3.1 score of 8.2.

This could enable lateral movement or privilege abuse within AI‑assisted workflows if left unpatched.

GitLab also fixed a denial‑of‑service vulnerability in the Wiki component, tracked as CVE‑2026‑1402, which impacts GitLab CE/EE from 17.1 through unpatched 18.10, 18.11, and 19.0 branches.

Due to insufficient input validation, an authenticated user could craft content that exhausts resources and renders the Wiki unavailable, earning a CVSS score of 6.5.

In parallel, CVE‑2026‑6713 addresses incorrect authorization checks in the GraphQL WorkItem API that could allow unauthenticated users to enumerate private projects under certain conditions, rated 5.3 on the CVSS scale.

Several medium‑severity authorization issues have also been resolved in GitLab EE operations and Duo features.

CVE‑2026‑5296 fixes improper authorization in the Duo Workflows API that could let a developer‑role user bypass flow restrictions when foundational flows are enabled at the group level.

CVE‑2026‑2601 corrects missing authorization checks that could expose sensitive deployment data to developer‑level users.

Additionally, CVE‑2026‑8716 corrects an incorrect name resolution behavior in pipelines that could allow access to CI data from a different ref type.

CVE‑2026‑2710 ensures that blocked Project Access Tokens cannot access private resources via certain authentication endpoints.

All of these flaws are remediated in versions 19.0.1, 18.11.4, and 18.10.7, which also bundle multiple stability and performance backports, including updates to zlib, nginx, Mattermost, Elasticsearch indexer, and GitLab Shell.

The updates do not introduce new database migrations and, in typical multi‑node deployments, can be rolled out without downtime when following GitLab’s zero‑downtime guidance.

Organizations running affected versions are strongly advised to prioritize upgrades, monitor their instances for abuse of Duo AI or Wiki features, and align with GitLab’s published best practices for securing self‑managed deployments.

Uncover Shadow APIs, close OWASP gaps — Join a Free Webinar to secure every API at runtime.

The post GitLab Patches Multiple Duo AI, DoS, and Authorization Flaws in Community and Enterprise Edition appeared first on Cyber Security News.

Developed by Armur AI, it gives security professionals live, coordinated access to the full offensive stack, including nmap, SQLMap, Burp Suite, ZAP, and Metasploit, all driven by an AI model of your choice.

What Makes It a True Swarm

Most tools marketed as “multi-agent” are actually pipelines — a single planner LLM dispatching specialists in a predetermined order: recon → classify → exploit → report. Pentest Swarm AI breaks this mold with three swarm-intelligence primitives:

• Stigmergy — agents coordinate by reading and writing findings to a shared PostgreSQL-backed blackboard (pgvector), not via a central planner. Each finding carries a pheromone weight that biases other agents toward high-value paths and decays over time, letting stale attack paths die naturally.
• Emergence — attack chains form without any agent prescribing them; a recon finding wakes the classifier, a high-severity CVE match triggers the exploit agent, and exploit results cycle back into the board.
• Decentralization — each agent runs its own trigger predicate, so adding or removing an agent requires no orchestrator rewrite.

The platform ships with eight ProjectDiscovery tools stable out of the box — subfinder, httpx, nuclei, naabu, katana, dnsx, gau — plus a fully parsed nmap XML adapter with scope validation. sqlmap, Burp MCP bridge, Metasploit, and ZAP adapters are queued for Wave 2 of the roadmap, making the platform progressively more powerful without requiring a platform overhaul.

Getting started requires just one API key and one command:

bashexport PENTESTSWARM_ORCHESTRATOR_API_KEY=sk-ant-your-key-here
pentestswarm scan example.com --scope example.com --swarm --follow

It supports Claude (default, with prompt caching enabled for recon and classifier agents), Ollama for fully air-gapped local deployments, and any OpenAI-compatible model, giving teams the flexibility to balance cost, privacy, and capability. No GPU, no local model download required when using the cloud path.

Every campaign produces submission-ready output across four formats Markdown, HTML, JSON, and SARIF queried directly from the blackboard by a dedicated report agent.

Findings are automatically deduplicated, CVSS v3.1 scored per the FIRST specification, and scoped: the --scope flag is enforced both at the tool layer and the executor layer for defense-in-depth, making it safe for CI/CD pipelines and bug-bounty programs.

Tool	Architecture	Executes	Memory	True Swarm
Pentest Swarm AI	Stigmergic blackboard	Yes	pgvector + pheromones
PentestGPT	Single-agent ReAct	Suggests	None
PentAGI	4 agents + planner	Yes	pgvector	Pipeline only
HexStrike	MCP tool wrapper	Delegates	Stateless

GitHub Actions & MCP Integration

A ready-made GitHub Action ships with SARIF output, enabling automated pentesting directly within any CI/CD workflow. The pentestswarm mcp serve command exposes the entire swarm as an MCP server, integrating natively with Claude Desktop and Cursor for IDE-level offensive security testing.

Licensed under AGPL-3.0, Pentest Swarm AI is free for red teams, bug-bounty hunters, and internal security pipelines, with the copyleft clause ensuring that any commercial SaaS fork must return improvements to the open-source community. The project is available on GitHub.

Uncover Shadow APIs, close OWASP gaps — Join a Free Webinar to secure every API at runtime.

The post Pentest Swarm AI Tool With Live Access to nmap, sqlmap, Burp, Metasploit, and Others appeared first on Cyber Security News.

Previously available in beta for Google Workspace users, DBSC is now enabled by default across all Workspace customers, Individual subscribers, and personal Google accounts.

Session cookies are small files websites use to remember authenticated users, but they’ve long been a lucrative target for threat actors. Malware families like infostealer trojans routinely harvest these cookies to hijack active sessions, bypassing multi-factor authentication entirely, a technique known as a pass-the-cookie attack.

DBSC directly counters this threat by cryptographically binding a session cookie to the specific device the user authenticated from. Even if malware successfully exfiltrates a cookie from the compromised endpoint, that cookie becomes essentially useless on any other machine. This significantly raises the operational cost for attackers relying on stolen session tokens to maintain persistent access.

Google has further amplified DBSC’s defensive value by integrating it with Context-Aware Access (CAA). Organizations leveraging both capabilities can enforce more granular access policies based on device attributes, user behavior, and environmental signals, adding an additional layer of verification beyond initial authentication.

Workspace administrators can now monitor DBSC binding events directly through the security investigation tool’s audit logs, enabling security teams to detect anomalies and track session integrity across their environment.

Notably, DBSC requires no administrative action to enable; it is active by default and cannot be disabled through the Admin console.

Rollout Timeline and Availability

Google began a gradual rollout on May 25, 2026, covering both Rapid Release and Scheduled Release domains, with full feature visibility expected within 60 days. The feature is broadly available to:

• All Google Workspace customers
• Workspace Individual subscribers
• Users with personal Google accounts

DBSC represents a meaningful architectural shift in post-authentication security. Rather than relying solely on perimeter controls or MFA at login, it extends trust verification throughout the session lifecycle.

For enterprise security teams, this reduces exposure to credential-based lateral movement and post-exploitation persistence techniques commonly used by advanced threat actors.

Security teams are encouraged to review audit logs within the Google Admin console to baseline normal DBSC binding behavior and flag any deviations that may indicate active session hijacking attempts.

Free Webinar on OWASP API Top 10 and Guide to Close Visibility Gaps With WAAP

The post Google Chrome’s Device-Bound Session Credentials Now GA to Block Account Takeovers appeared first on Cyber Security News.

The campaign, active since at least August 2025, primarily targets Ukraine and related entities across the government, military, and civilian sectors, highlighting a growing convergence between artificial intelligence and modern cyber warfare.

WithSecure researchers identified GREYVIBE as a previously untracked threat group exhibiting consistent overlaps in infrastructure, tooling, and operational behavior across multiple campaigns.

While no definitive attribution has been established, the group’s activities strongly align with Russian state interests, particularly intelligence-gathering objectives linked to the ongoing Russia-Ukraine conflict.

Supporting evidence includes Russian-language artifacts, Moscow time zone activity patterns, and targeting aligned with Ukrainian institutions.

GREYVIBE Abuses ChatGPT, Gemini AI

GREYVIBE employs a multi-vector attack strategy, combining spear-phishing emails, fake CAPTCHA verification pages, and fraudulent websites to distribute malware.

In spear-phishing campaigns, attackers impersonate Ukrainian government agencies and distribute malicious archives via cloud services such as Google Drive.

These payloads execute decoy documents while silently initiating infection chains using custom loaders.

Another notable tactic involves fake CAPTCHA pages designed to trick victims into executing malicious commands under the guise of verification steps.

Additionally, the group operates deceptive “adult club” websites targeting Ukrainian individuals, particularly military personnel.

These platforms not only deliver malware such as FallSpy for Android and PhantomRelay for Windows, but also engage in social engineering through fake personas on messaging platforms like Telegram.

A key finding in the report is GREYVIBE’s systematic use of generative AI across the attack lifecycle.

Tools such as ChatGPT, Google Gemini, and Ideogram AI were reportedly used to generate phishing lures, develop malware components, and support post-compromise activities.

Researchers observed AI-generated code patterns in obfuscators and loaders such as DAYLIGHT and TEASOUP, as well as in the development of LegionRelay, a custom PowerShell-based remote access trojan.

This AI-assisted approach appears to help the group compensate for limited technical sophistication while accelerating development cycles.

It also reduces reliance on reused code, making traditional attribution methods more difficult. However, the group’s reliance on AI has introduced flaws.

WithSecure identified design weaknesses in LegionRelay that exposed backend functionality, enabling researchers to monitor attacker activity over time.

GREYVIBE’s malware toolkit includes PhantomRelay, a modular RAT that uses WebSockets for command execution, and FallSpy, an Android spyware that exfiltrates sensitive data, including contacts, location, and device information.

LegionRelay further extends its capabilities by enabling file theft, screenshot capture, and exfiltration of messaging data.

Despite its effectiveness, GREYVIBE demonstrates signs of operational immaturity. Researchers noted poor operational security practices, including uploading test samples to public platforms and inconsistent tooling.

At the same time, overlaps with known cybercrime infrastructure suggest possible links to former or active cybercriminal actors, indicating a hybrid threat model.

The emergence of GREYVIBE underscores how generative AI is reshaping the threat landscape. By lowering technical barriers and enabling rapid tool development, AI is empowering even moderately skilled actors to conduct complex cyber operations, complicating detection, attribution, and defense efforts.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates.

The post GREYVIBE Hackers Leverage ChatGPT and Google Gemini to Fuel Cyberattacks appeared first on Cyber Security News.

Palo Alto Networks published its security advisory on May 13, 2026, warning that CVE-2026-0257 enables a remote unauthenticated attacker to forge authentication override cookies and establish unauthorized VPN connections through the GlobalProtect gateway.

The vulnerability exists in a non-default feature called “authentication override,” which allows GlobalProtect portals and gateways to issue session cookies to authenticated users similar to a bearer token, so users don’t need to re-authenticate each session.

The flaw is triggered only when the certificate used to encrypt and decrypt these authentication override cookies is shared with another feature, such as the HTTPS service of the portal or gateway.

Because the decryption process in the /usr/local/bin/gpsvc binary performs no signature verification after decrypting the cookie, any attacker who can retrieve the public key from the exposed HTTPS certificate can forge a valid authentication cookie and bypass authentication entirely.

Rapid7 has identified the earliest exploitation on May 17, 2026, with a first wave of attacks originating from IPs hosted on Vultr. On May 18, Rapid7 detected suspicious cookie-based authentication to local admin accounts across multiple customer environments.

The attacker used the machine name GP-CLIENT and a spoofed MAC address (aa:bb:cc:dd:ee:ff) to masquerade as a legitimate endpoint.

A second exploitation wave occurred on May 21, 2026, this time originating from the hosting provider Dromatics Systems, using machine name DESKTOP-GP01.

In this wave, some victims had full VPN IP assignments granted after the cookie authentication, giving attackers direct access to internal networks. Across both waves, the consistent spoofed MAC address suggests a single threat actor behind both campaigns. Notably, 8 out of 10 impacted MDR customers saw only authentication probes, not full VPN session establishment.

Indicators of Compromise

Organizations must upgrade to patched versions immediately. Key fixed versions include PAN-OS 12.1.4-h6 / 12.1.7, PAN-OS 11.2.12, PAN-OS 11.1.15, and PAN-OS 10.2.18-h6, among others. Prisma Access 11.2.0 requires 11.2.7-h13 or later, and Prisma Access 10.2.0 requires 10.2.10-h36 or later.

Mitigations

Organizations should take the following actions immediately:

• Upgrade all affected PAN-OS and Prisma Access instances to vendor-patched versions
• Disable the authentication override feature if not operationally required
• Generate a dedicated certificate exclusively for authentication override cookie encryption — never share it with the HTTPS service
• Hunt for IOCs listed above across VPN and GlobalProtect authentication logs
• Deploy detection rules available for InsightIDR/MDR: including “Suspicious Authentication – Palo Alto GlobalProtect Cookie Authentication to Local Admin Account”

Despite its medium CVSSv4 score, Rapid7 urges organizations to treat CVE-2026-0257 as a critical-priority vulnerability. An authentication bypass on an internet-facing enterprise VPN appliance represents a significant initial access vector, and with active exploitation confirmed and a public proof-of-concept script now available, the window for safe remediation is closing fast.

Uncover Shadow APIs, close OWASP gaps — Join a Free Webinar to secure every API at runtime.

The post Palo Alto Networks PAN-OS Authentication Vulnerability Bypass Exploited in the Wild appeared first on Cyber Security News.

That conversation is over. It ended this week. 

In the span of a few days, five separate signals landed. Each on its own is significant. Together, they are impossible to ignore. Western Digital announced PQC support in its product line. CNN ran a primetime segment on the quantum threat. The U.S. government committed roughly two billion dollars toward quantum computing initiatives.

Reports surfaced of an executive order accelerating federal PQC adoption. And Apple publicly endorsed ML-KEM and ML-DSA, the NIST-finalized post-quantum algorithms, for protecting iMessage. 

Pick any one of those in isolation, and it’s notable. Stack them on the same week, and they’re a pattern. The companies, governments, and infrastructure providers who actually run the world’s encryption are not waiting anymore. They are building, shipping, and deploying. 

The question for everyone reading this is no longer whether post-quantum cryptography matters. It’s whether your organization is moving with the industry or quietly drifting behind it. 

The two threats that don’t need a quantum computer 

The most expensive misconception in PQC strategy is the assumption that nothing bad happens until a cryptographically relevant quantum computer exists. That framing makes the threat feel distant, which makes it easy to defer, which is exactly why so many programs are still in planning instead of execution. 

Two threats are already active today, and neither one requires a working quantum computer to do damage. 

The first is Harvest Now, Decrypt Later, or HNDL. Adversaries, nation-states in particular, are intercepting and storing encrypted traffic right now. They don’t need to read it today. They need to read it in 2030, or 2035, or whenever a sufficiently powerful quantum computer comes online. Storage is cheap. Patience is free.

The encryption protecting your VPN traffic, your TLS-secured APIs, and your long-lived sensitive communications becomes retroactively breakable the moment that hardware exists. For any data that needs to stay confidential for ten years or more (healthcare records, financial archives, intellectual property, government communications), the exposure window has already opened. 

The second is Trust Now, Forge Later, or TNFL. This is the integrity side of the same problem. Digital signatures that establish trust today, including root CA keys, code-signing keys, firmware signatures, and certificate hierarchies, can be forged retroactively once quantum capability arrives.

The thing being attacked isn’t confidentiality. Its authenticity. Software supply chains, identity systems, secure boot, legal signatures, all of it depends on signatures whose security assumptions are quietly aging. 

Neither threat is theoretical. Both are operational right now. And both are why the organizations leading on PQC are not waiting for hardware to exist before they act. 

The visibility problem nobody is talking about 

Here is the part that doesn’t make it into the headlines. 

When organizations finally do start their PQC programs, they almost always run into the same wall. Not algorithm selection. Not vendor support. Not budget. The wall is visible. 

Cryptography in a modern enterprise lives in six places at once, and most of them are not on anyone’s map. There is the application layer, where legacy systems hardcode RSA and ECC implementations that nobody on the current team built. There is the infrastructure layer (load balancers, VPN gateways, SSH endpoints), where deprecated cipher suites and long-lived keys often have no documented owner.

There is cloud and SaaS, where the cryptographic boundary frequently lives outside the customer’s direct control. There is OT and IoT, where firmware-level cryptography can be operational for fifteen or twenty years without ever being upgraded.

There is the PKI layer, where root and issuing CAs anchor trust for the entire organization. And there is the third-party and supply-chain layer, where vendors choose algorithms on your behalf and rarely tell you what they picked. 

When you actually run discovery against an enterprise environment, the findings are almost always the same. RSA-1024 running in production on services nobody maintains. Certificates with ten-year validity periods were issued before the current governance existed. Cryptographic keys hardcoded into application configs and CI/CD pipelines, with no rotation history and no dependency map. Third-party integrations using algorithms that the security team has no contractual right to audit. 

You cannot migrate cryptography you cannot see. You cannot prioritize what you have not inventoried. And you cannot defend a posture you cannot describe to your board. 

The sequence that actually works 

The most consistent pattern across industries and organization sizes is that PQC programs fail in roughly the same way. They start with algorithm selection. They pick a pilot system. They get a small proof of concept working. And then they hit the wall of trying to scale that pilot across thousands of systems, they don’t have a complete inventory of. 

The sequence that works runs in the opposite direction. 

It starts with a Cryptography Bill of Materials, or CBOM. This is a live, continuously updated inventory of every cryptographic asset across the enterprise: algorithms, key lengths, certificates, libraries, protocols, ownership, business criticality. Not a one-time spreadsheet that goes stale within weeks. Operational infrastructure that stays current as your environment changes. 

With a CBOM in place, the second phase becomes possible: crypto-agility. This is the architectural property that lets you swap algorithms without rebuilding systems, deploy hybrid classical-plus-PQC key exchange without breaking compatibility, automate certificate lifecycle operations at enterprise scale, and migrate in phases instead of all at once. Crypto-agility does not replace your infrastructure. It is a capability layered on top of it. 

Once both are in place, the third phase, prioritization, becomes a rational exercise instead of a guessing game. Score every asset on three axes: algorithm vulnerability, data longevity, and business criticality. The intersection tells you what migrates immediately, what migrates in the next twelve to eighteen months, and what stays under continuous monitoring. 

Skip the inventory step, and everything downstream becomes guesswork. You make architectural decisions on incomplete information. You execute migration waves and discover dependencies mid-deployment. You spend resources on the wrong assets in the wrong order. The sequence is non-negotiable: inventory first, then agility, then prioritization. 

Why this matters now, specifically 

NIST finalized the first three PQC standards in August 2024: ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205). That moment changed PQC from research to deployable engineering. Within months, organizations like Cloudflare, Google, Apple, Akamai, AWS, and Microsoft began shipping production deployments.

Chrome made ML-KEM the default key exchange. Apple’s PQ3 protocol moved iMessage to hybrid ML-KEM ratcheting. Google set an internal target to complete its PQC migration by 2029. Cloudflare reports that over half of human internet traffic now runs through post-quantum key agreement. 

Behind those deployments, the regulatory floor is rising. CNSA 2.0 enforces PQC signing requirements for new National Security Systems acquisitions starting in 2027. NIST has signalled the deprecation of RSA and ECC after 2030.

The September 2026 transition of legacy FIPS 140-2 validations to the historical list creates a convergence point: organizations modernizing to FIPS 140-3 are doing it under the same engineering load as the PQC migration itself. 

What this means in practice: organizations that started foundational work (the CBOM, the vendor conversations, the hardware assessments) in 2024 and 2025 are now executing migrations. Organizations starting that work today are still on the bridge. Both can get to the other side. The runway is different. 

What the visibility layer actually looks like 

This is where CBOM Secure fits into the conversation. It is the cryptographic posture management platform Encryption Consulting built specifically for this problem: the visibility gap that sits underneath every PQC program, every compliance audit, and every certificate lifecycle automation initiative. 

The platform runs nineteen production discovery sensors across the layers where cryptography actually lives. Cloud KMS (AWS, Azure, GCP). HSM APIs including Entrust nCipher, Thales Luna, IBM 4767/4768/4769, Yubico YubiHSM 2, and Fortanix DSM. KMIP servers, versions 1.0 through 2.1. Database TDE. Source code across seven languages.

OS trust stores. Active Directory, LDAP, HashiCorp Vault, and the major filesystem formats. Everything normalizes into a single CBOM-compliant inventory exported in CycloneDX format. Every asset gets a risk score. Quantum-vulnerable cryptography is flagged automatically. Audit evidence for NIST SP 800-131A, FIPS 140-3, CNSA 2.0, CMMC 2.0, PCI DSS 4.0, and FedRAMP comes out of the same dataset, on demand. 

The pattern most organizations adopt: start with the CBOM, because without visibility, everything downstream is guesswork, and build from what the inventory reveals. The certificate automation, the PQC migration planning, and the compliance reporting all run off the same source of truth. 

What path is your organization on? 

This is the question worth taking back to your team this week. 

The headlines aren’t going to slow down. Western Digital, CNN, the U.S. government, the executive branch, and Apple. That was one week. There will be another week like it, and another after that. Every one of those announcements compresses the timeline for organizations that haven’t started, and widens the gap for organizations that have. 

There are roughly three paths from here. The first is to start the foundational work now. Build the CBOM. Identify the assets with the longest lead times. Begin the hybrid deployment conversations with vendors. Treat crypto-agility as an operating model rather than a project.

The second is to wait one more quarter, one more budget cycle, one more strategic planning meeting, and start the same work later under more pressure. The third is to do nothing and discover, somewhere around 2028 or 2029, that the migration window has narrowed faster than the program can execute. 

Organizations on path one are building cryptographic agility by the way they push configuration updates. Organizations on path two are still buying themselves time. Organizations on path three are building a gap that compounds every quarter. 

The technology is ready. The standards are finalized. The deployments are happening at scale, in production, this week. 

What path is your organization on? 

Encryption Consulting builds CBOM Secure, the cryptographic posture management platform behind the inventory layer described in this article. To see how a continuously updated CBOM maps against your environment, visit www.encryptionconsulting.com or reach out at info@encryptionconsulting.com. 

The post Post-quantum cryptography is not the future. It is your current reality.   appeared first on Cyber Security News.

Built in the Go programming language and obfuscated with a tool called Garble, it combines powerful per-file encryption with an aggressive ability to spread itself silently across entire networks without any human intervention.

Organizations in education, healthcare, transportation, and finance across North America, South America, Europe, Africa, and Asia have already felt its damaging impact.

The Gentlemen operates as a ransomware-as-a-service (RaaS) platform, meaning its core developers rent access to the malware to other criminals known as affiliates.

It first emerged around mid-2025 as a closed group, then opened its doors to affiliates in September 2025.

More recently, its operators forged a formal partnership with BreachForums, a well-known cybercriminal marketplace, actively recruiting penetration testers and initial access brokers to carry out attacks on their behalf.

Microsoft Threat Intelligence, which tracks the group behind the malware as Storm-2697, noted that the operators use double extortion tactics.

They encrypt a victim’s data and simultaneously steal sensitive files, threatening to release the stolen information publicly if the ransom is not paid.

Microsoft said in a report shared with Cyber Security News (CSN) that the threat is already widely adopted and this new partnership could attract an even broader pool of criminal actors going forward.

What sets The Gentlemen apart is its layered attack strategy. It disables antivirus tools, deletes backups, clears system logs, and wipes forensic traces before encryption even begins.

Once active, it can reach across a network and plant itself on other machines automatically, making containment far more difficult for incident responders and security teams.

The ransomware requires a build-specific password to execute, and operators can control nearly every aspect of its behavior through command-line arguments.

These options include setting encryption speed, enabling network spreading, and choosing how the malware persists after a reboot. That level of operational control makes it unusually flexible and customizable for a criminal tool deployed at scale.

Ransomware Uses SYSTEM Scheduled Task

One of the most technically notable behaviors in The Gentlemen is how it achieves the highest possible system privileges before encrypting local drives.

When the ransomware receives the right command-line instruction, it creates a Windows scheduled task named gentlemen_system that runs the malware executable under the SYSTEM account, which is the most powerful level of access on a Windows machine.

To do this cleanly, it first deletes any existing task with that name, then registers and immediately triggers a fresh one. Once running under this elevated context, the malware sets an internal environment variable called LOCKER_BACKGROUND=1 to signal that it is operating as a background encryption process with full privileges.

This design allows the ransomware to reach and encrypt files that would otherwise be protected or inaccessible to standard user-level accounts.

Self-Propagation Across the Network

The Gentlemen does not stop at a single machine. When its spreading feature is activated, it transforms into a self-propagating worm capable of deploying itself to every system it can reach on the local network.

It stages its own binary in a shared folder, copies it across administrative network shares, and attempts to execute it on remote hosts using eight different methods simultaneously.

These methods include PsExec, Windows Management Instrumentation, scheduled tasks in both user and SYSTEM contexts, Windows services, and PowerShell remoting.

The malware attempts 21 separate remote execution operations per target host. This redundancy is central to its strategy because even if most methods are blocked, a single successful execution on one new host is enough to restart the entire propagation cycle.

Defenders can reduce exposure by enabling controlled folder access, turning on cloud-delivered antivirus protection, and blocking process creations originating from PsExec and WMI commands through attack surface reduction rules.

Running endpoint detection and response tools in block mode is also strongly recommended, as is configuring automatic attack disruption to contain active threats before they spread further across the environment.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Ransomware Uses SYSTEM Scheduled Task to Encrypt Local Drives With Elevated Privileges appeared first on Cyber Security News.

Active since at least mid-2025, the group has combined social engineering, credential theft, and supply chain sabotage into a seamless operation that puts the entire software development pipeline at risk.

The attacks begin with a convincingly crafted LinkedIn profile reaching out to targets under the guise of a business opportunity or a job offer.

Once trust is established, victims receive a meeting invitation linked to a fake conferencing platform page designed to look like Microsoft Teams or similar services.

Clicking the link triggers the download of a macOS-specific remote access tool that silently begins stealing sensitive data from the moment it runs.

Researchers at Wiz.io identified and named the threat cluster JINX-0164 after investigating multiple intrusions targeting cryptocurrency companies. 

Wiz CIRT and Wiz Research said in a report shared with Cyber Security News that this actor is financially motivated and has been deploying two distinct malware families, AUDIOFIX and MINIRAT, with a clear focus on macOS devices.

AUDIOFIX is a compiled Python-based infostealer and backdoor that harvests browser credentials, cryptocurrency wallet extensions, SSH keys, cloud API tokens, and even clipboard data in real time.

It communicates with its command-and-control server over encrypted HTTPS, using AES-256-CBC encryption, and can quietly switch to randomized polling intervals to avoid detection.

The malware also targets active sessions on communication platforms like Discord, Slack, and Telegram, giving attackers a wide view into a victim’s digital life.

The threat actor masked their network activity by routing connections through commercial VPN services, making attribution harder.

To further cover their tracks, they tampered with Git commit metadata to impersonate legitimate developers and pushed malicious code directly into internal repositories, turning the organization’s own development infrastructure into a delivery mechanism for further infections.

JINX-0164 Threat Actor Using LinkedIn Social Engineering

The attack chain unfolded over a two-week period in one documented case, moving from a LinkedIn message to full infrastructure compromise.

Once a developer clicked the fake meeting link, AUDIOFIX was downloaded via a bash dropper script hosted on a fake driver update domain.

The payload disguised itself as a system audio component named coreaudiod and was saved as ChromeUpdater, launched through launchctl to establish persistence.

After gaining a foothold, the malware harvested credentials from macOS Keychain, browsers, and cloud configuration files, including AWS, GCP, and Azure keys, as well as Cloudflare API tokens.

GitHub tokens were then used to exfiltrate secrets from CI/CD pipelines using an open-source tool called nord-stream. The attacker pushed infected code into shared repositories, which then spread AUDIOFIX to every developer who pulled and built from those branches.

Supply Chain Attack via Trojanized npm Package

On April 7, 2026, JINX-0164 escalated by targeting the broader software supply chain. The group quietly modified version 4.9.1 of the npm package @velora-dex/sdk, a widely used cryptocurrency SDK, appending code that would download and execute a shell script whenever the package was imported by any project.

That shell script delivered MINIRAT, a lightweight Go-based backdoor that registers infected machines with the same command-and-control infrastructure used by AUDIOFIX.

Although MINIRAT does not perform the same broad automated data theft, it provides operators with persistent remote access and the ability to execute commands and move files.

Only npm credentials were compromised in this incident, as the source code on GitHub remained unmodified.

Organizations are advised to deploy an Endpoint Detection and Response solution and enable audit logging across all cloud platforms and version control systems by default.

Security teams should watch for unverified commits in GitHub, unexpected VPN usage from providers like ExpressVPN, Astrill VPN, and Mullvad VPN, and any anomalous workflow activity in CI/CD pipelines.

Enabling GitHub Vigilant Mode can help surface developer impersonation attempts through unsigned or mismatched commits. Teams should also monitor for the use of nord-stream and flag any new code package publications originating from unfamiliar IP addresses.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post JINX-0164 Threat Actor Using LinkedIn Social Engineering to Deploy Custom macOS Malware appeared first on Cyber Security News.