Cybersecurity News and Magazine

The Cyber Express Weekly Roundup: Cloud Extortion, Long-Term Espionage, Android Zero-Days, and Public Sector Security Reviews

Ashish Khaitan — Fri, 05 Jun 2026 11:39:19 +0000

The cybersecurity landscape in this weekly roundup continues to show a clear shift toward identity-driven attacks, long-term persistence operations, and exploitation of trusted cloud environments. Threat actors are increasingly focusing on stealing credentials, abusing administrative access, and leveraging legitimate platforms to scale impact across organizations. Rather than relying on one-off intrusions, attackers are now building sustained access paths into enterprise systems, enabling repeated exploitation, data theft, and extortion from within trusted environments.

The Cyber Express Weekly Roundup

Pink Extortion Group Targets Microsoft 365 Users via Voice Phishing

A newly identified cyber extortion group known as “Pink” is using voice phishing (vishing) campaigns to steal credentials for Microsoft 365 accounts. Once access is gained, the group rapidly exfiltrates data from cloud platforms such as SharePoint and OneDrive and sends extortion messages directly from compromised internal accounts to pressure victims. Read more…

China-Linked VerdantBamboo Maintains 18-Month Network Access

Researchers have uncovered an 18-month intrusion attributed to the China-linked threat group VerdantBamboo. The attackers maintained long-term access using compromised MSP credentials, multiple malware families, and repeated re-entry techniques after remediation attempts. Read more…

DPDP and Cybersecurity: Why Less Data Means Better Security

India’s DPDP framework promotes data minimization as a key cybersecurity strategy. Organizations are urged to collect only necessary data, store it briefly, and delete unused information to reduce breach risk. Excess data increases attack surface and impact, making deletion as important as protection in modern security practices. Read more...

Google Patches Actively Exploited Android Zero-Day (CVE-2025-48595)

Google’s June 2026 security update addresses 124 vulnerabilities in Android, including CVE-2025-48595, a high-severity zero-day that was actively exploited in targeted attacks. The flaw enables local privilege escalation without user interaction, underscoring the growing focus of sophisticated threat actors on mobile devices as high-value entry points. Read more…

CBSE Launches Security Review of OSM Platform After Vulnerability Reports

The Central Board of Secondary Education (CBSE) has engaged experts from the Indian Institute of Technology Madras and the Indian Institute of Technology Kanpur to review security concerns in its On-Screen Marking (OSM) system used for Class 12 board examinations. The audit follows reports of weak authentication controls and potential cloud storage exposure, prompting a full-scale security assessment and hardening exercise. Read more…

Weekly Cybersecurity Takeaway

This week’s incidents reinforce a consistent pattern: attackers are prioritizing identity compromise and trusted cloud platforms over traditional perimeter breaches. From phishing-as-a-service extortion campaigns targeting Microsoft 365 to long-term espionage operations and mobile zero-days, the common thread is the abuse of legitimate access rather than forced intrusion. As organizations continue to expand cloud and mobile reliance, the attack surface is increasingly defined not by infrastructure boundaries, but by identity trust and administrative privilege.

DPDP and Cybersecurity: Why the Safest Data May Be the Data You Delete

Samiksha Jain — Fri, 05 Jun 2026 07:40:45 +0000

By Malcolm Gomes, COO, IDfy

Seventy percent of all sensitive data sitting in enterprise systems right now has not been accessed, used, or reviewed in years, according to a Data Risk report from 2021. It was never deleted when it should have been and, in a breach, it is just as exposed as everything else. For years, enterprises treated personal data as an asset to be collected first and governed later. More data meant better personalization, sharper analytics, stronger fraud models, and business intelligence. But in DPDP and cybersecurity, that equation is changing. Data without a clear purpose is no longer an asset. It is an attack surface.

India’s cyber risk environment makes this urgent. In 2025, CERT-In handled over 29.44 lakh cyber incidents. IBM’s 2025 breach research pegged the average cost of a data breach in India at ₹220 million, while the global average stood at USD 4.44 million. Verizon’s 2026 Data Breach Investigations Report found that 31% of breaches now start with software vulnerability exploitation, overtaking stolen credentials as the leading entry point.

What that figure means in practice is that attackers are no longer just looking for weak passwords. They are looking for unguarded data stores, and enterprises that hold more data than they need are giving attackers more to find.

Why DPDP and Cybersecurity Are Now Closely Connected

This is why the Digital Personal Data Protection (DPDP) framework should not be viewed only as privacy compliance. It is also a cybersecurity reset. It forces enterprises to ask a fundamental security question: why are we holding this data in the first place?

Data minimization is not about doing less business. It is about reducing unnecessary exposure. Every extra field collected, every duplicated customer record, every old document retained beyond its purpose, and every vendor copy sitting outside the organization’s control expands the blast radius of a breach.

Security teams can encrypt systems and monitor networks, but they cannot fully protect data that the business does not know exists, no longer needs, or cannot justify.

How DPDP Is Reshaping Data Governance

DPDP and cybersecurity changes that conversation. Organizations must be able to explain what they collect, why they collect it, how long they keep it, whom they share it with, and when it must be deleted.

These are not just legal requirements. They are security design principles.

The law also carries serious consequences. Failure to maintain reasonable security safeguards can attract penalties of up to ₹250 crore, while failure to notify the Board or affected individuals of a personal data breach can attract penalties of up to ₹200 crore.

The most secure piece of personal data is the one you never collected unnecessarily. The second most secure is the one you deleted when its purpose was fulfilled.

Data Minimization as a Cybersecurity Strategy

For Indian enterprises, digital journeys have become data-heavy by default. Onboarding, lending, insurance, healthcare, ecommerce, and fraud prevention journeys may all have legitimate reasons to process personal data. The challenge is to distinguish necessary data from convenient data.

Cyber risk is no longer limited to firewalls and endpoint protection. It includes data hoarding, excessive access, old records, test data, unused integrations, shadow databases, and third-party copies.

When a breach happens, regulators, customers, and partners will not only ask how the attacker got in. They will ask why so much data was there to be exposed.

Data minimization reduces three risks.

First, it reduces data breach risk. If expired data has already been deleted, it cannot be stolen. If a system contains ten required fields instead of fifty collected by habit, the harm is lower.
Second, it improves visibility. Many organizations struggle not because they lack security tools, but because they lack a reliable map of personal data across applications, databases, documents, cloud environments, and third parties. You cannot secure what you cannot see.
Third, it strengthens accountability. Product, operations, legal, vendor, and security teams must now work from the same understanding of purpose, consent, retention, and safeguards.

Together, these three elements create a mature enterprise cybersecurity posture.

Balancing Fraud Prevention and Personal Data Protection

The hardest balancing act will be fraud prevention.

Banks, insurers, fintechs, marketplaces, and digital platforms need strong controls to detect synthetic identities, account takeover, mule activity, payment fraud, and suspicious behavior. But fraud prevention cannot become a blanket justification for collecting everything.

The way forward is not to weaken fraud controls. It is to make them sharper.

Purpose-bound fraud prevention means collecting only the data required for a specific risk decision, using it with clear controls, retaining it for a justified period, and restricting access to systems that genuinely need it.

Good security does not require unlimited data. It requires the right data, governed well.

Why Trust Is Becoming a Competitive Advantage

This is where trust becomes a competitive advantage. Enterprises that can demonstrate why they collect data, how they protect it, and when they delete it will earn customer and partner confidence.

In a market where cyber threats are rising and regulatory scrutiny is increasing, trust will influence both customer choice and institutional credibility.

For boards and leadership teams, the question is no longer, “Are we DPDP compliant?”

The sharper question is, “Can we prove that our data practices reduce risk?”

Answering that question requires more than a compliance audit. It requires a live view of personal data across the enterprise: what exists, where it goes, who can access it, and whether it still needs to.

Privacy and security used to be treated as separate disciplines with separate teams, budgets, and agendas. That separation is no longer viable. A security team that does not know what personal data the business holds cannot protect it. A privacy team that does not have technical visibility into data flows cannot govern them.

The Future of DPDP and Cybersecurity

DPDP is not asking enterprises to choose between innovation and protection. It is asking them to build digital systems where innovation does not depend on uncontrolled data accumulation.

For too long, “collect more” was seen as the safer business strategy. In the DPDP era, the safer cybersecurity strategy may be the opposite: collect with purpose, protect with discipline, and delete with confidence.

Data minimization is no longer a privacy checkbox. It is becoming one of the most practical security controls an enterprise can deploy.

(Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the official position of The Cyber Express. This article is published as part of our contributed content program and is intended for informational purposes only.)

China’s VerdantBamboo Experimented With Three Re-Entries and Three Malware in a Company Network

Mihir Bagwe — Fri, 05 Jun 2026 06:48:31 +0000

China's VerdantBamboo spent 18 months inside a company's network. The entry point was the managed service provider next door.

The incident response started with a suspicious connection from a Linux appliance. It ended with the discovery of a Chinese state-sponsored threat actor that had been silently present in two interconnected networks for at least a year and a half — and that came back through a different door within days of being evicted through the first one.

Researchers at Volexity, documented a multi-stage intrusion campaign by the threat actor it tracks as VerdantBamboo, also known as WARP PANDA and UNC5221 by other vendors, that began with a compromised file sync appliance, expanded through a breached managed service provider, and persisted through three separate re-entry attempts, each one exploiting a different piece of infrastructure that lacked endpoint detection coverage.

A File Sync Box No One Was Watching

In September 2025, Volexity was called in after a customer noticed suspicious outbound traffic from a Linux virtual machine running Egnyte Storage Sync, software designed to synchronize on-premise files with cloud storage.

Instead of connecting to Egnyte infrastructure, the appliance was making encrypted TLS connections to a threat-actor-controlled domain hidden behind Cloudflare IP addresses. It was also querying Google's public DNS server at 8.8.8.8 via DNS over HTTPS, a technique that allows DNS lookups to masquerade as ordinary HTTPS traffic, bypassing DNS-based network monitoring.

Also read: China Sits at the Top of America’s Cyber Threat List

Forensic analysis of the appliance revealed two backdoors. The primary implant was BRICKSTORM, a Golang-based remote access trojan previously documented by CISA, Google Cloud, and NVISO in the context of Ivanti zero-day exploitation campaigns. The secondary was a previously undocumented Python reverse shell that the researchers named AGENTPSD, packaged as a native binary using PyInstaller and configured to execute once a month on the 15th as a fallback should BRICKSTORM become unavailable. Both had been on the system for at least 18 months before discovery.

VerdantBamboo's initial foothold came through the appliance's default service account, egnyteservice, accessed via SSH using credentials the attacker had obtained from the organization's managed service provider. A misconfigured sudo rule on the appliance, which allowed the egnyteservice account to run the Linux tee command as root, gave the attacker an inadvertent local privilege escalation path. Using tee, they could write files anywhere on the filesystem as root, which they used to install BRICKSTORM in /usr/sbin/ and create a cron-based execution mechanism. Volexity reported the sudo misconfiguration to Egnyte, which fixed it in Storage Sync v13.13.

The MSP Was Already Compromised

As researchers examined the supply chain of the compromise, it turned its attention to the managed service provider — the third-party firm that administered the victim organization's systems. The MSP's pfSense firewall, a popular open-source firewall running on FreeBSD, had been compromised by multiple threat actors simultaneously: web shells, cryptocurrency miners, alternate VPN configurations, and a FreeBSD-compatible BRICKSTORM implant deployed by VerdantBamboo, disguised as a file named "blacklist" in the IPsec directory and persisted via a modified cron file. That implant beaconed to a different C2 domain than those found on the victim organization's systems. It had also been present for at least 18 months.

Volexity assesses with medium confidence that the victim organization was first compromised via VerdantBamboo's prior breach of the MSP — with the attacker using MSP-held administrative credentials and infrastructure access as the initial foothold into the primary target's environment.

Three Evictions, Three Re-entries

The operational persistence VerdantBamboo demonstrated after initial discovery is the most important finding. Within days of the Storage Sync appliance and SSL VPN being taken offline, the organization's Synology NAS device began beaconing to the same C2 domain found on the Storage Sync server.

The re-entry path was when the MSP retired the SSL VPN device during remediation, the organization's firewall became directly accessible to the internet. VerdantBamboo connected to its administrative interface using stolen credentials that were not protected by multi-factor authentication, configured a new SSL VPN network on the firewall itself, and used that access to pivot back into the internal network.

From there, the attacker connected via SSH to the Synology NAS and deployed a third previously undocumented malware family, tracked by Volexity as PLENET — a .NET Core backdoor compiled to native code using the Native AOT framework introduced in .NET 7, which Google Cloud independently tracked under the name GRIMBOLT.

Researchers also found that VerdantBamboo had validated administrative credentials for the organization's VMware vCenter infrastructure via web-based logins but did not proceed to deploy malware on ESXi or vCenter systems in this incident, despite public reporting that ESXi persistence is a standard behavior for this group.

The Technique That Made All of This Work

Across the entire operation, VerdantBamboo consistently used compromised devices to proxy connections into the victim organization's Microsoft 365 environment. By routing M365 access through the organization's own SSL VPN IP address space, the attacker's logins appeared to originate from trusted internal infrastructure — bypassing Conditional Access policies specifically designed to block external access. Conditional Access policies in Microsoft Entra ID allow organizations to restrict cloud access by device, location, or network; VerdantBamboo rendered those controls useless by making its traffic look like it came from inside.

The entire attack surface VerdantBamboo operated against — the Egnyte appliance, the pfSense firewall, the Synology NAS — shared one characteristic; none of these devices support endpoint detection and response software. BRICKSTORM, PLENET, and AGENTPSD were all deployed on infrastructure that sits permanently outside the EDR visibility layer that most security teams treat as their primary detection surface.

VerdantBamboo did not breach this organization through a zero-day exploit on a managed Windows endpoint. It entered through the blind spots — the devices that sit on the network and are administered via web interface and SSH, with no agent, no behavioral monitoring, and no MFA on their administrative accounts.

Researchers recommended enforcement of MFA on all administrative accounts without exception, including those managing firewalls and network appliances; audit sudo configurations on Linux appliances for inadvertent privilege escalation paths; ensure that network appliances are never exposed directly to the internet following remediation work; and extend network monitoring coverage to all devices capable of making outbound connections, regardless of whether they support EDR agents.

Study of AI-Assisted Cyberattacks May Reshape How Security Industry Measures Risk

Mihir Bagwe — Fri, 05 Jun 2026 04:36:25 +0000

The threat intelligence community has spent decades building frameworks to assess how dangerous a cyberattacker is. Anthropic just published data suggesting those frameworks are failing — not because they were poorly designed, but because AI has fundamentally changed the relationship between attacker skill and attacker capability, and AI-assisted cyberattacks are now becoming a norm.

Anthropic's Frontier Red Team published findings drawn from 832 accounts banned for malicious cyber activity between March 2025 and 2026, mapping each case against MITRE ATT&CK, the industry's most widely used taxonomy of attacker tactics and techniques.

A subset of those findings appeared in Verizon's 2026 Data Breach Investigations Report. The full analysis, published simultaneously with an interactive visualization on Anthropic's Red blog, delivers three conclusions that should unsettle security teams relying on traditional risk-scoring models.

AI Is Moving Deeper Into the Attack Chain

The most common AI-assisted activity in the dataset is also the most expected - writing malware. Of the 832 accounts studied, 560 or 67.3% used AI for that purpose. But the more significant finding is directional. Across the twelve-month study period, AI use shifted measurably from initial-access techniques toward post-compromise activity. It's the harder, more technically demanding work that happens after an attacker is already inside a network.

AI-assisted account discovery — identifying valid accounts inside a compromised environment — rose 8.9% across the period. AI-assisted phishing, a standard initial-access technique, fell 8.6%. Lateral movement, the process of navigating deeper inside a compromised network to reach high-value targets, was used with AI assistance by 54 of the 832 actors, or 6.5%. These are precisely the techniques that have historically required sophisticated operators to execute effectively. AI is democratizing them.

The risk-scoring data makes that democratization concrete. In the first six months of the study period, 33% of actors were classified as medium risk or higher. By the second six months, that share had jumped to 56% — a roughly 1.7-fold increase in just six months.

The Old Signals for Measuring Threat Level No Longer Work

Security teams have traditionally assessed actor sophistication by counting how many distinct techniques they employ and observing what tools or interfaces they use. Anthropic's data shows those signals have decoupled from actual risk in an AI-enabled environment.

The least-skilled actors in the dataset used an average of 16 distinct techniques. The most skilled used an average of 20. The gap is so small as to be operationally meaningless for triage purposes. Similarly, whether an attacker used Claude Code, the API, or a chat interface showed no correlation with risk level.

What does distinguish higher-risk actors is where in the attack lifecycle they apply AI. Higher-risk operators concentrate AI use on operationally demanding techniques — account discovery, lateral movement, privilege escalation — rather than merely on initial-access tasks. But even that signal is eroding. Those post-compromise techniques are exactly where the broader attacker population is now heading, as more actors get reclassified as higher risk and the behavior diffuses downward through the threat actor ecosystem.

The more durable differentiator, Anthropic found, is architectural. The highest-risk actors build scaffolding around models that allows AI to chain together discrete stages of a cyberattack and execute them with minimal human input. That capability — agentic attack orchestration — is the real frontier of AI-enabled threat activity, and it is not captured anywhere in the current MITRE ATT&CK framework.

MITRE ATT&CK Was Not Built for AI Agents

Researchers show the framework gap with an example of a state-sponsored cyber espionage operation the company disrupted in November 2025, in which a malicious actor manipulated Claude Code into attempting to infiltrate targets worldwide with minimal human intervention.

Read: Chinese Hackers Weaponize Claude AI to Execute First Autonomous Cyber Espionage Campaign at Scale

Mapping that operation against MITRE ATT&CK produced a count of 30 techniques across 13 tactics — a profile comparable to many medium-risk actors in the dataset, and one that drastically understates how dangerous the operation actually was. Anthropic's own risk-scoring methodology, applied to the same operation, returned a maximum score of 100.

The gap exists because MITRE ATT&CK was designed to document what attackers do, not how they orchestrate it. An AI agent that executes commands, exploits vulnerabilities, steals credentials, and makes real-time tactical decisions across a full attack chain — requiring human input only at a few key moments — is a categorically different threat actor than a human operator executing those same steps manually. There is no ATT&CK ID for agentic orchestration. There is no technique entry for autonomous chaining of attack stages. There is no tactic that captures the removal of human decision bottlenecks from the attack lifecycle.

Anthropic says it is in active discussions with MITRE about how the ATT&CK framework might evolve to include these AI-enabled behaviors. The company has also used the findings from this analysis to inform the cyber safeguards built into its most capable models — including detection and blocking mechanisms for malware development and mass data exfiltration activities documented in the dataset.

Risk triage models built on technique counts, tool-type signals, or initial-access sophistication are now systematically underclassifying AI-enabled actors. A threat actor who uses 16 techniques with AI assistance may pose the same operational risk as one using 25 techniques manually. An attacker deploying a free-tier chat interface may be running the same agentic attack chain as one using a direct API connection.

The more meaningful questions for detection and triage are behavioral and architectural. Is this actor using AI post-compromise rather than merely for initial access? Is there evidence of automated chaining between attack stages? Is human intervention being removed from operationally demanding steps? Those questions are not yet embedded in standard detection frameworks — and closing that gap, researchers argue, is now an urgent priority for the industry.

New Threat Actor Targets Crypto Firms’ Development Infrastructure

Mihir Bagwe — Thu, 04 Jun 2026 18:22:27 +0000

A previously undocumented threat actor is conducting highly targeted attacks against cryptocurrency organizations, using fake recruitment opportunities, custom macOS malware, and software supply chain compromises to gain access to development environments and cloud infrastructure.

Researchers at Wiz Research have identified the group as JINX-0164, a financially motivated actor that has been active since at least mid-2025. Unlike many crypto-focused threat groups that target wallets and exchanges directly, JINX-0164 is going after the software development infrastructure that powers crypto companies.

The Attack Starts on LinkedIn

According to Wiz's investigation, the threat actor's operations begin with carefully crafted social engineering campaigns.

Developers and technical employees at cryptocurrency firms are approached on LinkedIn by profiles posing as recruiters, business partners, or industry professionals. The interactions often appear legitimate and may continue for days before the target is invited to a virtual meeting.

The meeting invitation directs victims to a website masquerading as a teleconferencing platform. However, instead of joining a video call, users unknowingly download malware specifically designed for macOS systems.

This level of targeting suggests the attackers have conducted reconnaissance beforehand and are deliberately selecting employees with access to development resources and sensitive corporate systems.

From Developer Laptop to Production Infrastructure

Once the malware is executed, attackers establish remote access to the compromised machine and begin harvesting credentials.

What makes JINX-0164 particularly dangerous is its focus on developer environments. Rather than stopping at endpoint compromise, the group pivots toward software repositories, build pipelines, cloud environments, and CI/CD systems.

Researchers observed attackers moving laterally from employee devices into development infrastructure, enabling them to access source code, authentication tokens, and deployment systems.

In at least one incident investigated by Wiz, the campaign escalated into a software supply chain attack, showing the potential for downstream impact beyond the initial victim organization.

A Shift in Crypto Threat Actor Tactics

Historically, many crypto-focused threat actors have concentrated on stealing digital assets directly through wallet compromise or exchange breaches.

JINX-0164 appears to be taking a different route.

By targeting developers and the systems they use to build and distribute software, the group gains access to a broader attack surface. Compromising a CI/CD pipeline can potentially provide access to production environments, customer-facing applications, and software updates distributed to thousands of users.

Custom Tooling and Long-Term Access

Wiz researchers noted that the actor relies on custom-built malware rather than publicly available tools. This enables the group to maintain stealth, evade traditional security controls, and adapt quickly when defenses change.

The malware serves as a foothold into the victim environment, after which the attackers focus heavily on credential collection and infrastructure access.

Particular attention appears to be paid to cloud resources and development secrets—assets that can provide privileged access across an organization's environment.

Why Cryptocurrency Firms Are Being Targeted

Cryptocurrency companies remain among the most lucrative targets for cybercriminals.

Beyond direct access to digital assets, these organizations often manage large volumes of financial transactions, proprietary code, and privileged infrastructure. Developers within these firms frequently have access to production environments, signing keys, cloud platforms, and deployment pipelines.

For attackers, compromising a single engineer can become a gateway to an entire ecosystem.

Also read: $15M Grinex Hack Forces Trading Halt After Major Crypto Wallet Breach

Pink Extortion Group Emerges Targeting Microsoft 365 Data

Mihir Bagwe — Thu, 04 Jun 2026 16:38:36 +0000

A newly identified cyber extortion operation is gaining attention among incident responders after security researchers uncovered a threat group using voice phishing, cloud data theft and aggressive extortion tactics to target organizations.

Researchers at Unit 42 have begun tracking the activity under the cluster designation CL-CRI-1147, while the threat actors themselves operate under the newly established "Pink" extortion brand. The group's leak site reportedly became active on May 31, and already lists multiple victims, signaling an effort to establish an independent reputation within the cybercrime ecosystem.

A New Brand With Familiar Tactics

While Pink is a new name, its techniques are anything but.

Researchers assess that CL-CRI-1147 is likely affiliated with the broader "Com" cybercriminal ecosystem—a loosely used term for financially motivated actors linked to several high-profile extortion campaigns. The group's tradecraft closely resembles that of cybercrime crews such as ShinyHunters and Blackfile, both known for targeting cloud environments and stealing corporate data for extortion purposes.

Also read: ShinyHunters, CL0P Return with New Claimed Victims

The emergence of Pink suggests that rather than a completely new threat actor entering the scene, an existing operator may be rebranding or spinning off under a new identity.

Voice Phishing Opens the Door

Unlike ransomware groups that rely on malware deployment, Pink appears focused on manipulating employees.

According to Unit 42, attacks begin with vishing—voice phishing calls in which attackers impersonate internal IT staff. During these conversations, victims are persuaded to visit phishing websites and enter their credentials.

Researchers identified several domains used in these campaigns, including:

passkeyadd[.]com
passkeydeploy[.]com
deploypasskey[.]com

The domains mimic legitimate password and authentication workflows, helping attackers convince users that they are participating in a routine security process.

Once credentials are captured, the threat actors gain access to Microsoft 365 accounts, including multi-factor authentication sessions.

Cloud Data Theft Within Minutes

After compromising an account, the attackers move quickly.

Rather than deploying ransomware or attempting to establish long-term persistence, Pink appears focused on immediate data theft from cloud collaboration platforms such as SharePoint and OneDrive.

Researchers observed activity associated with tools and user-agent strings commonly used to automate cloud data collection, including:

Microsoft.Graph.Client/5.62.0
python-requests/2.28.1
python-requests/2.33.1

The use of Microsoft Graph APIs suggests the actors are leveraging legitimate cloud functionality to identify and exfiltrate sensitive corporate files at scale while blending into normal administrative activity.

Using the Victim's Own Accounts

One of the more notable aspects of Pink's operations is how quickly attackers weaponize compromised accounts.

Shortly after stealing data, the actors reportedly use the victim's Microsoft 365 account to distribute extortion messages internally. These communications are sent both via email and Microsoft Teams, creating immediate credibility and increasing pressure on the organization.

This tactic allows attackers to demonstrate access while amplifying confusion among employees and incident responders.

Infrastructure Reuse Points to Organized Operations

Researchers also identified infrastructure patterns that suggest a structured operation rather than opportunistic attacks.

Pink reportedly reuses second-level phishing domains across multiple campaigns while customizing third-level subdomains to match the targeted organization. The infrastructure has been observed leveraging services associated with DDoS-Guard hosting.

Among the indicators identified by researchers are:

185[.]178.208[.]153 (hosting phishing infrastructure)
172[.]93.100[.]252 (accessing compromised accounts)
96[.]232.20[.]66 (linked to extortion email creation via residential proxy services)

The reuse of infrastructure combined with consistent phishing themes indicates an operation designed for repeatable, scalable attacks.

AI-Powered Bots Are Blurring the Line Between Users and Cyber Threats

Samiksha Jain — Thu, 04 Jun 2026 12:19:25 +0000

For years, security teams have relied on behavioral clues to identify malicious activity. However, the rise of AI-powered bots is making that task far more challenging. Unlike traditional automated tools, these bots can imitate legitimate user behavior with remarkable accuracy, allowing them to blend into normal traffic patterns. A new study examining enterprise security readiness suggests that artificial intelligence is fundamentally changing how bot attacks are carried out. Rather than behaving like traditional automated tools, modern AI-powered bots are now capable of mimicking legitimate users with a level of sophistication that many organizations struggle to detect. The report, based on a survey of 300 enterprise leaders across North America, highlights a growing concern among cybersecurity professionals: attackers are no longer trying to force their way into systems. Instead, they are increasingly blending into normal digital activity.

AI-Powered Bot Threats Are Becoming More Advanced

According to the findings, AI-driven bot threats are reshaping the threat landscape by enabling attackers to automate reconnaissance, optimize targeting, and operate within normal user behavior patterns. Credential-based attacks remain the most common form of bot-related activity, with 74% of respondents identifying them as a major concern. DDoS attacks followed at 51%, while 40% reported dealing with AI-driven scraping campaigns designed to harvest sensitive information from websites and online platforms. What makes these attacks particularly challenging is not just their scale, but their ability to imitate legitimate traffic. Modern bots can browse websites, submit forms, test stolen credentials, and interact with applications in ways that closely resemble human behavior. Security experts warn that this evolution is making traditional bot detection methods less effective.

Many Organizations Still Rely on Slow Defensive Processes

While attackers are increasingly operating at machine speed, many organizations continue to update their defenses at a much slower pace. The survey found that only 25% of enterprises continuously update bot detection rules. In contrast, nearly half of respondents update protections on a weekly basis, creating potential windows of opportunity for attackers. This gap between attack speed and response speed is becoming a growing concern as AI lowers the barriers to launching automated campaigns. Researchers noted that the cost of executing large-scale bot attacks has dropped significantly, allowing threat actors to conduct more reconnaissance, launch more credential attacks, and scale operations faster than ever before.

The Challenge of Distinguishing Good Bots From Bad Bots

One of the most notable findings from the study is the difficulty organizations face when trying to classify bot activity. Nearly one-quarter of respondents said they cannot reliably distinguish malicious bots from legitimate automated traffic. That challenge is becoming increasingly relevant as businesses themselves rely on automation. Organizations commonly use bots for search engine optimization, website monitoring, analytics, and performance testing. As a result, security teams are often managing environments where beneficial and malicious automation can appear remarkably similar. Industry experts warn that threat actors are taking advantage of this overlap. By designing attacks that resemble trusted automated activity, they can reduce the likelihood of detection and remain active for longer periods.

Confidence Does Not Always Reflect Readiness

Despite growing concerns around AI-driven bot threats, many organizations remain confident in their ability to detect malicious activity. The survey found that 79% of enterprise leaders believe they can identify bot traffic. However, only 23% reported having mature, governance-driven programs designed to manage automated threats proactively. Meanwhile, 44% continue to rely primarily on reactive approaches, while many depend on default protections provided by web application firewalls and content delivery networks. This disconnect suggests that confidence may be outpacing actual preparedness. The report also found that only one-third of respondents said their existing tools successfully blocked more than half of AI-generated bot traffic over the past year.

Business Impact Extends Beyond Security Teams

The consequences of AI-driven bot threats are no longer limited to cybersecurity departments. More than half of surveyed organizations expect AI-powered bots to negatively affect customer experience during the next 12 months. Others anticipate increased exposure of sensitive data and growing operational challenges. Bots can create subtle but costly disruptions. Slower website performance, disrupted transactions, account takeover attempts, and unauthorized data collection can all affect customer trust and business performance. For large organizations handling millions of monthly website visits, even small disruptions can translate into significant financial and operational consequences.

A Shift Toward Bot Governance

As AI continues to reshape cyber threats, security leaders are increasingly being encouraged to move beyond traditional bot detection strategies. The report argues that organizations should begin treating bots as identity-bearing actors rather than simply another source of internet traffic. This approach places greater emphasis on understanding intent, verifying identities, and continuously assessing behavior rather than relying solely on signature-based detection methods. The broader message from the research is clear: as automated threats become more intelligent, organizations will need to focus not only on identifying malicious activity but also on understanding and governing it. The challenge is no longer just stopping bots. It is determining which automated actors can be trusted and which are actively working against the organization.

The NHS Was Lucky. The Next Victim Might Not Be.

Mihir Bagwe — Thu, 04 Jun 2026 12:17:53 +0000

In May 2026, malicious code appeared inside packages used across NHS software projects. The software supply chain attack named Mini Shai-hulud by researchers spread through CI/CD systems, package registries, and developer tooling before anyone noticed something was wrong. It was caught quickly. Damage was limited.

The UK's National Cyber Security Centre is using that near-miss to bring into focus a more urgent case. The underlying conditions that made Mini Shai-hulud possible are not unique to that attack, and subsequent similar campaigns have gone undetected for longer and spread far more widely.

The Problem Is Structural

NCSC National Resilience Officer Jack F, is not mainly interested in a particular threat actor or a CVE but in how modern software development works — because that architecture is the vulnerability.

A single application today may rely on dozens, sometimes hundreds, of third-party packages like libraries, frameworks, SDKs, and code snippets pulled in automatically when a developer runs a single install command. Node.js, Python, and Rust are singled out as especially exposed because their minimal standard libraries push developers toward external registries for even basic functionality. Once a package is in a dependency tree, it often pulls in further packages of its own — transitive dependencies that the original developer never consciously chose.

This is not a flaw in the ecosystem's design. It is the design. The efficiency gains from reusable, trusted components are real, and the NCSC is not arguing against open source development. The argument is more specific to the combination of automation, implicit trust, and scale that turns a single compromised package into a vector capable of spreading malicious code across hundreds of organizations before any single one of them detects it.

Four Techniques Defenders Need to Know

The NCSC documents four attacker techniques active in recent campaigns. The first is maintainer account compromise — attackers steal credentials or tokens that allow them to push malicious updates to a trusted, legitimate package. This is how the Axios npm attack in March 2026 worked. The maintainer account was hijacked, a malicious dependency injected, and the backdoor distributed to an estimated 80% of cloud environments before the window closed.

Read: Axios Supply Chain Attack Exposes Developers to Hidden Malware

The second technique is abandoned package takeover where attackers claim ownership of packages whose original maintainers have let their domains lapse or transferred control elsewhere. The third is typosquatting, in which, publishing packages with names that closely mimic popular legitimate ones, waiting for a developer to make a spelling error in an install command. The fourth is self-propagation, meaning, using credentials stolen from one package compromise to access or modify additional packages, creating a cascading contamination chain across an ecosystem.

All four techniques exploit the same structural feature. Once a package enters a trusted registry, downstream consumers inherit whatever trust that registry confers, automatically, at scale, with no human checkpoint.

What Defenders Are Being Asked to Do

The NCSC's immediate guidance falls into three categories. The first is visibility. Organizations must audit recent package updates and version changes, identify newly introduced or unexpected dependencies, and maintain a software bill of materials — a documented inventory of every component a codebase relies on. Without that inventory, it is impossible to know whether a compromised package is present at all.

The second is detection. Teams should monitor CI/CD activity, network traffic, and credential use for anomalies, and run dependency scanning tools against known indicators of compromise published after supply chain incidents.

And the third is remediation posture. If a compromise is suspected, automatic dependency updates should be paused immediately, new updates and versions reviewed manually before redeployment, and any potentially exposed API keys, tokens, and credentials rotated without waiting for confirmation of active exploitation. Enforcing multi-factor authentication on developer and package registry accounts is singled out specifically — the absence of universally enforced MFA on registry accounts is identified as a structural gap that maintainer account compromises directly exploit.

The NCSC also flags developer environments themselves as a soft target. Developer devices are typically less tightly controlled than managed corporate endpoints, making credential theft from developer workstations a reliable path to registry access that bypasses enterprise security controls entirely.

As supply chain attacks on PyPI and npm packages have become a near-weekly occurrence across security news feeds, rhe NCSC's guidance refers defenders to the Software Security Code of Practice as the authoritative framework for strengthening development and supply chain management. It also notes that its SSCoP implementation guidance will be updated shortly to reflect the specific attack scenarios.

Ransomware and Geopolitical Tensions Drive Cyber Threats Across META in Q1 2026

Samiksha Jain — Thu, 04 Jun 2026 06:44:20 +0000

Cyber threats across the Middle East, Turkey, and Africa (META) continued to intensify in the first quarter of 2026, with ransomware groups, hacktivist campaigns, and large-scale data breaches shaping a volatile threat landscape for organizations across the region. According to Cyble’s latest META Threat Landscape Report, ransomware remained one of the most disruptive threats during Q1 2026, with attacks targeting industries ranging from government and construction to banking and energy. The findings also point to a growing overlap between financially motivated cybercrime and geopolitically driven cyber activity.

Ransomware Attacks Continue to Rise

Researchers observed 116 ransomware incidents publicly disclosed across the META region during the first three months of 2026. Turkey recorded the highest number of attacks, followed by the UAE, while countries including South Africa and Egypt also faced significant ransomware activity. Among the most active threat groups was Gentlemen, which accounted for a notable share of observed attacks during the quarter. Other ransomware operators including INC Ransom, Qilin, Tengu, and LockBit also remained highly active. Construction emerged as the most targeted industry, followed closely by government agencies, law enforcement organizations, financial services, and energy companies. These sectors often manage sensitive operations and critical infrastructure, making them attractive targets for cybercriminals seeking maximum disruption and financial leverage. The Cyble report also highlights how ransomware operations are becoming increasingly organized, with many groups continuing to operate under ransomware-as-a-service models that allow affiliates to scale attacks rapidly.

Data Breaches Expose Sensitive Information

Beyond ransomware, underground forums remained flooded with stolen databases and claims of unauthorized access linked to organizations across the region. Threat actors allegedly offered access to sensitive data connected to sectors such as hospitality, healthcare, sports, influencer marketing, and energy. In one case, a threat actor claimed to possess terabytes of information linked to Qatar’s energy sector, including credentials and cloud backups. Government and public sector organizations also remained frequent targets, reflecting growing concerns around espionage, politically motivated operations, and long-term intelligence gathering.

Vulnerability Exploitation Driving Intrusions

The report notes that attackers continue to move quickly after new vulnerabilities become public. Several high-severity flaws disclosed during the quarter were rapidly added to the CISA Known Exploited Vulnerabilities catalog, reinforcing how threat actors are actively monitoring enterprise technologies for exploitable weaknesses. Enterprise management systems, security tools, and internet-facing applications remained among the most targeted technologies. One of the more notable cases involved a critical Ivanti Endpoint Manager Mobile vulnerability that could allow unauthenticated remote code execution. Researchers say such flaws continue to attract threat actors because they provide a pathway into enterprise environments without requiring stolen credentials.

META Threat Landscape Report Highlights Geopolitical Tensions

Hacktivist activity also remained elevated throughout Q1 2026. Researchers tracked hundreds of posts related to data leaks, website defacements, and distributed denial-of-service attacks affecting thousands of domains across the META region. Much of this activity appeared linked to ongoing geopolitical tensions, particularly conflicts involving Israel, Iran, and neighboring regions. Threat actors increasingly used cyber operations not just for disruption, but also to amplify political messaging and influence public narratives online. The report suggests that organizations operating in politically sensitive regions may continue to face elevated cyber risks throughout the year.

A Growing Need for Proactive Cyber Defense

The findings from Q1 2026 reflect a broader shift in the threat landscape, where cyberattacks are becoming faster, more coordinated, and more difficult to contain. For organizations across the META region, visibility into emerging threats, exposed assets, ransomware activity, and vulnerability exploitation is becoming increasingly important as attackers continue to evolve their tactics. The full META Threat Landscape Report offers a closer look at the threat groups, industries, and attack trends shaping the region’s cybersecurity environment in early 2026. Readers interested in ransomware trends, regional targeting patterns, and emerging cyber risks can explore the Cyble report for deeper insights into how the threat landscape is evolving.

Ransomware Attacks Surge 30% in 2026 as Qilin and INC Ransom Intensify Operations

Ashish Khaitan — Wed, 03 Jun 2026 06:59:01 +0000

Ransomware attacks surged 30% in the first half of 2026 compared to the same period in 2025, with Qilin and INC Ransom emerging as two of the most prolific and dangerous operators in a crowded criminal ecosystem. Healthcare continues to be the top targeted industry, with 27 incidents in January 2026 alone, a figure that reflects both the sector's operational sensitivity and the premium value of health records on darknet markets.

Qilin: The Dominant Force

Qilin — also known as Agenda — is a ransomware group that entered 2026 accelerating, not slowing down. By early 2026, Qilin had already posted 55 confirmed victims, placing it ahead of its own 2025 pace. By June 2026, tracking data, Qilin had accumulated 168 confirmed victims in the healthcare sector alone, behind only manufacturing (291) and business services (245) in overall victim count. Qilin operates as a Ransomware-as-a-Service (RaaS) platform, recruiting affiliates who conduct attacks using Qilin's ransomware builder and infrastructure in exchange for a percentage of ransom proceeds. This model allows the core group to expand operational throughput without directly executing every attack. The group's double extortion model — encrypting victim data while simultaneously exfiltrating it and threatening public release on their leak site — has proven effective at pressuring victims into paying ransom demands even when robust backups exist. Public exposure of sensitive patient records creates regulatory, legal, and reputational pressure that many healthcare organisations find more immediately damaging than operational downtime. A notable recent case involves Covenant Health, which suffered a Qilin ransomware breach that exposed 478,188 patient records. The Covenant Health incident highlights Qilin's willingness to attack hospitals and health systems regardless of the direct patient safety implications.

INC Ransom: Targeting Critical Sectors

INC Ransom is another highly active operator that was among the top ransomware groups by victim count in January 2026, with 47 known attacks that month. The group targets organisations across multiple sectors, including healthcare, legal services, and public administration. INC Ransom gained significant attention in 2025 for its attack on NHS Scotland, which exposed 3 terabytes of patient data. The group continues to operate aggressively in 2026, targeting entities including healthcare practices, municipal agencies, and regional service providers. Recent INC Ransom victims include healthcare organisations such as Lymphedema Therapy Specialists, Inc. (February 2026, affecting 378 Texas patients) and various municipal and public sector entities, including Champaign-Urbana Public Health District.

The 2026 Ransomware Landscape

Beyond Qilin and INC Ransom, the broader 2026 ransomware ecosystem is characterised by:

AI-assisted operations: Multiple ransomware groups are now using AI tools to accelerate phishing campaign creation, target research, and initial access operations, reducing the operational cost of launching attacks.
Healthcare as a premium target: Patient records sell for up to 10 times as much as financial records on darknet markets, making it a persistently attractive target. Operational disruption of healthcare services also creates patient-safety leverage that can pressure organisations to make faster payment decisions.
The Play and SafePay operators were also confirmed in recent June 2026 attack disclosures, targeting organisations including Clínica Maitenes and various regional businesses.

Why It Matters

The 30% year-over-year increase in ransomware incidents confirms that neither law enforcement action nor improved defensive capabilities has materially reduced the operational tempo of ransomware criminal enterprises. The professionalisation of RaaS platforms, combined with AI-assisted tooling and shortened attack timelines, is creating conditions in which even well-defended organisations face materially elevated risk. For healthcare specifically, the combination of operational sensitivity, high data value, and historically underfunded security programmes creates a structural vulnerability that the industry has not yet resolved despite years of high-profile attacks.