π¨ Brutal showing: security researcher Orange Tsai just made $375,000 in 24 hours at Pwn2Own Berlin 2026. He landed both Microsoft Edge AND Microsoft Exchange in back-to-back demos.
- Day 1: Chained 4 logic bugs to escape the Microsoft Edge sandbox. Payout: $175,000
- Day 2: Took down Microsoft Exchange in the Server category. Payout: $200,000
Congrats π₯
- Day 1: Chained 4 logic bugs to escape the Microsoft Edge sandbox. Payout: $175,000
- Day 2: Took down Microsoft Exchange in the Server category. Payout: $200,000
Congrats π₯
π₯13π6β€2π1
βοΈπ¨ BREAKING: Researchers used Mythos Preview to find the first public macOS kernel memory corruption exploit on Apple's M5 silicon, they give a glimpse into Mythos say itβs really powerful.
Apple spent five years and an estimated several billion dollars building Memory Integrity Enforcement (MIE), the hardware-assisted memory safety system built around ARM's MTE. It was the flagship security feature of the M5 and A19, designed specifically to kill the entire memory corruption bug class.
Researchers from Calif built a working exploit in five days.
According to Apple's own research, MIE disrupts every public exploit chain against modern iOS, including the recently leaked Coruna and Darksword kits. Calif walked into Apple Park this week and handed over the report in person.
Full 55-page technical report drops after Apple patches the vulnerability.
Source: https://blog.calif.io/p/first-public-kernel-memory-corruption
Apple spent five years and an estimated several billion dollars building Memory Integrity Enforcement (MIE), the hardware-assisted memory safety system built around ARM's MTE. It was the flagship security feature of the M5 and A19, designed specifically to kill the entire memory corruption bug class.
Researchers from Calif built a working exploit in five days.
According to Apple's own research, MIE disrupts every public exploit chain against modern iOS, including the recently leaked Coruna and Darksword kits. Calif walked into Apple Park this week and handed over the report in person.
Full 55-page technical report drops after Apple patches the vulnerability.
Source: https://blog.calif.io/p/first-public-kernel-memory-corruption
π₯΄6π₯2β€1
π¨ Public PoC dropped for an unpatched Apple Maildrop flaw. The bug itself is modest. The disclosure record is the real story. Apple is sitting on the minor iCloud Maildrop bug for 34 months and counting.
Maildrop attachment URLs ship 3 unsigned, client-controlled parameters (f= filename, sz= size, uk= user key). Anyone holding a valid Maildrop link can rewrite f= and sz=. The link still resolves on icloud[.]com, still serves the original uploader's file (uk= is locked, so this isn't arbitrary malware delivery), and the spoofed filename is stamped into the Content-Disposition response header. The file saves to disk under whatever name the attacker chose.
Again it's not the way it should work, but it's no biggie. But the timeline is interesting:
πΉ Reported: 7 Jul 2023 to Apple Security Bounty (case OE1950888220).
πΉ Status: "Prioritised for review" since 8 Apr 2026.
πΉ Elapsed: 34 months. ~10Γ a standard 90-day disclosure window.
Source: https://stuart-thomas.com/research/maildrop-spoofed-params/
Maildrop attachment URLs ship 3 unsigned, client-controlled parameters (f= filename, sz= size, uk= user key). Anyone holding a valid Maildrop link can rewrite f= and sz=. The link still resolves on icloud[.]com, still serves the original uploader's file (uk= is locked, so this isn't arbitrary malware delivery), and the spoofed filename is stamped into the Content-Disposition response header. The file saves to disk under whatever name the attacker chose.
Again it's not the way it should work, but it's no biggie. But the timeline is interesting:
πΉ Reported: 7 Jul 2023 to Apple Security Bounty (case OE1950888220).
πΉ Status: "Prioritised for review" since 8 Apr 2026.
πΉ Elapsed: 34 months. ~10Γ a standard 90-day disclosure window.
Source: https://stuart-thomas.com/research/maildrop-spoofed-params/
π1π₯΄1
βΌοΈπ¨ Ledger customers are receiving physical scam letters impersonating a "Quantum Resistance" security update signed by CTO Charles Guillemet.
There's a QR code that leads to a phishing site harvesting 24-word recovery seed phrases.
Letters are localized per region (Italian recipient in the wild got an Italian-language version, matching Global-e's cross-border checkout data).
The data is probably sourced from the January 2026 Global-e breach (Ledger's e-commerce processor).
Confirmed by Ledger: https://support.ledger.com/article/scams-targeting-crypto-holders
There's a QR code that leads to a phishing site harvesting 24-word recovery seed phrases.
Letters are localized per region (Italian recipient in the wild got an Italian-language version, matching Global-e's cross-border checkout data).
The data is probably sourced from the January 2026 Global-e breach (Ledger's e-commerce processor).
Confirmed by Ledger: https://support.ledger.com/article/scams-targeting-crypto-holders
π€£6π€2β€1
This media is not supported in your browser
VIEW IN TELEGRAM
βΌοΈπ¦ Mozilla's security team says there were 6 Firefox entries at Pwn2Own, of which 5 had to withdraw due to them releasing a last-minute security fix in 150.0.3.
One of the participants, kiddo-pwn, released a PoC that works on versions before the patch:
https://github.com/kiddo-pwn/ffffirefox
One of the participants, kiddo-pwn, released a PoC that works on versions before the patch:
https://github.com/kiddo-pwn/ffffirefox
π4π©2β€1
βΌοΈπ¨ Google's Threat Intelligence warns UNC6671 aka BlackFile is running a high-tempo vishing campaign against Microsoft 365 and Okta since early 2026.
Callers pose as IT, push passkey/MFA migration pretexts, harvest credentials and MFA in real time, and register attacker-controlled MFA devices for persistence.
https://cloud.google.com/blog/topics/threat-intelligence/blackfile-vishing-extortion-operation/
Callers pose as IT, push passkey/MFA migration pretexts, harvest credentials and MFA in real time, and register attacker-controlled MFA devices for persistence.
https://cloud.google.com/blog/topics/threat-intelligence/blackfile-vishing-extortion-operation/
β€1π₯°1
π¨πΊπΈ Federal jury just convicted Sohaib Akhter in the case of 96 wiped US government databases, including FOIA and sensitive federal records.
DOJ says he and his twin Muneeb were fired by a federal contractor, then nuked the systems over several hours.
Sentencing September 9, with up to 21 years in prison expected.
Worth noting: court records still call the contractor "Company-1." Public reporting has identified it as Opexus, but DOJ's indictment keeps the company anonymized.
Source: https://www.justice.gov/usao-edva/united-states-vs-muneeb-akhter-and-sohaib-akhter-case-number-125-cr-307-rda
DOJ says he and his twin Muneeb were fired by a federal contractor, then nuked the systems over several hours.
Sentencing September 9, with up to 21 years in prison expected.
Worth noting: court records still call the contractor "Company-1." Public reporting has identified it as Opexus, but DOJ's indictment keeps the company anonymized.
Source: https://www.justice.gov/usao-edva/united-states-vs-muneeb-akhter-and-sohaib-akhter-case-number-125-cr-307-rda
π€£7π4β€3
International Cyber Digest
π¨πΊπΈ Federal jury just convicted Sohaib Akhter in the case of 96 wiped US government databases, including FOIA and sensitive federal records. DOJ says he and his twin Muneeb were fired by a federal contractor, then nuked the systems over several hours. Sentencingβ¦
π¨πΊπΈ New detail in the Akhter twins case: after being fired, Sohaib and Muneeb forgot to stop the Teams meeting in which they were fired, and recorded themselves planning and executing the wipe of 96 US government databases tied to FOIA and federal records.
Full transcript from the DOJ filing:
SOHAIB: "Still connected? Still on the VPN?"
SOHAIB: "Delete all their databases?"
MUNEEB: "Eh, they can recover themβ¦backups, I'm pretty sure."
SOHAIB: "Daily backups?"
MUNEEB: "Yup."
SOHAIB: "What's the plan [then]? We gonna take care of severance or are we gonna do something aboutβ¦" "Should we retort to whatever they send us by saying we need $25,000 each? Hm?"
MUNEEB: "We are doing petty shit now."
MUNEEB: "I'm going to wipe my computer clean."
SOHAIB: "I can't access the system but I still have the email address for their customers for eCase and FOIAXpress."
MUNEEB and SOHAIB discuss being compensated by Company-1.
MUNEEB: "I'm not gonna threaten them shit, that's like could be shown as some sort of . . ."
SOHAIB: "It depends on how you write it. Just say, 'according to our previous agreement, this is the tally of the amount that I've been [paid], if you pay it up front, then I have no reason to communicate with customers.'"
MUNEEB: "I'm good."
SOHAIB: "Whatcha working on man?"
MUNEEB: "Nothing important, man."
SOHAIB: "Why won't you tell me? I ain't gonna snitch."
MUNEEB: "Don't need to. Don't worry about it."
MUNEEB: "People are logged out for the day, this is the perfect time."
SOHAIB: "How do you still have access? When did you connect to their VPN?"
MUNEEB: "10 minutes before their stupid meeting."
SOHAIB: "You might still have access to it until the end of the day. Until at least 6 hours."
MUNEEB: "Don't worry about it man. Don't worry about it."
SOHAIB: "I see you are cleaning out their database backups."
MUNEEB: "Don't worry about it. You don't do nothing. Don't try nothin'. They are looking at you, they are not looking at me."
SOHAIB: "[G]oing to RDP into their systems and delete all their data."
[inaudible]
SOHAIB: "The ramifications for that would be worse though."
MUNEEB: "What are you talking about? I didn't do nothing. They closed my access when they had that meeting."
SOHAIB: "Alright, if you have good plausible deniability."
SOHAIB and MUNEEB then have additional discussion about deleting backups and changing DNS information.
MUNEEB: "Eh, they can recover from yesterday. [The IT manager] will have some work to do."
MUNEEB and SOHAIB discuss Company-1 customers, including Veteran's Affairs OIG, Education Department OIG, DHS OIG, and customer data.
MUNEEB: "DHS was a big [customer]."
SOHAIB: "Just go into each of them and start the delete process. It will take its time. . . It will eventually delete all their files."
MUNEEB: "Sabes, don't say nothin', OK, don't worry about it."
SOHAIB: "I ain't sayin' shit."
SOHAIB: "You should have thought about it prior, man."
MUNEEB: "What do you mean? Like had a kill script, what do you mean?"
SOHAIB: "Blackmailing them in for some money would've beenβ¦"
MUNEEB: "No, you do not do that. That's proof of guilt, man."
SOHAIB: "No but the thing was you always have your opinion, I could just communicate with their customers."
MUNEEB: "Communicate with their customers is a different thing!"
SOHAIB: "So you're saying these are two separate things?"
MUNEEB: "There ya go. Go say that man, go argue for that, then they'll think you're the one behind this shit."
SOHAIB: ". . . They're gonna probably raid this place."
MUNEEB: "Eh, I'll clean this shit up. I don't got shit."
SOHAIB: "We also gotta clean stuff up from the other house man."
MUNEEB: "Get rid of that shit."
SOHAIB: "Deleting their filesystems would be a harder fix."
MUNEEB: "Mhhmm, especially if you clear it out."
MUNEEB: "Everything that I did, I'm making sure it's protected. That it's clean."
MUNEEB: "Don't worry, we'll go to Texas."
Full transcript from the DOJ filing:
SOHAIB: "Still connected? Still on the VPN?"
SOHAIB: "Delete all their databases?"
MUNEEB: "Eh, they can recover themβ¦backups, I'm pretty sure."
SOHAIB: "Daily backups?"
MUNEEB: "Yup."
SOHAIB: "What's the plan [then]? We gonna take care of severance or are we gonna do something aboutβ¦" "Should we retort to whatever they send us by saying we need $25,000 each? Hm?"
MUNEEB: "We are doing petty shit now."
MUNEEB: "I'm going to wipe my computer clean."
SOHAIB: "I can't access the system but I still have the email address for their customers for eCase and FOIAXpress."
MUNEEB and SOHAIB discuss being compensated by Company-1.
MUNEEB: "I'm not gonna threaten them shit, that's like could be shown as some sort of . . ."
SOHAIB: "It depends on how you write it. Just say, 'according to our previous agreement, this is the tally of the amount that I've been [paid], if you pay it up front, then I have no reason to communicate with customers.'"
MUNEEB: "I'm good."
SOHAIB: "Whatcha working on man?"
MUNEEB: "Nothing important, man."
SOHAIB: "Why won't you tell me? I ain't gonna snitch."
MUNEEB: "Don't need to. Don't worry about it."
MUNEEB: "People are logged out for the day, this is the perfect time."
SOHAIB: "How do you still have access? When did you connect to their VPN?"
MUNEEB: "10 minutes before their stupid meeting."
SOHAIB: "You might still have access to it until the end of the day. Until at least 6 hours."
MUNEEB: "Don't worry about it man. Don't worry about it."
SOHAIB: "I see you are cleaning out their database backups."
MUNEEB: "Don't worry about it. You don't do nothing. Don't try nothin'. They are looking at you, they are not looking at me."
SOHAIB: "[G]oing to RDP into their systems and delete all their data."
[inaudible]
SOHAIB: "The ramifications for that would be worse though."
MUNEEB: "What are you talking about? I didn't do nothing. They closed my access when they had that meeting."
SOHAIB: "Alright, if you have good plausible deniability."
SOHAIB and MUNEEB then have additional discussion about deleting backups and changing DNS information.
MUNEEB: "Eh, they can recover from yesterday. [The IT manager] will have some work to do."
MUNEEB and SOHAIB discuss Company-1 customers, including Veteran's Affairs OIG, Education Department OIG, DHS OIG, and customer data.
MUNEEB: "DHS was a big [customer]."
SOHAIB: "Just go into each of them and start the delete process. It will take its time. . . It will eventually delete all their files."
MUNEEB: "Sabes, don't say nothin', OK, don't worry about it."
SOHAIB: "I ain't sayin' shit."
SOHAIB: "You should have thought about it prior, man."
MUNEEB: "What do you mean? Like had a kill script, what do you mean?"
SOHAIB: "Blackmailing them in for some money would've beenβ¦"
MUNEEB: "No, you do not do that. That's proof of guilt, man."
SOHAIB: "No but the thing was you always have your opinion, I could just communicate with their customers."
MUNEEB: "Communicate with their customers is a different thing!"
SOHAIB: "So you're saying these are two separate things?"
MUNEEB: "There ya go. Go say that man, go argue for that, then they'll think you're the one behind this shit."
SOHAIB: ". . . They're gonna probably raid this place."
MUNEEB: "Eh, I'll clean this shit up. I don't got shit."
SOHAIB: "We also gotta clean stuff up from the other house man."
MUNEEB: "Get rid of that shit."
SOHAIB: "Deleting their filesystems would be a harder fix."
MUNEEB: "Mhhmm, especially if you clear it out."
MUNEEB: "Everything that I did, I'm making sure it's protected. That it's clean."
MUNEEB: "Don't worry, we'll go to Texas."
π€£12β€5π1
π¨π₯ Threat actor DragonForce has claimed a new healthcare-sector extortion hit involving ouradvancedhealth[.]com. The listing claims the group obtained 2.3 million lines of "full patient data," along with partner agreements, management files, payroll records, and HR files.
After deduplication across 179 patient files, the dataset resolves to almost 2 million unique patient records, including minors. Folder NetData/ also contains eClinicalWorks artifacts, and Departments/Payor Contracting holds carrier contracts with major insurers.
DragonForce told us they gained access through a vulnerable remote monitoring and management tool that was exposed.
The actor also posted a timed pressure tactic, claiming it will leak 1,000 lines of patient data per day until it is paid or the countdown expires.
A file tree linked to the alleged exfil suggests the scope is far broader than a single clinic. The folder PatientData/ contains roughly 200 subdirectories, one per medical practice.
We have not verified the entirety of the stolen-data claim, reviewed the alleged sample, or confirmed the incident with the victim organization. Public records for ouradvancedhealth[.]com point to AdvancedHEALTH in Nashville, Tennessee, while the ransomware listing names Advanced Medical Consultants.
If confirmed, the incident would represent a significant healthcare data exposure with possible patient privacy, payroll, HR, and partner-contract impact, and likely federal HIPAA and state-level reporting obligations given the volume of minor records.
After deduplication across 179 patient files, the dataset resolves to almost 2 million unique patient records, including minors. Folder NetData/ also contains eClinicalWorks artifacts, and Departments/Payor Contracting holds carrier contracts with major insurers.
DragonForce told us they gained access through a vulnerable remote monitoring and management tool that was exposed.
The actor also posted a timed pressure tactic, claiming it will leak 1,000 lines of patient data per day until it is paid or the countdown expires.
A file tree linked to the alleged exfil suggests the scope is far broader than a single clinic. The folder PatientData/ contains roughly 200 subdirectories, one per medical practice.
We have not verified the entirety of the stolen-data claim, reviewed the alleged sample, or confirmed the incident with the victim organization. Public records for ouradvancedhealth[.]com point to AdvancedHEALTH in Nashville, Tennessee, while the ransomware listing names Advanced Medical Consultants.
If confirmed, the incident would represent a significant healthcare data exposure with possible patient privacy, payroll, HR, and partner-contract impact, and likely federal HIPAA and state-level reporting obligations given the volume of minor records.
π3π€3
βΌοΈπ¨ BREAKING: We found out Italian newspaper la Repubblica and other outlets are spreading a fake photo of the suspect of the Modena car attack, Salim el Koudri.
We used OSINT techniques to find his real photo and location.
As of today, la Repubblica has still not removed the photo of the fake suspect.
We located the Strava account of Modena car attack suspect Salim el Koudri. Full name, location, and profile picture are all visible on the profile.
We used OSINT techniques to find his real photo and location.
As of today, la Repubblica has still not removed the photo of the fake suspect.
We located the Strava account of Modena car attack suspect Salim el Koudri. Full name, location, and profile picture are all visible on the profile.
π±8π4β€3π―1
βΌοΈπ¨ BREAKING: Cloudflare's CISO just published what Anthropic's unreleased Mythos did against more than 50 of their own production repos. According to him, Mythos is too powerful and must "include additional safeguards" before releasing to the public.
Turns out the model can chain multiple low-severity bugs into a single severe exploit with a working PoC, where previous frontier models would stop at "interesting bug, unclear if exploitable."
At triage time, that means fewer hedged findings and less time spent asking "is this even real?" A finding that arrives with a PoC is a finding you can act on.
Cloudflare is also explicit about the safety side. The Mythos Preview build provided for Project Glasswing did not include the safeguards present in generally available models like Opus 4.7 or GPT-5.5. The model's organic refusals are real, but Cloudflare states they are not consistent enough to serve as a complete safety boundary on their own, and that any cyber frontier model made generally available in the future must ship with additional safeguards on top of that baseline.
Interesting detail: Cloudflare was not on the original Project Glasswing launch partner list with Apple, AWS, Google, Microsoft, CrowdStrike, and others. Instead they got invited later on.
https://blog.cloudflare.com/cyber-frontier-models/
Turns out the model can chain multiple low-severity bugs into a single severe exploit with a working PoC, where previous frontier models would stop at "interesting bug, unclear if exploitable."
At triage time, that means fewer hedged findings and less time spent asking "is this even real?" A finding that arrives with a PoC is a finding you can act on.
Cloudflare is also explicit about the safety side. The Mythos Preview build provided for Project Glasswing did not include the safeguards present in generally available models like Opus 4.7 or GPT-5.5. The model's organic refusals are real, but Cloudflare states they are not consistent enough to serve as a complete safety boundary on their own, and that any cyber frontier model made generally available in the future must ship with additional safeguards on top of that baseline.
Interesting detail: Cloudflare was not on the original Project Glasswing launch partner list with Apple, AWS, Google, Microsoft, CrowdStrike, and others. Instead they got invited later on.
https://blog.cloudflare.com/cyber-frontier-models/
π5π5β€2
π¨π INTERPOL carried out Operation Ramz, the first cyber operation in the MENA region with 201 arrests, 382 additional suspects identified, 3,867 victims, and 53 servers seized across 13 countries.
The operation ran from October 2025 to February 28, 2026, and targeted phishing, malware, and cyber scam infrastructure. Around 8,000 pieces of data and intelligence were shared between participating countries: Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia, and UAE.
Jordanese Police pinpointed a computer running fraudulent "trading platform" scams. A raid found 15 people running the scams, but investigators determined they were victims of human trafficking, recruited under false employment promises from Asia, passports confiscated on arrival, and forced into the scheme. Two suspects orchestrating the operation were arrested.
Other notable hits:
- Algeria dismantled a phishing-as-a-service operation, with one arrest and a server, computer, phone, and hard drives seized
- Morocco seized devices containing banking data and phishing tools, with three individuals in judicial proceedings
- Qatar identified compromised devices whose owners were themselves cyberattack victims unknowingly spreading malware
- Oman disabled a private-residence server holding sensitive information that had been infected with malware
Private-sector partners included Group-IB, Kaspersky, Shadowserver Foundation, Team Cymru, and TrendAI.
https://www.interpol.int/News-and-Events/News/2026/201-arrests-in-first-of-its-kind-cybercrime-operation-in-MENA-region
The operation ran from October 2025 to February 28, 2026, and targeted phishing, malware, and cyber scam infrastructure. Around 8,000 pieces of data and intelligence were shared between participating countries: Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia, and UAE.
Jordanese Police pinpointed a computer running fraudulent "trading platform" scams. A raid found 15 people running the scams, but investigators determined they were victims of human trafficking, recruited under false employment promises from Asia, passports confiscated on arrival, and forced into the scheme. Two suspects orchestrating the operation were arrested.
Other notable hits:
- Algeria dismantled a phishing-as-a-service operation, with one arrest and a server, computer, phone, and hard drives seized
- Morocco seized devices containing banking data and phishing tools, with three individuals in judicial proceedings
- Qatar identified compromised devices whose owners were themselves cyberattack victims unknowingly spreading malware
- Oman disabled a private-residence server holding sensitive information that had been infected with malware
Private-sector partners included Group-IB, Kaspersky, Shadowserver Foundation, Team Cymru, and TrendAI.
https://www.interpol.int/News-and-Events/News/2026/201-arrests-in-first-of-its-kind-cybercrime-operation-in-MENA-region
π±4