🔫 Telegram Mini Apps weaponized for crypto fraud and malware delivery
Researchers have identified a large-scale fraud operation dubbed FEMITBOT exploiting Telegram's Mini App feature to run cryptocurrency scams, impersonate major brands including Apple, NVIDIA, and Disney, and distribute Android malware. The platform uses Telegram bots to launch phishing pages within the app's WebView, creating fake dashboards with fraudulent balances and countdown timers to pressure victims into deposits, while some campaigns push malicious APK files.
CTM360's analysis shows the operation employs shared API responses across multiple domains, tracking pixels, and TLS-validated hosting for rapid rebranding. Users should avoid sideloading APK files and exercise caution with bots requesting deposits or app downloads.
🛰️ Open sources - closed narratives
@sitreports
⚡ CISA Adds Linux Root Escalation Flaw to Active Exploit Catalog
The U.S. Cybersecurity and Infrastructure Security Agency has added CVE-2026-31431, a Linux privilege escalation vulnerability enabling root access, to its Known Exploited Vulnerabilities catalog. The agency confirmed active exploitation in the wild, triggering mandatory patching requirements for federal agencies under Binding Operational Directive 22-01.
The inclusion signals threat actors are actively leveraging the flaw in ongoing campaigns. Linux systems across enterprise and containerized environments face elevated risk, particularly where privilege boundaries are critical to segmentation and containment strategies.
🔍 Google Restructures Bug Bounty Programs Amid AI Surge
Google has overhauled its Vulnerability Reward Programs for Android and Chrome, responding to AI-driven automation flooding submissions with low-quality reports. Android's top reward for Pixel Titan M zero-click exploits rises to $1.5M, while Chrome base payouts drop to $500 as Google shifts focus toward quality over quantity. The company now prioritizes complete proof-of-concept submissions with proposed fixes.
Despite individual payout reductions, Google expects total 2026 rewards to exceed 2025's record $17.1M, signaling an evolution in how tech giants balance automation with meaningful security research.
🔫 Progress patches critical MOVEit Automation authentication bypass
Progress Software fixed two vulnerabilities in MOVEit Automation, including CVE-2026-4670, a critical authentication bypass flaw, and CVE-2026-5174, a privilege escalation issue. The bugs affect versions up to 2025.1.4, 2025.0.8, and 2024.1.7, with no workarounds available. Airbus SecLab researchers discovered and reported the flaws to Progress.
The vulnerabilities pose a mass-exploitation risk similar to the 2023 MOVEit Transfer incident, when the Cl0p ransomware gang compromised approximately 1,000 organizations and exposed over 60 million records. Authentication bypass flaws in widely deployed enterprise file transfer systems enable rapid lateral movement and data theft at scale.
🔫 Weaver E-cology RCE Exploited Days After Patch
CVE-2026-22679, a critical unauthenticated RCE vulnerability in the Weaver E-cology office automation platform, has been exploited in the wild since mid-March, five days after the patch was released. Attackers leveraged an exposed debug API endpoint to execute system commands, deploying reconnaissance tooling and PowerShell payloads, primarily against Chinese enterprise deployments. Exploitation attempts were blocked by endpoint defenses, and no persistent access was achieved.
The vendor removed the vulnerable debug endpoint entirely in the March 12 build. No workarounds are available: organizations running E-cology 10.0 must upgrade immediately, as documented by Vega researchers. The attack pattern indicates opportunistic scanning after disclosure rather than a targeted intrusion campaign.
🔍 Critical cPanel Vulnerability Exploited in Global Campaign
Attackers are actively exploiting CVE-2026-41940, a critical flaw in cPanel infrastructure, to compromise government and managed service provider networks. Security Affairs reports that campaigns have been detected across Southeast Asia, the United States, and Canada, targeting high-value administrative environments.
The focus on MSPs represents a supply chain approach, enabling attackers to pivot into multiple downstream client networks through compromised hosting infrastructure. The vulnerability's severity and confirmed exploitation indicate immediate patching priority for organizations running affected cPanel versions.
🔫 Army Seeks VTOL Battalion Drone to Close Tactical Reconnaissance Gaps
The U.S. Army issued an urgent call for a production-ready vertical take-off drone to address "reconnaissance and security gaps" at battalion level. The Battalion Reconnaissance UAS must weigh under 55 pounds, fly over 40 kilometers for more than five hours, operate autonomously in contested spectrum, and integrate AI-enabled target detection with modular lethal munitions, according to the solicitation notice. Industry responses are due May 5.
The requirement reflects lessons from Ukraine's drone-saturated battlefield, where legacy fixed-wing systems like the RQ-11 Raven proved inadequate.
📡 Amazon SES Hijacked for Large-Scale Phishing Operations
Amazon Simple Email Service is facing widespread abuse as threat actors exploit exposed AWS IAM credentials to send authenticated phishing emails that bypass standard security filters. Kaspersky researchers report an uptick in attacks leveraging leaked access keys from GitHub repositories, Docker images, and public S3 buckets, with automated bots scanning for exposed secrets at scale.
The abuse enables high-quality phishing campaigns including fake DocuSign notifications and sophisticated BEC attacks with fabricated email threads. Because SES emails pass SPF, DKIM, and DMARC checks, traditional reputation-based blocking proves ineffective without disrupting legitimate AWS email traffic.
🔫 Phishing Campaign Targets 80+ Organizations via RMM Tools
A coordinated phishing campaign has compromised over 80 organizations by weaponizing legitimate remote monitoring and management platforms SimpleHelp and ScreenConnect. Attackers delivered credential-harvesting pages and deployed remote access tools through phishing lures, according to reporting published May 4.
The abuse of trusted RMM software enables attackers to maintain persistent access while evading security controls designed to block malicious binaries. Organizations using these platforms face elevated risk of lateral movement and data exfiltration once initial access is established through social engineering.
🔫 PyTorch Lightning Supply Chain Attack Deploys Credential Stealer
Version 2.6.3 of the PyTorch Lightning package on PyPI was compromised to deliver ShaiWorm, an information stealer targeting browser credentials, environment files, API keys, and cloud service tokens. The malicious code executed automatically upon import, spawning a background process that downloaded a JavaScript runtime and obfuscated payload. The package, which had over 11 million downloads last month, was disclosed by developers on April 30 after Microsoft Defender detected the threat.
Users who imported version 2.6.3 are advised to immediately rotate all secrets, keys, and tokens. The package has been reverted to version 2.6.1 while maintainers investigate the pipeline breach.
🔍 Trellix Discloses Source Code Repository Breach
Cybersecurity firm Trellix, formed from the 2021 merger of McAfee Enterprise and FireEye, confirmed unauthorized access to a portion of its source code repository. The company, which serves over 50,000 business and government customers protecting 200 million endpoints, is working with forensic experts and has notified law enforcement. According to reporting, no evidence has been found that the code was exploited or altered.
The incident adds Trellix to a growing list of cybersecurity vendors breached in 2026, including Checkmarx, which confirmed LAPSUS$ leaked stolen GitHub data, and Cisco, whose development environment was compromised in the Trivy supply chain attack. Details remain limited on how attackers gained access or whether ransom demands were issued.
🔫 Army Awards AeroVironment Switchblade 400 Contract for LASSO Program
The U.S. Army has awarded AeroVironment a prototype agreement for its Switchblade 400 loitering munition to support the Low Altitude Stalking and Strike Ordnance (LASSO) program. The 39-pound SB 400 can destroy moving tanks and armored vehicles at ranges up to 65 kilometers with 35-minute endurance, featuring EO/IR sensors and aided target recognition. The system can be deployed by a single soldier in under five minutes.
LASSO addresses mobile brigade combat teams' shortfall in organic long-range direct fire against armored targets. The Army is requesting $110 million for LASSO procurement in FY2027, according to Defense Scoop reporting, with nearly $1.2 billion planned through FY2031.
🔍 Silver Fox Targets India and Russia with Tax-Themed Malware Campaign
The Silver Fox threat actor has deployed ABCDoor malware through phishing emails disguised as tax-related communications targeting organizations in India and Russia. The campaign leverages social engineering around tax filing deadlines to establish persistent network access through the custom backdoor.
The operation demonstrates continued threat actor preference for financial and governmental themes in initial compromise vectors. ABCDoor deployment indicates focus on sustained intelligence collection rather than immediate financial gain, consistent with espionage-motivated intrusion patterns in both target regions.
🤖 India's securities regulator orders immediate infosec review amid Mythos threat
India's Securities and Exchange Board issued an advisory to 19 classes of financial entities directing immediate security audits in response to AI-driven vulnerability detection tools like Anthropic's Claude Mythos. The regulator warned such tools enable exploitation at unprecedented speed and scale, according to The Register. A dedicated taskforce will coordinate threat intelligence and review vendor security.
The directive mandates baseline controls—patch management, API hardening, zero-trust implementation—alongside AI-augmented SOC transformation. India's proactive alert differs from softer US, Singapore, and Australian guidance, positioning it as an operational readiness mandate rather than advisory.
🔫 Quasar Linux implant weaponizes developer infrastructure
A previously undocumented Linux malware dubbed Quasar Linux (QLNX) is targeting software developers with combined rootkit, RAT, and credential-stealing capabilities. The implant operates in-memory, dynamically compiles rootkit modules using gcc, deploys seven persistence mechanisms including LD_PRELOAD and systemd, and harvests SSH keys, cloud credentials, and browser data from DevOps environments.
According to Trend Micro analysis, QLNX combines userland LD_PRELOAD hooks with kernel-level eBPF rootkit components to evade detection, enabling supply-chain compromise by positioning attackers inside development pipelines with stolen credentials. Only four security solutions currently flag the binary as malicious.
📄 ShinyHunters Claims 280M Records from 8,800 Educational Institutions
Education technology firm Instructure, operator of the Canvas learning management system, confirmed a data breach after the ShinyHunters extortion gang claimed theft of 280 million records spanning students, teachers, and staff across 8,809 colleges, school districts, and online platforms. The attackers allegedly exploited Canvas data export features including DAP queries, provisioning reports, and user APIs to harvest user records, private messages, and enrollment data.
Multiple universities including CU Boulder and Rutgers have issued breach notifications, though according to reporting, Instructure has not responded to media inquiries regarding the full scope of impact.
🤖 82nd Airborne Division operates AI-enabled C2 hub for Strait of Hormuz operations
The U.S. Army's 82nd Airborne Division is coordinating over 100 aircraft, drones, ships and sensors through AI-augmented joint all-domain command and control networks during Project Freedom operations in the Strait of Hormuz. Gen. Dan Caine stated the unit now functions beyond traditional airborne assault roles, synchronizing multi-domain effects in real time to protect commercial shipping. Over 1,550 vessels carrying 22,500 mariners remain trapped in the Arabian Gulf.
The deployment implements next-generation tactical networks, providing continuous overwatch against Iranian drone and small boat threats while maintaining the ceasefire established after Operation Epic Fury.
🤖 OpenAI Grants US Government Early Access to GPT-5.5 for Security Evaluation
OpenAI provided the U.S. government with pre-release access to its GPT-5.5 model for national security testing, according to company executive Chris Lehane. The disclosure marks a continuation of OpenAI's practice of allowing federal agencies to assess advanced AI systems before public deployment.
The arrangement reflects growing integration between frontier AI developers and national security apparatus, enabling government evaluation of potential risks including dual-use capabilities, information operations vulnerabilities, and emergent behaviors in increasingly capable language models.