The Hacker News
⭐ Official THN Telegram Channel — A trusted, widely read, independent source for breaking news and tech coverage about cybersecurity and hacking.

📨 Contact: admin@thehackernews.com

🌐 Website: https://thehackernews.com
🧐 “Microsoft Teams” download from X? It’s likely malware.

Read: https://thehackernews.com/2026/05/weekly-recap-linux-flaws-defender-0.html#:~:text=Fake%20Microsoft%20Teams%20Sites%20Deliver%20ValleyRAT

Fake sites push trojanized ZIPs. NSIS installer drops real Teams (looks clean) + uses legit Tencent GameBox.exe to sideload Utility.dll → deploys ValleyRAT (SilverFox group).

Adds Defender exclusions, in-memory decryption, hidden files, and _CCGDAT service for persistence.
🔥 GlassWorm disrupted.

Read - https://thehackernews.com/2026/05/glassworm-malware-takedown-disrupts.html

The malware poisoned 300+ GitHub repositories through:

• Malicious VS Code extensions
• Compromised npm packages
• Trojanized Python packages

Its infrastructure used Solana, BitTorrent DHT, Google Calendar, and VPS servers as resilient C2 layers — all now neutralized.
AI agents aren't taking over humanity… yet. But they are multiplying in places you probably can't see, especially if you’re relying only on API-based agent discovery.

That limitation stops today. Nudge Security is the first solution provider to offer browser-based agentic AI discovery, extending agent visibility to more of the platforms where your teams are building agents.

With Nudge Security you can:
✅ Discover agents across 20+ platforms
✅ Inventory agent permissions, resources, and capabilities
✅ Surface risky integrations, publicly accessible agents, hardcoded credentials, and other risks
✅ Nudge agent creators to confirm purpose, justify use, and remediate risks

Take control of agentic AI risks with a free trial of Nudge Security. Get started here: https://thn.news/ai-agent-discovery
Employees are secretly using 3–5 AI tools every day — most unapproved by IT.

They’re connecting straight to company emails, docs & drives via OAuth, bypassing security entirely.

Smart fix: Don’t ban it. Build a fast, safe approval path instead.

Get new 5-step playbook to manage Shadow AI without slowing teams down → https://thehackernews.com/2026/05/5-steps-to-managing-shadow-ai-tools.html
Malware that can’t be taken down?

Void Botnet — Rust loader using Ethereum smart contracts for seizure-resistant C2.

https://thehackernews.com/2026/05/weekly-recap-linux-flaws-defender-0.html#:~:text=Void%20Botnet%20Uses%20Ethereum%20Smart%20Contracts%20for%20C2

Built by TheVoidStl, sold on crime forums. ~1.5MB Windows binary with dual modes:

🔸 Blockchain: Commands via smart contract, bots poll RPCs (3-5 min)
🔸 Direct: Web panel (<30s)
⚠️ WARNING - A malicious npm package was caught stealing files from Claude AI users’ /mnt/user-data directories and uploading them to attacker-controlled GitHub repositories.

Check your installed packages: https://thehackernews.com/2026/05/malicious-npm-package-stole-files-from.html

The package, “mouse5212-super-formatter,” used npm postinstall scripts, hard-coded GitHub tokens, and fake network logs to hide the theft.

Downloaded 676 times so far.
Most breaches slip in as “normal” activity.

Top SOCs shrink uncertainty before it becomes an incident using 3 steps:

◾️ Fresh sandbox IOCs (domains, C2s) auto-updating SIEM/EDR
◾️ One-click alert context: malware family, behavior & execution chain
◾️ Automated sandbox reports with AI summaries & visual chains

Prevention happens before the incident gets a name.
Read the full 3 steps → https://thehackernews.com/2026/05/3-soc-steps-that-shut-down-incident.html
🛑 Banking malware is hiding in WebRTC traffic on Windows while Android RATs spread via fake Google Play pages.

Read - https://thehackernews.com/2026/05/grandoreiro-malware-and-btmob-rat.html

• Grandoreiro targets Portugal, Spain, and Mexico using DLL side-loading.

• BTMOB targets Brazil with phishing, remote control, and banking theft features.
⚠️ JINX-0164, a new threat actor, targets crypto firms with fake LinkedIn recruiter messages and custom macOS malware.

Active since mid-2025, it deploys AUDIOFIX — a Python-based infostealer and RAT that steals credentials and targets CI/CD systems.

Victims are directed to rogue domains that mimic video calls or software driver updates. A bash script installs the malware, which disguises itself as a legitimate audio driver.

The actor also delivered MiniRAT — a Go-based backdoor — by compromising the npm package velora-dex/sdk.

Tactics resemble some North Korean groups, but no infrastructure links have been found.

Full report: https://thehackernews.com/2026/05/jinx-0164-targets-cryptocurrency-firms.html
Ransomware beats most "successful" backups.

Attackers poison identities, configs, and persistence — not just files.
Subramani Rao (Acronis) shows how to safely test full recovery in isolated clean-room environments, scan during restore, and validate complete systems.

Full guide: https://thehackernews.com/expert-insights/2026/05/how-to-test-ransomware-recovery-without.html
⚠️ Enterprise AI risk is heavily concentrated among a small group of power users and personal accounts.

LayerX Security’s 2026 report shows the top 5% of employees generate 144+ conversations each. Nearly half of all enterprise AI conversations use personal identities. Over 6% contain sensitive data.

Most organizations lack full visibility.

Full report: https://thehackernews.com/2026/05/new-ai-usage-report-enterprise-ai-risk.html
AI has changed phishing forever.

Today’s attacks are polished, personalized and often AI-generated — making them harder to detect than ever before.

The old “spot the typo” approach no longer works.

Modern phishing attacks can mimic executives, vendors and trusted brands with alarming accuracy, putting MSPs and their clients at greater risk.

To stay ahead, MSPs need:
✅ AI-powered threat detection
✅ Faster impersonation detection
✅ Real-time user coaching
✅ Layered cyber resilience

See how INKY by Kaseya helps stop advanced phishing and AI-powered email threats: https://thn.news/kaseya-inky-demo
⚑ ThreatsDay Bulletin (May 28, 2026) – Security teams, here are the 17 key updates you need today.

Key updates:
• Anthropic launches #Claude code security plugin
• Kali365 kit bypasses Microsoft 365 MFA
• 1,300+ malicious C2 servers found in Middle East
• FIFA World Cup 2026 scam surge begins
• #Microsoft patches Azure AKS priv-esc flaw
• Silent Ransom Group impersonates IT support
• GhostTree bypasses Windows security tools
• CISA adds DAEMON Tools to KEV catalog

Plus 9 more: Apple post-quantum crypto release, WaSteal #WhatsApp stealer extensions, fake GitHub installers, and phishing campaigns.

Full bulletin here: https://thehackernews.com/2026/05/threatsday-bulletin-claude-security.html
🔥 Microsoft Slams Public Zero-Day Disclosures for putting Windows users at risk.

A researcher recently disclosed multiple zero-days in Defender, BitLocker and other components. Three are now under active exploitation.

GitHub removed the researcher’s account. A new GitLab account was also blocked.

Read the full story: https://thehackernews.com/2026/05/microsoft-slams-public-zero-day.html
⚠️ Threat actors are exploiting a critical FortiClient EMS flaw to push credential-stealing malware to entire networks of managed endpoints.

CVE-2026-35616 (CVSS 9.1) allows pre-auth bypass and privilege escalation.

Hackers disguise the payload as a legitimate Fortinet update.

Read full report: https://thehackernews.com/2026/05/threat-actors-exploit-critical.html
⚠️ Critical UNPATCHED 9.4 RCE flaw in Gogs lets any authenticated user execute arbitrary code on the server.

An attacker can simply use a malicious branch name during the rebase-before-merge process. No admin rights or victim interaction needed.

Full compromise can expose every repository on the instance, including private ones from other users, and open the door to further network attacks.

Rapid7 has published a Metasploit module that automates the exploit. Strong recommendation to lock down user and repository creation until a fix arrives.

No CVE issued. Full report and mitigations: https://thehackernews.com/2026/05/critical-gogs-rce-vulnerability-lets.html
⚠️ Kimsuky is hitting South Korean military and corporate targets with HTTPSpy RAT through fake security software pages and spoofed Webex meetings.

The group is also expanding its arsenal with HelloDoor backdoor and VS Code tunneling for stealthier attacks.

Read full report: https://thehackernews.com/2026/05/kimsuky-deploys-httpspy-expands-arsenal.html
⚠️ Two new #Android NFC relay malware families — DevilNFC and NFCMultiPay — are targeting banking customers in Europe and Latin America.

These tools, developed with possible AI assistance, steal card PINs. DevilNFC even locks victims in a fake interface using Kiosk Mode while relaying card data.

Local threat actors are now building their own tools instead of relying on Chinese MaaS platforms.

Read this story: https://thehackernews.com/2026/05/weekly-recap-linux-flaws-defender-0.html#:~:text=DevilNFC%20and%20NFCMultiPay%20Android%20NFC%20Relay%20Malware
⚠️ Malicious Sicoob NuGet steals Brazilian bank credentials while npm packages target AWS and CI/CD secrets.

The fake "Sicoob.Sdk" versions 2.0.0–2.0.4 exfiltrate client IDs, PFX certificates, and passwords. It was downloaded nearly 500 times.

Multiple npm packages from one actor also steal cloud and pipeline secrets.

Full report: https://thehackernews.com/2026/05/malicious-sicoob-nuget-steals-banking.html
⚠️ A previously unknown threat actor has been quietly targeting #Ukraine since at least August 2025.

GREYVIBE uses spear-phishing, fake CAPTCHA pages, and fraudulent websites to deliver custom #malware to military, government, civilian, and business targets.

Researchers also found evidence of AI-assisted malware development and links to the cybercrime ecosystem.

Full report: https://thehackernews.com/2026/05/new-russian-linked-greyvibe-targets.html
⚑ AI is making DDoS attacks faster, smarter, and far more dangerous.

Attackers are now using AI to discover weak spots, create new attack vectors, and scale assaults with terrifying efficiency.

Join our next expert webinar: "A New Perspective on #DDoS Attacks in the Age of AI"

Learn real-world examples of AI-powered attacks and practical ways to defend against them — before they hit you.

👉 Register Now (Free): https://thehacker.news/ai-ddos-attacks