Daily Digest

Prevention is dead. Long live recovery. Modern cyberattacks aren't just knocking on your door anymore—they're already inside, using AI-generated phishing, trusted SaaS platforms, and business email compromise to slip past your defenses before you even know they're there. That's why BleepingComputer is hosting a critical webinar on May 14, 2026, with Kaseya's Austin O'Saben. The message is stark: if your cybersecurity strategy stops at prevention, you're already vulnerable. Every MSP, IT team, and business leader needs to hear why backup and recovery are now non-negotiable layers of defense.

**What exactly happened** On Thursday, May 14, 2026, at 2:00 PM ET, BleepingComputer will host a live webinar titled "From phishing to fallout: Why MSPs must rethink both security and recovery." The session, featuring Austin O'Saben from Kaseya, tackles a painful truth: modern cyberattacks have evolved beyond simple malware or isolated phishing emails. Attackers now combine AI-generated phishing, business email compromise, ransomware, and SaaS abuse into multi-stage campaigns designed to bypass traditional defenses and cause maximum disruption. **Who is affected and how** MSPs and IT teams are on the front lines—but every organization that relies on SaaS platforms, email, and cloud infrastructure is at risk. Attackers exploit trusted infrastructure and legitimate platforms to launch highly personalized attacks. Even when suspicious activity is detected, most organizations struggle to contain the damage before operations are disrupted or data is lost. The webinar specifically targets those who manage IT for others, but the lessons apply broadly to any business leader responsible for cyber resilience. **The real-world impact and consequences** The core argument is simple but uncomfortable: prevention alone is no longer enough. Modern attacks are designed to bypass defenses, exploit trusted platforms, and disrupt operations before organizations can fully respond. But the real danger comes after the initial compromise. Without reliable backup and recovery strategies, even contained attacks can lead to prolonged downtime, permanent data loss, and severe operational disruption. The webinar argues that recovery is now a core component of cybersecurity—not an afterthought. **Technical breakdown** The session will dive into several key technical challenges: First, AI-driven phishing and brand impersonation are outpacing traditional email security tools. Attackers can now craft convincing messages at scale, making it harder for filters and training to keep up. Second, attackers leverage trusted infrastructure and legitimate SaaS platforms to bypass defenses. This means security tools that only look for "bad" signals often miss attacks that hide inside "good" services. Third, most security strategies fail after initial compromise. Detection alone isn't enough—organizations need rapid containment and recovery capabilities to minimize damage. The webinar will also cover why SaaS backups and business continuity and disaster recovery (BCDR) plans are now critical layers of cyber resilience. **What should be done** Attendees will learn how to combine prevention, detection, backup, and rapid recovery into a unified strategy. The key takeaway: organizations need to strengthen both their security posture and their recovery readiness. This means investing in SaaS backups, BCDR planning, and incident response processes that assume a breach will happen. Kaseya's approach focuses on providing solutions that help organizations improve resilience across all these areas, from cybersecurity to backup to IT management. **Why this matters in the bigger cybersecurity landscape** This webinar reflects a fundamental shift in how the industry thinks about defense. For years, the mantra was "prevent everything." But attackers have adapted, and the goalposts have moved. Now, the question isn't if you'll be breached—it's how quickly you can recover. For MSPs and IT teams, this means rethinking budgets, priorities, and strategies. Prevention still matters, but it's no longer the whole picture. Recovery is now a first-class citizen in cybersecurity. Don't miss this opportunity to learn why modern attacks require both strong security and fast recovery capabilities.

A new strain of the TrickMo Android banking malware is now using Telegram’s TON blockchain to hide its command-and-control traffic. This isn’t just another update—it’s a tactical shift that makes takedowns nearly impossible. The malware is currently targeting users in France, Italy, and Austria, disguised as TikTok or streaming apps. If you use a banking app or crypto wallet on Android, you’re in the crosshairs.

**What exactly happened** ThreatFabric researchers uncovered a new TrickMo variant, dubbed “TrickMo.C,” that’s been active since January 2025. The malware is delivered via fake TikTok and streaming apps, targeting banking credentials and cryptocurrency wallets. The headline feature? It now uses The Open Network (TON) for command-and-control (C2) communications. TON is a decentralized peer-to-peer network originally built around Telegram. **Who is affected and how** The campaign is currently focused on users in France, Italy, and Austria. The malware hides inside seemingly harmless apps, then steals login credentials, intercepts SMS-based OTPs, and even records your screen. If you’ve sideloaded an app from outside Google Play recently, you’re at higher risk. The malware doesn’t just target banks—it also goes after crypto wallets. **The real-world impact and consequences** Traditional takedown methods are now useless. Because TON uses .ADNL addresses instead of standard domains, security teams can’t just block a domain or IP. The C2 traffic is encrypted and mixed with regular TON traffic, making it invisible to network-level detection. This means the malware can operate for longer without being disrupted. **Technical breakdown** Here’s how it works: The malware embeds a local TON proxy on the infected device. This proxy communicates with the operator’s server using a 256-bit identifier instead of a normal domain. No public DNS, no exposed IPs. The operator’s endpoint exists only inside the TON overlay network. As ThreatFabric explains, “Traffic-pattern detection at the network edge sees only TON traffic, which is encrypted and indistinguishable from any other TON-enabled application's outbound flow.” The new variant also adds a toolkit of network commands: curl, dnsLookup, ping, telnet, traceroute, SSH tunneling, and even authenticated SOCKS5 proxy support. This turns infected devices into stealthy pivot points. **What should be done — mitigation and recommendations** First, only download apps from Google Play. Sideloading is the primary infection vector here. Keep Play Protect active and review app permissions regularly. If you notice unusual battery drain or data usage, run a security scan. Organizations should update their threat detection rules to watch for TON traffic patterns, even if they’re encrypted. **Why this matters in the bigger cybersecurity landscape** This is a wake-up call. Attackers are moving to decentralized networks to evade traditional defenses. TON, blockchain, and other peer-to-peer systems are becoming the new safe havens for malware C2. Security teams can no longer rely on domain blocklists or IP reputation alone. The game has changed—and TrickMo is just the beginning.

Hackers have found a clever new way to turn trust into a weapon. They are poisoning Google Ads and hijacking Claude.ai shared chats to trick Mac users into installing malware. If you search for "Claude mac download," you might see a sponsored ad that looks perfectly safe. But clicking it leads to a fake installation guide that tells you to paste a malicious command into Terminal. One wrong move, and your Mac is compromised. This isn't just a bug—it's a full-blown malvertising campaign targeting anyone looking for a popular AI tool.

**What exactly happened** Security researcher Berk Albayrak uncovered an active malvertising campaign abusing Google Ads and legitimate Claude.ai shared chats. Attackers created sponsored search results for "Claude mac download" that appear to link directly to claude.ai. But when users click, they are redirected to a malicious shared chat on Claude.ai itself. These shared chats are crafted to look like official "Claude Code on Mac" installation guides, complete with a fake "Apple Support" attribution. The chat walks victims through opening Terminal and pasting a Base64-encoded command. That command silently downloads and executes malware on the Mac. **Who is affected and how** Any macOS user searching for the Claude desktop app is at risk. The campaign targets both casual users and professionals who rely on AI tools. Because the attack uses Google Ads and Claude.ai's own platform, it bypasses many traditional security filters. The shared chats are publicly accessible and follow an identical social engineering script. BleepingComputer found a second chat using different domains and payloads, confirming this is a coordinated campaign—not a one-off incident. **The real-world impact and consequences** If a victim follows the instructions, their Mac gets infected with malware that can steal data, install backdoors, or join a botnet. The attack is particularly dangerous because it exploits trust in two legitimate platforms: Google's ad network and Anthropic's Claude.ai. Victims may not realize they've been compromised until it's too late. The malware can run silently in the background, exfiltrating credentials, financial information, or corporate secrets. For businesses, this could mean a full-scale data breach. **Technical breakdown—how it works** The malicious shared chat contains a Base64-encoded command. When pasted into Terminal, it decodes into a shell script that downloads a payload from attacker-controlled domains. In one variant, the payload came from `hxxp://cust...` (truncated for safety). The script then executes the malware with full system permissions. The attackers use different domains and payloads across separate shared chats, making detection harder. Each chat is a self-contained attack vector that can be easily shared or recreated. **What should be done—mitigation and recommendations** First, never paste commands into Terminal from a web page or chat interface—even if it looks official. Always download software directly from the developer's official website. For Claude, that means going to claude.ai and following the official download link. Second, treat sponsored search results with extreme caution. Google Ads can be abused by attackers just like any other ad platform. Bookmark the official download page for any tool you use regularly. Third, organizations should educate employees about this specific attack vector. A simple security awareness reminder can prevent a costly infection. **Why this matters in the bigger cybersecurity landscape** This campaign is a textbook example of "living off the land" attacks. By abusing trusted platforms like Google Ads and Claude.ai, attackers bypass traditional defenses like antivirus and web filters. It also shows how AI tools are becoming attack surfaces—not just for generating phishing emails, but for hosting malicious content. As more users turn to AI assistants for technical tasks, attackers will follow. This is a wake-up call that even legitimate shared chats can be weaponized. The line between helpful and harmful is getting thinner every day.

German authorities just pulled off a takedown that reads like a cybercrime thriller—and it has a twist. They shut down a rebooted version of the infamous Crimenetwork marketplace, arrested its 35-year-old admin in Mallorca, and proved that even the darknet isn't a safe hiding place. This isn't just another bust. It's a warning shot across the bow of every cybercriminal who thinks they can resurrect a dead marketplace overnight. If you're buying or selling stolen data, drugs, or hacking services on the darknet, your risk just went up—big time.

**What exactly happened** German police, working with Spain's National Police, arrested a 35-year-old German man at his home in Mallorca. He was running a rebooted version of Crimenetwork, Germany's largest cybercrime marketplace, just days after the original was taken down in late 2024. The original Crimenetwork had been operating since 2012 with 100,000 registered users. When authorities seized it and arrested its first admin, the new operator rebuilt the entire infrastructure from scratch. He even kept the same name. That bold move backfired spectacularly. **Who is affected and how** The rebooted marketplace quickly attracted 22,000 users and over 100 vendors. Anyone who bought or sold on this platform is now exposed. Police seized transaction data, user records, and approximately €194,000 in illicit assets. For buyers, that means their digital footprints are now in law enforcement's hands. For vendors, the risk is even higher—they're facing potential charges for everything from drug trafficking to data theft. The admin himself faces charges under Germany's Criminal Code and Narcotics Act, both carrying prison time. **The real-world impact and consequences** The new Crimenetwork generated at least €3.6 million in revenue in just a few months. That's $4.2 million flowing into the underground economy. But the bigger story is the message this sends: rebooting a seized marketplace isn't a smart business move. German authorities placed a seizure banner on the site, telling visitors exactly what happened. It's a digital trophy and a deterrent. The original Crimenetwork operator was already sentenced to seven years and 10 months in prison, plus forfeiture of over €10 million. The new admin can expect similar treatment. **Technical breakdown** How did the admin pull off such a fast reboot? He built a completely new technical infrastructure, likely using different servers, domains, and encryption methods. The marketplace offered the same range of illicit goods—stolen data, hacking tools, illegal substances—but on a fresh foundation. Police didn't reveal exactly how they traced the new admin. But the speed of the arrest suggests they had monitoring tools in place, possibly tracking cryptocurrency transactions, server logs, or communication patterns. The European arrest warrant allowed Spanish police to move quickly. **What should be done — mitigation and recommendations** For anyone who used Crimenetwork, the safest move is to assume your data is compromised. Change passwords, monitor financial accounts, and consider legal counsel. For businesses, this bust means stolen data from the marketplace may soon be analyzed, potentially exposing new breaches. Law enforcement agencies should continue this playbook: fast international cooperation, seizure banners, and publicizing arrests. The "cybercrime doesn't pay" message only works when it's backed by visible results. **Why this matters in the bigger cybersecurity landscape** This takedown proves that darknet marketplaces aren't as resilient as criminals think. The admin's mistake was arrogance—rebooting with the same name and similar infrastructure. But the real lesson is that international police coordination is getting faster and smarter. With 22,000 users exposed and €3.6 million seized, this operation shows that even the darknet has blind spots. For cybersecurity professionals, it's a reminder that proactive monitoring and cross-border partnerships are the future of fighting cybercrime. For criminals, it's a clear signal: the reboot failed, and the next one probably will too.

A Brazilian anti-DDoS company, Huge Networks, was caught red-handed launching the very attacks it claims to prevent. An exposed archive revealed the firm’s CEO private SSH keys and custom malware used to power a botnet that has been hammering Brazilian ISPs for years. The CEO blames a security breach and a rival trying to frame him. But the evidence tells a different story, and the implications are staggering: if your DDoS protector is also your attacker, who can you trust?

**What exactly happened** Security researchers tracking a long-running DDoS campaign targeting Brazilian ISPs finally hit a jackpot. An anonymous source shared an exposed archive containing Portuguese-language Python malware and the private SSH keys of Huge Networks CEO. Huge Networks is a Miami-based firm that specializes in DDoS protection for Brazilian network operators. It has no public abuse complaints and isn’t linked to any DDoS-for-hire services. Yet the archive suggests its infrastructure was used to orchestrate massive attacks against its own potential clients. **Who is affected and how** The attacks have been hitting Brazilian ISPs exclusively for several years. The botnet, built from compromised devices, floods targets with traffic, causing service disruptions and financial losses. Any ISP in Brazil that competes with Huge Networks or refuses its services could be at risk. The real victims are everyday internet users in Brazil who experience slow connections or outages. Small and medium ISPs without robust defenses are especially vulnerable. **The real-world impact and consequences** DDoS attacks are not just annoyances. They can cripple businesses, disrupt critical services, and erode trust in the internet. If a company paid to protect you is actually attacking you, the damage is both operational and reputational. The CEO’s claim of a “security breach” is convenient but unproven. If true, it reveals a catastrophic failure in basic security hygiene. If false, it’s a brazen act of sabotage against competitors, turning the cybersecurity industry on its head. **Technical breakdown** The archive contained Python scripts designed to control botnets and launch DDoS attacks. The inclusion of the CEO’s private SSH keys means the attacker (or the CEO) had full administrative access to Huge Networks servers. SSH keys are used for secure remote access. If they were stolen, the attacker could have used them to deploy malware, exfiltrate data, or launch attacks from Huge Networks own infrastructure. The CEO claims a competitor did this to frame his company, but the evidence points to insider knowledge or negligence. **Mitigation and recommendations** For ISPs: Immediately review your DDoS protection provider’s security posture. Demand proof of incident response plans and regular security audits. Consider diversifying your mitigation providers to avoid single points of failure. For Huge Networks: Conduct a full forensic investigation, revoke all compromised keys, and publicly disclose the findings. The CEO’s vague blame game does not inspire confidence. For the industry: This incident underscores the need for transparency and independent verification in cybersecurity services. Trust must be earned, not assumed. **Why this matters in the bigger cybersecurity landscape** This story is a cautionary tale about the fragility of trust in the security industry. If a company built to stop attacks can be weaponized against its own customers, no one is safe. It also highlights the growing sophistication of DDoS-for-hire operations and the blurry line between defender and attacker. The CEO’s mention of a “surprise” for a competitor at an upcoming industry event adds a layer of drama. But for the Brazilian ISPs under siege, the only surprise is that they were paying the enemy all along.

A 24-year-old British hacker who once topped the leaderboard of the English-speaking cybercrime underworld just pleaded guilty to stealing tens of millions of dollars in cryptocurrency. Tyler Robert Buchanan, known online as "Tylerb," admitted to orchestrating a massive SMS phishing campaign in 2022 that breached at least a dozen major tech companies. This isn't just another arrest—it's a major blow to the notorious "Scattered Spider" group, which has been terrorizing corporate America with sophisticated social engineering attacks. If you've ever used LastPass, Twilio, DoorDash, or Mailchimp, your data may have been caught in their net. The real question now: how many more "Tylerbs" are still out there?

**What exactly happened** Tyler Robert Buchanan, a senior member of the cybercrime group Scattered Spider, pleaded guilty to wire fraud conspiracy and aggravated identity theft in a U.S. federal court. The 24-year-old from Dundee, Scotland, admitted his role in a coordinated phishing blitz during the summer of 2022 that targeted major technology companies. The attacks weren't random. Buchanan and his crew launched tens of thousands of SMS-based phishing messages, tricking employees into handing over credentials. Once inside, they moved laterally through corporate networks, stealing sensitive data and customer information. **Who is affected and how** The list of victims reads like a who's-who of tech: Twilio, LastPass, DoorDash, and Mailchimp all fell prey to these intrusions. But the damage didn't stop at corporate networks. Scattered Spider used the stolen data to execute SIM-swapping attacks against individual cryptocurrency investors. By taking over victims' phone numbers, they bypassed two-factor authentication and drained digital wallets. Tens of millions of dollars vanished into their accounts. **The real-world impact and consequences** Buchanan's hacker handle "Tylerb" once sat at the top of a leaderboard tracking the most accomplished cyber thieves in the English-speaking criminal underground. Now he's sitting in U.S. custody, facing up to 22 years in federal prison. His sentencing hearing is set for August 21, 2026. But the judge will weigh several mitigating factors: his young age, lack of prior criminal history, time already served, and how much he cooperated with federal investigators. The final sentence could be significantly lighter. **Technical breakdown: how they did it** The attack chain was elegant and devastating. First, Scattered Spider sent massive waves of SMS phishing messages impersonating IT support or HR departments. Employees who clicked were directed to fake login pages that captured their credentials. Once inside, the group used those credentials to trick help desks into granting even deeper access—a technique called "vishing" (voice phishing). They'd call support lines pretending to be legitimate employees who'd "forgotten their passwords," using stolen personal details to sound convincing. With elevated access, they stole customer databases and session tokens. Those tokens then enabled SIM-swapping: transferring victims' phone numbers to devices controlled by the hackers. With phone numbers in hand, they reset passwords and drained crypto wallets. **What should be done—mitigation and recommendations** For companies: train help desk staff to verify identities through multiple channels. Never rely solely on caller ID or personal information that could have been stolen. Implement hardware security keys for critical access points. For individuals: avoid SMS-based two-factor authentication. Use authenticator apps or hardware tokens instead. Be skeptical of any text message asking you to click a link, even if it appears to come from your employer. **Why this matters in the bigger cybersecurity landscape** Scattered Spider represents a new breed of cybercriminals: English-speaking, socially adept, and terrifyingly effective. They don't need sophisticated malware when a well-crafted phone call works just as well. Buchanan's guilty plea is a win for law enforcement, but it's also a warning. Groups like Scattered Spider are becoming more organized and brazen. The human element remains the weakest link in any security chain—and until that changes, we'll keep seeing headlines like this one.

Russia's military intelligence hackers just pulled off a heist so quiet it didn't even need malware. They hijacked old, forgotten routers to steal Microsoft Office authentication tokens from thousands of networks worldwide. This isn't just another breach. It's a supply chain attack on trust itself—allowing Russian spies to walk into Microsoft accounts as if they owned them. Over 200 organizations and 5,000 consumer devices are confirmed compromised. If you use Microsoft Office on a network with outdated routers, your credentials could be next.

**What exactly happened** Russian state hackers from Forest Blizzard—also known as APT28 or Fancy Bear—exploited known flaws in aging Internet routers to intercept and steal Microsoft Office authentication tokens. These tokens act like digital keys, granting access without needing a password. Microsoft confirmed the campaign in a blog post today. The hackers didn't deploy any malicious software. They simply weaponized the router's own vulnerabilities against its users. **Who is affected and how** The attack targeted over 200 organizations and 5,000 consumer devices. Victims include ministries of foreign affairs, law enforcement agencies, and third-party email providers. At its peak in December 2025, Forest Blizzard's surveillance network ensnared more than 18,000 Internet routers. Most were unsupported, end-of-life models, or severely outdated on security patches. **The real-world impact and consequences** This isn't theoretical espionage. It's active infiltration with a proven track record. Forest Blizzard is the same group that hacked the Hillary Clinton campaign and the Democratic National Committee in 2016. Now they're after authentication tokens—the master keys to Microsoft Office accounts. Once stolen, these tokens let attackers impersonate legitimate users, read emails, access files, and pivot deeper into networks. The potential for data theft, surveillance, and future attacks is enormous. **Technical breakdown** The attack exploits weaknesses in router firmware that were never patched. By compromising the router itself, hackers can intercept traffic flowing through it—including authentication requests to Microsoft's servers. When a user logs into Microsoft Office, the router captures the token sent back. The hacker then replays that token to gain access, all without triggering any alarms. No malware, no suspicious files, no antivirus alerts. It's a ghost in the machine. **What should be done — mitigation and recommendations** First, audit your network for outdated routers. Any device that's end-of-life or missing critical firmware updates is a prime target. Second, enforce multi-factor authentication (MFA) on all Microsoft accounts. Tokens alone won't bypass MFA if it's properly configured. Third, consider using conditional access policies that require trusted devices or locations. This limits what stolen tokens can do. Finally, replace unsupported routers with modern, actively supported models. The FCC's new policy may restrict some consumer-grade routers, but enterprise-grade hardware remains available. **Why this matters in the bigger cybersecurity landscape** This attack highlights a dangerous shift: hackers are moving from software exploits to hardware-level compromises. By targeting routers, they bypass endpoint security entirely. It also underscores the risk of aging infrastructure. Millions of routers worldwide are past their support lifecycle, sitting in homes, offices, and government buildings. Each one is a potential backdoor. The FCC's recent policy limiting consumer router imports may reduce future risks, but it doesn't fix the millions already in use. For now, the responsibility falls on organizations to clean up their networks—before someone else does it for them.

Grammar fuzzing sounds like a magic bullet for finding deep bugs—until it isn't. A seasoned researcher reveals why even the smartest mutational grammar fuzzers can get stuck in a rut, chasing coverage that doesn't lead anywhere. If you're fuzzing anything from browser engines to XML parsers, this matters. The flaw isn't in the grammar itself, but in how the fuzzer gets "addicted" to old samples, wasting compute on dead ends. The fix? A surprisingly simple tweak that could save your fuzzing campaigns from plateauing.

**What Exactly Happened** A veteran fuzzing researcher took a hard look at mutational grammar fuzzing—a technique where a fuzzer mutates inputs while keeping them valid according to a predefined grammar. It’s powerful stuff, used to find bugs in XSLT implementations and JIT engines. But the researcher noticed a subtle, systemic flaw: the fuzzer’s obsession with coverage. The core issue? More coverage doesn’t always mean better bug hunting. The fuzzer saves any sample that triggers new code paths, but those paths might be shallow or irrelevant. Over time, the corpus gets bloated with "coverage noise," slowing down mutations and diluting focus. **Who Is Affected and How** Anyone running coverage-guided grammar fuzzers—whether on web browsers, parsers, or compilers—is at risk. The problem is universal, not tied to any single tool like Jackalope (the researcher’s fuzzer). Even structure-aware fuzzing techniques beyond grammar-based ones suffer from this coverage trap. The real-world impact? Wasted CPU cycles and missed bugs. A fuzzer might spend hours exploring trivial code paths while deep, critical vulnerabilities remain untouched. For teams relying on fuzzing in CI/CD pipelines, this means false confidence in test coverage. **Technical Breakdown: The "How" Simply Explained** Imagine a fuzzer that mutates XML inputs. It adds a new tag, and boom—coverage increases because the parser hit a new branch. The fuzzer saves that sample. But that branch might just be a simple error handler. The fuzzer then mutates that sample endlessly, generating variations of the same shallow path. The researcher calls this "coverage addiction." The fuzzer prioritizes samples that increase coverage, even if those samples are structurally similar or lead to dead ends. Over time, the corpus becomes a graveyard of low-value inputs, crowding out novel mutations that might trigger real bugs. **Mitigation and Recommendations** The fix is elegantly simple: periodically replace old samples with newer ones, even if coverage doesn’t change. This "novelty bias" forces the fuzzer to explore fresh ground rather than rehashing old territory. The researcher tested this in libxslt and found it discovered bugs faster than default settings. The takeaway? Don’t blindly trust out-of-the-box fuzzing configurations. Experiment with strategies that prioritize novelty over raw coverage numbers. **Why This Matters in the Bigger Picture** This isn’t just a niche fuzzing tweak—it’s a lesson in how metrics can mislead. In cybersecurity, we often chase quantifiable goals (coverage, speed, throughput) without questioning if they align with real-world outcomes. The coverage addiction in fuzzing mirrors broader issues in vulnerability research: we measure what’s easy, not what’s effective. The researcher’s work reminds us that sometimes the best tool is a fresh perspective—and a willingness to break the rules. For defenders, it’s a call to audit your own testing pipelines. Are you optimizing for the right things? Or just feeding the coverage machine?