Daily Digest

Hackers are now sliding into your company's DMs on Microsoft Teams—and they can own your network in under five minutes. The notorious initial access broker KongTuke has swapped phishing emails for Teams chats, posing as IT support to trick employees into pasting a single malicious PowerShell command. This isn't just a new trick; it's a dangerous evolution in social engineering. If your team uses Teams for internal communication, everyone—from the CEO to the newest intern—is a potential entry point for ransomware gangs. The attack is fast, convincing, and bypasses traditional email security.

**What exactly happened** KongTuke, a well-known initial access broker (IAB), has added Microsoft Teams to its social engineering toolkit. Instead of relying solely on web-based lures like "FileFix" or "CrashFix," the group now cold-contacts employees via Teams chat, pretending to be internal IT or help-desk staff. The goal is simple: trick the target into pasting a malicious PowerShell command. Once executed, this command deploys ModeloRAT—a Python-based remote access trojan—giving the attackers a persistent foothold in the corporate network. **Who is affected and how** Any organization using Microsoft Teams with external federation enabled is at risk. The attackers rotate through five Microsoft 365 tenants to evade blocking, and they use Unicode whitespace tricks to make their display names appear legitimate—like "Help Desk" or "IT Support." Victims are typically employees who trust internal chat platforms. The social engineering is so effective that ReliaQuest researchers observed a full compromise—from cold outreach to persistent access—in under five minutes. **The real-world impact and consequences** This is not a prank. KongTuke is an IAB, meaning they sell network access to ransomware operators. A successful breach can lead to data theft, file encryption, and multimillion-dollar ransom demands. Because the attack happens inside a trusted collaboration tool, it bypasses email security gateways and spam filters. The speed of compromise also leaves security teams with almost no time to react. **Technical breakdown (the "how")** The attack chain is elegant and layered. First, the attacker initiates a Teams chat and convinces the user to paste a PowerShell command. That command downloads a ZIP archive from Dropbox containing a portable WinPython environment. This environment launches ModeloRAT (Pmanager.py), which collects system info, captures screenshots, and exfiltrates files. The latest version of ModeloRAT is more resilient than ever, featuring: - A five-server C2 pool with automatic failover and randomized URL paths - Three independent access paths: primary RAT, reverse shell, and TCP backdoor - Multiple persistence mechanisms, including a SYSTEM-level scheduled task that survives the implant's self-destruct routine **What should be done — mitigation and recommendations** First, restrict external Teams federation using allowlists. Only trusted domains should be able to initiate chats with your users. This single step blocks the attack vector at its source. Second, hunt for the indicators of compromise provided in ReliaQuest's report—including the specific PowerShell commands, Dropbox URLs, and persistence artifacts like the scheduled task. Finally, educate employees. Remind them that IT will never ask them to paste random commands into PowerShell, even on Teams. When in doubt, verify through a separate channel. **Why this matters in the bigger cybersecurity landscape** This attack is a wake-up call. Collaboration platforms like Teams, Slack, and Zoom are now prime real estate for social engineering. As email security improves, attackers will naturally pivot to where trust is highest and defenses are weakest. KongTuke's shift to Teams signals a broader trend: IABs are becoming more creative and more efficient. The five-minute compromise time is terrifying, but the real lesson is that your employees' trust in internal tools is now a liability. Defending that trust requires both technical controls and human awareness.

A major pharmaceutical supplier just got hit—and the attackers walked away with data while locking up systems. West Pharmaceutical Services, the company behind much of the world’s injectable drug packaging, disclosed a cyberattack that triggered a global shutdown. If you take any medication delivered via syringe or vial, this matters to you. The breach hit on May 4th, and by May 7th, the company confirmed data theft and system encryption. Hospitals, drug manufacturers, and patients now face potential supply chain disruptions.

**What exactly happened** West Pharmaceutical Services detected an intrusion on May 4, 2026. Within three days, the company confirmed the worst: attackers had stolen data from its network and encrypted critical systems. The incident forced a proactive global shutdown of systems to contain the damage. The company filed a material cybersecurity attack notice with the SEC, as required for publicly traded firms. This isn’t a minor breach—it’s a full-scale incident involving data exfiltration and ransomware-style encryption, though no group has claimed responsibility yet. **Who is affected and how** West Pharmaceutical is an S&P 500 giant with over $3 billion in annual revenue and 10,800 employees worldwide. They don’t make drugs—they make the packaging and delivery systems for injectable medications. Think syringes, vials, and drug containment systems. Hospitals, pharmacies, and drug manufacturers rely on them. Any disruption here ripples across the entire pharmaceutical supply chain. Patients waiting for critical injections could face delays. **The real-world impact and consequences** The attack forced West to take systems offline globally. Manufacturing partially restarted after core systems for shipping and production were restored, but full recovery remains incomplete. No timeline has been given. The company hasn’t estimated the financial hit yet. But with global operations disrupted and data stolen, costs will mount—from ransom demands to regulatory fines and potential lawsuits. The SEC filing signals this is serious enough to affect shareholder value. **Technical breakdown** The attackers gained unauthorized access, stole data, and encrypted systems. West’s response included proactive shutdown and isolation of affected on-premise infrastructure, restricting access to enterprise systems, and notifying law enforcement. They brought in Palo Alto Networks’ Unit 42 for incident response, containment, and recovery. This suggests a sophisticated attack requiring top-tier forensic expertise. The encryption indicates ransomware-like behavior, but no group has claimed credit. **What should be done — mitigation and recommendations** West has taken steps to mitigate data dissemination risks but hasn’t specified what those steps are. For other organizations, this incident underscores the need for robust offline backups, network segmentation, and rapid containment protocols. Companies should also have crisis communication plans ready—West notified law enforcement and the SEC quickly. Regular security audits and employee training remain critical, especially for supply chain partners who handle sensitive healthcare data. **Why this matters in the bigger cybersecurity landscape** This attack hits at the intersection of healthcare and critical infrastructure. Pharmaceutical supply chains are a prime target—disruptions can delay life-saving treatments. The lack of a ransom demand or credit claim is unusual, suggesting either a state-sponsored actor or a group waiting to maximize leverage. The SEC filing requirement for material cyber incidents is relatively new. West’s disclosure shows regulators are watching, and companies can no longer hide breaches. Expect more transparency—and more pressure on firms to secure their digital backbone.

A massive data extortion attack just took down Canvas, the education platform used by nearly 9,000 schools and universities across the U.S. Classes were disrupted, coursework frozen, and login pages defaced with ransom demands threatening to leak data on 275 million students and faculty. If you're a student, teacher, or parent, this one hits close to home.

**What exactly happened** Cybercrime group ShinyHunters defaced Canvas's login page with a ransom demand, forcing parent company Instructure to take the platform offline. The attack disrupted classes and coursework nationwide, affecting school districts and universities alike. The group claimed responsibility for a data breach and threatened to leak information on tens of millions of students and faculty unless paid. The initial deadline was May 6, later pushed back to May 12. **Who is affected and how** Canvas is used by thousands of educational institutions to manage coursework, assignments, and student communication. That means nearly every student and faculty member at affected schools could have their personal information exposed. The breach includes names, email addresses, and student ID numbers, plus messages exchanged between users. While Instructure says no passwords, birth dates, or financial data were taken, the stolen info is still a goldmine for identity thieves and social engineers. **The real-world impact and consequences** Beyond the immediate disruption to learning, this breach creates a long-term risk for students and staff. Stolen names and email addresses can fuel phishing campaigns, while student ID numbers may be used to impersonate victims. For schools, the reputational damage is severe. Parents and students will question whether their data is safe, and institutions may face legal or regulatory scrutiny over how they protect sensitive information. **Technical breakdown (explain the "how" simply)** ShinyHunters likely exploited a vulnerability in Canvas's infrastructure or used stolen credentials to gain access. Once inside, they exfiltrated user data and then defaced the login page to display their ransom note. The attack targeted the platform's core database, which stores user profiles and messages. Instructure's investigation found no evidence of deeper system compromise, but the data that was taken is still highly valuable to criminals. **What should be done — mitigation and recommendations** Instructure has since paid the extortionists and received confirmation that the stolen data was destroyed. They also stated no customers will be extorted as a result of this incident. For affected users, the first step is to change passwords on Canvas and any other accounts using the same credentials. Enable multi-factor authentication where available, and be extra cautious of phishing emails that may reference the breach. Schools should review their data-sharing agreements with Instructure and consider implementing additional monitoring for suspicious activity involving student and staff accounts. **Why this matters in the bigger cybersecurity landscape** This attack is a stark reminder that education platforms are prime targets for cybercriminals. They hold vast amounts of personal data on millions of users, often with weaker security than financial or healthcare systems. The fact that Instructure paid the ransom also raises questions about the long-term effectiveness of such strategies. While it may have stopped this specific leak, it signals to other groups that extorting education tech providers can pay off. As schools increasingly rely on digital platforms, the need for robust security and incident response plans has never been more critical. This breach is a wake-up call for the entire education sector.

Dell just confirmed what many users have been screaming about all week: its own pre-installed SupportAssist software is causing Windows systems to crash with blue-screen-of-death errors. If you own a Dell or Alienware PC, your computer might be randomly rebooting thanks to a buggy service update that kills critical system processes. The fix is surprisingly simple—but it comes with a hidden catch that could cost you your system recovery options. Here’s what you need to know right now before your next BSOD hits.

**What exactly happened** Dell officially acknowledged that its SupportAssist Remediation service, version 5.5.16.0, is triggering 0xEF_DellSupportAss_BUGCHECK_CRITICAL_PROCESS errors on Windows 10 and Windows 11 systems. The crashes started Friday, with users flooding forums about random reboots that made their machines unusable. This isn’t a subtle glitch. The bug literally kills a critical Windows process, forcing the system into a blue-screen shutdown. It’s the kind of crash that makes you think your hardware is dying—when the culprit is actually Dell’s own software. **Who is affected and how** Anyone running Dell SupportAssist or Alienware SupportAssist with the Remediation service version 5.5.16.0 is at risk. That means millions of Dell and Alienware PCs shipped with Windows 10 or 11 could be vulnerable to these crashes. The worst part? The software comes pre-installed on most new Dell computers. So even if you never opened SupportAssist, it’s running in the background, waiting to trigger your next BSOD. **The real-world impact and consequences** Beyond the obvious frustration of random crashes, there’s a deeper problem. Dell warns that uninstalling the buggy service may remove system repair points created by Dell OS SupportAssist Recovery. That means if something goes wrong later, you might lose your safety net. For businesses relying on Dell laptops, this is a productivity nightmare. Imagine a sales demo crashing mid-presentation, or a remote worker losing unsaved work during a critical deadline. The ripple effects go far beyond individual annoyance. **Technical breakdown (explain the "how" simply)** The SupportAssist Remediation service is designed to automatically fix system issues. But version 5.5.16.0 contains a bug that causes it to terminate a critical Windows process instead of repairing it. When that process dies, Windows has no choice but to blue-screen and restart. Think of it like a home security system that accidentally locks you out of your own house. The tool meant to protect you becomes the source of the problem. **What should be done — mitigation and recommendations** Dell’s official workaround is simple: uninstall the Dell SupportAssist Remediation service or remove the entire SupportAssist app. To do this, go to Windows Settings > Apps > Installed apps, find “Alienware SupportAssist Remediation” (or the Dell version), and click Uninstall. If you still get crashes after uninstalling, contact Dell support. For now, there’s no permanent fix—Dell says engineering is working on it. In the meantime, consider disabling the service entirely if you need your machine stable. **Why this matters in the bigger cybersecurity landscape** This isn’t a one-off mistake. Dell has a troubling history with SupportAssist causing major issues—from BIOS updates bricking laptops in 2021 to BSODs from earlier versions in April 2025. Security researchers have even found remote code execution vulnerabilities in SupportAssist’s BIOSConnect feature. The pattern is clear: pre-installed software from major PC vendors remains a weak link. It’s software you didn’t ask for, running with high privileges, and capable of crashing your entire system. For cybersecurity professionals, this is yet another reminder that your biggest threat might already be sitting on your hard drive, pre-installed by the manufacturer.

The alleged mastermind behind Dream Market—once the internet’s biggest black market bazaar—has finally been unmasked and charged. German authorities arrested 49-year-old Owe Martin Andresen, who is now facing a U.S. indictment for laundering millions in drug proceeds. This isn’t just another dark web bust. It’s a signal that no amount of crypto cloaking or time passed can hide the trail of dirty money. If you ever wondered whether law enforcement can crack the toughest dark web cases, this is your answer.

**What exactly happened** The U.S. Department of Justice unsealed charges against Owe Martin Andresen, a 49-year-old Norwegian citizen arrested in Germany. He’s accused of being “Speedstepper,” the top administrator of Dream Market—a dark web marketplace that, at its peak, hosted nearly 100,000 listings for illegal goods. Andresen faces 12 counts of money laundering, each carrying up to 20 years in prison. German authorities also charged him separately, with additional penalties of up to five years per count. **Who is affected and how** Dream Market operated from 2013 until its shutdown in 2019, facilitating the sale of massive quantities of drugs—including 450 kilograms of cocaine, 90 kilograms of heroin, and 36 kilograms of fentanyl. That’s enough to devastate countless communities. The real victims here are the people who bought and sold on the platform, thinking they were anonymous. But the ripple effects extend to anyone harmed by the opioid crisis or the violence tied to illegal drug markets. **The real-world impact and consequences** Andresen allegedly moved over $2 million in Dream Market proceeds between August 2023 and April 2025. When German police searched his home, they found $1.7 million in gold bars, $23,000 in cash, and cryptocurrency wallets holding another $1.2 million. This case shows that dark web profits don’t stay digital forever. They get converted into gold, cash, and assets—and that’s exactly where law enforcement catches up. **Technical breakdown (the “how” explained simply)** Dream Market ran on the Tor network, providing anonymous access to buyers and sellers. After the marketplace shut down in 2019, its cryptocurrency wallets went dormant—until November 2022. That’s when someone reactivated those wallets and moved millions in commission payments. Prosecutors say only the person holding the original private keys could have done this. Andresen allegedly used those funds to buy gold bars through a U.S.-based crypto service in Atlanta, shipping them directly to his home in Germany. The mistake? Converting crypto to physical gold creates a paper trail. And that trail led straight to his doorstep. **What should be done — mitigation and recommendations** For anyone operating on the dark web, this case is a stark warning: crypto isn’t anonymous if you ever convert it to real-world assets. Law enforcement is getting better at following the money, even years after a marketplace shuts down. For businesses and crypto services, this highlights the need for robust KYC and AML checks. The Atlanta-based service that processed Andresen’s gold purchases may now face scrutiny over its compliance practices. **Why this matters in the bigger cybersecurity landscape** Dream Market’s fall is part of a broader crackdown on dark web marketplaces. Earlier this year, the owner of Incognito Market got 30 years, and a co-creator of Empire Market pleaded guilty to drug conspiracy charges. The message is clear: the dark web isn’t a safe haven. Law enforcement is building cases that span years, using financial forensics and international cooperation. For cybersecurity professionals, this case underscores the importance of tracking cryptocurrency flows—and the risks of assuming that time heals all digital sins.

Imagine a door slamming shut on one exploit chain, only to find a window wide open on the next model. That’s exactly what happened with the Pixel 10. Security researchers just dropped a bombshell: a full zero-click-to-root exploit chain for Google’s latest flagship. The kicker? It uses a patched Dolby vulnerability from the Pixel 9, combined with a brand-new driver on the Pixel 10. If you’re on an unpatched device (SPL December 2025 or earlier), you’re the target. No user interaction needed. No warning. Just silent compromise.

**What exactly happened** Researchers who previously demonstrated a two-exploit chain for the Google Pixel 9 have now ported that attack to the Pixel 10. The chain begins with a zero-click vulnerability in Dolby’s audio decoder (CVE-2025-54957), which was patched in January 2026. From there, the attacker escalates privileges to root using a new driver called VPU, which replaced the BigWave driver on the Pixel 10. The result? A fully remote, zero-click exploit that gives an attacker complete control of the device. No taps, no swipes, no suspicious links. Just silent takeover. **Who is affected and how** Any Pixel 10 user still running a security patch level (SPL) of December 2025 or earlier is vulnerable. That’s a significant window, considering the patch was released in January 2026. The attack vector is particularly dangerous because it requires no user interaction. An attacker could deliver the exploit through a malicious audio file, a compromised app, or even a crafted notification. Once the Dolby decoder processes the payload, the attacker gains code execution in a privileged context. **The real-world impact and consequences** This isn’t just a theoretical exercise. A zero-click root exploit means an attacker can install persistent malware, steal all data, monitor communications, and even turn the device into a surveillance tool. For journalists, activists, and corporate executives, this is a nightmare scenario. Their devices could be compromised without any visible sign. Even for everyday users, the implications are severe: banking credentials, private messages, and personal photos all become accessible. The fact that the exploit chain spans two different phone models shows how persistent attackers can be. When one door closes (BigWave driver removed), they simply find another (VPU driver added). **Technical breakdown** The exploit chain works in two stages. First, the Dolby vulnerability (CVE-2025-54957) triggers a buffer overflow in the audio decoder. On the Pixel 9, researchers used `__stack_chk_fail` as their overwrite target. But the Pixel 10 uses RET PAC (pointer authentication) instead of stack canaries, so that target disappeared. They adapted by overwriting `dap_cpdp_init`, initialization code that runs once when the decoder starts and is never called again. This gives them code execution without crashing the system. Second, they needed a local privilege escalation. The Pixel 10 dropped the BigWave driver, but a new VPU driver appeared in the media codec SELinux policy. This driver, while different, offered similar exploitation primitives. The researchers adapted their LPE exploit to target VPU instead, completing the chain. **What should be done — mitigation and recommendations** First and foremost: update your Pixel 10 to the January 2026 security patch or later. This is non-negotiable. For enterprise and high-risk users, consider additional layers of defense. Network monitoring can detect unusual traffic patterns. Endpoint detection tools can flag suspicious process behavior. And strict app permission controls can limit the attack surface. Google should also take note: shipping a new driver without thorough security review is a recipe for disaster. The VPU driver should undergo rigorous fuzzing and static analysis before future releases. **Why this matters in the bigger cybersecurity landscape** This exploit chain highlights a fundamental truth in mobile security: closing one vulnerability often opens another. The Pixel 10 fixed the BigWave driver, but introduced VPU without equivalent hardening. It also demonstrates the power of adaptive attackers. When one technique fails (no `__stack_chk_fail`), they find another (overwriting `dap_cpdp_init`). Security teams must think like attackers, anticipating how exploits will evolve across device generations. Finally, this serves as a wake-up call for the entire Android ecosystem. Zero-click vulnerabilities are the holy grail for attackers. As devices become more locked down, the pressure on drivers and media codecs will only increase. Proactive security, not reactive patching, is the only sustainable path forward.

A long-forgotten Windows API just became the star of a dangerous UAC bypass story, and your system might be the next target. The `GetProcessHandleFromHwnd` function, designed as a simple convenience tool for developers, has been quietly handing out process handles to anyone with UI Access privileges—no questions asked. This isn't just a theoretical flaw. Researchers discovered it powers a real-world exploit in Quick Assist, a built-in Windows tool. If you're running Windows 10 or 11 (pre-24H2), your machine is at risk. The worst part? Microsoft's own documentation got the security details wrong, leaving a gaping hole that attackers can walk through.

**What exactly happened** A security researcher stumbled upon a hidden gem in Windows: the `GetProcessHandleFromHwnd` API. This function was meant to simplify getting a process handle from a window handle—a common developer need. But digging deeper revealed it was doing something far more dangerous than advertised. The API's documentation claimed it used Windows hooks to get handles, requiring UI Access and same-user conditions. Reality told a different story. In Windows 11, the function directly opens processes from kernel mode, bypassing those supposed safeguards. It even works across different integrity levels, which is a major no-no in Windows security. **Who is affected and how** Anyone running Windows 10 or 11 before the 24H2 update is potentially vulnerable. The exploit chain is straightforward: an attacker with UI Access privileges (like those granted to accessibility tools) can call this API to get a handle to any process owned by the same user. From there, they can inject code, read memory, or escalate privileges. The Quick Assist UAC bypass was the first public demonstration, but the API's reach extends far beyond that single application. Think of it as a master key that shouldn't exist. **The real-world impact and consequences** The consequences are severe. An attacker who gets a foothold on your system can use this API to bypass User Account Control (UAC) entirely. They can then run code as administrator, install malware, steal data, or take full control. The scariest part? This isn't a complex exploit requiring zero-days or kernel vulnerabilities. It's a feature that's been working incorrectly for years, documented with wrong security assumptions. Microsoft's own code contradicted its documentation, and nobody caught it until now. **Technical breakdown** Here's how it works in simple terms: The API is implemented as a Win32k kernel function. When called, it directly opens the target process handle in kernel mode, without any of the checks you'd expect. The critical flaw? It forgot to check for protected processes. Protected processes are Windows' way of saying "hands off" to untrusted code. But this API didn't get the memo. It would happily return a handle with full access rights, even to processes that should be off-limits. The fix in Windows 11 24H2 finally adds proper checks, including a UIPI (User Interface Privilege Isolation) enforcement that makes the API much safer. But for years, this was a silent backdoor. **What should be done — mitigation and recommendations** If you're on Windows 11 24H2, you're already protected. For everyone else, the clock is ticking. Microsoft hasn't backported the fix to older versions, so your best defense is to update to the latest Windows 11 release as soon as possible. In the meantime, restrict UI Access privileges to only trusted applications. Monitor for unusual calls to `GetProcessHandleFromHwnd` in your security logs. And if you're a developer, never trust API documentation at face value—test the actual behavior. **Why this matters in the bigger cybersecurity landscape** This discovery highlights a growing problem: the gap between what APIs are documented to do and what they actually do. As Windows becomes more complex, these discrepancies become attack surfaces. The `GetProcessHandleFromHwnd` case is a wake-up call. It shows that even Microsoft can get security fundamentals wrong, and that "convenience" features can become dangerous weapons. For defenders, it's a reminder to question everything, especially the APIs you think you understand. For attackers, it's a playbook. Expect more researchers to hunt for similar bugs in other "harmless" Windows functions. The era of trusting documentation is over.

Microsoft just patched nine critical bypasses in its new Administrator Protection feature—before most people even knew it existed. The root cause? A decades-old Windows design flaw called UI Access that has quietly undermined security for years. If you're a Windows user with admin privileges, your system was vulnerable to attacks that could let malware silently elevate its power. The fixes are out now, but the story behind them reveals a much bigger problem lurking in Windows' DNA.

**What exactly happened** Security researcher James Forshaw discovered nine ways to bypass Microsoft's brand-new Administrator Protection feature. Five of these share a common root cause: the UI Access mechanism, a component that has been a weak spot in Windows security since Vista. Administrator Protection was supposed to finally create a real security boundary for User Account Control (UAC). Instead, Forshaw found attackers could abuse UI Access to slip right through. **Who is affected and how** Any Windows user with Administrator Protection enabled was potentially at risk. The attack chain works like this: a limited user process exploits UI Access to interact with higher-privilege windows, then uses that access to execute code as an administrator. The scary part? This doesn't require any special privileges to start. A piece of malware running as a standard user could trigger the bypass. **The real-world impact and consequences** These bypasses effectively neuter Administrator Protection's main promise. Microsoft designed the feature to prevent exactly this kind of privilege escalation, yet the UI Access mechanism created a backdoor. For organizations, this means their carefully configured security boundaries weren't as solid as advertised. For individual users, it means that "protected" admin sessions could still be hijacked. **Technical breakdown** The problem dates back to Windows Vista's introduction of User Interface Privilege Isolation (UIPI). This system uses Mandatory Integrity Control to block lower-integrity processes from sending messages to higher-integrity windows. But UI Access was designed as an exception—a way for legitimate accessibility tools to interact with privileged windows. The flaw? UI Access processes run at medium integrity but can bypass UIPI restrictions. Forshaw found multiple ways to trick the system into granting UI Access to malicious processes. **What should be done** Microsoft has patched all nine bypasses in recent updates. If you have Windows Update enabled, you're already protected. But here's the catch: Forshaw notes that more rigorous testing during development could have caught these issues before release. For administrators, the recommendation is clear: deploy the latest Windows patches immediately. For developers building on Windows security features, this is a reminder to audit every "legacy compatibility" mechanism. **Why this matters in the bigger landscape** This research reveals a pattern that keeps repeating in Windows security: old design decisions come back to haunt new features. UI Access was created over 15 years ago for a different threat model, yet it wasn't properly reconsidered when designing Administrator Protection. The takeaway for the industry? Security features need holistic testing, not just against known attacks but against every historical mechanism that could be abused. Microsoft is taking Administrator Protection seriously, but the lesson here applies to every security boundary we build.