<?xml version='1.0' encoding='UTF-8'?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title>ZeroDaily</title>
    <link>https://zerodaily.in/</link>
    <description>Daily insights on cybersecurity news, vulnerabilities, and research.</description>
    <docs>http://www.rssboard.org/rss-specification</docs>
    <generator>python-feedgen</generator>
    <language>en</language>
    <lastBuildDate>Mon, 08 Jun 2026 17:06:48 +0000</lastBuildDate>
    <item>
      <title>Issue 2026-06-04</title>
      <link>https://zerodaily.in/issue/2026-06-04</link>
      <description>&lt;b&gt;U.S. sanctions Nobitex crypto exchange used by Iranian ransomware actors&lt;/b&gt;&lt;br/&gt;The U.S. Treasury just dropped the hammer on Iran’s biggest crypto exchange, Nobitex, slapping it with sanctions for fueling ransomware attacks and propping up the Iranian regime.

This isn’t just another compliance move. It’s a direct strike at the financial pipeline connecting ransomware gangs to the Islamic Revolutionary Guard Corps (IRGC). If you’re in crypto, finance, or cybersecurity, this changes the risk landscape overnight.&lt;br/&gt;&lt;b&gt;Chinese hackers use new Atlas RAT malware in European cyberattacks&lt;/b&gt;&lt;br/&gt;A Chinese-speaking cybercrime group has turned its sights on Europe, deploying a never-before-seen malware called Atlas RAT.  

This isn’t just another phishing wave—it’s a highly organized, financially motivated campaign targeting Germany, Italy, the UK, and South Africa.  

If you’re in finance, HR, or government compliance, you’re in the crosshairs. The group uses fake payroll notices and tax audits to trick victims into opening the door.&lt;br/&gt;&lt;b&gt;Police dismantles fake ID marketplace used by migrant smugglers&lt;/b&gt;&lt;br/&gt;French and Spanish police just pulled the plug on an online marketplace that was the go-to shop for fake IDs used by migrant smugglers across Europe. One suspect was arrested in Alicante, Spain, and authorities seized around 800 counterfeit European identity documents along with the equipment to make them.

This isn't just about fake passports. It's about dismantling the engine that helps criminal networks move people illegally across borders, evade border controls, and fraudulently obtain residency rights. If you're concerned about organized crime's grip on migration routes, this takedown hits at the heart of their logistics.&lt;br/&gt;&lt;b&gt;CISA warns of cyberattacks targeting fuel tank monitoring systems&lt;/b&gt;&lt;br/&gt;Hackers are breaking into fuel tank monitoring systems across the US—and they’re not just looking. They’re changing settings, disabling alerts, and messing with pump controls in real time.

CISA, the FBI, and the NSA just issued a joint warning: automatic tank gauge (ATG) systems, used to monitor fuel levels at gas stations and industrial sites, are being actively targeted. If you run critical infrastructure in energy, chemicals, or transportation, your tanks might be the next target. This isn’t a drill—it’s a live threat with real consequences for safety and supply.&lt;br/&gt;&lt;b&gt;Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts&lt;/b&gt;&lt;br/&gt;Imagine waking up to find your Instagram account plastered with pro-Iranian propaganda—and you’re the former Obama White House. That’s exactly what happened over the weekend, when hackers hijacked high-profile accounts using nothing more than Meta’s own AI support bot.

The trick was shockingly simple: ask the bot to add a new email to an account during a password reset. No brute force, no stolen credentials—just clever social engineering aimed at an AI. If you run a business or manage a popular account on Instagram, this exploit puts your digital identity at risk, especially if you haven’t enabled multi-factor authentication.&lt;br/&gt;&lt;b&gt;A 0-click exploit chain for the Pixel 10: When a Door Closes, a Window Opens&lt;/b&gt;&lt;br/&gt;Google’s Pixel 10 has a brand new attack surface—and researchers just proved it’s exploitable from zero-click to root.

The same Dolby audio bug that hit Pixel 9 now works on the newer device, but with a twist: the old kernel exploit driver is gone, replaced by a new, untested one.

If you’re on a Pixel 10 with a security patch level before December 2025, your device is vulnerable to a full chain attack that requires no user interaction.&lt;br/&gt;&lt;b&gt;On the Effectiveness of Mutational Grammar Fuzzing&lt;/b&gt;&lt;br/&gt;Grammar fuzzing sounds like a silver bullet—mutate inputs while keeping them valid, and let coverage guide you to bugs. But here’s the catch: more coverage doesn’t always mean smarter fuzzing. In fact, it can quietly lead you into a trap.

This post pulls back the curtain on a hidden flaw in mutational grammar fuzzing that even seasoned users miss. If you rely on coverage-guided tools like Jackalope, you might be wasting CPU cycles on dead ends. The fix? A deceptively simple technique that swaps out stale samples for fresh ones—even when coverage stays flat.&lt;br/&gt;&lt;b&gt;A Deep Dive into the GetProcessHandleFromHwnd API&lt;/b&gt;&lt;br/&gt;Microsoft’s GetProcessHandleFromHwnd API isn’t what it claims to be. The documentation says one thing, but the code does another—and that gap has quietly opened the door to privilege escalation attacks.

This isn’t just a theoretical flaw. It’s already been weaponized in a real UAC bypass using Quick Assist, a built-in Windows tool. If you’re running Windows 10 or 11 (pre-24H2), your system could be at risk from local attackers or malware already on your machine.&lt;br/&gt;&lt;b&gt;Bypassing Administrator Protection by Abusing UI Access&lt;/b&gt;&lt;br/&gt;Windows just got a shiny new security feature called Administrator Protection—but it turns out the fortress had secret doors all along.

A security researcher found nine ways to bypass this feature before it even hit the streets. Five of those bypasses share a common root cause: a decades-old UAC weakness called UI Access that Microsoft is finally being forced to confront.

If you're an IT admin or security pro managing Windows endpoints, this matters. The bypasses could let attackers silently elevate privileges on machines you thought were locked down.&lt;br/&gt;</description>
      <pubDate>Thu, 04 Jun 2026 00:00:00 +0000</pubDate>
    </item>
    <item>
      <title>Issue 2026-06-05</title>
      <link>https://zerodaily.in/issue/2026-06-05</link>
      <description>&lt;b&gt;Cisco warns of unpatched SD-WAN zero-day exploited in attacks&lt;/b&gt;&lt;br/&gt;Cisco just dropped a bombshell: a high-severity zero-day in its Catalyst SD-WAN Manager is already being weaponized in active attacks. Tracked as CVE-2026-20245, this unpatched flaw lets attackers with low-level privileges escalate to full root access on the network management system.

If you’re running any flavor of Cisco SD-WAN—on-prem, cloud, or even FedRAMP government deployments—you’re on the radar. The real kicker? Attackers are using it to push malicious configuration changes straight to edge devices. No patch exists yet, and the clock is ticking.&lt;br/&gt;&lt;b&gt;DentaQuest data breach exposed info of 2.6 million accounts&lt;/b&gt;&lt;br/&gt;A massive data breach at DentaQuest, one of the largest U.S. dental benefits administrators, has exposed the sensitive information of 2.6 million accounts. The notorious extortion group ShinyHunters claimed responsibility, leaking over 234 GB of data after negotiations fell through.

This isn’t just another breach—it’s a goldmine for cybercriminals. With email addresses, full names, phone numbers, government IDs, health insurance details, and dates of birth now public, millions of Americans face a heightened risk of identity theft, phishing, and social engineering attacks. If you’ve ever used DentaQuest, you need to pay attention.&lt;br/&gt;&lt;b&gt;Hola Browser for Windows compromised to deliver cryptominer&lt;/b&gt;&lt;br/&gt;Your browser might be secretly mining cryptocurrency without your knowledge. That’s exactly what happened with Hola Browser for Windows, which was compromised in a supply chain attack that slipped a Monero miner onto users’ machines.

This isn’t just another bug—it’s a silent hijack of your computer’s processing power, turning your hardware into a cash cow for attackers. If you’re a Hola Browser user on Windows, you’re at risk. The miner runs when your PC is idle, draining energy and slowing performance without a single pop-up warning.&lt;br/&gt;&lt;b&gt;Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks&lt;/b&gt;&lt;br/&gt;Dutch authorities just dropped a hammer on cybercrime infrastructure.  

On May 18, the Dutch financial crime agency FIOD arrested two men—a 57-year-old from Amsterdam and a 39-year-old from The Hague—for running hosting companies that powered Russian cyberattacks.  

Their servers were the backbone for DDoS attacks, influence operations, and disinformation campaigns targeting the European Union.  

If you rely on the internet for business, government, or daily life, this matters. These arrests signal a major shift: hosting providers can no longer hide behind shell companies to fuel state-backed aggression.&lt;br/&gt;&lt;b&gt;Brave Software releases Origin for a paid, bloat-free browsing experience&lt;/b&gt;&lt;br/&gt;Brave just launched a paid version of its browser that strips out all the extra stuff you never asked for. No crypto. No AI. No rewards. No ads for VPNs.

The catch? You have to pay $59.99 to get the browser many users say Brave should have been all along. And critics are calling it a "monetization layer" on top of a browser that was supposed to protect you from monetization layers. Ouch.&lt;br/&gt;&lt;b&gt;Credit card theft campaign abuses Stripe to host stolen payment info&lt;/b&gt;&lt;br/&gt;A cunning new Magecart campaign is hiding stolen credit card data right inside Stripe's own infrastructure. Attackers are using the payment giant's trusted API as both a weapon and a vault, making this attack nearly invisible to standard security filters.

Every online store using Magento or Adobe Commerce is at risk. The malware loads through Google Tag Manager, then quietly siphons payment details into fake customer records inside Stripe. It's a brilliant abuse of trust that bypasses Content Security Policy rules and network monitors.&lt;br/&gt;&lt;b&gt;Lawmakers Demand Answers as CISA Tries to Contain Data Leak&lt;/b&gt;&lt;br/&gt;A CISA contractor just did the cybersecurity equivalent of leaving the office keys under the doormat—on a public GitHub account.

The contractor created a profile called "Private-CISA" and uploaded plaintext credentials to dozens of internal systems, including AWS GovCloud keys. Lawmakers from both parties are now demanding answers as CISA scrambles to contain the leak.

If you work in government, critical infrastructure, or rely on federal cybersecurity protections, this story matters. It exposes a dangerous blind spot: trusted insiders with privileged access can become the biggest threat—even without malicious intent.&lt;br/&gt;&lt;b&gt;Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada&lt;/b&gt;&lt;br/&gt;Canadian police just arrested a 23-year-old Ottawa man accused of running one of the most aggressive IoT botnets in recent memory.

His name is Jacob Butler, known online as "Dort," and he's charged with building and operating Kimwolf—a botnet that enslaved millions of smart devices to launch record-breaking DDoS attacks. The suspect is now facing charges in both Canada and the United States, with the U.S. seeking extradition.

If you own a digital photo frame, webcam, or any IoT device that hasn't been updated recently, your gadget might have been part of this army. And the attacks weren't just random—they targeted the Department of Defense and security researchers who dared to investigate.&lt;br/&gt;&lt;b&gt;CISA Admin Leaked AWS GovCloud Keys on Github&lt;/b&gt;&lt;br/&gt;The U.S. government's top cybersecurity agency just suffered one of the most embarrassing data leaks in recent memory. A CISA contractor left highly privileged AWS GovCloud keys and internal system credentials sitting in a public GitHub repository for anyone to find.

This isn't just a minor slip-up. The exposed files detailed exactly how CISA builds, tests, and deploys its software internally. If you're worried about nation-state actors or cybercriminals getting a backdoor into critical government systems, this leak just handed them a master key.&lt;br/&gt;</description>
      <pubDate>Fri, 05 Jun 2026 00:00:00 +0000</pubDate>
    </item>
    <item>
      <title>Issue 2026-06-06</title>
      <link>https://zerodaily.in/issue/2026-06-06</link>
      <description>&lt;b&gt;Chinese APT deploys new malware to keep access to hacked networks&lt;/b&gt;&lt;br/&gt;A Chinese state-backed hacking group has been quietly living inside Microsoft 365 environments for over a year—using a backdoor so stealthy it evaded detection until March 2025.  

Dubbed UNC5221 (also known as VerdantBamboo), this crew deployed a new malware family called Brickstorm, alongside previously unseen tools named Plenet and AgentPSD.  

The real kicker? They didn’t just hack the target directly—they compromised the victim’s managed services provider (MSP) first, turning a single breach into a supply chain nightmare.  

If your organization uses Microsoft 365 or relies on an MSP for security, this story is a wake-up call about how long threats can fester undetected.&lt;br/&gt;&lt;b&gt;Suspicious Polyfill login prompts pop up on Toshiba, Muji websites&lt;/b&gt;&lt;br/&gt;A suspicious login screen is popping up on major brand websites—and it could be stealing your credentials.  
Toshiba and Muji have both warned visitors that fake authentication prompts, generated by an external service called polyfill[.io], are appearing on their pages.  
If you’ve entered your username and password into one of these screens, your account may be compromised.  
The culprit? A dormant script from a 2024 supply chain attack that just woke up.&lt;br/&gt;&lt;b&gt;Dark web Nemesis Market vendor gets 26 years for selling drugs&lt;/b&gt;&lt;br/&gt;A California man just got handed a 26-year federal prison sentence for selling fentanyl and meth on the dark web. His name is Darren Hughes, and he was running a shop on Nemesis Market—one of the largest illegal online bazaars before authorities shut it down in 2024.

Here’s the kicker: Hughes was so confident in his anonymity that he sent free meth samples to potential buyers. One of those samples landed in the hands of an undercover agent. That single move unraveled everything. If you’re a dark web vendor thinking you’re invisible, this case is a brutal reality check.&lt;br/&gt;&lt;b&gt;Over 900 US gas station tank gauge systems exposed to attacks&lt;/b&gt;&lt;br/&gt;Over 900 gas station tank gauge systems across the US are sitting ducks for hackers right now. These are the same devices that monitor fuel levels and detect dangerous leaks at your local pump.

Federal agencies just issued a rare joint warning: attackers are actively exploiting these systems, and the consequences could be far worse than a simple price display hack. If you own, operate, or fuel up at a gas station, this one hits close to home.&lt;br/&gt;&lt;b&gt;Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts&lt;/b&gt;&lt;br/&gt;Over the weekend, hackers hijacked Instagram accounts linked to the Obama White House and the U.S. Space Force, plastering them with pro-Iranian propaganda. The culprit wasn’t a sophisticated breach—it was a clever trick played on Meta’s AI support bot, which willingly handed over password resets.  

This exploit, shared on Telegram, shows how easy it is to weaponize AI assistants against their own users. If you’re on Instagram without multi-factor authentication (MFA), your account is at risk. The attackers targeted high-value, short usernames worth over half a million dollars, but the same method could hit anyone.&lt;br/&gt;&lt;b&gt;A 0-click exploit chain for the Pixel 10: When a Door Closes, a Window Opens&lt;/b&gt;&lt;br/&gt;Google’s Pixel 10 hasn’t even hit shelves yet, and security researchers already have a zero-click exploit chain ready for it. The same team that broke into the Pixel 9 using a Dolby audio bug has now adapted their attack for the new hardware—proving that closing one door just opens a window for attackers.

This isn’t just about Pixel phones. The Dolby vulnerability affects every Android device that uses the popular audio library, meaning millions of users could be at risk if they haven’t patched. The real kicker? The researchers found a completely new attack path through a driver that didn’t exist on the Pixel 9, showing that “new and improved” doesn’t always mean “more secure.”&lt;br/&gt;&lt;b&gt;On the Effectiveness of Mutational Grammar Fuzzing&lt;/b&gt;&lt;br/&gt;Fuzzing isn't just about throwing random data at software anymore. A powerful technique called mutational grammar fuzzing uses predefined rules to generate structurally valid inputs, making it a favorite for uncovering deep, complex bugs in parsers and interpreters.

But here's the catch: this approach has hidden flaws that can quietly sabotage your fuzzing campaigns. Even if you're hitting new code coverage, you might be missing critical vulnerabilities—and the fix is surprisingly simple. If you rely on fuzzing for security testing, you need to know what's going wrong and how to fix it.&lt;br/&gt;&lt;b&gt;A Deep Dive into the GetProcessHandleFromHwnd API&lt;/b&gt;&lt;br/&gt;A long-forgotten Windows API called `GetProcessHandleFromHwnd` has been quietly opening a backdoor for privilege escalation—and it’s been doing so for years.  

Originally designed as a convenience tool for UI Access applications, this API was supposed to be safe. But researchers found it could be weaponized to bypass User Account Control (UAC) and grab process handles from protected apps.  

If you’re running Windows 11 (pre-24H2) or any older version, your system may be exposed. The fix? It’s complicated—and Microsoft only just patched it in the latest update.&lt;br/&gt;&lt;b&gt;Bypassing Administrator Protection by Abusing UI Access&lt;/b&gt;&lt;br/&gt;Microsoft’s shiny new Administrator Protection feature for Windows was supposed to lock down UAC once and for all. But security researchers found nine ways to bypass it before it even shipped.

The root cause? A long-standing weakness called UI Access that’s been quietly undermining Windows security for years. If you’re an IT admin or security pro relying on this feature to protect privileged accounts, you need to know what went wrong — and how Microsoft is finally fixing it.&lt;br/&gt;</description>
      <pubDate>Sat, 06 Jun 2026 00:00:00 +0000</pubDate>
    </item>
    <item>
      <title>Issue 2026-06-07</title>
      <link>https://zerodaily.in/issue/2026-06-07</link>
      <description>&lt;b&gt;Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks&lt;/b&gt;&lt;br/&gt;Dutch authorities just dropped the hammer on two hosting company owners, seizing 800 servers and making arrests in a case that reads like a spy thriller with a data center twist. The co-owners are accused of knowingly providing IT infrastructure to Russian intelligence agencies for cyberattacks, influence operations, and disinformation campaigns targeting the European Union.

This isn't just another takedown—it's a direct hit on the supply chain of Russian cyber aggression. If you're running a business in Europe, using cloud services, or even just browsing the web, the infrastructure these men allegedly operated has likely touched your digital life. The message is clear: hosting malicious actors comes with real consequences, and the Dutch aren't playing games.&lt;br/&gt;&lt;b&gt;Lawmakers Demand Answers as CISA Tries to Contain Data Leak&lt;/b&gt;&lt;br/&gt;A CISA contractor just did the unthinkable: they posted the agency’s deepest secrets on a public GitHub account named “Private-CISA.”

We’re talking plaintext credentials to dozens of internal systems, AWS GovCloud keys, and sensitive data—all sitting in the open for anyone to find. Lawmakers are now demanding answers, and CISA is scrambling to contain the fallout.

If you work in government, defense, or critical infrastructure, this leak puts your data at risk. The question isn’t if bad actors saw it, but how much they already took.&lt;br/&gt;&lt;b&gt;Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada&lt;/b&gt;&lt;br/&gt;A 23-year-old Ottawa man named Jacob Butler—known online as “Dort”—was arrested Wednesday for allegedly building and operating the Kimwolf botnet, an IoT malware strain that enslaved millions of devices worldwide. This isn’t just another cyber arrest: Kimwolf powered some of the largest DDoS attacks in recent history, hitting targets from the Department of Defense to journalists and security researchers.

If you own a digital photo frame, webcam, or any poorly secured smart device, you might have been part of this army without knowing it. The arrest sends a clear signal: law enforcement is finally catching up to the botnet-as-a-service underground. But the real question is—how many more “Dorts” are still out there?&lt;br/&gt;&lt;b&gt;CISA Admin Leaked AWS GovCloud Keys on Github&lt;/b&gt;&lt;br/&gt;Imagine a cybersecurity agency—the very one tasked with protecting America’s digital infrastructure—accidentally leaving its own master keys out in the open. That’s exactly what happened when a CISA contractor posted highly privileged AWS GovCloud credentials and internal system details on a public GitHub repository.

This isn’t just a slip-up; experts are calling it one of the most egregious government data leaks in recent memory. If you care about national security, cloud security, or how even the pros can stumble, this story is a wake-up call. The risk? Any threat actor who stumbled upon this repo could have accessed classified government systems.&lt;br/&gt;</description>
      <pubDate>Sun, 07 Jun 2026 00:00:00 +0000</pubDate>
    </item>
    <item>
      <title>Issue 2026-06-08</title>
      <link>https://zerodaily.in/issue/2026-06-08</link>
      <description>&lt;b&gt;Silent Ransom Group targets law firms with fake IT support calls&lt;/b&gt;&lt;br/&gt;A ransomware group is now calling law firms directly—pretending to be IT support. The Silent Ransom Group (tracked as UNC3753) has been targeting U.S. legal and professional services firms since early 2026, using fake help desk calls to trick employees into handing over credentials.

Once inside, they steal sensitive client data within hours. For law firms holding merger plans, trade secrets, and corporate reports, this isn't just a breach—it's a reputational and regulatory nightmare. If you work in legal or professional services, your inbox (and phone) just became a battlefield.&lt;br/&gt;&lt;b&gt;Oxford University discloses data breach after careers platform hack&lt;/b&gt;&lt;br/&gt;Oxford University just dropped a bombshell—a data breach on its CareerConnect platform, and it’s not just their problem. Hackers swiped names, emails, and encrypted passwords from a third-party provider, Group GTI, on May 28, putting students, alumni, and staff at risk of phishing attacks.

Why should you care? This isn’t a one-off glitch—it’s the second breach Oxford has faced this year, and the ripple effect hits other UK schools like King’s College London and the University of Manchester. If you’ve used a university career hub, your credentials might be in the crosshairs.&lt;br/&gt;&lt;b&gt;Over 20,000 Instagram accounts stolen in Meta AI support hack&lt;/b&gt;&lt;br/&gt;Over 20,000 Instagram accounts were hijacked in a clever hack that weaponized Meta’s own AI-powered support system. Attackers exploited a flaw in the High Touch Support (HTS) tool, which is designed to help locked-out users regain access, to reset passwords without proper verification.

This isn’t just a bug—it’s a wake-up call for anyone relying on Instagram’s security. If you have an account without two-factor authentication (2FA) enabled, you’re the prime target. The attackers didn’t need your password; they just needed a way to trick the AI into sending a reset link to their email.&lt;br/&gt;&lt;b&gt;Hands on with Intelligent Terminal, an AI-powered Windows Terminal&lt;/b&gt;&lt;br/&gt;Microsoft just dropped a new weapon for developers: Intelligent Terminal, an AI-powered fork of Windows Terminal that brings artificial intelligence directly into your command line. No more switching tabs, no more copy-pasting errors into ChatGPT.

This open-source tool acts as a built-in assistant that watches your terminal, catches failed commands, and suggests fixes in real-time. It’s a game-changer for anyone who lives in the shell—developers, sysadmins, and power users alike. But here’s the catch: it’s a separate app, not a Windows default, so you’ll need to opt in.&lt;br/&gt;&lt;b&gt;C0XMO botnet spreads via DD-WRT router flaw, kills rival malware&lt;/b&gt;&lt;br/&gt;A new breed of botnet is crawling through your home router right now. Meet C0XMO, a nasty variant of the infamous Gafgyt malware that’s actively exploiting a known flaw in DD-WRT router firmware.

It doesn’t stop there. Once inside, it spreads like wildfire across other devices, kills rival malware on the same system, and turns everything into a weapon for massive DDoS attacks. If you own a router, DVR, or any IoT device, you’re in the crosshairs.&lt;br/&gt;&lt;b&gt;Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts&lt;/b&gt;&lt;br/&gt;A stunningly simple trick just let hackers hijack high-profile Instagram accounts using nothing more than Meta’s own AI support bot. The Obama White House and the U.S. Space Force’s top enlisted leader were among the victims, their profiles defaced with pro-Iranian propaganda over the weekend.

The exploit is so straightforward it’s almost embarrassing: attackers just asked Meta’s AI assistant to add a new email to an account, and it happily obliged. This isn’t a sophisticated breach—it’s a social engineering attack against a chatbot. And if you don’t have multi-factor authentication enabled, you’re at risk too.&lt;br/&gt;&lt;b&gt;A 0-click exploit chain for the Pixel 10: When a Door Closes, a Window Opens&lt;/b&gt;&lt;br/&gt;Google’s Pixel 10 was supposed to be safer—but researchers just proved that when one door closes, another one swings wide open.

A fresh exploit chain shows attackers can go from zero-click to full device takeover on the Pixel 10, using a patched Dolby vulnerability combined with a brand-new driver exploit. If you’re on an unpatched Pixel 10, your device could be compromised without you ever touching a malicious link.&lt;br/&gt;&lt;b&gt;On the Effectiveness of Mutational Grammar Fuzzing&lt;/b&gt;&lt;br/&gt;Think fuzzing is just about throwing random data at software until something breaks? Think again.

Mutational grammar fuzzing is a powerful technique that keeps generated test cases structurally valid while hunting for bugs. But here's the catch: it has hidden flaws that can quietly sabotage your entire fuzzing campaign, even when you're using top-tier tools.

If you're a security researcher, developer, or anyone relying on automated bug hunting, this breakdown reveals why your fuzzer might be wasting cycles—and how a simple tweak can dramatically improve your results.&lt;br/&gt;&lt;b&gt;A Deep Dive into the GetProcessHandleFromHwnd API&lt;/b&gt;&lt;br/&gt;A forgotten Windows API just became a hacker’s best friend—and Microsoft is only now patching it. The `GetProcessHandleFromHwnd` function, meant to simplify window-to-process lookups, was quietly handing attackers a golden ticket to escalate privileges. If you’re on Windows 11 before 24H2, your system could be a sitting duck for UAC bypasses and process injection attacks.

This isn’t just a theoretical flaw. It’s already been weaponized in the wild via Quick Assist, a built-in Microsoft tool. The risk? Anyone running a standard user account could be one click away from full admin control. Time to check your Windows version.&lt;br/&gt;&lt;b&gt;Bypassing Administrator Protection by Abusing UI Access&lt;/b&gt;&lt;br/&gt;Microsoft's shiny new Administrator Protection feature in Windows? It had nine critical bypasses before it even hit the streets. A security researcher found them all—and five share a single, nasty root cause: a legacy UAC component called UI Access that's been quietly undermining Windows security for over a decade.

If you're a Windows user, IT admin, or security pro, this matters. These bypasses could let malware or a limited user silently hijack privileged processes. The good news? All nine have been patched. The bad news? This reveals a much deeper, older problem that Microsoft is only now starting to fix.&lt;br/&gt;</description>
      <pubDate>Mon, 08 Jun 2026 00:00:00 +0000</pubDate>
    </item>
  </channel>
</rss>
