# Top Stories

April 02, 2026

  1. The Record threat-intel Apr 01
    WhatsApp warns users of fake app used to distribute spyware

    WhatsApp warns that Italian spyware manufacturer SIO created a fake iPhone app to distribute surveillance malware, with most targeted users located in Italy. The attack demonstrates how nation-state surveillance vendors are leveraging trusted messaging platforms to deliver spyware to mobile devices.

  2. BleepingComputer general Apr 01
    New CrystalRAT malware adds RAT, stealer and prankware features

    CrystalRAT malware-as-a-service is being promoted on Telegram, offering remote access trojans, data theft capabilities, keylogging, and clipboard hijacking features. The service represents the continued commoditization of advanced malware capabilities through messaging platforms accessible to lower-skilled threat actors.

  3. BleepingComputer general Apr 01
    Apple expands iOS 18 updates to more iPhones to block DarkSword attacks

    Apple expanded iOS 18 security updates to protect more iPhones against the actively exploited DarkSword exploit kit. The move addresses ongoing zero-day attacks targeting iOS devices and demonstrates Apple's response to persistent threat actor exploitation of mobile vulnerabilities.

  4. BleepingComputer general Apr 01
    Hackers exploit TrueConf zero-day to push malicious software updates

    Hackers exploited a zero-day vulnerability in TrueConf conference servers to execute arbitrary files on all connected endpoints through malicious software updates. The attack highlights supply chain risks in enterprise video conferencing infrastructure where server compromise can lead to widespread endpoint infection.

  5. The Record threat-intel Apr 01
    Crypto platform Drift suspends services after millions stolen in security incident

    Cryptocurrency platform Drift suspended operations after a cyberattack that security experts believe resulted in hundreds of millions of dollars in stolen digital assets. The incident represents one of the largest DeFi platform breaches, highlighting persistent security vulnerabilities in decentralized finance infrastructure.

  6. BleepingComputer general Apr 01
    New EvilTokens service fuels Microsoft device code phishing attacks

    EvilTokens, a new malicious kit, integrates device code phishing to hijack Microsoft accounts and enables advanced business email compromise attacks. The service automates OAuth device code abuse, allowing attackers to bypass traditional authentication controls and gain persistent access to corporate Microsoft environments.

  7. The Record threat-intel Apr 01
    Mercor confirms security incident tied to LiteLLM supply chain attack

    Mercor confirmed a security incident linked to the LiteLLM supply chain attack, with Lapsus$ claiming to have obtained hundreds of gigabytes of company data. The breach demonstrates how supply chain compromises in AI/ML tooling can cascade to affect downstream enterprise customers and their sensitive data.

  8. The Record threat-intel Apr 01
    North Dakota water treatment plant reports March ransomware attack

    A water treatment plant in Minot, North Dakota was hit with ransomware in March 2026, though city officials report the facility continues operating normally. The attack on critical infrastructure highlights ongoing threats to municipal water systems and the potential for operational disruption in essential services.

  9. BleepingComputer general Apr 01
    'NoVoice' Android malware on Google Play infected 2.3 million devices

    NoVoice Android malware infected 2.3 million devices through 50+ malicious apps distributed on Google Play Store. The campaign demonstrates the continued effectiveness of trojanized applications in bypassing Google's security controls and achieving massive device compromise at scale.

  10. Schneier on Security threat-intel Apr 01
    Is “Hackback” Official US Cybersecurity Strategy?

    The 2026 US Cyber Strategy document includes language about "unleashing the private sector by creating incentives to identify and disrupt adversary networks," potentially signaling official support for private sector hackback operations. This represents a significant policy shift that could authorize companies to conduct offensive cyber operations against threat actors.