# Top Stories

April 26, 2026

  1. The Hacker News general Apr 24
    FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Survives Security Patches

    CISA revealed that a federal civilian agency's Cisco Firepower device running ASA software was compromised in September 2025 with the FIRESTARTER backdoor malware. The backdoor provides remote access and maintains persistence even after security patches are applied, demonstrating advanced evasion capabilities against enterprise security infrastructure.

  2. The Hacker News general Apr 25
    Researchers Uncover Pre-Stuxnet ‘fast16’ Malware Targeting Engineering Software

    SentinelOne researchers discovered 'fast16,' a Lua-based malware framework from 2005 that predates Stuxnet and targeted high-precision calculation software to tamper with results. The malware included self-propagation mechanisms and represents early cyber sabotage efforts potentially linked to US-Iran tensions, providing historical context for nation-state attacks on critical infrastructure.

  3. The Hacker News general Apr 25
    CISA Adds 4 Exploited Flaws to KEV, Sets May 2026 Federal Deadline

    CISA added four actively exploited vulnerabilities to its KEV catalog with a May 2026 federal deadline: CVE-2024-57726 (CVSS 9.9) affecting SimpleHelp, plus flaws in Samsung MagicINFO 9 Server and D-Link DIR-823X routers. The SimpleHelp vulnerability involves missing authorization controls that could enable complete system compromise.

  4. SecurityWeek general Apr 25
    China-Linked APT GopherWhisper Abuses Legitimate Services in Government Attacks

    China-linked APT group GopherWhisper uses multiple Go-based backdoors alongside custom loaders and injectors to target government entities while abusing legitimate services for command and control. The group's reliance on Go-based tooling and legitimate service abuse demonstrates sophisticated operational security practices for persistent government network access.

  5. BleepingComputer general Apr 25
    Threat actor uses Microsoft Teams to deploy new “Snow” malware

    Threat group UNC6692 deploys its custom 'Snow' malware suite via Microsoft Teams social engineering; the suite includes a browser extension, a tunneler, and backdoor components. The attack demonstrates how legitimate collaboration platforms like Teams can be weaponized for initial access and malware deployment in corporate environments.

  6. BleepingComputer general Apr 24
    New BlackFile extortion group linked to surge of vishing attacks

    The BlackFile extortion group has conducted data theft and extortion attacks against retail and hospitality organizations since February 2026 and is linked to a surge in vishing (voice phishing) attacks. The group's targeting of customer-facing industries and use of voice-based social engineering represents an evolution in ransomware group tactics.

  7. The Record threat-intel Apr 24
    Toronto police arrest three in Canada’s first mobile SMS blaster case

    Toronto police arrested three men in Canada's first mobile SMS blaster case involving devices that impersonate cellular towers to send mass phishing messages and disrupt mobile networks. The arrests highlight law enforcement action against cellular network exploitation tools that can bypass traditional SMS security controls.

  8. Dark Reading general Apr 24
    North Korea's Lazarus Targets macOS Users via ClickFix

    North Korea's Lazarus group targets macOS users via ClickFix techniques, focusing on Mac-centric organizations and high-value leaders for initial access and data theft. The campaign shows Lazarus expanding beyond Windows environments to target Apple's ecosystem with social engineering lures.

  9. Dark Reading general Apr 24
    US Busts Myanmar Ring Targeting US Citizens in Financial Fraud

    US authorities charged 29 people, including a Cambodian senator, in a Myanmar-based financial fraud ring targeting US citizens, and seized over 500 web domains tied to fake investment sites. The international operation demonstrates the global scope of cryptocurrency and investment fraud schemes operating from Southeast Asia.

  10. The Record threat-intel Apr 24
    ADT says customer data stolen in cyber intrusion

    Home security company ADT disclosed that cybercriminals breached company systems on Monday and stole a 'limited set' of customer and prospective customer information. The breach affects a major home security provider with access to sensitive customer data including security system details and personal information.