
Hello, stay ahead with CISO Brief 🚀

Every day the cybersecurity world moves fast — new incidents, evolving AI risks, changing regulations, and critical vendor updates. We cut through the noise to deliver only what matters most for your business and security strategy.

CISO Brief brings you a daily digest of high-signal news: major breaches, hyperscaler security releases, AI and compliance shifts, and the latest threat intelligence — all in one concise update.

Built for CISOs, CTOs, and architects, our goal is to save you time, reduce distraction, and keep you on the pulse of the risks and opportunities that shape tomorrow.

👉 Join our Telegram channel for your daily update — stay informed, stay ready.

Cybersecurity News Digest — Daily Briefings

Latest News


North Korean campaign publishes malicious packages

🛡️ Researchers observed North Korea–linked actors behind the Contagious Interview campaign publish 108 unique malicious packages and extensions across npm, Packagist, Go, and Chrome under an operation dubbed PolinRider. The releases include obfuscated JavaScript loaders that append code to common project config files and leverage VS Code task auto-run behavior to execute payloads. Attackers appear to acquire or retain registry and maintainer access via repository compromises, domain takeovers, or malicious dependencies. The campaign has been active since at least 2023 and continues to deliver RATs and stealers through multi-stage blockchain-backed payload delivery.

Seven vulnerabilities disclosed in ubiquitous FatFs library

🔒 Security firm runZero disclosed seven vulnerabilities in the FatFs filesystem library used to read FAT/exFAT on many embedded devices. The bugs—rated Medium to High—can lead to memory corruption, crashes, data leaks, or code execution when a device mounts malformed media or firmware images. Only the GPT hang issue is fixed upstream; most fixes must come from downstream vendors who bundle FatFs. runZero published PoCs and urges vendors and integrators to audit wrappers and treat physical ports and update channels as attack surfaces.

Bad Epoll kernel flaw lets local users become root

🛡️ A newly disclosed Linux kernel vulnerability, Bad Epoll (CVE-2026-46242), allows an ordinary local user to escalate privileges to root and affects Linux desktops, servers, and Android. The flaw is a use-after-free race in the epoll subsystem; the timing window is tiny but an exploit by researcher Jaeyoung Chung widens it and succeeds reliably. A fix is available upstream (commit a6dc643c6931) and distributions should backport it; kernels built on 6.4+ are affected unless patched.

Avalon modular malware framework and CrownX ransomware

🛡️ Cybersecurity researchers uncovered a modular malware framework dubbed Avalon that uses a multi-stage phishing chain to bypass traditional defenses and deploy a ransomware component called CrownX. The campaign begins with a spoofed legal-document email pointing victims to a password-protected Proton Drive archive containing an ISO image. Interaction with a malicious Windows Shortcut inside the mounted image triggers an MSBuild-led loader that disables ETW, fetches additional payloads, and ultimately launches Avalon. The framework includes credential harvesting, crypto-wallet theft, lateral movement, data exfiltration, recovery disruption, anti-forensics, and disk tampering capabilities.

Massive Microsoft 365 password spray attack exposed

🔒 Microsoft users experienced a large-scale automated password spray campaign that targeted accounts indiscriminately, including clients of security firm Huntress. Huntress reported 81 million login attempts against its customers between June 12 and 26, with at least 78 successful compromises. Attack traffic originated from an IPv6 range tied to LSHIY LLC, which has since cut service to the offending customer. The attackers abused the OAuth ROPC flow to replay valid credentials, bypassing protections where MFA was not enforced for all cloud apps or all user groups.

ARToken PhaaS reveals EvilTokens Microsoft 365 toolkit

🛡️ Cisco Talos uncovered a React-based ARToken management panel exposing 80+ API endpoints and client-side code that reveals expanded phishing capabilities. The platform, tied to the EvilTokens ecosystem, automates Microsoft 365 account compromise by stealing authentication tokens, obtaining persistent Primary Refresh Tokens (PRTs), and accessing Outlook, SharePoint, and OneDrive. ARToken deploys Cloudflare Workers, supports multi-tenant affiliate operations, and includes tools for BEC automation and mailbox monitoring.

Adobe adds second monthly Patch Tuesday cycle

🛡️ Adobe will publish security updates twice each month to address faster vulnerability discovery and exploitation. The company will keep its existing second-Tuesday schedule and add a fourth-Tuesday release starting July, applying to advisories with CVEs needing customer action. Adobe cited increased threats and investment in vulnerability discovery as drivers for the new cadence. The change mirrors industry trends toward more frequent patching.

Armored Likho targets governments and utilities

🛡️ Kaspersky attributes a newly documented threat actor, Armored Likho, to espionage and financially motivated campaigns against government agencies and the electric power sector in Russia, Brazil, and Kazakhstan. The group's toolkit includes obfuscated Python stealers (BusySnake), modular RATs, Go2Tunnel for reverse SSH, and droppers delivered via spear-phishing or weaponized LNK files exploiting CVE-2025-9491. The malware emphasizes persistence, credential theft, and dynamic module delivery tailored to victims.

Qilin Emerges as Dominant Ransomware Operation

🛡️ Check Point and Sophos research shows Qilin has consolidated a large share of the ransomware market after disruption of rival groups. Active since 2022, Qilin lists the most victims and attracts affiliates with high payouts, mature infrastructure and AI-enabled tools. Rival groups like The Gentlemen have resurged, while increased prominence raises the likelihood of law enforcement action.

SMB Cyber Readiness: Prioritize the Fundamentals

🔒 AI is reshaping attacker toolkits, but familiar failures—phishing, unpatched vulnerabilities, poor monitoring and weak passwords—remain the primary causes of incidents for SMBs. ESET telemetry and research show AI mainly amplifies these risks rather than replacing them with pervasive, real-time AI malware. Practical mitigations like patch management, identity protection, MFA, password managers and MDR services remain the most effective ways to improve readiness and resilience.

Citrix NetScaler memory overread patched, exploits spotted

🔒 Citrix patched a new NetScaler memory overread, CVE-2026-8451, similar to prior CitrixBleed issues; researchers from watchTowr disclosed that malformed unauthenticated requests can leak protected process memory. While this flaw leaks smaller data fragments than earlier CitrixBleed faults, it still poses risk for chaining with memory-write exploits. Citrix also fixed additional high-severity memory overflows and an HTTP/2 DoS; customers are urged to upgrade and apply configuration mitigations.

Industrialized ransomware through criminal collaboration

🔐 Sophos reports a new collaboration between the Vect ransomware group and TeamPCP, a supply-chain credential theft gang linked to The Com collective. The partnership combines TeamPCP’s large-scale credential harvesting from developer toolchains with Vect’s ransomware-as-a-service operations, raising the risk that compromised accounts could be escalated into ransomware incidents. Sophos and the FBI have both issued warnings and detailed associated malware and tactics, urging organizations to harden developer and supply-chain security.

Flock’s Vehicle Fingerprinting Enables Plateless Surveillance

🚨 A 2024 company presentation reveals that Flock uses a so-called “Vehicle Fingerprint” combining decals, bumper stickers, racks and temporary tags to identify cars when license plates are incomplete or absent. The system enables officers to search that dataset, perform multi-geo queries and locate vehicles believed to be traveling together. Bruce Schneier notes this capability echoes older surveillance practices and warns that similar outcomes are possible with broad access to cell phone location data.

FBI and Google Disrupt Major NetNut Proxy Network

🛡️ In a coordinated international action, the FBI and Google's Threat Intelligence Group disrupted NetNut, a large commercial residential proxy network built on the Popa botnet. The operation targeted infrastructure, seized domains and worked with partners like Lumen and the IRS to degrade the service. Google disabled accounts, updated Play Protect and removed compromised apps to reduce the pool of infected devices by millions. The takedown exposed ties between the botnet and reseller programs and prompted debate after some NetNut domains remained temporarily active.

PamStealer macOS stealer uses fake Maccy sites

🛡️ Cybersecurity researchers have identified PamStealer, a macOS information stealer distributed as a compiled AppleScript masquerading as the open-source clipboard manager Maccy. The dropper fetches a Rust-based Mach-O stealer that harvests browsers, wallet extensions, iCloud Keychain, and clipboard data, then exfiltrates it to attacker infrastructure. The malware also coerces victims into entering their system password and validates it via PAM before capturing it.

Anthropic: Claude Fable 5 will return to subscriptions

📰 Anthropic says access to Claude Fable 5 is being moved off standard subscriptions after July 7 and shifted to usage-based billing due to unpredictable high demand. The model remains available globally via the Claude API and consumption-based Enterprise plans, while subscription access is being rolled out conservatively. Anthropic expects to restore Fable 5 to subscriptions once sufficient capacity is available, clarifying the change is not intended to be permanent.

Claude Fable relaunch disappoints users

🤖 Anthropic's Claude Fable has been restored for all users, including Max subscribers, but comes with strict usage caps and degraded behavior. Users report frequent fallbacks to Opus 4.8 and tighter guardrails that block or reduce performance on security‑adjacent and systems‑level prompts. The model will shift to a pay‑to‑play usage credits system after July 7, further limiting access.

WebAuthn Redirection Added to Browser RDP Clients

🔒 Prisma Browser added WebAuthn redirection to its in-browser RDP client, becoming the first non-Windows client to support Microsoft’s MS-RDPEWA protocol. The team found gaps in the spec, reverse-engineered undocumented Windows server behavior, and created a custom Chromium extension API to accept precomputed clientDataHash values. This approach reuses Chromium’s FIDO2 stack to support USB keys, Touch ID, Windows Hello and phone-as-authenticator transports.