Hello, stay ahead with CISO Brief 🚀

Every day the cybersecurity world moves fast — new incidents, evolving AI risks, changing regulations, and critical vendor updates. We cut through the noise to deliver only what matters most for your business and security strategy.

CISO Brief brings you a daily digest of high-signal news: major breaches, hyperscaler security releases, AI and compliance shifts, and the latest threat intelligence — all in one concise update.

Built for CISOs, CTOs, and architects, CISO Brief aims to save you time, reduce distraction, and keep you on the pulse of the risks and opportunities that shape tomorrow.

👉 Join our Telegram channel for your daily update — stay informed, stay ready.

Cybersecurity News Digest — Daily Briefings

Latest News

CloudZ RAT Abuses Microsoft Phone Link to Steal OTPs

🔐 A new CloudZ remote access tool (RAT) variant deploys a previously unseen plugin named Pheno that hijacks Microsoft Phone Link on Windows 10 and 11 to extract SMS messages and one‑time passwords from the application’s local SQLite database. Cisco Talos says the intrusion has been active since at least January and can intercept OTPs mirrored to the desktop without compromising the mobile device. The infection chain begins with a fake ScreenConnect update that drops a Rust loader and a .NET loader which installs CloudZ, establishes persistence via a scheduled task, and performs anti-analysis checks.

UAT-8302: China-Nexus APT Targeting Government Networks

🔒 Cisco Talos discloses UAT-8302, a China-nexus APT targeting government entities in South America and southeastern Europe since late 2024 into 2025. Post-compromise activity includes reconnaissance, credential theft, and lateral movement using tools like Impacket, plus deployment of multiple custom backdoors such as NetDraft, CloudSorcerer v3, and VSHELL with stagers SNOWLIGHT and SNOWRUST. Talos links these artifacts to other China-nexus clusters and publishes IOCs, ClamAV signatures, and Snort rules to assist defenders.

CloudZ RAT and Pheno Plugin Abuse Microsoft Phone Link

🔍 Cisco Talos disclosed an active campaign, running since January 2026, in which an unknown actor deployed a modular .NET RAT called CloudZ and a novel plugin, Pheno. Pheno targets the Windows Phone Link feature to detect an active PC-to-phone bridge and stage Phone Link SQLite files, enabling potential interception of mirrored SMS and OTPs without compromising the phone. CloudZ executes core functions dynamically in memory, performs anti-debug and sandbox checks, and supports plugin-based credential exfiltration.

NCSC Warns of AI-Driven Patch Wave and Vulnerabilities

🛡️ The NCSC has warned UK organisations to prepare for a coming "patch wave" as vendors adopt powerful AI tools to discover and fix software vulnerabilities. CTO Ollie Whitehouse urged teams to prioritise external attack surfaces, enable automatic updates and hot patching where safe, and follow the NCSC's Vulnerability Management guidance. He cautioned that patching alone isn't enough for unsupported legacy systems and recommended replacing or restoring out-of-support technologies. The alert also notes potential US moves by CISA to shorten patch deadlines and industry concerns about operational readiness.

ScarCruft Supply-Chain Delivers BirdCall to Android, Windows

⚠️ ESET reports that the North Korea‑aligned threat group ScarCruft compromised the sqgame[.]net gaming platform in a targeted supply‑chain operation to deploy the BirdCall backdoor to Android and Windows users. The compromise, active since late 2024, trojanized Android APKs for two games and delivered a malicious Windows update DLL that used RokRAT as a loader. BirdCall — an evolution of RokRAT — harvests contacts, SMS, call logs, media, screenshots, keystrokes and ambient audio, and leverages legitimate cloud services for command‑and‑control.

ScarCruft Delivers BirdCall Android Spyware via Game Site

📱 ESET researchers report that North Korean-linked APT37 (ScarCruft) developed an Android variant of the BirdCall backdoor and distributed it through trojanized APKs on the sqgame.net game platform. The Android implant, first seen around October 2024 and produced in at least seven variants, collects contacts, call logs, SMS, device identifiers, location and system metrics, takes periodic screenshots, records audio during evening hours, and exfiltrates targeted files to a C2. The campaign focused on users in the Yanbian region and underscores ScarCruft’s continued use of supply-chain tactics; users are advised to download apps only from official marketplaces and trusted publishers.

CISOs Rethink Hiring as AI Widens Skills Shortage Now

🔒 A persistent cybersecurity skills shortage is forcing CISOs to change hiring, training, and architecture decisions as AI amplifies attack scale and complexity. ISC2’s 2025 workforce study found 95% of organizations report at least one skills gap and nearly 60% call those gaps critical or significant. Leaders are turning to internal upskilling, automation, and role transitions, while balancing trade-offs between best-of-breed tooling, integrated platforms, and multicloud complexity.

Zero Trust Often Fails at the Traffic Enforcement Layer

🛡️ Organizations commonly implement strong identity, authentication and access policies under a zero-trust strategy, yet enforcement at the network traffic layer is frequently inconsistent. Gaps appear across ingress paths, load balancers, CDNs, TLS termination and east–west service communication, allowing traffic to bypass identity controls. Successful programs treat the traffic plane as the primary enforcement point: standardizing ingress, enforcing strict TLS baselines and mTLS, normalizing requests and maintaining end-to-end telemetry. The core message: mindset and policy alone are insufficient without consistent traffic-layer enforcement.

Trellix confirms unauthorized access to source code

🔒 Trellix disclosed on May 4 that threat actors gained unauthorized access to a portion of its source code repository and that it has notified law enforcement while working with leading forensic experts. The company, formed from the merger of McAfee Enterprise and FireEye, said it has found no evidence that its source code release or distribution process was affected or exploited. Trellix sells threat intelligence and AI-powered detection services including NDR and EDR and will share further details once the investigation concludes.

Critical RCE in Weaver E-cology Actively Exploited

⚠️ A critical unauthenticated remote code execution flaw (CVE-2026-22679, CVSS 9.8) in Weaver (Fanwei) E-cology 10.0 (prior to 20260312) is being actively exploited in the wild. The vulnerability exists in the /papi/esearch/data/devops/dubboApi/debug/method endpoint, where attacker-controlled parameters can invoke command-execution helpers. Weaver released patches on 2026-03-12; administrators should apply those updates, restrict access to debug/management endpoints, and use published detection scripts to hunt for exposed or compromised instances.

Microsoft details large-scale credential theft phishing

🔒 Microsoft disclosed a large-scale credential-theft phishing campaign that ran April 14–16, 2026, targeting over 35,000 users at more than 13,000 organizations across 26 countries. Attackers used polished, code-of-conduct-themed HTML lures, legitimate email delivery services and PDF attachments to funnel victims through CAPTCHA-gated pages into AiTM sign-in flows that harvested credentials and tokens, bypassing MFA. Most targets were in the U.S., with heavy impacts on healthcare, finance, professional services, and technology. Microsoft linked many endpoints to Tycoon 2FA, with additional activity tied to Kratos and EvilTokens.

White House Weighs Pre-Release Checks for High-Risk AI

🛡️ The White House is privately discussing whether advanced AI models that could enable cyberattacks should undergo government-led or formal pre-release reviews before public deployment. The talks were prompted by Anthropic’s Mythos, which the company says has identified thousands of high-severity vulnerabilities, and by comparable capabilities from other labs. Officials are weighing options including formal vetting and targeted testing for higher-risk systems. No policy has been finalized and no timeline has been set.

CloudWatch Logs Insights Adds Tag-Based Log Group Queries

🏷 CloudWatch Logs Insights now supports querying log groups by tags, allowing searches across all log groups that share key-value tags without listing them explicitly. Tags such as Environment:Production, Application:PaymentService, or Owner:TeamName let teams scope queries by environment, application, or ownership. As log group tags are added or removed, queries automatically reflect the matching log groups, reducing operational overhead as environments scale. This capability is available today in all commercial AWS Regions.

Critical RCE in Weaver E-cology Exploited Since March

🔒 Researchers observed exploitation of a critical unauthenticated RCE (CVE-2026-22679) in Weaver E-cology 10.0 beginning in mid-March, days after the vendor released a patch and before public disclosure. Attackers abused an exposed debug API that allowed user-supplied parameters to reach backend RPC handlers and be executed as system commands, performing discovery and attempting PowerShell-based payloads and an MSI deployment. The vendor's update (build 20260312) removes the debug endpoint entirely, and administrators are urged to apply the update immediately.

Amazon WorkSpaces Applications adds URL redirection

🔁 Amazon WorkSpaces Applications now supports host-to-client URL redirection, automatically launching approved links from streaming sessions in the user's local browser. Administrators can configure allow and deny URL patterns via the AWS Management Console to keep sensitive applications inside the streaming environment while offloading bandwidth-heavy content such as video. The feature works for browser navigation and embedded links in applications like Microsoft Word, with host-side support for Chrome and Edge; URLs on the configured allow list open automatically in the user's default local browser.

Amazon SES Increasingly Abused in Phishing Attacks Globally

📧 Kaspersky reports a surge in phishing campaigns that abuse AWS Simple Email Service (SES) to bypass authentication and reputation-based defenses. Attackers are exploiting exposed AWS Identity and Access Management keys discovered in public repositories, configuration files, container images, backups, and open S3 buckets. They automate secret scanning, permission validation, and mass email distribution to send highly credible lures—custom HTML templates and fake document-signing notifications—that redirect victims to AWS-hosted phishing pages.

Securing Open Proxies in Your AWS Environment: Guidance

🔒 This AWS Security Blog post explains how to identify and secure open proxies in your AWS environment to prevent abuse, protect IP reputation, and control costs. It describes common proxy types—HTTP, SOCKS, transparent, and reverse—and the risks they introduce when misconfigured on EC2 instances, containers, and serverless functions. The guidance recommends strict access controls and authentication, deploying proxies in private subnets or via AWS PrivateLink, and restricting security groups and load balancers. It also emphasizes monitoring with VPC Flow Logs, CloudTrail, and GuardDuty, automated remediation, regular assessments with Amazon Inspector, and keeping incident response runbooks current.

Phishing Campaign Leverages RMM to Maintain Persistent Access

🛡️ Securonix warns of an active phishing campaign codenamed VENOMOUS#HELPER that has compromised over 80 organizations, primarily in the U.S., by abusing legitimate Remote Monitoring and Management tools. Attackers deliver a JWrapper-packaged executable via phishing links hosted on a compromised Mexican site to install SimpleHelp RMM with Safe Mode persistence and a self-healing watchdog. Operators elevate to SYSTEM using AdjustTokenPrivileges and deploy ConnectWise ScreenConnect as a fallback, creating redundant remote access for potential ransomware or extortion follow-on activity.