Hello, stay ahead with CISO Brief 🚀

⚠ The official JDownloader website was compromised between May 6 and May 7, 2026, and attackers replaced alternative Windows and Linux installers with malicious payloads. The Windows binaries deploy a heavily obfuscated Python-based remote access trojan, while the Linux shell installer installs SUID-root components and persistence. Developers say the CMS was abused to alter download links without host-level access and have taken the site offline to investigate. Users who ran affected installers should treat systems as compromised, verify installers' digital signatures (AppWork GmbH) and consider reinstalling and rotating credentials.

⚠️A malicious Hugging Face repository impersonated OpenAI’s Privacy Filter and briefly reached #1, reportedly accumulating 244,000 downloads before removal. HiddenLayer found the repo used a typosquatted name and a loader.py that disabled SSL checks, decoded a base64 URL, and executed a PowerShell chain to deploy a Rust-based infostealer. The malware harvests browser credentials, tokens, wallets, SSH/FTP/VPN files and more, exfiltrating data to a C2 server. Users are urged to reimage affected machines, rotate credentials, and replace wallets and seed phrases.

🔒 cPanel has released updates to address three vulnerabilities in cPanel and Web Host Manager (WHM) that could enable privilege escalation, arbitrary code execution, and denial-of-service. The flaws are tracked as CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203, with CVSS scores up to 8.8. Multiple release lines and the WP Squared build are patched, and a direct 110.0.114 update is available for CentOS 6/CloudLinux 6 users. Administrators are advised to apply updates promptly.

🔒 AWS Client VPN now provides a Linux desktop client compatible with Ubuntu 26.04 LTS, expanding support beyond 22.04 and 24.04. The AWS-supplied client is free and available in all regions where the service is generally available. As a managed VPN service, AWS Client VPN securely connects remote employees to AWS and on-premises networks. Desktop support also includes MacOS (Sonoma 14.0, Sequoia 15.0, Tahoe 26.0) and Windows 11, with ARM64 builds available.

🔐 Ivanti disclosed five vulnerabilities in its on‑premises Endpoint Manager Mobile (EPMM) suite, and one—CVE-2026-6973—has been added to CISA’s Known Exploited Vulnerabilities Catalog due to active exploitation. Updated EPMM releases resolving the issues are available and administrators are urged to apply patches and rotate administrative credentials immediately. The defects include improper input validation, access control failures, and certificate validation errors, and Ivanti says it is using AI tools to help identify additional vulnerabilities. Organizations should also review enrollment settings such as Apple Device Enrollment and assess whether legacy on‑premises MDM fits a Zero Trust model.

📣 Amazon Connect now supports Default Guides for After Contact Work (ACW), automatically launching a Step-by-Step Guide when an agent enters ACW. This eliminates manual navigation to wrap-up tools and helps standardize post-contact workflows. The feature reduces handle time, lowers errors, and improves agent consistency and productivity. Step-by-Step Guides are available in multiple AWS regions.

🚀 The Gemini CLI CI/CD extension lets developers deploy functional apps directly from a terminal, closing the gap between local prototyping and production pipelines. It performs a pre-deployment secret scan, analyzes project files, and can containerize using buildpacks before deploying to Cloud Run or Cloud Storage. For production workflows it can design CI/CD pipelines, provision resources, and generate Cloud Build YAML and triggers.

🛡️Elastic Security Labs has detailed a previously undocumented Brazilian banking trojan named TCLBANKER, tracked as REF3076, which targets 59 banks, fintechs and cryptocurrency platforms. The campaign appears to be a major evolution of the Maverick family and bundles a robust loader, a full-featured trojan, and a worm that propagates via WhatsApp Web and Outlook. The loader abuses a signed Logitech installer and uses DLL side-loading, anti-analysis checks, and environment-gated payload decryption to evade detection.

⚠️Analysis by the Anti-Corruption Data Collective found significant insider activity on Polymarket. Long-shot wagers—bets of $2,500 or more at implied odds of 35% or less—had an average win rate of about 52% in markets on military and defense actions. By contrast, those long-shot bets won roughly 25% in politics-focused markets and only 14% platform-wide. Author Bruce Schneier warns that permitting such activity risks warping political and military outcomes far more severely than insider sports betting.

🌐 Amazon Web Services now lets customers add or remove AWS Regions for Route 53 Global Resolver, enabling flexible control over where anycast DNS queries are resolved. This update lets organizations expand Global Resolver coverage or adjust regional deployments to meet compliance and latency objectives without recreating configurations. The feature supports anycast resolution for public domains and private Route 53 hosted zones, includes DNS query filtering and centralized logging, and is available at no additional cost in supported Regions.

⚠ Microsoft Defender researchers describe Dirty Frag, a Linux local privilege escalation that abuses kernel networking and memory-fragment handling in esp4, esp6, and rxrpc. Public proof-of-concept activity and active targeting suggest the exploit yields more reliable escalation from unprivileged user to root across multiple distributions. Microsoft recommends immediate mitigations—disable unused modules, harden containers, increase monitoring, clear caches cautiously, and prioritize vendor kernel patches—while Defender expands detections.

📢 AWS Service Catalog is now available in Asia Pacific (New Zealand) and Canada West (Calgary). The service enables administrators to define and manage approved Infrastructure as Code products using AWS CloudFormation or third‑party tools like Terraform, and to share portfolios across accounts via AWS Organizations. Organizations can apply launch and template constraints, manage product versions, and control access with AWS Identity and Access Management (IAM) to provide governed self‑service provisioning at scale for engineers, DBAs, and other end users.

🔒 NVIDIA confirmed that GeForce NOW user information was exposed in a breach limited to Armenia after a regional partner's infrastructure was compromised. The company said its own network and NVIDIA-operated services were not affected and it is assisting the partner. Regional operator GFN.am said the incident occurred March 20–26 and that impacted users will be notified. Exposed fields reportedly include names, emails, phone numbers, dates of birth and usernames; no passwords were exposed.

🚀 Google Cloud has reworked GKE node provisioning to deliver up to 4× faster node startup for qualifying nodes, reducing cold-start latency out of the box. This architectural upgrade combines intelligent compute buffers, fast-starting virtual machines, and a redesigned control plane so clusters scale more quickly without any customer configuration. The improvement is live for GKE Autopilot on select NVIDIA and general-purpose instance types, lowering the need to over-provision and speeding AI inference.

🔍 Traditional SIEM logic — fixed rules that match event A followed by event B — is increasingly insufficient against modern, sophisticated threats that use legitimate tools and supply-chain vectors. Kaspersky describes a shift to continuously updated correlation content informed by its MDR service and threat research. In 2025 the team delivered dozens of updates and hundreds of new or refined rules, and now maintains over 850 rules mapped to MITRE ATT&CK. Integration with Kaspersky EDR and expanded telemetry helps detect multi-stage attack chains and reduce false positives.

🔍 Cybersecurity researchers uncovered 28 fraudulent Android apps on the official Google Play Store that claimed to show call, SMS and WhatsApp histories for any number but instead pushed paid subscriptions that delivered fabricated, hard‑coded data. The apps, labeled CallPhantom by ESET, amassed over 7.3 million downloads—one exceeded 3 million—primarily targeting users in India and the Asia‑Pacific region before removal. Payments were processed via Google Play billing, UPI apps (including Google Pay, PhonePe and Paytm), or in‑app card forms, limiting refund options for non‑Play transactions. The apps requested few permissions, used simple UIs and even displayed deceptive notifications to coerce payments.

🔍 A joint investigation uncovered a covert faculty at Bauman Moscow State Technical University, known as Department 4, that appears to funnel students into GRU-linked hacking units. Leaked documents show the GRU controls admissions, curricula, and graduate postings, teaching malware development, penetration testing, and physical surveillance. The report highlights a state-run pipeline producing highly trained cyber operators.

🛡️ The operating model under most SOCs—not headcount—is driving persistent alert overload and slow containment times, despite rising security spend and dramatically faster attacker breakout windows. Prophet AI and similar platforms shift routine triage and pivot queries from humans to automation, freeing senior analysts to focus on detection engineering and complex hunts. The author presents a four-question SOC diagnostic, deployment outcomes that returned analyst-years of capacity, funding paths, and vendor-risk checks buyers must evaluate.