TECHZONE™

TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms https://thehackernews.com/2026/05/tclbanker-banking-trojan-targets.html Threat hunters have flagged a previously undocumented Brazilian banking trojan dubbed TCLBANKER that's capable of targeting 59 banking, fintech, and cryptocurrency platforms. The activity is being tracked by Elastic Security Labs under the moniker REF3076. The malware family is assessed to be a major update of the Maverick, which is known to leverage a worm called SORVEPOTEL to spread via

Fake Call History Apps Stole Payments From Users After 7.3 Million Play Store Downloads https://thehackernews.com/2026/05/fake-call-history-apps-stole-payments.html Cybersecurity researchers have discovered fraudulent apps on the official Google Play Store for Android that falsely claimed to offer access to call histories for any phone number, only to trick users into joining a subscription that provided fake data and incurred financial loss. The 28 apps have collectively racked up more than 7.3 million downloads, with one of them alone accounting for over

One Click, Total Shutdown: The "Patient Zero" Webinar on Killing Stealth Breaches https://thehackernews.com/2026/05/one-click-total-shutdown-patient-zero.html The hardest part of cybersecurity isn't the technology, it’s the people. Every major breach you’ve read about lately usually starts the same way: one employee, one clever email, and one "Patient Zero" infection. In 2026, hackers are using AI to make these "first clicks" nearly impossible to spot. If a single laptop gets compromised on your watch, do you have a plan to stop it from taking down

Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise https://thehackernews.com/2026/05/quasar-linux-rat-steals-developer.html A previously undocumented Linux implant codenamed Quasar Linux RAT (QLNX) is targeting developers' systems to establish a silent foothold as well as facilitate a broad range of post-compromise functionality, such as credential harvesting, keylogging, file manipulation, clipboard monitoring, and network tunneling. "QLNX targets developers and DevOps credentials across the software supply chain,"

One Missed Threat Per Week: What 25M Alerts Reveal About Low-Severity Risk https://thehackernews.com/2026/05/one-missed-threat-per-week-what-25m.html The dark secret of enterprise security operations is that defenders have quietly institutionalized the practice of not looking. This is not just anecdotal, but rather backed by a recent report investigating more than 25 million security alerts, including informational and low-severity, across live enterprise environments.  The dataset behind these findings includes 10 million monitored

New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials https://thehackernews.com/2026/05/new-linux-pamdoora-backdoor-uses-pam.html Cybersecurity researchers have disclosed details of a new Linux backdoor named PamDOORa that's being advertised on the Rehub Russian cybercrime forum for $1,600 by a threat actor called "darkworm." The backdoor is designed as a Pluggable Authentication Module (PAM)-based post-exploitation toolkit that enables persistent SSH access by means of a magic password and specific TCP port combination.

Fake call logs, real payments: How CallPhantom tricks Android users https://www.welivesecurity.com/en/eset-research/fake-call-logs-real-payments-how-callphantom-tricks-android-users/ ESET researchers uncovered fraudulent apps on Google Play that claim to provide the call history “for any number” and had been downloaded more than seven million times before being taken down

Fixing the password problem is as easy as 123456 https://www.welivesecurity.com/en/cybersecurity/fixing-password-problem-as-easy-as-123456/ How come it’s still possible to ‘secure’ an online account with a six-digit string?

Linux Kernel Dirty Frag LPE Exploit Enables Root Access Across Major Distributions https://thehackernews.com/2026/05/linux-kernel-dirty-frag-lpe-exploit.html Details have emerged about a new, unpatched local privilege escalation (LPE) vulnerability impacting the Linux kernel. Dubbed Dirty Frag, it has been described as a successor to Copy Fail (CVE-2026-31431, CVSS score: 7.8), a recently disclosed LPE flaw impacting the Linux kernel that has since come under active exploitation in the wild. The vulnerability was reported to Linux kernel maintainers

Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access https://thehackernews.com/2026/05/ivanti-epmm-cve-2026-6973-rce-under.html Ivanti is warning that a new security flaw impacting Endpoint Manager Mobile (EPMM) has been explored in limited attacks in the wild. The high-severity vulnerability, CVE-2026-6973 (CVSS score: 7.2), is a case of improper input validation affecting EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1. It allows "a remotely authenticated user with administrative access to achieve remote code

PCPJack Credential Stealer Exploits 5 CVEs to Spread Worm-Like Across Cloud Systems https://thehackernews.com/2026/05/pcpjack-credential-stealer-exploits-5.html Cybersecurity researchers have disclosed details of a new credential theft framework dubbed PCPJack that targets exposed cloud infrastructure and ousts any artifacts linked to TeamPCP from the environments. "The toolset harvests credentials from cloud, container, developer, productivity, and financial services, then exfiltrates the data through attacker-controlled infrastructure while attempting

vm2 Node.js Library Vulnerabilities Enable Sandbox Escape and Arbitrary Code Execution https://thehackernews.com/2026/05/vm2-nodejs-library-vulnerabilities.html A dozen critical security vulnerabilities have been disclosed in the vm2 Node.js library that could be exploited by bad actors to break out of the sandbox and execute arbitrary code on susceptible systems. vm2 is an open-source library used to run untrusted JavaScript code inside a secure sandbox by intercepting and proxying JavaScript objects to prevent sandboxed code from accessing the host

Mirai-Based xlabs_v1 Botnet Exploits ADB to Hijack IoT Devices for DDoS Attacks https://thehackernews.com/2026/05/mirai-based-xlabsv1-botnet-exploits-adb.html Cybersecurity researchers have exposed a new Mirai-derived botnet that self-identifies as xlabs_v1 and targets internet-exposed devices running Android Debug Bridge (ADB) to enlist them in a network capable of carrying out distributed denial-of-service (DDoS) attacks. Hunt.io, which detailed the malware, said it made the discovery after identifying an exposed directory on a Netherlands-hosted

MuddyWater Uses Microsoft Teams to Steal Credentials in False Flag Ransomware Attack https://thehackernews.com/2026/05/muddywater-uses-microsoft-teams-to.html The Iranian state-sponsored hacking group known as MuddyWater (aka Mango Sandstorm, Seedworm, and Static Kitten) has been attributed to a ransomware attack in what has been described as a "false flag" operation. The attack, observed by Rapid7 in early 2026, has been found to leverage social engineering techniques via Microsoft Teams to initiate the infection sequence. Although the incident

The Hacker News Launches 'Cybersecurity Stars Awards 2026' — Submissions Now Open https://thehackernews.com/2026/05/the-hacker-news-launches-cybersecurity.html For nearly 20 years, we at The Hacker News have mostly told scary stories about cyberspace — big hacks, broken systems, and new threats. But behind every headline, there’s a quieter, better story. It’s the story of leaders making tough calls under pressure, teams building smarter defenses, and security products that keep hunting threats 24/7 — even when it’s hard. Most of the time, this work is

Your AI Agents Are Already Inside the Perimeter. Do You Know What They're Doing? https://thehackernews.com/2026/05/your-ai-agents-are-already-inside.html Analysts recently confirmed what identity security teams have quietly feared: AI agents are being deployed faster than enterprises can govern them. In their inaugural Market Guide for Guardian Agents, Gartner states that “enterprise adoption of AI agents is accelerating, outpacing maturity of governance policy controls.” Enterprise leaders can request access to the Gartner Market Guide for

Google's Android Apps Get Public Verification to Stop Supply Chain Attacks https://thehackernews.com/2026/05/android-apps-get-public-verification.html Google has announced expanded Binary Transparency for Android as a way to safeguard the ecosystem from supply chain attacks. "This new public ledger ensures the Google apps on your device are exactly what we intended to build and distribute," Google's product and security teams said. The initiative builds upon the foundation of Pixel Binary Transparency, which Google introduced in October 2021

Windows Phone Link Exploited by CloudZ RAT to Steal Credentials and OTPs https://thehackernews.com/2026/05/windows-phone-link-exploited-by-cloudz.html Cybersecurity researchers have disclosed details of an intrusion that involved the use of a CloudZ remote access tool (RAT) and a previous undocumented plugin dubbed Pheno with the aim of facilitating credential theft. "According to the functionalities of the CloudZ RAT and Pheno plugin, this was with the intention of stealing victims' credentials and potentially one-time passwords (OTPs),"

Palo Alto PAN-OS Flaw Under Active Exploitation Enables Remote Code Execution https://thehackernews.com/2026/05/palo-alto-pan-os-flaw-under-active.html Palo Alto Networks has released an advisory warning that a critical buffer overflow vulnerability in its PAN-OS software has been exploited in the wild. The vulnerability, tracked as CVE-2026-0300, has been described as a case of unauthenticated remote code execution. It carries a CVSS score of 9.3 if the User-ID Authentication Portal is configured to enable access from the internet or any

A rigged game: ScarCruft compromises gaming platform in a supply-chain attack https://www.welivesecurity.com/en/eset-research/rigged-game-scarcruft-compromises-gaming-platform-supply-chain-attack/ ESET researchers have investigated an ongoing attack by the ScarCruft APT group that targets the Yanbian region via backdoor-laced Windows and Android games