This week in cybersecurity shows a consistent pattern where small gaps in permissions, authentication logic, and system trust boundaries are being used to gain large scale access across enterprise and consumer environments. Across browsers, kernels, AI systems, mobile platforms, and cloud services, attackers continue to rely on weak validation, stolen credentials, and trusted execution paths rather than breaking encryption or core cryptography. The result is a wide mix of incidents ranging from ransomware delivery through phishing emails and supply chain compromise to advanced persistent threat operations targeting corporate email systems and government infrastructure.
One of the most visible trends is the continued evolution of ransomware and credential driven attacks. Anubis ransomware affiliates were observed exploiting Citrix Bleed 2 CVE 2025 5777 alongside valid VPN credentials to gain initial access, followed by heavy use of Remote Management and Monitoring tools like ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC, and Total Software Deployment to maintain persistence while blending into normal IT activity. In parallel, supply chain and phishing activity included fake INTERPOL themed investigation emails delivering ransomware through Proton Drive links, as well as UNC1151 campaigns impersonating Gmail security alerts. Microsoft also reported a malicious Chromium extension disguised as Perplexity AI that intercepted search queries for profiling and data collection. Meanwhile, Telegram based Millennium RAT infections surpassed 60,000 devices, offering full remote access capabilities including keylogging, file theft, webcam capture, and credential extraction.
A second major cluster of activity centers on advanced exploitation techniques and system level vulnerabilities across Linux, macOS, and sandboxed environments. A Linux kernel flaw named Bad Epoll CVE 2026 46242 enables unprivileged users to gain root access through a use after free race condition, with exploit reliability reaching nearly 99 percent in controlled testing and even applicability from Chrome renderer sandbox contexts as well as Android devices. On macOS, PamStealer impersonates clipboard manager Maccy through fake domains and uses AppleScript combined with Rust based payloads to steal login credentials and browser data after validating passwords through PAM modules. Apple also faces an unpatched Hide My Email vulnerability that can expose real email addresses. In enterprise sandbox environments, researchers demonstrated root execution in Claude Cowork via unvalidated parameters, while AI systems themselves are increasingly involved in offensive workflows, including stolen compute being used to power automated vulnerability exploitation pipelines.
The third area of concern is the expansion of stealthy malware infrastructure, API abuse, and platform manipulation techniques used by both state aligned and financially motivated groups. ToddyCat deployed Umbrij malware to exploit OAuth flows and gain access to Gmail data via Google API by hijacking active browser sessions in headless mode, while Armored Likho targeted government and power sector entities using BusySnake Stealer with capabilities for clipboard theft, file exfiltration, screenshot capture, and reverse SSH tunneling via Go2Tunnel and RustDesk. BeepRAT, linked to China nexus espionage activity, uses DNS over HTTPS for command resolution and supports extensive remote control functions. At the same time, prompt injection research highlighted CoT Forgery attacks reaching 60 percent success rates, while Anthropic announced removal of covert tracking code used to detect unauthorized model usage. Microsoft introduced Paste Protect in Opera style defense mechanisms to counter clipboard based ClickFix attacks, and Teams added bot protection to reduce risks from external AI agents joining meetings.
The broader ecosystem also reflects growing convergence between cybercrime and infrastructure abuse. The U.S. offered a 10 million dollar reward for UNC5792 linked to FSB associated activity targeting messaging apps, while FTC fined Amazon 2.25 million dollars over identity theft response failures. CISA confirmed BlueHammer CVE 2026 33825 was exploited in ransomware incidents, and researchers highlighted ongoing LLM hijacking where stolen AI compute powers automated attack frameworks capable of scanning targets, generating exploits, and executing intrusion chains. Across all cases, attackers continue to exploit legitimate tools, trusted services, and configuration weaknesses, reinforcing a recurring theme where access control failures and overlooked system trust assumptions remain the primary entry points for compromise.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.





