
Coverage: Last 24 hours
Today’s Highlights
Today’s brief highlights threat actor cases involving insider risk, major crypto thefts, and abuse of popular enterprise collaboration tools, as well as multiple exploits and critical vulnerabilities defenders must address. Key themes are insider risk in ransomware cases, state-linked financial attacks, app store and supply chain threats, rising collaboration platform abuse, and several critical vulnerabilities actively targeted in the wild.
Table of Contents
- Former ransomware negotiator pleads guilty to BlackCat attacks
- NGate Android malware uses HandyPay NFC app to steal card data
- KelpDAO suffers $290 million heist tied to Lazarus hackers
- China’s Apple App Store infiltrated by crypto-stealing wallet apps
- The Gentlemen ransomware now uses SystemBC for bot-powered attacks
- Microsoft: Teams increasingly abused in helpdesk impersonation attacks
- The backup myth that is putting businesses at risk
- British Scattered Spider hacker pleads guilty to crypto theft charges
- Microsoft tests Windows Explorer speed, performance improvements
- CISA Adds 8 Exploited Flaws to KEV, Sets April-May 2026 Federal Deadlines
- SGLang CVE-2026-5760 (CVSS 9.8) Enables RCE via Malicious GGUF Model Files
- Seiko USA website defaced as hacker claims customer data theft
Top Stories
Former ransomware negotiator pleads guilty to BlackCat attacks
Source: BleepingComputer | Risk: High | Impacted: Incident response providers, Enterprises engaged in ransomware negotiations, Critical infrastructure with in-house response teams
Angelo Martino, 41, a former employee of the cybersecurity incident response company DigitalMint, has pleaded guilty to targeting U.S. companies in BlackCat (ALPHV) ransomware attacks in 2023.
Why it matters: Insider access by trusted responders can accelerate ransomware dwell time and erode organizational confidence in incident response processes.
Practitioner Perspective
Any organization with incident response staff or negotiators should recognize insiders as a high-value target and risk, especially when they hold operational knowledge of ransomware workflows, payment strategies, or client network layouts. The case illustrates that threat actors sometimes operate within the defender ecosystem, leveraging trust to enhance attacks and evade detection. Security and risk teams must reassess access controls and ongoing monitoring of staff, including background reevaluation where legal. Insider-driven incidents can deeply damage both business continuity and the reputation of incident responders. If you have not reviewed privileged access and post-employment monitoring for staff with ransomware response experience, you are likely exposed.
Recommended Actions
- Run access reviews for DigitalMint or other response toolsets focusing on ex-staff and privileged accounts
- Apply logging and continuous monitoring for negotiator account pivots or privileged escalation attempts
NGate Android malware uses HandyPay NFC app to steal card data
Source: BleepingComputer | Risk: High | Impacted: Retailers with mobile POS, Financial institutions offering NFC payments, Android enterprise fleets
A new variant of the NGate malware that steals NFC payment data is targeting Android users by hiding in a trojanized version of HandyPay, a legitimate mobile payments processing tool.
Why it matters: Mobile financial malware can directly compromise payment data, resulting in rapid, large-scale monetary loss or regulatory impact for organizations enabling BYOD or mobile payment processing.
Practitioner Perspective
Any enterprise permitting the use of payment processing apps like HandyPay on Android devices now faces elevated risk from NGate variants that masquerade as legitimate tools. This is especially concerning for financial and retail operations that lean on contactless payments, as attackers shift focus to mobile endpoints and supply chain subversion. Defenders must recognize that app-based fraud bypasses many established transaction controls, and threat actors know mobile users expect trusted payment brands. Given rapid trojan propagation via third-party app sources, unchecked devices can become blind spots for fraud and data theft. Organizations should immediately validate mobile application inventories and ensure only vetted sources are allowed on managed Android endpoints.
Recommended Actions
- Hunt for trojanized HandyPay APK installations and NGate IOCs on managed Android devices
- Enforce Google Play or enterprise app store restrictions for all payment applications
KelpDAO suffers $290 million heist tied to Lazarus hackers
Source: BleepingComputer | Risk: Critical | Impacted: DeFi project operators, Crypto custodians, Asset managers in Web3
State-sponsored North Korean hackers are likely behind the $290 million crypto-heist that impacted the KelpDAO DeFi project on Saturday.
Why it matters: Large-scale crypto heists attributed to state-linked actors expose organizations to instantaneous asset loss, regulatory scrutiny, and severe market reputation damage.
Practitioner Perspective
DeFi and crypto organizations must now consider North Korean threat actor tradecraft as a baseline risk rather than an outlier, given the Lazarus Group’s persistent success at draining wallets and manipulating governance protocols. Attackers are skilled at exploiting code bugs and weak multi-sig implementations, often moving faster than defenders can respond. The incident spotlights how much DeFi projects rely on code transparency, peer review, and rapid patching, which remain inconsistent. Programmatic asset controls and constant chain analytics monitoring are not optional for any project with a material TVL (total value locked). If your incident response playbooks still assume hours instead of seconds for fraud detection, you are behind the curve.
Recommended Actions
- Audit KelpDAO and similar protocol treasury access controls for single-key or weak-key points of failure
- Integrate threat intelligence on Lazarus-linked tactics into SIEM and analytics pipelines
China’s Apple App Store infiltrated by crypto-stealing wallet apps
Source: BleepingComputer | Risk: High | Impacted: Enterprise Apple device fleets, Mobile crypto wallet users, Fintech/B2C financial service providers
A set of 26 malicious apps on the Apple App Store impersonate popular wallets, such as Metamask, Coinbase, Trust Wallet, and OneKey, to steal recovery or seed phrases and drain victims' wallets of cryptocurrency assets.
Why it matters: Malicious wallet apps introduce risk of direct crypto theft from both consumer and enterprise mobile devices, reducing trust in platform security and app vetting processes.
Practitioner Perspective
The infiltration of Apple’s App Store by crypto wallet clones is a wake-up call: supply chain trust for mobile wallets is now a primary attack vector. Even Apple’s vetting cannot fully prevent fake Metamask or Coinbase apps from harvesting seed phrases, making device and user hygiene critical. Enterprises that permit mobile crypto wallets for payments or finance must educate users and enforce app provenance checks, especially in regions where alternative app stores or government-mandated apps proliferate. Supply chain abuse at scale means security controls must extend to user training, device checks, and app reputation reviews. Relying on app store logos as a sole line of defense will fail.
Recommended Actions
- Identify devices running unauthorized crypto wallet apps impersonating Metamask, Coinbase, Trust Wallet, or OneKey
- Deploy app reputation monitoring for wallet apps sourced from Apple App Store in China region
The Gentlemen ransomware now uses SystemBC for bot-powered attacks
Source: BleepingComputer | Risk: High | Impacted: Corporate Windows fleets, Organizations with exposed RDP or SMB, Enterprises targeted by ransomware affiliates
A SystemBC proxy malware botnet of more than 1,570 hosts, believed to be corporate victims, has been discovered following an investigation into a Gentlemen ransomware attack carried out by a gang affiliate.
Why it matters: Integration of SystemBC proxy malware with ransomware operations enables threat actors to maintain persistence and conduct stealthier lateral movement across compromised networks.
Practitioner Perspective
SystemBC’s adoption by the Gentlemen ransomware affiliate demonstrates the normalization of proxy malware as a core element of criminal post-exploitation toolkits. Over 1,500 likely-compromised endpoints highlight how bot infrastructure now supports hands-off persistence and remote C2, making post-infection network containment harder. Standard EDR or AV may not alert on encrypted SystemBC traffic, letting ransomware actors prepare for exfiltration without detection. Defenders who are not actively hunting for SystemBC artifacts and performing early lateral movement analysis risk missing dwell time and pivot operations. Focus threat hunts not just on ransomware payloads but on persistent proxy malware.
Recommended Actions
- Threat hunt for SystemBC proxy malware on endpoints compromised by Gentlemen ransomware
- Monitor network egress for encrypted traffic to SystemBC C2 infrastructure
Microsoft: Teams increasingly abused in helpdesk impersonation attacks
Source: BleepingComputer | Risk: High | Impacted: M365 tenants with Teams enabled, Organizations federating Teams externally, Service desk and IT support teams
Microsoft is warning of threat actors increasingly abusing external Microsoft Teams collaboration and relying on legitimate tools for access and lateral movement on enterprise networks.
Why it matters: Compromised or spoofed Microsoft Teams conversations can be leveraged to bypass user skepticism, enabling credential phishing and lateral movement within trusted collaboration environments.
Practitioner Perspective
Microsoft reports an uptick in Teams-based social engineering, with threat actors abusing both external federation and built-in integrations. Attackers are aware that Teams users often trust helpdesk or admin prompts, creating new avenues for phishing and session hijacks. Security teams must now treat collaboration tools as core risk zones, not just productivity layers, since compromise can facilitate weaponized support impersonation and spread of endpoint compromise. Federated tenant controls and rigorous IT admin approval workflows are essential to limit attack surface. Proactive monitoring for anomalous Teams interactions is no longer ‘nice to have’ but critical for identity and session security.
Recommended Actions
- Review and restrict Teams external federation settings
- Enable Teams advanced audit logs to pinpoint anomalous admin or support conversations
The backup myth that is putting businesses at risk
Source: BleepingComputer | Risk: Medium | Impacted: SMBs with limited BCDR resources, Organizations using on-prem backup appliances, Enterprises relying on cloud-native backup
Backups protect data, but don’t keep your business running during downtime. Datto shows why BCDR is essential to keep operations running during ransomware and outages.
Why it matters: Sole reliance on data backups creates a false sense of resilience, risking critical business downtime during ransomware or infrastructure outages when recovery processes are untested or incomplete.
Practitioner Perspective
Too many organizations equate the presence of backups with actual operational resilience, ignoring the gaps exposed when ransomware disables not just files but workflows and application stacks. Datto’s insights reinforce that business continuity and disaster recovery (BCDR) includes far more than mounting last night’s backup; dependency mapping, offline failover, and restore runbooks matter more when production is down. Security leaders should revisit BCDR assumptions—especially if backup infrastructure shares network paths, access controls, or cloud accounts with primary assets. Testing full-scale restore and validating service continuity is not optional in the current threat landscape.
Recommended Actions
- Test Datto or equivalent BCDR runbooks for real-world recovery of full application stacks, not just file restores
- Audit backup infrastructure for ransomware blast radius overlap with production systems
British Scattered Spider hacker pleads guilty to crypto theft charges
Source: BleepingComputer | Risk: Medium | Impacted: Crypto exchanges and custodians, Financial services handling identity verification, Enterprises targeted for wire fraud
A British man, believed to be the leader of the Scattered Spider cybercrime collective, has pleaded guilty in the United States to charges of wire fraud and aggravated identity theft.
Why it matters: Adversarial access via identity theft continues to fuel financially motivated attacks, often outpacing defenses for both traditional finance and crypto-focused organizations.
Practitioner Perspective
The Scattered Spider actor’s conviction signals continued operational risk to organizations with inadequate controls around identity verification and payment workflows, especially where social engineering is used to dupe service desks. The incident highlights that attackers will leverage personal and financial data to perpetrate fraud at scale. Defenders must operate on the assumption that identity compromise pressures all customer- and employee-facing processes, demanding layered authentication and continuous anomaly detection. If you still rely on ‘static’ controls for high-value funds movement, you are lagging the threat.
Recommended Actions
- Review identity verification requirements for customer support escalations involving funds transfer
- Alert on anomalous activity patterns linked to known Scattered Spider TTPs in SOC workflows
Microsoft tests Windows Explorer speed, performance improvements
Source: BleepingComputer | Risk: Low | Impacted: Windows 11 Insider Program users, Windows 11 system administrators
Microsoft is rolling out multiple File Explorer changes to Windows 11 users in the Insider program, including improvements to launch speed and performance.
Why it matters: File management improvements may enhance productivity and encourage timely system updates.
Practitioner Perspective
Performance enhancements in file browsing are useful, but system administrators must continue to prioritize security when enabling or pushing new features from insider testing channels. Consider update timing and monitoring for unintended impacts on endpoint protection or user workflows.
Recommended Actions
- Review Windows Insider Program feature rollout settings before enabling new File Explorer performance features
- Monitor user feedback channels for security or usability regressions after update deployment
Emerging Signals
No qualifying stories today.
Exploits & CVEs
CISA Adds 8 Exploited Flaws to KEV, Sets April-May 2026 Federal Deadlines
Source: The Hacker News | Risk: Critical | Impacted: Organizations operating Cisco Catalyst SD-WAN, PaperCut server administrators, Regulated federal agencies
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added eight new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including three flaws impacting Cisco Catalyst SD-WAN Manager, citing evidence of active exploitation. The list of vulnerabilities is as follows – CVE-2023-27351 (CVSS score: 8.2) – An improper authentication vulnerability in PaperCut.
Why it matters: Active exploitation of critical vulnerabilities listed in CISA’s KEV means organizations face increased risk of remote intrusion and regulatory noncompliance if patches are delayed.
Practitioner Perspective
CISA’s KEV list update is an operational call to action, not a compliance checkbox: at least three newly listed Cisco Catalyst SD-WAN Manager flaws and PaperCut’s CVE-2023-27351 have credible evidence of active use in intrusions. Federal agencies and regulated entities now have public deadlines for patching, but every enterprise running these technologies should treat them as urgent. Defenders can expect automated attack campaigns targeting exposed and unpatched systems. Audit coverage and remediation SLAs should be tested; just stating ‘patch soon’ will not cut it for these actively exploited flaws.
Recommended Actions
- Patch Cisco Catalyst SD-WAN Manager immediately to remediate all KEV-listed CVEs
- Deploy updates addressing CVE-2023-27351 on all PaperCut installations
SGLang CVE-2026-5760 (CVSS 9.8) Enables RCE via Malicious GGUF Model Files
Source: The Hacker News | Risk: Critical | Impacted: AI model operations teams, Enterprises using SGLang for model serving, Environments ingesting GGUF files from public repos
A critical security vulnerability has been disclosed in SGLang that, if successfully exploited, could result in remote code execution on susceptible systems. The vulnerability, tracked as CVE-2026-5760 (CVSS 9.8), has been described as a case of command injection leading to the execution of arbitrary code. SGLang is a high-performance, open-source serving framework.
Why it matters: Remote code execution vulnerabilities in open-source model-serving frameworks like SGLang create risk of full environment compromise, especially when model file provenance is unverified.
Practitioner Perspective
CVE-2026-5760 in SGLang allows attackers to execute arbitrary commands via malicious GGUF model files. With a CVSS score of 9.8, this is relevant for any environment deploying open-source AI models without rigorous file source validation. Cloud and on-prem AI operations pipelines are attractive targets, as model file supply chains are often under-monitored. Security teams should take immediate steps to patch and review any instance where GGUF models have been ingested from untrusted sources. The real question: do you trust every model file your environment loads?
Recommended Actions
- Deploy updates for SGLang to remediate CVE-2026-5760 across all production and test instances
- Block execution or ingestion of GGUF model files from unverified sources until the patch rollout is complete
Defensive Actions
- Run access reviews for DigitalMint or other response toolsets focusing on ex-staff and privileged accounts
- Apply logging and continuous monitoring for negotiator account pivots or privileged escalation attempts
- Hunt for trojanized HandyPay APK installations and NGate IOCs on managed Android devices
- Enforce Google Play or enterprise app store restrictions for all payment applications
- Audit KelpDAO and similar protocol treasury access controls for single-key or weak-key points of failure
- Integrate threat intelligence on Lazarus-linked tactics into SIEM and analytics pipelines
- Identify devices running unauthorized crypto wallet apps impersonating Metamask, Coinbase, Trust Wallet, or OneKey
- Threat hunt for SystemBC proxy malware on endpoints compromised by Gentlemen ransomware
- Review and restrict Teams external federation settings
- Patch Cisco Catalyst SD-WAN Manager immediately to remediate all KEV-listed CVEs
What We’re Watching
Seiko USA website defaced as hacker claims customer data theft
Source: BleepingComputer | Risk: High | Impacted: Consumer-facing e-commerce brands, Organizations using Shopify, Web teams responsible for customer data protection
The Seiko USA website was defaced over the weekend, displaying a message from attackers claiming they stole its Shopify customer database and threatening to leak it unless a ransom is paid.
Why it matters: Web defacement coupled with claims of customer data theft creates urgent operational and trust challenges, exposing businesses to potential data leaks, ransom demands, and reputational fallout.
Practitioner Perspective
If your web presence depends on frameworks like Shopify, the risk is not just downtime or vandalism but loss of customer confidence from public data breach claims. Attackers increasingly pair defacements with ransom threats to increase pressure, and the effectiveness often hinges on response speed and public messaging. Security teams must verify breach claims quickly but should not dismiss the operational impact of even unverified leaks. This incident shows that attackers combine technical and psychological levers—negotiation and crisis communications play a critical role. Do not leave breach response drills to hypothetical tabletop exercises.
Recommended Actions
- Investigate Seiko USA’s Shopify customer database access logs for signs of intrusion as claimed
- Review and harden CMS or Shopify app integrations and admin account access policies