
Coverage: Last 24 hours
Today’s Highlights
Botnet operator arrests, a max-severity Cisco Secure Workload flaw, and active exploitation of Langflow and Trend Micro highlight ongoing adversary focus on internet-facing infrastructure and supply chain weak points. Defenders must prioritize targeted threat hunting and immediate patching, especially where critical business systems expose sensitive data or grant administrative access.
Table of Contents
- US and Canada arrest and charge suspected Kimwolf botnet admin
- Apple blocked over $11 billion in App Store fraud in 6 years
- Chinese hackers target telcos with new Linux, Windows malware
- Max severity Cisco Secure Workload flaw gives Site Admin privileges
- Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada
- ‘First VPN’ Cybercrime Service Disrupted, Administrator Arrested
- Kimwolf DDoS Botnet Operator Arrested in Canada Over DDoS-for-Hire Attacks
- Cisco Patches CVSS 10.0 Secure Workload REST API Flaw Enabling Data Access
- Showboat Linux Malware Hits Middle East Telecom with SOCKS5 Proxy Backdoor
- CISA Adds Exploited Langflow and Trend Micro Apex One Vulnerabilities to KEV
Top Stories
US and Canada arrest and charge suspected Kimwolf botnet admin
Source: BleepingComputer | Risk: High | Impacted: IoT vendors, Service providers, Critical infrastructure operators, Organizations with exposed consumer devices
Summary: U.S. and Canadian authorities arrested 23‑year‑old Jacob Butler (“Dort”) in Ottawa and charged him with operating the KimWolf DDoS botnet, which enslaved nearly two million IoT devices and launched over 25,000 attacks, including record‑setting nearly‑30 Tbps DDoS assaults. Butler faces up to 10 years in prison and awaits extradition to the U.S.
Why it matters: Arresting major botnet operators disrupts DDoS campaigns currently in progress, but the population of compromised IoT devices is still at risk for re-infection or takeover by other adversaries.
Practitioner Perspective
Security teams managing public-facing infrastructure must not assume the Kimwolf threat has fully abated, since millions of IoT devices remain vulnerable and could be subsumed by new botnets. Continued vigilance and layered DDoS defense are required, even with law enforcement disruptions.
Recommended Actions
- Inventory and segment all IoT devices exposed to the internet to limit attack surface
- Harden device firmware and enforce strict network ACLs on consumer-grade devices
Apple blocked over $11 billion in App Store fraud in 6 years
Source: BleepingComputer | Risk: Medium | Impacted: Organizations with BYOD policies, Mobile device management teams, Enterprises relying on public app marketplaces
Summary: Apple disclosed that between 2020 and 2025 it blocked over $11 billion in fraudulent App Store transactions, including more than $2.2 billion in 2025 alone. Last year, it rejected over 2 million problematic app submissions, blocked 1.1 billion fraudulent account creations, terminated 193,000 developer accounts, deactivated 40.4 million customer accounts, and stopped over 5.4 million uses of stolen credit cards.
Why it matters: Widespread fraudulent activity highlights ongoing risks to organizational data and assets, particularly when employees source mobile apps outside of managed controls.
Practitioner Perspective
App Store fraud at this scale shows that even robust marketplace protections cannot guarantee safety. Manage risk through device-level controls and do not rely solely on app store assurance.
Recommended Actions
- Review and enforce MDM/EMM policies to restrict App Store installations
- Enable device attestation and automatic removal of unapproved or high-risk apps on managed iOS endpoints
Chinese hackers target telcos with new Linux, Windows malware
Source: BleepingComputer | Risk: High | Impacted: Telecom providers, Critical infrastructure operators in Asia-Pacific and Middle East, Enterprises with mixed Linux/Windows environments
Summary: Chinese cyber‑espionage group Calypso (aka Red Lamassu) has been deploying new Linux and Windows malware, Showboat on Linux and JFMBackdoor on Windows, to target telecommunications providers across the Asia‑Pacific and Middle East since mid‑2022, enabling long‑term persistence, data collection, remote control, and lateral network movement.
Why it matters: Using bespoke malware for network operations allows sophisticated adversaries to maintain persistence and facilitate ongoing compromise across mixed IT environments.
Practitioner Perspective
Telecoms in high-threat regions must monitor for advanced tooling targeting both Linux and Windows, with focus on behavioral anomalies, rare binaries, and lateral movement not caught by default AV/EDR.
Recommended Actions
- Hunt for Showboat and JFMBackdoor artifacts on endpoints
- Monitor and log all lateral movement in telecom segments using NGFW and NAC
Max severity Cisco Secure Workload flaw gives Site Admin privileges
Source: BleepingComputer | Risk: Critical | Impacted: Organizations using Cisco Secure Workload, Cloud and hybrid infrastructure teams, Enterprises with zero trust segmentation
Summary: Cisco has issued urgent patches for a maximum-severity flaw in Secure Workload (formerly Tetration), tracked as CVE‑2026‑20223, in which unauthenticated attackers could exploit internal REST APIs to obtain Site Admin privileges, allowing them to view sensitive data and alter configurations; no workarounds exist and fixes are available for on‑premises and SaaS deployments.
Why it matters: A remotely exploitable flaw in Secure Workload threatens full administrative compromise for enterprises relying on Cisco segmentation controls, with severe business impact if not resolved quickly.
Practitioner Perspective
Organizations with Secure Workload deployed face urgent risk. There is no workaround and immediate patching both on-prem and SaaS is essential. Unpatched environments could be targeted for full admin compromise.
Recommended Actions
- Deploy Cisco’s CVE-2026-20223 patches to all Secure Workload instances immediately
- Audit all privileged user and service account activity for suspicious changes since flaw disclosure
Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada
Source: Krebs on Security | Risk: High | Impacted: Public sector networks, Organizations deploying consumer IoT at scale, ISPs and DDoS mitigation vendors
Summary: A 23‑year‑old Ottawa man, Jacob Butler (aka “Dort”), has been arrested in Canada and charged in both Canada and the U.S. with operating the Kimwolf IoT botnet, which enslaved millions of devices to carry out massive DDoS attacks over the past six months.
Why it matters: Even following this key arrest, organizations with public IoT deployments are still exposed unless proactive defensive measures are maintained.
Practitioner Perspective
While the Kimwolf takedown slows one actor, millions of potential botnet devices remain at risk. Security leaders must focus on device inventory and keeping firmware current instead of relying on enforcement alone.
Recommended Actions
- Correlate traffic with Kimwolf IOCs in NIDS/IDS
- Disallow unmanaged IoT hardware on critical network segments
‘First VPN’ Cybercrime Service Disrupted, Administrator Arrested
Source: SecurityWeek | Risk: Medium | Impacted: Organizations tracking cybercriminal C2 infrastructure, SOC and IR teams, Adversary attribution analysts
Summary: Law enforcement in North America and Europe dismantled the cybercriminal VPN service “First VPN,” seizing 33 servers and shutting down its domains used for ransomware and other attacks. The service, active since 2014, was promoted on Russian-language cybercrime forums, and its administrator was arrested in Ukraine. Authorities gained access to user data, identifying 506 users.
Why it matters: The takedown disrupts adversary C2 and anonymity services and may expose additional attacker infrastructure for follow-up investigations.
Practitioner Perspective
First VPN’s removal creates a window for defensive teams to correlate new intelligence with local telemetry. Quickly incorporate seized indicators into threat hunting and expect adversaries to migrate infrastructure promptly.
Recommended Actions
- Cross-reference known First VPN exit nodes with firewall and proxy logs
- Update threat feeds with indicators from the First VPN takedown
Emerging Signals
Kimwolf DDoS Botnet Operator Arrested in Canada Over DDoS-for-Hire Attacks
Source: The Hacker News | Risk: High | Impacted: Organizations with unmanaged IoT, DDoS mitigation providers, Consumer device manufacturers
Summary: The U.S. Department of Justice announced the arrest in Canada of Jacob Butler (aka Dort) of Ottawa for allegedly operating the Kimwolf DDoS botnet, a variant of AISURU that enslaved devices like digital photo frames and webcams to launch attacks, including on U.S. Department of Defense networks. He faces up to 10 years in prison. There’s no paywall.
Why it matters: Removing a single botnet operator does little to address the underlying problem of large-scale, poorly secured IoT ecosystems susceptible to botnet control.
Practitioner Perspective
Arrests may blunt current campaigns, but as long as IoT device hardening is neglected, new botnets will emerge. Providers must continue to push for secure defaults and active traffic management.
Recommended Actions
- Initiate forced password resets and firmware updates on consumer IoT devices
- Map all inbound port exposure for IoT segments and restrict to business-essential traffic
Cisco Patches CVSS 10.0 Secure Workload REST API Flaw Enabling Data Access
Source: The Hacker News | Risk: Critical | Impacted: Cisco Secure Workload customers, Cloud and hybrid infrastructure teams, SOC monitoring segmentation
Summary: Cisco has issued patches to fix a critical vulnerability (CVE‑2026‑20223, CVSS 10.0) in its Secure Workload platform. The flaw, stemming from insufficient validation and authentication of internal REST API endpoints, could allow an unauthenticated remote attacker to access sensitive data and make configuration changes with Site Admin privileges. There are no known workarounds.
Why it matters: If left unaddressed, this REST API flaw lets attackers escalate privileges and undermine network segmentation, affecting critical application visibility and control.
Practitioner Perspective
The severity and ease of exploitation for CVE-2026-20223 (CVSS 10.0) make immediate patching paramount. Security teams must verify direct remediation and review logs for potential exploitation.
Recommended Actions
- Immediately install Cisco’s CVE-2026-20223 security update for all Secure Workload deployments
- Review REST API endpoint access logs for signs of unauthorized activity
Showboat Linux Malware Hits Middle East Telecom with SOCKS5 Proxy Backdoor
Source: The Hacker News | Risk: High | Impacted: Telecom operators in the Middle East, Linux server environments, Critical infrastructure with high Linux footprint
Summary: Security researchers report that a novel Linux malware named Showboat, active since mid‑2022, has been used to compromise a Middle East telecommunications provider. Developed as a modular post‑exploitation framework, it can spawn remote shells, transfer files, hide processes and act as a SOCKS5 proxy to enable lateral movement across internal networks. It is linked to China‑affiliated threat groups.
Why it matters: New adaptable malware used against telcos enables long-term stealthy persistence and proxy access for follow-on attacks targeting sensitive infrastructure.
Practitioner Perspective
Showboat highlights the threats presented by modular Linux malware. Organizations must expand anomaly detection and behavioral monitoring on Linux beyond traditional AV/EDR.
Recommended Actions
- Deploy YARA and EDR signatures targeting Showboat command patterns
- Monitor for unauthorized SOCKS5 proxy creation on Linux endpoints
Exploits & CVEs
CISA Adds Exploited Langflow and Trend Micro Apex One Vulnerabilities to KEV
Source: The Hacker News | Risk: High | Impacted: Federal agencies, Organizations running on-premise Langflow, Trend Micro Apex One customers
Summary: The U.S. Cybersecurity and Infrastructure Security Agency added two actively exploited vulnerabilities, CVE‑2025‑34291 in Langflow and CVE‑2026‑34926 in on‑premise Trend Micro Apex One, to its Known Exploited Vulnerabilities catalog, mandating federal remediation by June 4, 2026.
Why it matters: Persistent exploits against endpoint and automation software can result in data theft and lateral movement unless organizations patch rapidly.
Practitioner Perspective
The addition of CVE-2025-34291 (Langflow) and CVE-2026-34926 (Trend Micro Apex One) to CISA’s catalog requires immediate remediation and retrospective investigation for potential compromise.
Recommended Actions
- Deploy updates for CVE-2025-34291 (Langflow) and CVE-2026-34926 (Trend Micro Apex One) to all affected environments
- Review endpoint and application logs for indications of exploit activity
Defensive Actions
- Patch Cisco Secure Workload (CVE-2026-20223) as top priority on all cloud and on-premises instances
- Deploy vendor advisories to remediate CVE-2025-34291 (Langflow) and CVE-2026-34926 (Trend Micro Apex One)
- Inventory, segment, and harden all internet-exposed IoT devices to minimize DDoS risk
- Initiate threat hunting for Showboat and JFMBackdoor malware artifacts in mixed OS telecom environments
- Review access logs and firewall policies for activity tied to known criminal VPN and C2 infrastructure (including First VPN)
- Enforce MDM policies to restrict app installations and trigger removal of unapproved apps on managed mobile devices
- Mandate audit logging and MFA for crypto wallet access and transaction signing on corporate assets
- Proactively monitor browser processes and restrict unpatched Chromium Service Worker execution where feasible
- Update threat intelligence feeds and take action on new IOCs from recent law enforcement operations
- Collaborate with upstream vendors and ISPs to block botnet-related command domains and prevent device reinfection
What We’re Watching
- Reaction from the security community to the Kimwolf operator arrest and next steps for large-scale IoT botnet cleanup
- Ongoing exploitation activity targeting Cisco Secure Workload and endpoint security tools pending successful patch rollouts
- New malware techniques and proxy usage supporting deep persistence in critical telecom infrastructure
- Whether law enforcement’s disruption of criminal infrastructure yields actionable intelligence for wider investigations and takedowns
- Updates or mitigations for currently unfixed, accidentally disclosed Chromium browser vulnerabilities
Categories: Cybersecurity Blog, Cybersecurity News
Leave a comment