
Coverage: Last 24 hours
Today’s Highlights
Today’s landscape exposes defenders to rapidly evolving attacker tooling, critical zero-day vulnerabilities, and new attack surfaces across both legacy infrastructure and emergent AI integrations. Teams must quickly validate exposure and operationalize response against threat actors leveraging novel malware, supply chain abuse, and automation gaps. Key themes include nation-state malware campaigns expanding in Europe, rapid exploitation of zero-day and RCE vulnerabilities in widely deployed platforms, the abuse of trusted supply chains such as advertising networks, and the mounting risks of untested security controls.
Table of Contents
- Chinese hackers use new Atlas RAT malware in European cyberattacks
- U.S. sanctions Nobitex crypto exchange used by Iranian ransomware actors
- CISA warns of cyberattacks targeting fuel tank monitoring systems
- New ‘HTTP/2 Bomb’ DoS attack crashes web servers in under a minute
- What 345 Days of Untested Exposure Looks Like at a Bank
- Police dismantles 9 crime groups in illegal streaming crackdown
- DoJ Disrupts Southeast Asia Crypto Fraud Networks, Freezes $3.8 Million in Assets
- CISA warns of active attacks exploiting Android, Linux bugs
- Acer working to patch max severity zero-days in Wave 7 routers
- CISA Adds Exploited Magento RCE Flaw CVE-2026-45247 to KEV Catalog
Top Stories
Chinese hackers use new Atlas RAT malware in European cyberattacks
Source: BleepingComputer | Risk: High | Impacted: European enterprises, Critical infrastructure in Europe, Organizations with Chinese APT exposure
Summary: A Chinese-speaking cybercrime group has expanded its targeting to the European space, deploying previously undocumented malware and the Atlas backdoor.
Why it matters: The use of previously undocumented remote access tools by hostile actors increases the likelihood of undetected compromise and lateral movement, threatening sensitive operational data and business continuity.
Practitioner Perspective
European organizations, especially those with prior Chinese APT interest, should anticipate attackers leveraging custom implants like Atlas RAT for initial access and persistent control. This move signals a willingness by adversaries to deploy bespoke tooling for espionage or data theft, making traditional signature-based defenses insufficient. The combination of new malware and geographic targeting heightens the risk of operational disruption and exfiltration activity. Assume visibility gaps where vetted threat intel or detection signatures are lacking. Prioritize threat hunting and behavioral monitoring for unrecognized RAT traffic or persistence methods.
Recommended Actions
- Deploy network detection rules focused on Atlas RAT communication patterns and C2 behaviors across egress points
- Expand threat hunting playbooks to include TTPs associated with new Chinese malware families
U.S. sanctions Nobitex crypto exchange used by Iranian ransomware actors
Source: BleepingComputer | Risk: Medium | Impacted: Ransomware incident response teams, Financial compliance departments, Organizations processing cryptocurrency
Summary: The U.S. Treasury’s Office of Foreign Assets Control (OFAC) has announced sanctions against Nobitex, Iran’s largest cryptocurrency exchange, for facilitating payments related to terrorist activities.
Why it matters: Sanctions on exchanges reduce viable cashout options for ransomware operations, but may trigger actor shifts to alternate laundering methods, increasing complexity for financial forensics and recovery.
Practitioner Perspective
Any organization with exposure to ransomware risk should track sanctioned entities like Nobitex in their transaction alerting and due diligence processes. The Treasury action constricts one channel but usually leads to rapid adversary adaptation, pushing criminal proceeds elsewhere or creating new mule layers. Security teams responsible for crypto investigations or IR must update threat models to incorporate these sanctioned venues and anticipate payment chain obfuscation. Keep communication open with legal and anti-fraud teams to ensure compliance.
Recommended Actions
- Block or alert on wallet addresses associated with Nobitex identified in OFAC sanctions
- Update incident response runbooks to ban interaction with known sanctioned exchanges for ransomware negotiation
CISA warns of cyberattacks targeting fuel tank monitoring systems
Source: BleepingComputer | Risk: High | Impacted: Industrial control environments, Fuel distribution operators, Critical infrastructure providers
Summary: CISA, the FBI, the NSA, the Department of Energy, and other US government partners are warning that hackers are targeting internet-exposed automatic tank gauge (ATG) systems used to monitor fuel and liquid storage tanks across various critical infrastructure sectors.
Why it matters: Compromise of automated tank gauges can lead directly to supply chain disruptions, environmental damage, and safety incidents within critical infrastructure networks.
Practitioner Perspective
Operators of fuel and liquid storage facilities must recognize that internet-exposed ATGs are now a prime target, as attackers increasingly probe OT devices with weak or default security. These systems often bridge IT and OT networks, creating direct risk from remote exploitation or manipulation. Typical patch, monitoring, and segmentation controls are inconsistently applied in these environments, resulting in substantial safety and business continuity exposure. Assume that any device accessible from the public internet has already attracted opportunistic or targeted reconnaissance. Defensive priority should be on network isolation and active monitoring.
Recommended Actions
- Inventory and identify all ATG units accessible from the internet; prioritize removal of public exposure
- Audit all ATG system accounts and enforce unique credentials; eliminate defaults
New ‘HTTP/2 Bomb’ DoS attack crashes web servers in under a minute
Source: BleepingComputer | Risk: High | Impacted: Public-facing web services, SaaS providers using HTTP/2, E-commerce and financial platforms
Summary: A new denial-of-service (DoS) attack dubbed HTTP/2 Bomb can be launched from a single machine to take down web servers within seconds.
Why it matters: HTTP/2 Bomb attacks can render critical web applications unavailable in seconds, potentially causing immediate revenue loss and business disruption, especially for organizations with high-availability requirements.
Practitioner Perspective
Any web service operated at scale and supporting HTTP/2 must urgently assess susceptibility to this new one-machine denial-of-service vector. Unlike volumetric attacks, this method can bypass rate-limiting and WAF layers by exploiting protocol features, potentially bringing down services with minimal resource investment. Security teams need to go beyond capacity planning and look for patched vendor updates or mitigation guidance specific to their web server stack. Web infrastructure owners must avoid complacency; active validation of HTTP/2 configuration and incident simulation are essential now.
Recommended Actions
- Apply vendor patches or mitigations addressing the HTTP/2 Bomb vulnerability for your specific web server software
- Temporarily disable HTTP/2 support where patching is not possible and evaluate business impact
What 345 Days of Untested Exposure Looks Like at a Bank
Source: BleepingComputer | Risk: Medium | Impacted: Banks and financial institutions, Organizations relying on annual or biannual pentests, Asset owners in regulated industries
Summary: A two-week penetration test can leave roughly 345 days of real-world exposure unvalidated. Sprocket Security explores why continuous testing is becoming critical as attack surfaces constantly change.
Why it matters: Extended periods of untested controls leave organizations blind to breach risk, enabling attackers to exploit drift or misconfigurations that accumulate between scheduled assessments.
Practitioner Perspective
Traditional point-in-time penetration testing cannot keep pace with the dynamic nature of modern environments, particularly in financial services where new assets and integrations materialize constantly. Security leaders should recognize that gaps between tests create a rolling window of exposure, often invisible until exploited. Adversaries are increasingly adept at identifying stale controls or shadow infrastructure that escapes periodic review. Consider moving toward continuous security validation or automated purple teaming to proactively reveal breakpoints. Your ability to detect and fix control failures in real time is now a core resilience metric.
Recommended Actions
- Pilot continuous automated security validation solutions to test controls between formal pentests
- Baseline asset inventory and configuration drift; monitor for unapproved changes weekly
Police dismantles 9 crime groups in illegal streaming crackdown
Source: BleepingComputer | Risk: Medium | Impacted: Media organizations, Streaming service providers, CDN and hosting companies
Summary: European and international law enforcement agencies have dismantled nine organized crime groups and arrested 29 suspects in a major crackdown on illegal streaming operations.
Why it matters: Disruption of organized crime streaming groups reduces the infrastructure available for malware delivery and illicit content distribution, but may prompt splintering into smaller, less detectable operations.
Practitioner Perspective
Security teams in media, telco, or network service provider environments should note the potential for sudden shifts in illegal streaming threat profiles following this law enforcement action. While visibility into large criminal networks increases when takedowns occur, displaced actors frequently seek new hosting, CDN, or credential sources, resulting in short-term detection challenges. Expect a proliferation of smaller-scale sites using more evasive techniques. Maintain vigilance around credential stuffing and illicit platform traffic as threat actors adapt to new constraints.
Recommended Actions
- Hunt for traffic and domains newly associated with illegal streaming following law enforcement disruption
- Monitor for illicit CDN use and abnormal peering connections linked to past streaming groups
Emerging Signals
DoJ Disrupts Southeast Asia Crypto Fraud Networks, Freezes $3.8 Million in Assets
Source: The Hacker News | Risk: Medium | Impacted: Crypto companies supporting US users, Financial anti-fraud teams, Help desks handling identity theft
Summary: The U.S. Department of Justice (DoJ) on Wednesday announced the results of a sweeping action undertaken by government authorities and private sector companies to combat cyber-enabled and cryptocurrency fraud targeting Americans. The “Disruption Week” operation began May 18, 2026, leading to the takedown of millions of social media, email, and internet access accounts used by transnational actors.
Why it matters: The takedown of social media accounts and infrastructure used in Southeast Asia crypto fraud will temporarily disrupt threat actor activity, but victims may still face ongoing account takeover or targeted scam attempts elsewhere.
Practitioner Perspective
Enterprises should expect a brief reduction in crypto-themed phishing and account-based fraud following this operation, but recycled tactics and migration to alternate platforms are likely. Organizations supporting users vulnerable to fraud must anticipate quick channel shifts and updated attacker social engineering. Continuous user training and fraud detection tuned for cross-platform scam migration are now a baseline necessity. Watch for lures using new domains and contact vectors. Response agility is key until attacker infrastructure is fully rebuilt or displaced.
Recommended Actions
- Update account monitoring for attempts originating from previously abused Southeast Asia IP ranges
- Alert users to expect renewed phishing waves leveraging new domain registrations and contact methods
Exploits & CVEs
CISA warns of active attacks exploiting Android, Linux bugs
Source: BleepingComputer | Risk: High | Impacted: Linux production environments, Android fleet deployments, BYOD and mobile users
Summary: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that hackers are exploiting vulnerabilities in the Linux kernel and Android operating system.
Why it matters: Active exploitation of Linux and Android kernel vulnerabilities exposes both enterprise and BYOD environments to immediate compromise, allowing attackers to escalate privileges or deploy persistent malware.
Practitioner Perspective
If you have Android devices or Linux infrastructure in your environment, these new actively exploited bugs must be addressed with urgency. Attackers are leveraging public exploits to target unpatched systems, which often go unmonitored or fall outside standard patch cycles, especially in distributed or containerized environments. Assume threat actors can pivot rapidly from compromised endpoints to broader network access. Prioritize rapid patch rollout and heightened monitoring for unusual kernel activity. Integration with mobile device management is key to reducing attack surface.
Recommended Actions
- Patch all Android and Linux systems for the CVEs referenced in the latest CISA alert
- Monitor for exploit attempts and elevation-of-privilege activity tied to recent Linux and Android CVEs
Acer working to patch max severity zero-days in Wave 7 routers
Source: BleepingComputer | Risk: Critical | Impacted: Organizations using Acer Wave 7 mesh routers, SMB and branch office networks, Remote and home office IT setups
Summary: Acer is working to address two maximum-severity zero-day vulnerabilities affecting its Wave 7 mesh routers.
Why it matters: Unpatched zero-days in popular mesh routers enable external attackers to bypass perimeter defenses, establish covert access, and compromise downstream assets.
Practitioner Perspective
If your IT or home environments use Acer Wave 7 routers, these active zero-day vulnerabilities present an urgent risk. Attackers are likely to target public-facing routers to achieve beachhead access or man-in-the-middle positioning, especially where network segmentation is weak. The window for exploitation may be short, given the nature of router deployment and slow update cycles in small sites and branch offices. Threat actors often chain router vulnerabilities with credential attacks to deepen persistence. Immediate risk reduction requires limiting router exposure and validating patch status.
Recommended Actions
- Apply Acer-provided firmware updates for Wave 7 routers as soon as available
- Restrict administration interfaces of Wave 7 routers to internal networks only
CISA Adds Exploited Magento RCE Flaw CVE-2026-45247 to KEV Catalog
Source: The Hacker News | Risk: Critical | Impacted: Magento administrators, E-commerce platforms using Mirasvit Cache Warmer, Online retailers
Summary: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical flaw impacting Mirasvit Cache Warmer, a popular Magento full-page cache extension, to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation in the wild. The vulnerability, tracked as CVE-2026-45247 (CVSS 9.8), is a case of deserialization of untrusted input, impacting core e-commerce operations.
Why it matters: Proof of active exploitation against Magento via CVE-2026-45247 puts e-commerce sites at immediate risk of data theft, supply chain attacks, and business impact through compromise of core payment infrastructure.
Practitioner Perspective
If you run Magento with the Mirasvit Cache Warmer extension, this RCE flaw (CVE-2026-45247) should be treated as a live, emergency exposure. Attackers will prioritize this vector to gain privileged access, likely targeting payment systems or customer records for resale or fraud. The presence of this extension dramatically amplifies lateral risk due to cache poisoning and indirect system manipulation. Standard WAF coverage is often ineffective against deserialization flaws. Focus on rapid patching, and consider reviewing recent access patterns for signs of compromise predating fix deployment.
Recommended Actions
- Immediately apply the vendor patch for CVE-2026-45247 to all affected Magento sites
- Search web and application logs for unexplained admin actions or unauthorized uploads since the exploitation window began
Defensive Actions
- Deploy network detection rules focused on Atlas RAT communication patterns and C2 behaviors across egress points.
- Apply vendor patches or mitigations addressing HTTP/2 Bomb vulnerability for specific web server software.
- Patch all Android and Linux systems for the CVEs referenced in the latest CISA alert.
- Audit all ATG system accounts and enforce unique credentials; eliminate defaults.
- Temporarily disable HTTP/2 support where patching is not possible and evaluate business impact.
- Review and restrict access to the Mirasvit Cache Warmer extension until remediation is complete.
- Block or alert on wallet addresses associated with Nobitex identified in OFAC sanctions.
- Restrict administration interfaces of Wave 7 routers to internal networks only.
- Pilot continuous automated security validation solutions to test controls between formal pentests.
What We’re Watching
- Nation-state use of custom malware and strategic targeting of European sectors
- Ongoing exploitation of web protocol (HTTP/2) and router zero-days, impacting service availability and network security
- Rapid adaptation and migration of ransomware payments and crypto fraud tactics following recent law enforcement actions
- Renewed scrutiny on neglected exposures and the urgency of continuous security validation in place of legacy testing routines
- Movement toward granular examination of cloud and advertising traffic once deemed trustworthy
- The persistent challenges in defending operational technology and infrastructure as attack surfaces broaden