Everything is dumb again. This week feels broken in a very familiar way. Old tricks are back. New tools are doing shady crap. Supply chains got hit. Fake help desks worked. Weird research showed how easy some attacks still are.

Most of it feels like stuff we should have fixed years ago. Bad extensions. Stolen creds. Remote tools are getting abused. Malware hides in places people trust. Same mess, cleaner packaging.

Coffee is cold. The vuln list is ugly. Let’s get into it.

⚡ Threat of the Week

New fast16 Malware Was Developed Years Before Stuxnet—A newly analyzed Lua-based malware framework called fast16 predates the notorious Stuxnet worm by years and is designed primarily to tamper with the results produced by high-precision calculation software. The framework dates back to 2005, which puts it at least five years before Stuxnet came to light in 2010. Widely regarded as a joint U.S.-Israeli project, Stuxnet marked a turning point in cyber warfare as the first disruptive digital weapon and later served as the blueprint for the Duqu information-stealing rootkit; fast16 pushes the timeline for operations of this sophistication back considerably further. It's currently not known whether fast16 was ever deployed in the wild, but the investigation identified three types of physical simulation software that the malware appears designed to tamper with. "It focuses on making slight alterations to these calculations so that they lead to failures – very subtle ones, perhaps not immediately apparent," security researcher Vitaly Kamluk told WIRED. "Systems might wear out faster, collapse, or crash, and scientific research could yield incorrect conclusions, potentially causing serious harm."


🔔 Top News

UNC6692 Resorts to Teams Help Desk Impersonation—A new threat group tracked as UNC6692 uses social engineering to deploy a new, custom malware suite named Snow, which consists of a browser extension, a tunneler, and a backdoor. The end goal is to steal sensitive data after network compromise through credential theft and domain takeover. "This component is where active reconnaissance and mission completion occur," Google Mandiant noted. "Attacker commands (such as whoami or net user) are sent through the SnowGlaze tunnel, intercepted by the SnowBelt extension, and then proxied to the SnowBasin local server via HTTP POST requests. SnowBasin executes these commands and relays the results back through the same pipeline to the attacker."

U.S. Federal Agency Targeted by FIRESTARTER Backdoor—The U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed that an unnamed federal civilian agency's Cisco Firepower device running Adaptive Security Appliance (ASA) software was compromised in September 2025 with a new malware called FIRESTARTER, assessed to be a backdoor designed for remote access and control. It's believed to have been deployed as part of a "widespread" campaign by an advanced persistent threat (APT) actor that gained access to ASA firmware by exploiting now-patched security flaws such as CVE-2025-20333 and CVE-2025-20362. Because the backdoor survives both patching and system reboots, applying the fixes alone does not evict it: Cisco is recommending that affected users reimage their devices and then update to the latest fixed versions.

Lotus Wiper Malware Targets Venezuelan Energy Systems—A previously undocumented data wiper codenamed Lotus Wiper has been used in attacks targeting the energy and utilities sector in Venezuela at the end of last year and the start of 2026. "Two batch scripts are responsible for initiating the destructive phase of the attack and preparing the environment for executing the final wiper payload," Kaspersky said. "These scripts coordinate the start of the operation across the network, weaken system defenses, and disrupt normal operations before retrieving, deobfuscating, and executing a previously unknown wiper." Once deployed, the wiper erases recovery mechanisms, overwrites the content of physical drives, and systematically deletes files across affected volumes, effectively leaving the system in an inoperable state.
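As an added illustration (example code, not from Kaspersky's report or the original bulletin), the Python below is detection logic for the "weaken defenses, then erase recovery" phase described above, run over constructed process-creation events. The specific commands it matches (vssadmin, wbadmin, bcdedit, Defender tampering) are assumed, common examples of that behavior; the summary above does not name the commands Lotus Wiper's batch scripts actually use, and the per-host escalation threshold is likewise an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (Sysmon EventID 1 / 4688-style), flattened to
# "host|parent|image|commandline". These lines are made up for the example; they are not
# taken from the Lotus Wiper report.
SAMPLE_EVENTS = [
    "ws01|explorer.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c dir C:\\Users",
    "ws01|cmd.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    "ws01|cmd.exe|C:\\Windows\\System32\\wbadmin.exe|wbadmin delete catalog -quiet",
    "ws01|cmd.exe|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} recoveryenabled No",
    "ws01|cmd.exe|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "ws01|cmd.exe|C:\\Windows\\System32\\sc.exe|sc stop WinDefend",
    "ws01|powershell.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -nop -c Set-MpPreference -DisableRealtimeMonitoring $true",
    "ws02|svchost.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows",
]


@dataclass
class Finding:
    host: str
    technique: str
    commandline: str


# Each rule: (technique name, regex over the command line). These are assumed examples of
# "erase recovery mechanisms" and "weaken defenses" commands, not the wiper's actual script contents.
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("backup_catalog_deletion", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
    ("recovery_env_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("boot_failure_ignored", re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("defender_service_stopped", re.compile(r"\b(sc|net)(\.exe)?\s+stop\s+windefend\b", re.I)),
    ("defender_rtp_disabled", re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I)),
]


def parse_event(line):
    """Split one flattened event into its four fields; the command line may itself contain spaces."""
    host, parent, image, cmd = line.split("|", 3)
    return {"host": host, "parent": parent, "image": image, "commandline": cmd}


def detect(events):
    """Return one Finding per (event, matching rule)."""
    findings = []
    for line in events:
        ev = parse_event(line)
        for name, rx in RULES:
            if rx.search(ev["commandline"]):
                findings.append(Finding(ev["host"], name, ev["commandline"]))
    return findings


def hosts_in_destructive_phase(findings, min_distinct_rules=2):
    """Per-host escalation. A single hit can be legitimate admin work; two or more distinct
    recovery/defense-tampering techniques on the same host is the pattern a preparatory
    batch script produces. The threshold of 2 is an assumption, tune it to your estate."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.technique)
    return sorted(h for h, techs in by_host.items() if len(techs) >= min_distinct_rules)


if __name__ == "__main__":
    fs = detect(SAMPLE_EVENTS)
    for f in fs:
        print(f"{f.host}: {f.technique}: {f.commandline}")
    print("escalate:", hosts_in_destructive_phase(fs))
```

The point of the second function is timing: these commands run before the wiper payload is fetched and executed, so a host that trips several of them in a short window is still worth isolating even though nothing has been overwritten yet.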

The Gentlemen Deploys SystemBC Malware—Threat actors associated with The Gentlemen ransomware‑as‑a‑service (RaaS) operation have been observed attempting to deploy a known proxy malware called SystemBC. The ransomware group has quickly made a name for itself in a matter of months, claiming more than 320 victims on its data leak site since its emergence in July 2025. According to Comparitech, the group claimed 202 attacks last quarter, second only to Qilin's 353 claims. NCC Group found The Gentlemen was responsible for 34 attacks in January and 67 in February 2026, making it a prominent player alongside other established groups like Qilin, Akira, and Cl0p. "The emergence of The Gentlemen group among the top three most active threat actors is notable as it demonstrates how a relatively new group can scale operations rapidly," NCC Group said. The development comes as another nascent ransomware group called Kyber has attracted attention for becoming the first RaaS crew to adopt the Kyber1024 post-quantum key encapsulation algorithm (standardized by NIST as ML-KEM-1024) for its Windows variant of the locker. In related news, the threat actors linked to the Trigona ransomware, dubbed Rhantus, have been observed using a custom data exfiltration tool that's designed to give attackers more control over which files to take (or ignore) and to speed up transfer by opening five parallel connections per file. The attacks were detected in March 2026. It's not known why the threat actors shifted away from readily available tools like Rclone. Custom tooling is something of a rarity in the ransomware landscape, and it's a double-edged sword for attackers. "While it requires development resources and time, these tools can provide a level of stealth that generic tools cannot match, at least until they're discovered," the Symantec and Carbon Black Threat Hunter Team said.

Bitwarden CLI Compromised in Supply Chain Campaign—Bitwarden CLI, the command-line interface for the password manager Bitwarden, was compromised as part of a new supply chain attack that also targeted Checkmarx's Docker images, Visual Studio Code extensions, and GitHub Actions workflow. The affected package, @bitwarden/cli@2026.4.0, contained malicious code to steal sensitive data from developer systems. The malware also features self-propagation capabilities: it uses stolen npm credentials to identify packages the victim can publish to and injects malicious code into them to expand its reach. Bitwarden has since addressed the issue. The attack appears to be the work of a threat actor known as TeamPCP, although references to the string "Shai-Hulud: The Third Coming" have complicated attribution.
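Added here as a practical check (example code, not Bitwarden's or npm's own tooling): a small Python audit that walks a package-lock.json and flags the compromised @bitwarden/cli@2026.4.0 wherever it is installed, including nested copies under other packages. It handles both the lockfileVersion 2/3 "packages" map and the older v1 nested "dependencies" tree. The lockfile in the block is constructed for the example, and the known-bad list contains only the version named above.

```python
import json

# Known-bad (name, version) pairs. Only the version named in the advisory above; extend as needed.
COMPROMISED = {("@bitwarden/cli", "2026.4.0")}

# Constructed package-lock.json (lockfileVersion 3 layout) for the example; not a real project's lockfile.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "dependencies": {"@bitwarden/cli": "^2026.4.0", "left-pad": "1.3.0"}},
        "node_modules/@bitwarden/cli": {
            "version": "2026.4.0",
            "resolved": "https://registry.npmjs.org/@bitwarden/cli/-/cli-2026.4.0.tgz",
        },
        "node_modules/left-pad": {"version": "1.3.0"},
        # a nested, older copy pulled in by another package: must not be flagged
        "node_modules/some-tool/node_modules/@bitwarden/cli": {"version": "2026.3.1"},
    },
})


def iter_installed(lock):
    """Yield (name, version, lockfile path) for every installed package.

    lockfileVersion 2/3 keeps a flat "packages" map keyed by install path;
    lockfileVersion 1 nests "dependencies" recursively, so we walk that tree instead."""
    packages = lock.get("packages")
    if packages is not None:
        for path, meta in packages.items():
            if not path:  # "" is the root project itself, not a dependency
                continue
            # the package name (scoped or not) is everything after the last "node_modules/"
            name = path.rsplit("node_modules/", 1)[-1]
            yield name, meta.get("version"), path
        return

    def walk(deps, prefix):
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            yield name, meta.get("version"), path
            yield from walk(meta.get("dependencies", {}), path + "/")

    yield from walk(lock.get("dependencies", {}), "")


def find_compromised(lock_source, bad=COMPROMISED):
    """Accept lockfile JSON text or an already-parsed dict; return sorted (name, version, path) hits."""
    lock = json.loads(lock_source) if isinstance(lock_source, str) else lock_source
    return sorted(
        (name, version, path)
        for name, version, path in iter_installed(lock)
        if (name, version) in bad
    )


if __name__ == "__main__":
    hits = find_compromised(SAMPLE_LOCKFILE)
    for name, version, path in hits:
        print(f"COMPROMISED {name}@{version} at {path}")
    raise SystemExit(1 if hits else 0)
```

Because the malware self-propagates with stolen npm credentials, a clean lockfile is not the end of the job: any package the affected developer's npm account could publish to needs the same review, and the npm token that was exposed should be rotated.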

🔥 Trending CVEs

Bugs drop weekly, and the gap between a patch and an exploit is shrinking fast. These are the heavy hitters for the week: high-severity, widely used, or already being poked at in the wild.

Check the list, patch what you have, and hit the ones marked urgent first — CVE-2026-40372 (Microsoft ASP.NET Core), CVE-2026-33626 (LMDeploy), CVE-2026-5760 (SGLang), CVE-2026-5752 (Cohere AI Terrarium), CVE-2026-3517, CVE-2026-3518, CVE-2026-3519, CVE-2026-4048 (Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager, and MOVEit WAF), CVE-2026-21876 (Progress MOVEit WAF), CVE-2026-32173 (Microsoft Azure SRE Agent), CVE-2026-25262 (Qualcomm), CVE-2025-24371 (CometBFT), CVE-2026-5754 (Radware Alteon), CVE-2026-40872 (Mailcow