Threat Alerts — Other
A live, severity-rated stream of the threats actually hitting small and medium businesses worldwide, each with the one or two actions that matter most.
Active alerts
- FBI and Google Seize Botnet Built From 2 Million Home DevicesHigh · Other · 2026-07-03The FBI and Google dismantled NetNut, a residential proxy network built from at least 2 million home devices including smart TVs and streaming boxes. Criminals rented the network to hide password-spray and account-takeover traffic behind ordinary residential IP addresses, the kind many business security tools are built to trust.
- China-Linked Group Hits Power and Water Utilities in AsiaHigh · Other · 2026-07-03A China-linked group tracked as CL-STA-1062 has compromised at least 10 electricity, water, and government organizations across Southeast Asia over the past year using a new stealth backdoor called TinyRCT. Palo Alto Networks says the group may be selling its footholds to other attackers rather than acting alone.
- Password Spray Attack Bypasses MFA on 78 Azure AccountsHigh · Other · 2026-07-01An automated password spray campaign made more than 81 million login attempts against Azure in two weeks and compromised 78 accounts across 64 organizations, several of which had multi-factor authentication switched on. The attackers got in by using a legacy login method that skips MFA prompts entirely.
- Microsoft Pulls 119 Edge Extensions That Hid Malware in ImagesHigh · Other · 2026-06-30Microsoft removed 119 Edge extensions that smuggled malware inside image and font files, then waited days to wake up and steal logins. The add-ons looked like ordinary ad blockers and VPNs and reached up to 2.6 million installs over two years. Check your browser against Microsoft's list before you trust it again.
- Poland Arrests Four in SIM-Swap Gang That Stole Millions in CryptoWatch · Other · 2026-06-26Polish police and the FBI arrested four people on 25 June after a joint investigation into a SIM-swapping network that drained cryptocurrency exchange accounts by compromising telecom partner systems. Prosecutors put the laundered total at over five million US dollars.
- Police Dismantle Amadey and StealC Malware in Operation EndgameHigh · Other · 2026-06-25An international police operation knocked out the servers behind Amadey and StealC, two malware families that infect computers and steal passwords for a living. Investigators recovered 27 million stolen credentials and froze more than 41 million euros in criminal cryptocurrency. If your saved browser passwords were taken, changing them now is the practical response.
- Popular Chrome Ad Blocker Hides a Dormant Code Injection PathWatch · Other · 2026-06-25A Chrome extension called Adblock for YouTube, installed more than 10 million times, contains a hidden way to run any code the developer chooses on every site you visit. Researchers at Island found it is switched off for now, but it could be turned on from the developer's server with no update and no review. The safe move is to remove it.
- macOS Fake CAPTCHA Scam Delivers Atomic Stealer via Mounted Disk ImagesHigh · Other · 2026-06-24Attackers are delivering the Atomic macOS Stealer through a fake CAPTCHA page that tells visitors to paste a Terminal command. The command silently downloads and mounts a disk image without it appearing in Finder, then launches a malicious app that drains credentials from eight browser families, cryptocurrency wallets, and the Apple Keychain. For Ledger Live and Trezor Suite users, the malware also replaces the legitimate app with a trojanised copy designed to steal seed phrases on the next launch.
- Compromised WhatsApp Accounts Deliver RMM Software to 11 CountriesHigh · Other · 2026-06-23Kaspersky researchers documented an active campaign in which attackers use compromised WhatsApp accounts to send VBScript files disguised as business documents. Opening one on Windows leads to silent installation of ManageEngine Endpoint Central, giving attackers persistent remote control of the machine. The campaign has reached the UK, Australia, and nine other countries.
- AryStinger Malware Turns 4,300 Neglected Routers Into a Spy NetworkHigh · Other · 2026-06-22Security researchers at QiAnXin XLab have uncovered a malware family called AryStinger that has quietly enrolled more than 4,300 home and small-office routers into a botnet used for reconnaissance and proxy operations. The infected devices serve as cover for attack traffic targeting cloud services and business accounts. Any organisation running a router that has not received a firmware update in the last two years should consider itself at risk.
- Canada's Spy Agency Disinfected Botnet Victims Using a Legal FirstWatch · Other · 2026-06-22The Canadian Security Intelligence Service used a threat reduction warrant to push disinfection commands to routers and servers inside Canada enrolled in two foreign-linked botnets. A Federal Court ruling made public on 15 June authorized the operation, the first time CSIS has used this legal power on privately-owned networked devices. For businesses in Canada and those watching how governments respond to botnet infrastructure globally, this sets a precedent worth understanding.
- FortiBleed Campaign Harvests Admin Logins From 30,000 Fortinet FirewallsCritical · Other · 2026-06-18Researchers found an attacker database holding working administrator logins for more than 30,000 internet-facing Fortinet firewalls, pulled by cracking credentials inside exposed configuration files. The victims span banks, hospitals, universities, and large companies across 194 countries. Any business running a FortiGate with old firmware or a reused admin password could be on the list.
- Chinese Spies Used Google Workspace Mail Rules To Steal EmailHigh · Other · 2026-06-18A China-linked group hid in North American medical and defense research networks for more than a year, then stole email using a built-in Google Workspace feature rather than malware. They turned the admin mail-compliance rules against the victims, silently copying any message matching their keywords to a Gmail account they controlled. The same technique works in Microsoft 365, and it leaves almost no trace.
- Rokarolla Android Trojan Steals Banking PINs and Crypto From PhonesHigh · Other · 2026-06-16A new Android banking trojan called Rokarolla targets 217 banking and cryptocurrency apps and can take near-total control of an infected phone, stealing lock-screen PINs, SMS codes, and crypto payments. It spreads through fake TikTok and Chrome sites and disguises itself as Google Play Protect. Owners who bank from a phone should install apps only from Google Play and guard the Accessibility permission.
- WordPress Plugin Files Hijacked to Backdoor Business SitesHigh · Other · 2026-06-15Attackers tampered with JavaScript served to sites running OptinMonster, TrustPulse, and PushEngage, three plugins from Awesome Motive that reach over 1.2 million sites. The poisoned code quietly created admin accounts and installed a hidden backdoor when a logged-in administrator visited. Affected sites need a server-side scan, not just a plugin update.
- Iran-Linked Handala Steals 5GB from California Water Utility, Exposes Customer DataCritical · Other · 2026-06-13The Iran-linked Handala group published 5GB of data stolen from California Water Service, covering roughly 2 million customers. The dump includes consumer PII, payment histories, and administrative credentials to the utility's GPS reference station network, raising concerns beyond consumer privacy.
- Over 400 Arch Linux AUR Packages Hijacked to Drop Rootkit and Credential StealerHigh · Other · 2026-06-13Attackers compromised more than 400 Arch User Repository packages this week by backdooring build scripts, deploying an infostealer and an eBPF rootkit that hides in the Linux kernel. Developer credentials are the primary target: GitHub tokens, SSH keys, HashiCorp Vault secrets, and messaging-app session data.
- China-Linked JDY Botnet Grows to 1,500 Routers and IoT DevicesHigh · Other · 2026-06-12A China-linked botnet called JDY has grown to more than 1,500 hijacked small-office routers, firewalls, and IoT devices, scanning the internet to map vulnerable systems for state-backed hackers. Most infected devices sit in the US and Brazil. Aging routers in small businesses are the raw material.
- ServiceNow Discloses Breach via Unauthenticated API EndpointWatch · Other · 2026-06-10ServiceNow disclosed a security incident in which attackers used an unauthenticated REST API endpoint to query customer instance data. The affected endpoint required no login. IT support tickets were among the data accessible, and those frequently contain credentials, API keys, and internal system details.
- French Government Messaging Platform Tchap Breached via Social EngineeringWatch · Other · 2026-06-09France's government-mandated messaging platform Tchap was breached through a socially engineered employee account, exposing 650,000 messages and data on 73,000 civil servant accounts. The attacker also claims all files shared on the platform were downloadable without valid authentication tokens. DINUM confirmed the breach; France's CNIL data protection authority was notified.