OpenClaw input flaws let hidden contacts and phishing emails trigger code execution and data leaks, exposing agent trust risks.
“The group actively tracks and evaluates modern vulnerabilities, including CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073, and combines them with technique-driven paths like backup and management-controller abuse and NTLM relay workflows, giving them a flexible exploitation pipeline,” Check Point said.
That’s not all. In March 2026, Hunt.io said it discovered an open directory hosted at “176.120.22[.]127:80” on the Russian bulletproof hosting provider Proton66 that exposed 126 files containing a complete ransomware operator toolkit attributed to an affiliate of The Gentlemen RaaS.
This included tools for reconnaissance, privilege escalation, defense evasion, credential theft, lateral movement, persistence, and pre-encryption preparation, essentially spanning all phases of the intrusion lifecycle.
In an unusual misinformation campaign, fraudulent data breach disclosures were submitted to Maine’s official breach portal and publicly posted before their legitimacy could be verified, prompting companies to deny the claims.
A notice allegedly filed by multiplayer social virtual reality platform VRChat is the most recent entry in the state Attorney General’s breach disclosure database.
However, a company representative told BleepingComputer that the breach notification is fake and has been filed using the name of a fictitious employee.
Oracle PeopleSoft servers are being targeted in ongoing data theft attacks by the ShinyHunters extortion gang, which claims to have stolen data from over 100 organizations.
PeopleSoft is an enterprise business software suite used by large organizations to manage business operations such as human resources, payroll, finance, supply chain management, procurement, and student administration.
Yesterday, BleepingComputer learned of widespread data theft attacks targeting both cloud and on-premises Oracle PeopleSoft customer instances. These customers were receiving extortion demands that were signed by the ShinyHunters extortion gang.
Two Russia-aligned cyber attack campaigns have continued to exploit a security flaw in WinRAR to target Ukrainian organisations, almost a year after patches for the vulnerability were released.
The activity has been attributed by Trend Micro to Earth Dahu (aka Gamaredon) and SHADOW-EARTH-066 (aka UAC-0226). It involves the exploitation of CVE-2025-8088, a path traversal flaw that allows an attacker to write files outside the extraction directory via NTFS Alternate Data Streams (ADS). It was patched by WinRAR in July 2025.
The findings show “how unmanaged software keeps an exploited entry point open long after the fix ships,” Trend Micro researchers Hiroyuki Kakara and Feike Hacquebord said in an analysis published Monday.
Microsoft removed 73 repositories across its Azure, microsoft, Azure-Samples, and MicrosoftDocs organizations on GitHub, disrupting continuous integration pipelines.
The incident occurred on June 5, and it was contained within just 105 seconds. The company told BleepingComputer that the repositories were removed due to concerns that they distributed “potential malicious content.”
Multiple researchers confirmed that the repos were pulled after a compromise during a Miasma/Shai-Hulud supply-chain campaign.
While Mythos 5 remains largely unconstrained for restricted government and trusted enterprise partners, Fable 5 is wrapped in a sophisticated safety perimeter. If Fable 5 detects a prompt drifting toward high-risk vectors—like cyberwarfare exploits, advanced biology, or chemical synthesis—it doesn’t just give a generic “I can’t answer that” error. Instead, the query seamlessly falls back to Claude Opus 4.8 (Anthropic’s next-most capable model) to handle the response safely.
Today we’re launching Claude Fable 5: a Mythos-class model that we’ve made safe for general use.
Fable 5’s capabilities exceed those of any model we’ve ever made generally available. It is state-of-the-art on nearly all tested benchmarks of AI capability, showing exceptional performance in software engineering, knowledge work, vision, scientific research, and many other areas. The longer and more complex the task, the larger Fable 5’s lead over our other models.
Releasing a model this capable comes with risks. Without safeguards, Fable 5’s capabilities in areas like cybersecurity could be misused to cause serious damage. We’ve therefore launched the model with safeguards that mean queries on some topics will instead receive a response from our next-most-capable model, Claude Opus 4.8. To release the model both safely and quickly, we’ve tuned these safeguards conservatively—they’ll sometimes catch harmless requests, though they trigger, on average, in less than 5% of sessions. With more capable models arriving in the coming months, we’re working to improve our safeguards and reduce false positives as quickly as we can.
New variants of the NFCShare Android malware are being distributed as fake updates for legitimate banking apps hosted on GitHub.
The malware has evolved and is now targeting customers of multiple banks and financial institutions across Europe in a phishing campaign aimed at stealing payment card data.
After tricking victims with a fake verification screen to place the cards near the mobile device’s near-field communication (NFC) chip, NFCShare reads the information using Android’s IsoDep interface and EMV commands.