This week’s cybersecurity landscape is marked by a series of critical threats and vulnerabilities. Progress has urged ShareFile customers to shut down Windows servers running Storage Zone Controllers due to a credible external security threat, temporarily disabling access to affected accounts. A critical stored XSS flaw in Zimbra’s Classic Web Client could allow arbitrary code execution via specially crafted emails. The Jscrambler npm package was compromised to deliver a Rust-based information stealer, linked to the IronWorm activity. Microsoft detailed a new backdoor called GigaWiper, capable of wiping disks and running fake ransomware, attributed to an Iran-nexus threat actor. The SHELLSTORM operation exploited 27 WordPress plugin CVEs to deploy web shells across over 1.4 million domains, linked to a Chinese-speaking threat actor. New research introduced HalluSquatting, a technique that tricks AI coding assistants into executing malicious code by registering AI-hallucinated resource names. Threat actors are actively exploiting CVE-2026-1207 in Django for SQL injection and remote code execution. Citrix Bleed 2 (CVE-2025-5777) is being exploited to deploy DragonForce ransomware. A fake Chinese VPN installer drops GoodPersonRAT, and a malicious NuGet package impersonates Braintree to steal payment data. The RedHook Android trojan has resurfaced with new capabilities, abusing wireless ADB for shell access. A new data extortion group called Helix, emerging from the BlackFile and ShinyHunters ecosystem, uses vishing and MFA abuse to target SharePoint environments. Microsoft warns of an increase in Windows security updates due to AI-driven vulnerability discovery. New open-source tools include Caeruleus for Bluetooth Low Energy testing and PhantomFS for Windows honeypot deployment.
CVEs: CVE-2026-1207, CVE-2025-5777, CVE-2026-50746, CVE-2026-50747, CVE-2026-50748, CVE-2026-54400, CVE-2026-55115, CVE-2026-54402, CVE-2026-55116, CVE-2026-40138, CVE-2026-40139, CVE-2026-40140
Attack groups: IronWorm, SHELLSTORM, Helix, BlackFile, ShinyHunters, Rare Werewolf, Librarian Ghouls
Malware: GigaWiper, BLUERABBIT, SNOWLIGHT, VShell, DragonForce, GoodPersonRAT, RedHook
Companies: Progress, Zimbra, Jscrambler, Microsoft, JFrog, Darktrace, CrowdSec, LevelBlue, Huntress, Threatdown, Socket, Group-IB
Products: ShareFile, Storage Zone Controllers, Zimbra Classic Web Client, Jscrambler npm package, Citrix NetScaler, ScreenConnect, Zoho Assist, AnyDesk, LiteLLM Proxy, Amazon Bedrock, Microsoft Edge, Google Chrome
Service providers: Darktrace, CrowdSec, LevelBlue, Huntress, Threatdown, Socket, Group-IB, Seqrite Labs, ReliaQuest, Praetorian, Okta, Chainguard
Original source: thehackernews.com