It got stupid again.
The internet still feels held together with tape. Bad plugins, old bugs, fake tools, trusted apps doing shady things. Same mess, new wrapper. And now the weird stuff is normal. Forums go down and come back worse. Cheap hackers get better toys. AI starts breaking real systems. Great.
Read the whole thing before it ruins your week anyway.
-
Unauthenticated SSRF risk
Cisco has released fixes to address a high-severity security flaw in Unified Communications Manager (CVE-2026-20230, CVSS score: 8.6) that could allow an unauthenticated, remote attacker to conduct server-side request forgery (SSRF) attacks through an affected device. “This vulnerability is due to improper input validation for specific HTTP requests,” Cisco said. “An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to write files to the underlying operating system that could be used later to elevate to root.” The issue has been addressed in Cisco Unified CM and Unified CM SME Release versions 14SU6 and 15SU5. Cisco said it’s aware of the availability of proof-of-concept exploit code for the flaw, but noted there is no evidence of active exploitation. It credited an independent security researcher working with SSD Secure Disclosure for reporting the vulnerability.
-
Mobile spyware operation
Russia’s Federal Security Service (FSB) has disclosed details of what it described as a “large-scale action” undertaken by foreign intelligence services to stealthily implant spyware on the mobile devices of high-ranking officials in the country. “This software was utilized to exfiltrate existing data, intercept ongoing conversations, and conduct covert audio and video surveillance of the immediate surroundings of the electronic devices, with the ultimate objective of obtaining sensitive information,” the FSB said. Russia did not reveal who was behind the attacks, but noted the “representatives of foreign intelligence services” leveraged the technical capabilities of major international IT corporations to exfiltrate sensitive data from the devices. This specifically included the exploitation of mobile communication channels, the agency added. An investigation into the activity is ongoing, with the FSB also initiating a criminal case to investigate the matter.
-
Layered keylogger lures
Threat actors have been relying on social engineering over the past few months to push VIP Keylogger via loaders written in JavaScript, batch scripts, and Visual Basic Script (VBS). “Attackers are masquerading as legitimate business communications such as bank payment notifications, procurement orders, and logistics updates to lure users into opening malicious files,” Splunk said.
-
Crypto sanctions escalation
The U.S. Treasury’s Office of Foreign Assets Control (OFAC) has announced sanctions against Nobitex, Iran’s largest cryptocurrency exchange, for facilitating payments related to terrorist activities. “Nobitex has provided significant support to the regime, processing more than 50 percent of all Iranian digital asset inflows in 2025 and facilitating payments tied to Iran’s terrorist activities, sanctions evasion efforts, and Islamic Revolutionary Guard Corps (IRGC)-linked transactions, including activity associated with IRGC-affiliated ransomware actors,” the Treasury said. The sanctions also extend to Nobitex’s chairman, co-founder, and former CEO, Amir Hossein Rad, as well as other Nobitex leaders and officials, and three other exchanges: Wallex, Bitpin, and Ramzinex. According to Chainalysis, Nobitex processed over 50% of all Iranian digital asset inflows last year. The four exchanges accounted for roughly $7.7 billion, 78% of Iran’s USD 9.9 billion in attributed 2025 crypto volume, per TRM Labs.
-
Cybercrime forum fallout
The July 2025 law enforcement takedown of XSS, a prominent Russian-speaking cybercrime forum, didn’t dismantle the ecosystem. Rather, it fractured it into competing, harder-to-track factions, Flashpoint said. The collapse has triggered an exodus into new, unvetted, and often adversarial communities. Some of the new forums that have rushed to fill up the void left by XSS include DamageLib (launched by legacy moderators of XSS), Rehub (launched by another former XSS moderator), XSS.pro (a resurrection using old backups and suspected to be a law-enforcement honeypot), and XSSF (started by a pro-Russian Telegram hacking group).
-
RMM abuse surge
A lesser-known remote desktop tool called Tiflux is being used in a growing number of attacks to establish persistence, transmit screenshots, and run commands to collect system profiling information. “Threat actors behind the rogue Tiflux incidents also installed UltraVNC, an open-source remote access tool, sideloaded other commercial RMMs, including Splashtop and ScreenConnect, and installed an outdated driver that can permit the threat actor to elevate their own privileges on an infected system,” Huntress said. “Threat actors continue to test and weaponize the use of commercial remote access management tools.”
-
Malware delivery network
A threat cluster tracked as DriveSurge has been operating large-scale malware distribution campaigns using ClickFix and FakeUpdates (aka SocGholish) social engineering techniques on compromised sites. Thousands of websites are estimated to have been compromised, directing users to malicious infrastructure. DriveSurge primarily acts as an initial access broker (IAB) operating on a pay-per-install (PPI) model, enabling follow-on attacks. Visitors of compromised websites are steered through a traffic distribution system (TDS) known as zTDS, which profiles the system and decides whether the visitor should be served a ClickFix or a FakeUpdates lure. zTDS, in use since at least 2015, is publicly available at ztds[.]info. “Using zTDS, DriveSurge hijacks thousands of legitimate, high-reputation websites and silently redirects visitors to malware, unbeknownst to the sites’ owners or their visitors,” Silent Push said. The campaign has been active since September 2025.
-
Sensitive data leak
The Spanish National Police has arrested an unidentified individual for leaking sensitive information related to members of various critical state organizations, including the National Cybersecurity Institute (INCIBE), the State Attorney General’s Office, the National Police, the Civil Guard, and the National Security Council.
-
JavaScript backdoor malspam
Intrinsec has disclosed that multiple malspam campaigns have been used to distribute a JavaScript-coded backdoor. “The targets of those campaigns were from all regions and sectors, notably energy and finance ministries, including in the CIS region,” the company said. “We believe the campaigns to be financially motivated and operated for email account compromise (EAC) and/or business email compromise (BEC).” The activity was observed in March 2026.
-
On-chain malware delivery
Cybersecurity researchers have flagged an intrusion in which threat actors used the EtherHiding technique to route ClearFake payload delivery through smart contracts on the BNB Smart Chain testnet. “The attack chain ended with two simultaneously deployed stealers, SectopRAT and ACRStealer, alongside an on-chain execution tracker that confirmed each victim compromise in real time,” Trend Micro said.
-
Cloud attack tradecraft
Nation-state hacking groups like APT29, APT33, and UTA0355 are exploiting ROADtools, a Python-based open-source framework for red-teaming and research, to blend in with normal traffic and evade detection. “ROADtools operates through legitimate Microsoft APIs and can mimic typical traffic,” Palo Alto Networks Unit 42 said. “Further defense evasion can be achieved by configuring request attributes such as user-agent strings. These capabilities have made ROADtools a valuable asset for attackers. Nation-state threat actors have used it in recent cloud intrusions for discovery, persistence, and defense evasion. Attackers involved in a targeted phishing campaign in early 2025 used tooling that matches ROADtools’ token management capabilities.”
-
Data-only extortion rises
Pure data-exfiltration campaigns that pressure victims without deploying ransomware are on the rise. In 2025, such attacks have primarily targeted professional services, healthcare, and consumer services firms. “Interestingly, while manufacturing remains the single most disrupted sector overall, construction has witnessed a 44% year-over-year increase as a data-only extortion hotspot,” Unit 42 said. “These firms are attractive targets due to lucrative financial blueprints and bidding data combined with data egress controls.”
-
AI-assisted evasion testing
An unknown threat actor has been observed using artificial intelligence (AI) technologies to automate Active Directory discovery and refine endpoint detection and response (EDR) evasion tactics in a red team post-exploitation framework. “Analysis revealed that AI for malware development was more limited and was mainly used to coordinate workflows and support experimentation,” Sophos said. “The actual EDR-bypass path was a structured engineering test cycle that included human review and iteration.” To develop tools for bypassing EDR agents, the attacker is said to have used Cursor and Anthropic Claude Opus. At the core of the framework is a Python tool that generates Go and Rust payloads for testing with an aim to resist sandboxing, antivirus, and EDR detection. This approach was used to build nearly 80 modules covering more than 70 techniques. Also attributed to the threat actor are Python-based malware development scripts for injecting shellcode into legitimate Windows executables and a Telegram bot API-based external command and control (C2) mechanism. “The use of AI agents to accelerate tool development and test evasion techniques lowers the barrier to entry for sophisticated red team-style attacks,” Sophos said. “However, this shift does not change how defenders should protect themselves.” The framework is said to be built for stealthy post-exploitation activity in target environments, linking it to “known ransomware deployment and data theft operations.”
-
Steam-hosted malware payloads
A newly identified malware is using Steam Community profile comments to host malicious payloads for WordPress, hiding malicious infrastructure behind Valve’s legitimate platform. “The malware employs invisible Unicode characters to conceal payloads within Steam profile comments, enabling steganographic data encoding that evades traditional text-based detection methods,” GoDaddy said. “A cookie-authenticated backdoor enables remote code execution, allowing attackers to modify plugin and theme files by sending base64-encoded PHP code via POST requests.” The malware performs two primary functions: client-side JavaScript injection, which fetches encoded URLs from Steam profile comments, decodes them, and injects external JavaScript into WordPress pages, and a server-side backdoor that provides cookie-authenticated remote access for modifying PHP files across plugins and themes. The campaign was first detected in July 2025. The malware has been detected on approximately 1,980 WordPress sites. It is unclear how the websites are breached, but it’s assessed that the initial infection vector could be stolen admin logins, compromised FTP/SFTP credentials, the exploitation of a vulnerable WordPress theme or plugin, or a supply chain compromise.
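A detector for the invisible-Unicode trick described above, written as an added example (it is not code from GoDaddy’s report). The page does not describe the malware’s actual bit encoding, so the decoder assumes a zero-width-space/zero-width-non-joiner bit alphabet; the density check that produces the verdict works regardless of the scheme, and the sample comments are constructed.

```python
"""Flag text (e.g. Steam profile comments) that carries invisible-Unicode payloads.

Added example, not GoDaddy's code. ASSUMPTION: payload bits are U+200B (0) and
U+200C (1), MSB first, 8 bits per byte. The real scheme is not on the page, so the
verdict relies on invisible-character density, which is encoding-independent.
"""
from collections import Counter
from typing import Optional

# Code points with no visible glyph. U+200D (ZWJ) is tracked separately because
# legitimate emoji sequences (family, skin tones) use it.
INVISIBLE = {"\u200b": "ZWSP", "\u200c": "ZWNJ", "\u2060": "WJ", "\ufeff": "BOM"}
ZWJ = "\u200d"
BIT0, BIT1 = "\u200b", "\u200c"  # assumed bit alphabet


def count_invisible(text: str) -> dict:
    """Per-character counts of invisible code points plus the visible length."""
    c = Counter(ch for ch in text if ch in INVISIBLE)
    return {
        "invisible": sum(c.values()),
        "zwj": text.count(ZWJ),
        "visible": sum(1 for ch in text if ch not in INVISIBLE and ch != ZWJ),
        "by_char": {INVISIBLE[k]: v for k, v in c.items()},
    }


def decode_hidden(text: str) -> Optional[bytes]:
    """Decode a payload under the assumed ZWSP/ZWNJ scheme, or None if it doesn't fit."""
    bits = ["0" if ch == BIT0 else "1" for ch in text if ch in (BIT0, BIT1)]
    if len(bits) < 8 or len(bits) % 8:
        return None
    return bytes(int("".join(bits[i:i + 8]), 2) for i in range(0, len(bits), 8))


def scan_comment(text: str, max_invisible: int = 8) -> dict:
    """'suspicious' when invisible chars exceed max_invisible: a few ZWSP/WJ can
    survive copy-paste, but dozens never appear in a human-written comment."""
    stats = count_invisible(text)
    verdict = "suspicious" if stats["invisible"] > max_invisible else "clean"
    decoded = None
    if verdict == "suspicious":
        payload = decode_hidden(text)
        if payload is not None:
            try:
                decoded = payload.decode("ascii")
            except UnicodeDecodeError:
                decoded = None  # not text under the assumed scheme; density still flags it
    return {"verdict": verdict, "stats": stats, "decoded": decoded}


def hide_for_sample(visible: str, payload: bytes) -> str:
    """Build a CONSTRUCTED test comment by appending payload bits as ZWSP/ZWNJ."""
    hidden = "".join(BIT1 if (b >> i) & 1 else BIT0
                     for b in payload for i in range(7, -1, -1))
    return visible + hidden


# Constructed samples (not real Steam data). The clean one is an emoji ZWJ sequence.
SAMPLE_CLEAN = "gg wp \U0001F468\u200d\U0001F469\u200d\U0001F467"
SAMPLE_BAD = hide_for_sample("nice profile!", b"https://cdn.example.invalid/a.js")

if __name__ == "__main__":
    for sample in (SAMPLE_CLEAN, SAMPLE_BAD):
        print(scan_comment(sample))
```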
-
Trusted tools abused
Flare.io has disclosed details of FalkonC2, a commercial hacking tool that appears designed to hide inside enterprise environments by abusing trusted remote access software. “FalkonC2 has an enterprise version called Rotemelli2 that runs in memory, rotates its command-and-control domains every 72 hours, and uses tools such as ScreenConnect, Datto, and SimpleHelp to quietly launch attacks,” the company said in a statement. An analysis of dashboard telemetry suggests active enterprise infections across the U.S., Australia, the Netherlands, and Poland. The framework also checks infected machines for QuickBooks and Sage50 data, suggesting attackers are looking for accounting systems they can quickly exfiltrate.
-
AI vulnerability surge
Anthropic is broadening access to its Project Glasswing program, adding approximately 150 organizations in 15 countries for access to its Claude Mythos Preview. “The bottleneck in cybersecurity is now verifying, disclosing, and patching the large numbers of vulnerabilities that Mythos-class models can surface,” the company said. The growing number of flaws identified with the help of AI models has shifted the scales from discovery to patching. A recent report from the Cloud Security Alliance (CSA), the SANS Institute, and the Open Worldwide Application Security Project (OWASP) concluded that in the near term, organizations are “likely to be overwhelmed” by threat actors using AI to find and exploit vulnerabilities faster than defenders can patch them. “The cost and capability floor to exploit discovery is dropping, the time between disclosure and weaponization is compressing toward zero, and capabilities that previously required nation-state resources are now becoming broadly accessible,” the report said.
-
Linux flaw under attack
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a Linux Kernel flaw (CVE-2022-0492, CVSS score: 7.8) to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to remediate the flaw by June 5, 2026. “Linux Kernel contains an improper authentication vulnerability which could allow for privilege escalation via the cgroups v1 release_agent feature,” CISA said. The development comes after Kaspersky said it observed the flaw, along with CVE-2019-5736 and CVE-2024-21626, being exploited in attacks aimed at container environments.
-
Fake image tools deliver malware
A new ClickFix-style lure is being dressed up as free image-editing tools to deliver CastleLoader, which then drops both NetSupport RAT and a custom .NET stealer called CastleStealer. “The sites look like every other ‘remove your photo background’ service with uploads, progress bars, and download buttons, but the entire UI is fake,” Huntress said. The activity has been codenamed BackgroundFix. CastleLoader is attributed to a threat cluster known as GrayBravo.
-
Session theft defense
Google has revealed that Device Bound Session Credentials (DBSC) in the Chrome browser is now generally available and enabled by default for Google Workspace users. “DBSC strengthens account security after users are logged in and helps bind a session cookie – small files used by websites to remember user information – to the device a user authenticated from,” Google said. “Even if malware was present on the user’s device, DBSC reduces the risk of session theft and makes it meaningfully more difficult for malicious actors to exploit stolen session cookies.” The feature was formally released in April 2026.
-
Adobe abused in phishing
Cybercriminals are weaponizing Adobe infrastructure in a LinkedIn phishing campaign that steals passwords and redirects victims to the legitimate LinkedIn site afterward. Opening an HTML attachment in the email message serves a login form urging the recipient to enter their credentials. The captured information is delivered to the domain “lnkd.tt.omtrdc[.]net/rest/v1/delivery,” after which the victim is redirected to the LinkedIn site. “This domain belongs to Adobe and is associated with the Adobe Target A/B testing platform,” Malwarebytes said. “But the campaign isn’t using Adobe Target to receive the phished credentials. Instead, attackers are abusing Adobe Target as a redirect/abuse point in the phishing flow.”
-
Supply chain delay defense
RubyGems has included a cooldown, a time-based filter, in Bundler version 4.0.13 that refuses to resolve to a version until it has been public for at least “N” days. “Releases too new to have been scrutinized are passed over in favor of ones that have aged past the window,” Hiroshi Shibata, RubyGems maintainer, said. “It is opt-in, and complements rather than replaces existing defenses like mandatory 2FA and trusted publishing.” Users can declare a “small cooldown” on the source in the Gemfile. The efforts go along with other initiatives like AI-assisted vulnerability scanning against the most critical gems in the registry.
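A simulation of the cooldown rule above, written in Python as an added example; it is not Bundler’s code and does not show the Gemfile syntax. The version/requirement parsing is a simplified assumption (numeric dot-separated versions, only the “>=” and pessimistic “~>” operators), and the candidate list with its publish dates is constructed.

```python
"""Simulate Bundler 4.0.13's cooldown: ignore any version published fewer than
N days ago and resolve to the newest one that has aged past the window.
Added example, not Bundler's own resolver. Version handling is simplified."""
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


def parse_version(v: str) -> tuple:
    """'3.1.12' -> (3, 1, 12); tuples compare the way versions should."""
    return tuple(int(p) for p in v.split("."))


def satisfies(version: str, requirement: str) -> bool:
    """Support '>= X' and the pessimistic '~> X' operator (assumption: nothing else)."""
    op, _, ref = requirement.partition(" ")
    ver, want = parse_version(version), parse_version(ref)
    if op == ">=":
        return ver >= want
    if op == "~>":
        # ~> 3.1 means >= 3.1 and < 4; ~> 3.1.0 means >= 3.1.0 and < 3.2
        upper = (want[0] + 1,) if len(want) == 1 else want[:-2] + (want[-2] + 1,)
        return want <= ver < upper
    raise ValueError(f"unsupported operator: {op}")


def resolve(candidates: List[Tuple[str, datetime]], requirement: str,
            cooldown_days: int, now: datetime) -> Optional[str]:
    """Newest version matching `requirement` that was public for at least
    `cooldown_days` before `now`; None if nothing has aged past the window."""
    cutoff = now - timedelta(days=cooldown_days)
    eligible = [(parse_version(v), v) for v, published in candidates
                if satisfies(v, requirement) and published <= cutoff]
    return max(eligible)[1] if eligible else None


# Constructed sample: a gem's recent releases with made-up publish times.
NOW = datetime(2026, 5, 20, tzinfo=timezone.utc)
CANDIDATES = [
    ("3.1.12", NOW - timedelta(days=45)),
    ("3.1.13", NOW - timedelta(days=10)),
    ("3.1.14", NOW - timedelta(days=1)),   # pushed yesterday, not yet scrutinized
    ("3.2.0", NOW - timedelta(days=2)),    # also too fresh under a 7-day window
]

if __name__ == "__main__":
    print("no cooldown:", resolve(CANDIDATES, "~> 3.1", 0, NOW))   # 3.2.0
    print("7-day cooldown:", resolve(CANDIDATES, "~> 3.1", 7, NOW))  # 3.1.13
```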
-
Iran-linked Israel attacks
ESET said it recorded an unusual spike in Iran-aligned activity against Israeli targets between October 2025 and March 2026 that could not be linked to previously known groups. “Two unattributed activity clusters, Rusty Boots and MoKhargosh, demonstrated both espionage capabilities and destructive potential – including deployment of a bootkit-style wiper and retaining destructive tooling for later use – whereas a third, MOØN Badr, appears to have been limited to targeted espionage,” the Slovakian company said. MoKhargosh, first observed in January 2026, used Go-compiled binaries in attacks targeting Israel. This includes a backdoor called GoKhargosh, along with wipers, filecoders that overwrite files with junk data, and a wiper that targets the master boot record to render the system unbootable. MOØN Badr, on the other hand, singled out three unidentified victims in Israel in early January 2026 to deliver the MOØN AGENT backdoor via phishing emails to facilitate command execution and file uploads and downloads.
-
Fuel tank systems exposed
The U.S. government has issued an advisory urging organizations to take steps to defend against attacks targeting U.S.-based automatic tank gauge (ATG) systems by securing them with strong passwords and by removing them from the internet to reduce public exposure. The activity, which remains unattributed, involves the attackers compromising internet-exposed ATG systems via hard-coded credentials, command execution, and SQL injection vectors, followed by escalating privileges to obtain full administrator rights and modifying the system functions. “Should a cyber threat actor exploit these vulnerabilities and compromise an ATG system, they could disrupt or manipulate the below critical functions by interfacing directly with the tank management as though they possessed legitimate physical access to the system console,” government agencies said.
-
Verified call defense
Google has announced a fake call detection feature, built on Rich Communication Services (RCS), for Android devices running Android 12 and later that verifies whether a call is coming from the caller’s actual Android smartphone. Enabled by default, the alert is designed to help users avoid falling victim to deepfake impersonation and call spoofing in real time. “When a contact calls you and you’re both using Phone by Google, their device sends a silent confirmation signal in real time to your device to verify the call is legitimate and truly coming from the contact’s device,” Google said. “If a scammer tries to impersonate your contact, that initial confirmation signal will be missing. Your device will instantly notice this and ping your contact’s actual device to double-check. If their real device says, ‘I’m not making a call right now,’ you’ll get a warning on your screen advising you to hang up immediately.” Because the digital handshake uses end-to-end encrypted RCS technology, Google said the process is completely private. That said, the feature requires users to have three Google apps installed: Phone by Google, Contacts, and Google Messages. It will roll out globally this month, starting with Pixel devices.
-
Agentic AI failures
An analysis of 7,200 publicly reported AI-security and operational incidents has identified “344 verified enterprise-relevant agent-inflicted damage cases between September 2023 and May 2026, including 188 incidents where autonomous AI systems caused direct organizational harm without any external attacker involvement,” Cyera researchers Ehud Halamish, Assaf Morag, and Vladimir Tokarev said. “The majority of confirmed incidents involved real production impact rather than theoretical AI risk scenarios. Observed outcomes included deleted databases, destructive cloud actions, unauthorized financial operations, runaway API spending, service outages, exposed secrets, and silent integrity corruption inside enterprise environments. As agents gain broader permissions and deeper integration into SaaS, cloud, development, and business environments, the AI interaction layer itself increasingly becomes part of the enterprise attack surface and critical data perimeter.”
The lesson is boring because the lesson is always boring. Patch faster, kill exposed admin panels, stop trusting “safe” tools by name, and watch the weird edges where attackers like to hide. The cheap stuff still works because too many teams leave it cheap.
Security is not magic. It is inventory, logs, least privilege, backups, tested restores, and people who notice when something normal starts acting wrong. Do that well, and half this mess gets a lot less exciting. That is the point.