DDR5 Bot Scalping, Samsung TV Tracking, Reddit Privacy Fine & More


Cybersecurity Weekly Roundup: Emerging Threats, Tech Policy Shifts, and New Attack Techniques

Another week in cybersecurity has delivered a flurry of developments that underscore the rapid evolution of digital threats and the countermeasures being deployed across the globe. From sophisticated malware campaigns targeting government institutions to policy changes by major tech firms, here’s a detailed look at the most significant stories making waves this week.


1. Phishing Campaign Deploys Multiple Malware Strains
The Computer Emergency Response Team of Ukraine (CERT-UA) has issued a warning about a hacking campaign targeting Ukrainian government institutions. The attackers are using phishing emails containing ZIP archives or links to cross-site scripting (XSS)-vulnerable websites to distribute SHADOWSNIFF and SALATSTEALER information-stealing malware, along with a Go backdoor called DEAFTICKK. The campaign has been attributed to a threat actor tracked as UAC-0252. This activity coincides with reports of a suspected Russian espionage campaign deploying previously undocumented malware strains, BadPaw and MeowMeow, likely linked to APT28. While the targets and success of these attacks remain unclear, the sophistication and coordination of these campaigns highlight the persistent threat to national security.


2. Fake RMM Service Spreads RAT via Phishing
A new malware-as-a-service (MaaS) dubbed TrustConnect has emerged, masquerading as a legitimate remote monitoring and management (RMM) tool. Priced at $300 per month, TrustConnect is being distributed via phishing emails that claim to be event invites or bid proposals. These emails trick recipients into clicking links that download bogus executables, installing the TrustConnect RAT. This remote access trojan gives attackers full control over victims’ machines, allowing them to record and stream screens. Some campaigns have also delivered legitimate RMM software like ScreenConnect and LogMeIn Resolve alongside TrustConnect. After Proofpoint disrupted some of the malware’s infrastructure, the threat actor resurfaced with a rebranded version called DocConnect. This development underscores the growing abuse of legitimate RMM software in cyberattacks.


3. Chrome Moves to Two-Week Release Cycle
Google has announced a significant shift in its Chrome browser release strategy, moving from a four-week to a two-week release cycle. This change aims to provide developers and users with faster access to performance improvements, fixes, and new capabilities. The new cycle will also apply to beta releases, starting with Chrome 153, set to arrive on September 8, 2026. This move reflects Google’s commitment to keeping pace with the rapidly advancing web platform and ensuring users benefit from the latest innovations.


4. TPMS Signals Allow Covert Vehicle Tracking
Researchers at IMDEA Networks Institute have discovered that Tire Pressure Monitoring System (TPMS) sensors in vehicles broadcast unencrypted wireless signals containing persistent identifiers. While designed for safety, these unique IDs allow cars to be recognized and tracked over time. This vulnerability opens the door to low-cost monitoring networks using software-defined radio receivers near roads and parking areas to collect TPMS messages and build movement profiles of thousands of vehicles. The researchers warn that malicious users could deploy passive receivers on a large scale to track citizens without their knowledge, as no direct line-of-sight is needed with TPMS sensors. This finding adds to the growing body of research demonstrating how modern vehicle components can become unintended conduits for surveillance and exploits.


5. Telegram Emerges as Cybercrime Command Hub
A new analysis from CYFIRMA highlights how Telegram’s structure has become a powerful tool for cybercriminals. The platform allows threat actors to extend their global reach without specialized tooling, enables frictionless onboarding of buyers and affiliates, supports payment options, and facilitates audience growth. Telegram has fundamentally changed how cyber operations are coordinated, monetized, and publicized. For financially motivated actors, it functions as a scalable storefront and customer support hub. For hacktivists, it serves as a mobilization and propaganda amplifier. For state-aligned operations, it offers a rapid distribution channel for narratives and leaks. In many cases, Telegram complements and increasingly replaces traditional Tor-based ecosystems by removing technical friction while maintaining operational flexibility.


6. AuraStealer Infrastructure Revealed
Intrinsec has uncovered 48 command-and-control (C2) domain names linked to AuraStealer, an emerging infostealer that first appeared on underground hacker forums in July 2025. The threat actor behind the malware uses .shop and .cfd top-level domains and routes all traffic through Cloudflare to conceal the real server. AuraStealer was advertised by a user named AuraCorp on the XSS forum, offering two subscription packages: $295/month for Basic and $585/month for Advanced. The stealer is primarily distributed through ClickFix, a technique that tricks users into executing malicious code. This development highlights the ongoing evolution of infostealer malware and the importance of robust cybersecurity measures.


7. Malvertising Pushes New Atomic Stealer Variant
A malvertising campaign is using bogus ads on Google Search results pages to redirect users looking for ways to free up macOS storage to fraudulent web pages hosted on Medium, Evernote, and Kimi AI. These pages serve ClickFix-style instructions that drop a new variant of the Atomic Stealer called malext, designed to steal a wide range of data from compromised macOS systems. The campaign uses over 50 compromised Google Ads accounts to push more than 485 malicious landing pages, ultimately leading to a ClickFix attack that deploys the potentially new version of AMOS Stealer. This campaign demonstrates the increasing sophistication of malvertising and the need for vigilance when interacting with online ads.


8. Bots Hammer DRAM Pages for DDR5 Inventory
A large-scale data gathering operation has submitted over 10 million web scraping requests to hit DRAM product pages on e-commerce sites, aiming to find sellers carrying desirable DDR5 RAM stock. These bots check the stock of specific RAM kits every 6.5 seconds using a technique called cache busting to ensure they get the most up-to-date information. DataDome reports that these bots aggressively target the entire supply chain, from consumer RAM to B2B industrial memory providers and raw hardware components like DIMM sockets. By rapidly snapping up limited DDR5 memory inventory for profitable resale, these bots further deplete consumer supply, effectively boxing out legitimate customers and driving market prices even higher. This activity highlights the growing impact of automated bots on the tech market and the challenges faced by consumers and businesses alike.
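The polling pattern described above (a fixed interval plus a cache-busting query parameter) is itself a detectable signature. The following is an added example, not code from the original post or from DataDome: it parses a constructed access log in a simplified format (ISO timestamp, client IP, method, request target), groups requests by client and path, and flags clients that hit the same product page at a near-constant interval while varying the query string on every request. The log lines, IP addresses, paths and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed sample access log (not real traffic). Format per line:
#   <iso-timestamp> <client-ip> <method> <request-target>
# 203.0.113.7 polls one product page every 6.5 s with a changing "_" query
# parameter (cache busting); 198.51.100.22 is an ordinary shopper.
# Both addresses come from documentation ranges.
SAMPLE_LOG = """
2026-03-10T12:00:00.000Z 203.0.113.7 GET /product/ddr5-32gb-kit?_=1710072000000
2026-03-10T12:00:03.210Z 198.51.100.22 GET /product/ddr5-32gb-kit
2026-03-10T12:00:06.500Z 203.0.113.7 GET /product/ddr5-32gb-kit?_=1710072006500
2026-03-10T12:00:13.000Z 203.0.113.7 GET /product/ddr5-32gb-kit?_=1710072013000
2026-03-10T12:00:19.500Z 203.0.113.7 GET /product/ddr5-32gb-kit?_=1710072019500
2026-03-10T12:00:21.870Z 198.51.100.22 GET /cart
2026-03-10T12:00:26.000Z 203.0.113.7 GET /product/ddr5-32gb-kit?_=1710072026000
2026-03-10T12:00:32.500Z 203.0.113.7 GET /product/ddr5-32gb-kit?_=1710072032500
2026-03-10T12:01:05.440Z 198.51.100.22 GET /product/ddr5-32gb-kit
""".strip().splitlines()


def parse_line(line):
    """Split one log line into (timestamp, client ip, path, query string)."""
    ts, ip, _method, target = line.split()
    # fromisoformat() does not accept a trailing "Z" on older Pythons, so spell out UTC.
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    url = urlsplit(target)
    return when, ip, url.path, url.query


def find_stock_checkers(lines, min_hits=5, max_jitter=0.10):
    """Return clients that poll one path at a steady interval with a fresh query string each time.

    min_hits   - minimum requests to the same path before a client is considered
    max_jitter - allowed standard deviation of the inter-request gap, relative to the mean
    """
    sessions = defaultdict(list)
    for line in lines:
        when, ip, path, query = parse_line(line)
        sessions[(ip, path)].append((when, query))

    findings = []
    for (ip, path), hits in sessions.items():
        if len(hits) < min_hits:
            continue
        hits.sort()  # log lines may be interleaved across clients
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg > 0 else float("inf")

        # Cache busting: every request carries a non-empty query string, and no two are alike.
        queries = [q for _, q in hits]
        cache_busting = all(queries) and len(set(queries)) == len(queries)

        if cache_busting and jitter <= max_jitter:
            findings.append({"ip": ip, "path": path, "hits": len(hits), "interval_s": round(avg, 2)})
    return findings


if __name__ == "__main__":
    for finding in find_stock_checkers(SAMPLE_LOG):
        print(f"{finding['ip']} polls {finding['path']} every {finding['interval_s']} s "
              f"({finding['hits']} hits, unique query string each time)")
```

The two signals are deliberately combined: a steady interval alone also describes a legitimate uptime monitor, and varying query strings alone also describe a human paging through search results, but a client that does both against a single product page is behaving like the stock checkers described in the report. In production the same grouping would be keyed on a session or fingerprint rather than a bare IP, and the thresholds tuned against the site's own baseline.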


9. Reddit Fined Over Children’s Data Handling
The U.K. Information Commissioner’s Office (ICO) has fined Reddit £14.47 million for unlawfully processing the personal information of children under the age of 13 and failing to properly check the age of its users. This failure put them at risk of being exposed to inappropriate and harmful content online. In response, Reddit introduced age assurance measures in July 2025, including age verification to access mature content and asking users to declare their age when opening an account. Reddit has stated it will appeal the decision, arguing that it doesn’t require users to share information about their identities, regardless of age, to ensure online privacy and safety. This fine underscores the importance of robust age verification measures and the potential consequences of failing to protect children’s data.


10. Samsung Restricts TV Data Collection in Texas
Texas Attorney General Ken Paxton has announced that Samsung will no longer collect Automated Content Recognition (ACR) data without consumers’ express consent. This decision comes in the wake of a lawsuit filed against the South Korean electronics giant for its data collection practices and allegations that the collected ACR information could be used to serve targeted ads. The agreement compels Samsung to promptly update its smart TVs and implement clear and conspicuous disclosures and consent screens to ensure Texans can make informed decisions about whether their data is collected and how it’s used. Samsung has denied it spies on users, but this development highlights the growing scrutiny of smart TV data collection practices and the importance of consumer consent.


11. NATO Clears Consumer iPhones and iPads
Apple iPhones and iPads have been approved to handle classified information in NATO networks, becoming the first consumer-grade devices to receive this approval without additional special software or settings. This approval follows a security evaluation conducted by Germany’s Federal Office for Information Security, which previously approved iPhone and iPad to handle classified German government data on devices using native iOS and iPadOS security measures. This development underscores the growing trust in Apple’s security measures and the potential for consumer devices to meet the stringent requirements of government and military use.


12. TikTok Rejects End-to-End Encryption for DMs
ByteDance’s TikTok has stated it has no plans to add end-to-end encryption (E2EE) to direct messages because it would prevent law enforcement and safety teams from reading messages if necessary. In a statement shared with the BBC, the company said it wants to protect users, especially young people, from harm. This decision has sparked debate about the balance between user privacy and safety, with some arguing that E2EE is essential for protecting sensitive communications, while others believe it could hinder efforts to combat harmful content and illegal activities.


13. Multi-Stage Phishing Attack Spreads Agent Tesla
A new phishing campaign using purchase order lures has leveraged a multi-stage attack chain to deliver Agent Tesla, a powerful information-stealing malware. The attack uses techniques like obfuscation and in-memory execution to evade detection. From the initial obfuscated JSE loader to the reflective loading of .NET assemblies and process hollowing of legitimate Windows utilities, Agent Tesla is designed to stay invisible. Its extensive anti-analysis checks ensure that it only reveals its true nature when it’s certain it isn’t being watched. This campaign highlights the increasing sophistication of phishing attacks and the need for robust email security measures.


14. Attackers Abuse Infrastructure-Only .arpa Domain
New research from Infoblox has found a novel campaign where actors are abusing the .arpa top-level domain, a space strictly reserved for network infrastructure, to host malicious content and bypass standard blocklists. This development shows cybercriminals are finding “impossible” hiding spots within the internet’s core infrastructure to bypass security. Additionally, threat actors are abusing LNK shortcut files and WebDAV to download malicious files on targets’ systems. Because few people know that File Explorer can open remote locations over the internet, WebDAV gives attackers a way to make people download files without going through a traditional browser file download. This campaign underscores the need for continuous monitoring and adaptation of security measures to address emerging threats.


15. Spoofed Email Chains Target LastPass Users
A new phishing campaign that commenced on March 1, 2026, is using lures related to unauthorized access to individuals’ accounts to trick recipients into visiting fake LastPass login pages to take control of their accounts. The attack takes advantage of the fact that many email clients, especially mobile, show only the display name, hiding the real sender address unless users expand it. Attackers are forwarding fake email chains to make it appear as though another individual is trying to take unauthorized action on their LastPass account (e.g., export vault, full account recovery, new trusted device registered). They use display name spoofing so that the name portion of the sender field is manipulated to impersonate LastPass, while the actual sending email address is unrelated. This campaign highlights the importance of verifying sender addresses and being cautious of unsolicited emails, especially those related to account security.


16. Experts Warn Against Blind Trust in AI Coding Agents
With the emergence of tools like Claude Code Security, OX Security is urging users to resist the temptation to outsource judgment, architecture, and validation to a single artificial intelligence (AI) model. AI doesn’t invent fundamentally new code patterns; it reproduces the most common ones it has seen before. That means it scales not only productivity but also existing weaknesses in software engineering practice. The cybersecurity company also warned that AI systems may be prone to false positives and may not reliably inform a user if an issue flagged in a single repository is actually exploitable in a complex and unique environment. A pipeline that relies on the same AI system for both writing and reviewing code is not ideal, it added. This warning underscores the importance of human oversight and critical thinking in the development and deployment of AI-powered tools.


17. LLMs Enable Automated Internet Deanonymization
A team of academics from Anthropic, ETH Zurich, and MATS Research has developed large language models (LLMs) that can deanonymize internet users based on past comments or other digital clues they leave behind. Given two databases of pseudonymous individuals, each containing unstructured text written by or about that individual, the researchers implemented a scalable attack pipeline that uses LLMs to: (1) extract identity-relevant features, (2) search for candidate matches via semantic embeddings, and (3) reason over top candidates to verify matches and reduce false positives. The method works even if targets use different pseudonyms across multiple platforms. The researchers said using their LLMs outperforms classical research methods, where digital footprints are examined manually by a human operator. This enables fully automated deanonymization attacks that can work on unstructured data at scale, while also reducing the cost and effort that goes into intelligence gathering. The researchers concluded that the practical obscurity protecting pseudonymous users online no longer holds and that threat models for online privacy need to be reconsidered. The average online user has long operated under an implicit threat model where they have assumed pseudonymity provides adequate protection because targeted deanonymization would require extensive effort. LLMs invalidate this assumption. This development highlights the growing power of AI in compromising online privacy and the need for new approaches to protect user anonymity.


That wraps up this week’s quick look at what has been happening across the cybersecurity landscape. Each update on its own may seem small, but together they show how quickly things continue to change. New techniques appear, old tactics evolve, and security decisions from major companies can shift the wider ecosystem. For security teams, researchers, and anyone who follows the threat landscape, keeping track of these signals helps make sense of the bigger picture. Stay tuned for the next edition of the ThreatsDay Bulletin with more developments from the cyber world.


Tags: Cybersecurity, Malware, Phishing, AI, Privacy, Tech Policy, Data Breach, Surveillance, Cybercrime, Encryption, Smart Devices, Social Media, Software Updates, Threat Intelligence, Online Security

Viral Phrases: “Cybersecurity is evolving faster than ever,” “AI is changing the game in cyber threats,” “Your privacy is at risk—stay informed,” “The future of tech security is here,” “Don’t trust everything you see online,” “Big tech is watching—know your rights,” “Stay one step ahead of hackers,” “The internet is not as anonymous as you think,” “Your smart devices could be spying on you,” “Cybersecurity is everyone’s responsibility.”
