OAuth Trap, EDR Killer, Signal Phishing, Zombie ZIP, AI Platform Hack & More


Cyber Threats Digest: OAuth Abuse, AI Breaches, and TikTok’s Comeback

Another week, another wild ride through the digital underworld. From sneaky OAuth consent abuse to AI agents hacking their way into corporate secrets, this week’s cybersecurity landscape is a mix of old tricks, new tech, and a few jaw-dropping surprises. Here’s the breakdown:


OAuth Consent Abuse: The “Click and Regret” Scam

Cloud security firm Wiz is sounding the alarm on malicious OAuth applications that exploit "consent fatigue." Attackers register apps with legitimate-looking names and trick users into granting permissions that hand over access to mail and files. No password is phished and no MFA prompt fires, because the access token is issued to the app on the user's behalf. In early 2025, a large-scale campaign impersonated brands like Adobe and DocuSign and targeted multiple organizations. Two practical points: a consent grant is a standing authorization that is independent of the password, so cleanup means removing the grant and the app, not just resetting credentials; and restricting user consent to verified publishers (or routing it through an admin approval workflow) takes the "Accept" button out of the attack path. The lesson? Always double-check before clicking "Accept."
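A consent-grant review is the check a tenant admin would run after reading the Wiz item. The script below is an added example, not Wiz's tooling or anything from the original post: it scores an inventory of consent grants for the "click and regret" pattern (high-risk delegated scopes, a refresh token via offline_access, an unverified publisher, a brand-impersonating name). The record shape, app IDs and app names are constructed; in a real tenant you would populate it from the identity provider's consent-grant export (for Microsoft Entra, oauth2PermissionGrants joined to servicePrincipals).

```python
"""Audit OAuth consent grants for the 'click and regret' pattern.

Added example: the records below are constructed to resemble what an
identity provider's consent-grant inventory exposes, but nothing here
talks to a real tenant.
"""
from dataclasses import dataclass, field

# Delegated scopes that read or act on mail and files. With one of these,
# the app holds an access token on the user's behalf, so whoever controls
# the app never needs the user's password.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All",
}
# offline_access adds a refresh token: access continues without any further
# interaction from the user until the grant itself is removed.
PERSISTENCE_SCOPE = "offline_access"
# Apps the organisation approved deliberately (hypothetical IDs).
APPROVED_APP_IDS = {"11111111-1111-1111-1111-111111111111"}
# Brands the early-2025 campaign impersonated.
IMPERSONATED_BRANDS = ("adobe", "docusign")


@dataclass
class ConsentGrant:
    app_id: str
    display_name: str
    publisher_verified: bool
    consent_type: str       # "Principal" (one user) or "AllPrincipals" (admin, all users)
    scopes: list = field(default_factory=list)


def score_grant(g: ConsentGrant) -> list:
    """Return the reasons a grant deserves review; an empty list means fine."""
    if g.app_id in APPROVED_APP_IDS:
        return []
    reasons = []
    risky = sorted(set(g.scopes) & HIGH_RISK_SCOPES)
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(risky))
    if PERSISTENCE_SCOPE in g.scopes:
        reasons.append("offline_access: refresh token keeps access alive")
    if not reasons:
        return []           # low-privilege app: not worth an analyst's time
    if not g.publisher_verified:
        reasons.append("publisher not verified")
        if any(b in g.display_name.lower() for b in IMPERSONATED_BRANDS):
            reasons.append("brand-impersonating name from unverified publisher")
    if g.consent_type == "AllPrincipals":
        reasons.append("admin consent: grant applies to every user in the tenant")
    return reasons


def risky_grants(grants) -> dict:
    """Map app_id -> reasons for every grant that needs review."""
    return {g.app_id: r for g in grants if (r := score_grant(g))}


# Constructed sample inventory (hypothetical apps and IDs).
SAMPLE_GRANTS = [
    ConsentGrant("11111111-1111-1111-1111-111111111111", "Contoso Expenses", True,
                 "AllPrincipals", ["Mail.Read", "offline_access"]),
    ConsentGrant("22222222-2222-2222-2222-222222222222", "Adobe Document Cloud", False,
                 "Principal", ["Mail.Read", "Files.Read.All", "offline_access"]),
    ConsentGrant("33333333-3333-3333-3333-333333333333", "Team Lunch Poll", False,
                 "Principal", ["User.Read"]),
    ConsentGrant("44444444-4444-4444-4444-444444444444", "Contoso Mail Merge", True,
                 "AllPrincipals", ["Mail.Send", "offline_access"]),
]

if __name__ == "__main__":
    for app_id, reasons in risky_grants(SAMPLE_GRANTS).items():
        print(app_id)
        for r in reasons:
            print("   -", r)
```

Note that the verified "Contoso Mail Merge" grant is still flagged: a verified publisher with Mail.Send and a refresh token is a legitimate app with a large blast radius, and admin consent spreads it to every mailbox, which is exactly what a reviewer needs to see.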


Messaging App Takeovers: Signal and WhatsApp Under Siege

Russian-linked hackers are targeting the Signal and WhatsApp accounts of government officials, journalists, and military personnel. Their method? Impersonating Signal Support chatbots to steal verification codes or PINs, which is enough to register the victim's number on a phone the attacker controls. Germany and the Netherlands have issued warnings, and Google revealed that Signal's popularity among Ukrainian soldiers and politicians has made it a prime target for Russian espionage. Pro tip: turn on Signal's Registration Lock and WhatsApp's two-step verification, never share a verification code or PIN with anyone, and check the linked-devices list in both apps from time to time.


Cloud Breaches via Software Flaws

Google reports a surge in cloud breaches that begin with vulnerabilities in third-party software. The window between vulnerability disclosure and exploitation has shrunk from weeks to days. While misconfigurations and exposed APIs are declining as an entry point, attackers are doubling down on software exploits for data exfiltration. The takeaway? Patch fast, and keep an inventory of the third-party components in your cloud estate, because you cannot patch in days what you did not know you were running.


Microcontroller Debug Bypass: Voltage Glitching Strikes Again

Researchers at Quarkslab bypassed the debug password protection on RH850 microcontrollers with voltage fault injection in under a minute. By "glitching" the chip's power supply at the right moment, they made the password check misbehave and unlocked debug access. This highlights the growing threat of hardware-level attacks, something to watch as IoT devices proliferate: a debug password is a speed bump, not a wall, so keys and secrets that matter should not be recoverable once debug is unlocked, and parts that protect them need glitch detection and redundant checks.


Solar Spider Arrested: Nigerian Duo Nabbed in India

Two Nigerian nationals were arrested in India for their alleged roles in the Solar Spider cybercrime operation. This group has targeted Indian cooperative banking systems, using spear-phishing campaigns and deploying tools like the JSOutProx malware framework since 2019. The duo, Okechukwu Imeka and Chinedu Okafor, are suspected of being part of an international fraud syndicate.


PlugX Malware Hits Qatar: China-Linked Espionage

Check Point uncovered targeted campaigns against Qatari entities that used conflict-related content as bait to deliver PlugX and Cobalt Strike. The attack chain used LNK files inside ZIP archives and DLL side-loading, and abused the legitimate NVDA screen reader along the way. The tradecraft resembles Mustang Panda's, but attribution is not definitive. The lesson? Even accessibility software can be turned into a loader.


Teen DDoS Kit Sellers: Poland’s Young Cybercriminals

Polish police referred seven minors (ages 12-16) to family court for selling DDoS kits online. The teens allegedly targeted websites like auction portals, IT domains, and booking services. It’s a stark reminder that cybercrime is attracting younger and younger recruits.


Microsoft Entra Passkeys: Phishing-Resistant Logins Arrive

Microsoft is rolling out passkey support for Microsoft Entra on Windows, enabling phishing-resistant, passwordless sign-in through Windows Hello. The credential is bound to the device and to the site it was created for, so a look-alike login page has nothing to harvest: just face, fingerprint, or PIN. A big win for security, but expect attackers to pivot to what passkeys don't cover: stolen session tokens, OAuth consent abuse like the Wiz item above, and device-code phishing.


Sysmon Goes Native: Windows 11 Gets Built-In Monitoring

Microsoft has integrated System Monitor (Sysmon) functionality directly into Windows 11 and Windows Server 2025. Previously a separate tool, Sysmon is now an optional built-in feature, making endpoint visibility easier than ever. Defenders, rejoice—but attackers will adapt.


Canada Phishing Campaign: Iranian-Linked Infrastructure

An active phishing campaign is targeting Canadian residents using fraudulent domains impersonating trusted institutions like the Government of British Columbia and Hydro-Québec. The hosting infrastructure is linked to RouterHosting LLC (aka Cloudzy), a provider accused of serving state-sponsored hacking groups from Iran, China, Russia, and North Korea.


Meta’s Advanced Browsing Protection: Privacy Meets Security

Meta detailed how Advanced Browsing Protection (ABP) in Messenger protects users’ privacy while warning about malicious links. ABP uses private information retrieval (PIR), Oblivious HTTP, and other privacy-preserving techniques to match URLs against a database of threats without exposing user data. Smart, secure, and privacy-focused.


BlackSanta EDR Killer: HR Departments Under Siege

A sophisticated attack campaign is targeting HR departments and recruiters with social engineering and advanced evasion techniques. Its EDR killer, tracked as BlackSanta, loads a legitimate but vulnerable signed kernel driver and uses it to terminate antivirus and endpoint detection processes, the tactic known as Bring Your Own Vulnerable Driver (BYOVD). The goal? Stealthy system compromise. Defensive check: confirm that the Microsoft vulnerable driver blocklist is enforced (it ships with memory integrity/HVCI on current Windows 11) and alert on kernel driver loads (Sysmon Event ID 6) from user-writable paths.


Zombie ZIP: The New Evasion Technique

A technique dubbed Zombie ZIP hides payloads in malformed ZIP archives that slip past security tools. The scanner's parser gives up on the damaged headers and reports nothing, but the extraction software on the endpoint is more forgiving, decompresses the archive anyway, and the payload runs. It is a classic parser differential, and the defensive fix is to treat an archive that two parsers disagree about as hostile rather than as clean. Tracked as CVE-2026-0866, this is a reminder that even file formats can be weaponized.
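The parser differential at the heart of this item is easy to reproduce. The script below is an added example, not the Zombie ZIP sample or anything from the original post, and it does not reproduce the specific bytes that CVE-2026-0866 corrupts (the page does not describe them). It builds a valid archive in memory, zeroes the end-of-central-directory signature, and shows that a strict parser (Python's zipfile, which starts from the central directory) rejects the file while a lenient extractor that simply walks local file headers still recovers the payload. The views_agree check is the rule a scanner should apply: clean only if both views succeed and agree.

```python
"""Parser differential on a malformed ZIP (added example).

Strict parsers start from the end-of-central-directory (EOCD) record and
the central directory; lenient ones scan for local file headers and
inflate whatever follows. Damage the former and only the latter still
'works', which is how a payload survives the scanner and reaches the user.
"""
from __future__ import annotations
import io
import struct
import zipfile
import zlib

LOCAL_HEADER_SIG = b"PK\x03\x04"
EOCD_SIG = b"PK\x05\x06"
# Fixed 30-byte part of a local file header (little-endian): signature,
# version, flags, method, mod time, mod date, crc32, compressed size,
# uncompressed size, filename length, extra length.
LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"


def build_archive(members: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def zombify(archive: bytes) -> bytes:
    """Overwrite the EOCD signature. Central-directory-driven parsers
    (most scanners, Python's zipfile) now report 'not a zip file'."""
    idx = archive.rfind(EOCD_SIG)
    if idx < 0:
        raise ValueError("no end-of-central-directory record")
    return archive[:idx] + b"\x00\x00\x00\x00" + archive[idx + 4:]


def strict_extract(archive: bytes) -> dict[str, bytes] | None:
    """Central-directory view; None means the parser gave up."""
    try:
        with zipfile.ZipFile(io.BytesIO(archive)) as zf:
            return {name: zf.read(name) for name in zf.namelist()}
    except zipfile.BadZipFile:
        return None


def tolerant_extract(archive: bytes) -> dict[str, bytes]:
    """Lenient view: scan for local headers and inflate whatever follows,
    ignoring the central directory entirely."""
    out: dict[str, bytes] = {}
    hdr_len = struct.calcsize(LOCAL_HEADER_FMT)
    pos = 0
    while (pos := archive.find(LOCAL_HEADER_SIG, pos)) >= 0:
        (_sig, _ver, _flags, method, _time, _date, _crc, csize, _usize,
         name_len, extra_len) = struct.unpack_from(LOCAL_HEADER_FMT, archive, pos)
        name_start = pos + hdr_len
        name = archive[name_start:name_start + name_len].decode("utf-8", "replace")
        data_start = name_start + name_len + extra_len
        if method == 8:                  # deflate: inflate until end of stream
            inflater = zlib.decompressobj(-zlib.MAX_WBITS)
            data = inflater.decompress(archive[data_start:])
            consumed = len(archive) - data_start - len(inflater.unused_data)
        elif method == 0:                # stored: trust the header's size
            data = archive[data_start:data_start + csize]
            consumed = csize
        else:                            # unsupported method: skip this header
            pos = data_start
            continue
        out[name] = data
        pos = data_start + max(consumed, 1)
    return out


def views_agree(archive: bytes) -> bool:
    """Defensive rule: an archive is 'clean' only if the strict and lenient
    views both succeed and list the same members with the same contents."""
    strict = strict_extract(archive)
    return strict is not None and strict == tolerant_extract(archive)


if __name__ == "__main__":
    good = build_archive({"readme.txt": b"harmless", "payload.txt": b"echo pwned\n"})
    bad = zombify(good)
    print("strict view of zombie: ", strict_extract(bad))
    print("lenient view of zombie:", tolerant_extract(bad))
    print("views agree (good, bad):", views_agree(good), views_agree(bad))
```

The sample payload is a harmless text file constructed for the demo. Real-world extractors differ in exactly which damage they tolerate (missing EOCD, bad central-directory offsets, wrong sizes), which is why the safe policy is to reject disagreement rather than to enumerate every corruption.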


AI Agent Hacks McKinsey: The Future of Cybercrime?

Researchers at CodeWall claimed their AI agent broke into McKinsey's internal AI platform, Lilli, in just two hours, gaining access to 46.5 million chat messages, 728,000 files, and 57,800 user accounts. The agent found over 200 exposed endpoints, including one vulnerable to SQL injection. McKinsey has since fixed the issue, but this is a wake-up call for AI security, and for the basics underneath it: the way in was SQL injection, not an exotic model attack.


Teams-Based Malware: Quick Assist Gets Abused

Hackers are impersonating IT staff on Microsoft Teams to talk employees into granting remote access through Quick Assist. The goal? Deploy A0Backdoor, a new piece of malware that uses DNS tunneling for command-and-control, so its traffic rides on a protocol almost every network lets out. This matches the playbook of Storm-1811, a known threat actor. Two cheap defenses: tell staff that IT never initiates a remote-access session over Teams, and watch resolver logs, because tunneled C2 shows up as a flood of long, high-entropy subdomains under a single domain.
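DNS tunneling is noisy in resolver logs even when the payload is encrypted. The detector below is an added example, not from the A0Backdoor analysis (the page does not describe that malware's encoding scheme): it groups queries by registered domain and flags domains receiving a burst of long, high-entropy, mostly unique subdomains, typically over TXT or NULL records. The log lines, the client address and the domain c2-hypothetical.test are constructed; adapt parse_line() to your resolver's log format.

```python
"""Spot DNS-tunnelled C2 in resolver logs (added example).

Log lines are constructed in a '<ts> <client> <qtype> <qname>' shape.
The tunnelled domain 'c2-hypothetical.test' is invented.
"""
import hashlib
import math
from collections import defaultdict


def shannon_entropy(s: str) -> float:
    """Bits per character; hex/base32 blobs score well above real words."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Naive: last two labels. Use a public-suffix list in production, or
    names like 'host.example.co.uk' collapse to the wrong domain."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line: str):
    ts, client, qtype, qname = line.split()
    return ts, client, qtype.upper(), qname.lower().rstrip(".")


def detect_tunnels(lines, min_queries=20, min_label_chars=30,
                   min_entropy=3.0, min_suspect_ratio=0.5) -> dict:
    """Return {registered_domain: stats} for domains that look like tunnels:
    a burst of queries whose subdomains are long, high-entropy and unique."""
    stats = defaultdict(lambda: {"queries": 0, "suspect": 0, "txt_null": 0,
                                 "subdomains": set(), "clients": set()})
    for line in lines:
        _ts, client, qtype, qname = parse_line(line)
        rd = registered_domain(qname)
        sub = qname[: -len(rd) - 1] if qname != rd else ""
        s = stats[rd]
        s["queries"] += 1
        s["clients"].add(client)
        if qtype in ("TXT", "NULL"):
            s["txt_null"] += 1
        if sub:
            s["subdomains"].add(sub)
            blob = sub.replace(".", "")      # encoded data spans several labels
            if len(blob) >= min_label_chars and shannon_entropy(blob) >= min_entropy:
                s["suspect"] += 1
    findings = {}
    for rd, s in stats.items():
        if s["queries"] < min_queries:
            continue
        if s["suspect"] / s["queries"] >= min_suspect_ratio:
            findings[rd] = {"queries": s["queries"], "suspect": s["suspect"],
                            "txt_null": s["txt_null"],
                            "unique_subdomains": len(s["subdomains"]),
                            "clients": sorted(s["clients"])}
    return findings


def _tunnel_label(i: int) -> str:
    # Deterministic stand-in for an encoded C2 chunk: 64 hex chars over two labels.
    h = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()
    return f"{h[:32]}.{h[32:]}"


# Constructed sample log: ordinary lookups, a CDN-style hostname that must
# not trip the detector, and 25 tunnelled TXT queries from one client.
SAMPLE_LOG = [
    f"2026-03-10T09:12:{i:02d}Z 10.0.0.5 A www.example.com" for i in range(10)
] + [
    f"2026-03-10T09:13:{i:02d}Z 10.0.0.5 A d1a2b3c4d5e6f7.cdn-example.test" for i in range(10)
] + [
    f"2026-03-10T09:14:{i:02d}Z 10.0.0.5 TXT {_tunnel_label(i)}.c2-hypothetical.test"
    for i in range(25)
]

if __name__ == "__main__":
    for domain, info in detect_tunnels(SAMPLE_LOG).items():
        print(domain, info)
```

Thresholds are deliberately conservative; tune min_queries and min_label_chars against a week of your own baseline, and expect some CDN, anti-spam and telemetry domains to need an allowlist.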


Doppelgänger: The Industrialized Disinformation Network

The Russian influence operation Doppelgänger has been described as industrialized, prioritizing infrastructure resilience and scalability over short-term visibility. The network systematically impersonates media brands at scale, targeting EU member states and the U.S. with tailored propaganda.


Anthropic vs. Pentagon: The AI Ethics Showdown

Anthropic has sued the Pentagon to block its placement on a national security blocklist, arguing the designation violates its free speech and due process rights. The dispute centers on Anthropic’s refusal to remove guardrails against using its tech for autonomous weapons or surveillance. Meanwhile, OpenAI struck a deal with the DoD, amending its contract to exclude domestic surveillance. The debate over AI ethics and military use is heating up.


GitHub SEO Malware: BoryptGrab Steals Your Data

A new info stealer campaign is distributing BoryptGrab via over 100 public GitHub repositories. These fake repositories use SEO keywords to lure victims into downloading ZIP files containing malware. BoryptGrab can steal browser data, cryptocurrency wallets, Discord tokens, and more. Also delivered is a backdoor called TunnesshClient, which establishes reverse SSH tunnels.


Transparent Tribe Targets India: RAT Attacks Continue

The Pakistan-aligned threat actor Transparent Tribe has launched fresh attacks on Indian government entities using a RAT (Remote Access Trojan). The malware enables remote command execution, process monitoring, file upload/download, and live screen monitoring. The campaign relies on social engineering, distributing malicious ZIP archives disguised as exam-related documents.


Signed Phishing Malware: TrustConnect Gets Abused

Microsoft warns of phishing campaigns that use workplace meeting lures, PDF attachments, and abuse of legitimate binaries to deliver signed malware. The files were digitally signed with an Extended Validation (EV) certificate issued to TrustConnect Software PTY LTD. Once executed, the malware installs RMM tools like ScreenConnect and Tactical RMM, enabling persistent access. Worth remembering: a valid signature only says who held the signing key, not that the binary is benign, so allowlist by specific publisher rather than by "is signed," and treat an unexpected RMM install as an incident even when the installer checks out.


TikTok Stays in Canada: A U-Turn

Following a national security review, Canada’s Minister of Industry, Mélanie Joly, announced that TikTok can keep its business operational. The company will implement enhanced protections for Canadian user data and minors. This marks a complete reversal from a 2024 decision to shut down TikTok over “national security risks.”


Vulnerabilities Rise 12%: The Exploit Arms Race

Flashpoint reports a 12% increase in vulnerability disclosures in 2025, with 466 confirmed as exploited in the wild. Ransomware attacks also surged 53% YoY, with groups like Qilin, Akira, and Cl0p leading the charge. Manufacturing, technology, and healthcare were the top targets.


RondoDox Botnet: 174 Flaws Exploited

The RondoDox DDoS botnet implemented 174 different exploits between May 2025 and February 2026, peaking at 15,000 exploitation attempts in a single day. The botnet uses a "shotgun approach," firing multiple exploits at the same endpoint in the hope that one lands. That is breadth rather than sophistication, and it is loud: a single source throwing a dozen exploit payloads at one host within seconds is an easy behavioral detection. It also means any internet-facing device with even one of those 174 flaws will be found.
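Because the shotgun approach is behavioral, it can be caught without a signature for any of the 174 exploits. The script below is an added example, not from the RondoDox report: it keeps a per-source sliding window over web access logs and flags a source that hits many distinct paths in a short window with almost every request failing. The log lines, addresses and paths are constructed; adapt parse_line() to your server's log format.

```python
"""Flag 'shotgun' exploit sprays in web access logs (added example).

Log lines are constructed in a '<ts> <src_ip> <method> <path> <status>'
shape. The signal is behavioural, so no exploit signatures are needed.
"""
from collections import defaultdict, deque
from datetime import datetime


def parse_line(line: str):
    ts, src, method, path, status = line.split()
    # fromisoformat() only accepts a trailing 'Z' from Python 3.11 on.
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), src, method, path, int(status)


def detect_sprays(lines, window_seconds=60, min_distinct_paths=10,
                  min_fail_ratio=0.8) -> dict:
    """Return {src_ip: stats} for sources whose recent requests look like an
    exploit spray: many distinct paths in one window, nearly all failing."""
    windows = defaultdict(deque)        # src -> deque of (ts, path, status)
    alerts = {}
    for line in lines:
        ts, src, _method, path, status = parse_line(line)
        win = windows[src]
        win.append((ts, path, status))
        while (ts - win[0][0]).total_seconds() > window_seconds:
            win.popleft()               # drop requests outside the window
        distinct = {p for _, p, _ in win}
        failures = sum(1 for _, _, st in win if st >= 400)
        ratio = failures / len(win)
        if len(distinct) >= min_distinct_paths and ratio >= min_fail_ratio:
            prev = alerts.get(src)
            if prev is None or len(distinct) > prev["distinct_paths"]:
                alerts[src] = {"distinct_paths": len(distinct), "requests": len(win),
                               "fail_ratio": round(ratio, 2), "last_seen": ts.isoformat()}
    return alerts


# Constructed sample: a normal client, then a source spraying 12 different
# paths in 24 seconds and getting nothing but 4xx responses back.
SAMPLE_LOG = [
    "2026-02-01T10:00:00Z 198.51.100.4 GET /index.html 200",
    "2026-02-01T10:00:01Z 198.51.100.4 GET /app.js 200",
    "2026-02-01T10:00:02Z 198.51.100.4 GET /api/items 200",
    "2026-02-01T10:00:03Z 198.51.100.4 GET /favicon.ico 404",
] + [
    f"2026-02-01T10:00:{2 * i:02d}Z 203.0.113.7 POST /attempt-{i:02d} {400 + 4 * (i % 2)}"
    for i in range(12)
]

if __name__ == "__main__":
    for src, info in detect_sprays(SAMPLE_LOG).items():
        print(src, info)
```

A crawler or a broken client can also produce many distinct failing paths, so in practice this alert is a trigger for a closer look (request bodies, user agent, which paths) rather than an automatic block.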


Memory-Only Keylogger: Phishing Gets Stealthy

Phishing emails bearing purchase order lures are delivering an executable within RAR archives. Once launched, the binary extracts and runs VIP Keylogger in memory without touching the disk. This keylogger captures browser cookies, logins, credit card details, and more—all while staying under the radar.


Cloudflare-Shielded Phishing: Gatekeeping Gets Abused

A new Microsoft 365 credential-harvesting campaign is abusing Cloudflare's services to delay detection. The campaign uses human verification, IP block lists, and user-agent checks so that only real targets reach the phishing page; automated scanners and sandboxes that egress from cloud IP ranges get a harmless page instead. It's a clever way to evade security scanners, and a reason to detonate suspicious links through residential-looking egress or have an analyst follow them by hand.


Tags & Viral Phrases:

  • OAuth consent abuse
  • Signal WhatsApp hacking
  • AI agent breaches
  • TikTok Canada
  • RondoDox botnet
  • BlackSanta EDR killer
  • Zombie ZIP evasion
  • Transparent Tribe RAT
  • Bring Your Own Vulnerable Driver (BYOVD)
  • Industrialized disinformation
  • Anthropic vs Pentagon
  • Signed phishing malware
  • Memory-only keylogger
  • Cloudflare phishing gatekeeping
  • Microsoft Entra passkeys
  • Sysmon Windows 11
  • BoryptGrab stealer
  • Quick Assist malware
  • Doppelgänger influence
  • Ransomware surge 2025

That’s it for this week’s cyber chaos. Stay sharp, stay patched, and remember: the internet is a wild place. See you next week!

