Cybersecurity News: Ransomware drama, faked Ledger app, Treasury wants Mythos


In today’s cybersecurity news…

Ransomware rivals turn on each other

A ransomware group listing a company on its leak site is a distressingly commonplace occurrence. Listing another ransomware group on your leak site? That’s a different story. The group 0APT listed the group Krybit on its leak site. In the classic double extortion playbook, it also leaked samples of allegedly stolen data to prompt payment. 0APT threatened to leak the identities and locations of Krybit members. Both groups are new: 0APT has been active since January 2026 and is described by Halcyon as showing “credible technical depth,” while Krybit appears to have been active for only a few weeks. Krybit’s website is currently down, replaced with the message, “Everything will return to work shortly.”

(The Register)

Fake Ledger app drains millions in crypto

CoinDesk reports on a phishing campaign using a fake version of the Ledger Live app on the Apple App Store that ran from April 7th through the 13th. This impacted at least 50 victims, draining over $9.5 million in various cryptocurrencies. One user lost 5.9 Bitcoin after mistakenly downloading the fake app when setting up a new computer. Once stolen, the funds were routed to over 150 KuCoin addresses tied to the crypto mixing service AudiA6. It’s unclear how the app made it through Apple’s review process.

(CoinDesk)

US Treasury wants access to Mythos

Bloomberg’s sources say US Treasury Chief Information Officer Sam Corcos is seeking to gain access to Anthropic’s Mythos Preview model as early as this week. This comes after Corcos briefed the Treasury’s cybersecurity team last week to be ready for a deluge of vulnerabilities found by increasingly capable LLMs. Access might be a sticky situation, as the Pentagon labeled Anthropic a US supply chain risk earlier this year. Bloomberg’s sources say major financial institutions like JPMorgan Chase, Citigroup, BOA, and Goldman Sachs have already gained early access to Mythos.

(Bloomberg)

Internet censorship milestones abound

According to the cyber watchdog group NetBlocks, Iran’s internet blackout has become the longest nationwide internet shutdown on record, now exceeding 45 days. The blackout coincided with the start of the war with the US and Israel and followed a 20-day internet block in January in response to anti-regime protests. Iran’s closed-off National Information Network remains available in the country, with limited access to banking, taxi services, domestic messaging apps, and government sites.

In related censorship news, the Russian digital rights organization RKS Global reports that the regulator Roskomnadzor added the social network Bluesky to Russia’s registry of banned sites. This year the regulator also blocked access to Discord, Signal, Viber, WhatsApp, and Telegram.

(FT, The Record)

Huge thanks to our sponsor, Conveyor

Your trust center was a great start. But if your team is still manually answering questionnaires and fielding sales questions, it hasn’t solved the problem.
Conveyor goes beyond a trust center.
You get a living knowledge library your AI keeps up to date, questionnaire automation that handles any format, and a self-serve experience so customers and sales teams get answers without looping in infosec.
Top enterprise SaaS companies trust Conveyor to handle it all. Check it out at conveyor.com.

Google calls “back button hijacking” spam

The search giant updated its spam policy to punish sites engaged in this practice. “Back button hijacking” is when a site prevents users from “using their back button to immediately get back to the page they came from” and instead serves another unsolicited page with promotions or ads. Google Search will now treat this as a “malicious practice” and demote such pages in search. The company will give site owners until June 15, 2026 to make changes before this affects search results. Google made the change after seeing a spike in back button hijacking in recent months.

(9to5Google)

Rust-based DNS parser coming to Pixel 10 modems

Google is integrating a Rust-based DNS parser into the modem firmware of its Pixel 10 devices, the first Pixel to bring a memory-safe language down to the modem level. The company justified the move by saying that DNS underpins modern cellular communications to the point that even basic call forwarding relies on it, and a memory-unsafe implementation opens the door to out-of-bounds memory attacks. Google cited a real-world exploit that this new firmware will prevent. This follows a broader Android Rust push that already drove memory-safety vulnerabilities to below 20% of total Android CVEs last year.
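To illustrate why a memory-safe parser matters here, the following is an added example (not Google’s modem code) of a DNS name decoder in safe Rust. Every index goes through a checked `get`, so a truncated label, an out-of-range compression pointer, or a pointer loop produces an `Err` instead of an out-of-bounds read; the message bytes in the test are constructed.

```rust
// Added example: bounds-checked decoding of a DNS name (RFC 1035 labels
// plus 0xC0 compression pointers). Not the Pixel modem's actual parser.

#[derive(Debug, PartialEq)]
pub enum DnsError {
    Truncated,    // label or pointer runs past the end of the message
    BadPointer,   // compression pointer targets an offset outside the message
    PointerLoop,  // too many pointer hops; almost certainly a cycle
    LabelTooLong, // length byte uses reserved 0x40/0x80 prefixes or exceeds 63
    NameTooLong,  // assembled name exceeds 253 characters
}

/// Decode the name starting at `offset` in `msg`.
/// Returns the dotted name and the offset just past it in the original
/// byte stream (i.e. after the first pointer, if one was followed).
pub fn read_name(msg: &[u8], offset: usize) -> Result<(String, usize), DnsError> {
    let mut name = String::new();
    let mut pos = offset;
    let mut end: Option<usize> = None; // set when the first pointer is followed
    let mut hops = 0usize;
    loop {
        let len = *msg.get(pos).ok_or(DnsError::Truncated)? as usize;
        match len {
            0 => {
                pos += 1;
                break;
            }
            l if (l & 0xC0) == 0xC0 => {
                // 14-bit pointer: low 6 bits of this byte plus the next byte.
                let lo = *msg.get(pos + 1).ok_or(DnsError::Truncated)? as usize;
                let target = ((l & 0x3F) << 8) | lo;
                if target >= msg.len() { return Err(DnsError::BadPointer); }
                if end.is_none() { end = Some(pos + 2); }
                hops += 1;
                if hops > 16 { return Err(DnsError::PointerLoop); }
                pos = target;
            }
            l if l > 63 => return Err(DnsError::LabelTooLong),
            l => {
                // Checked slice: a label claiming more bytes than remain is rejected.
                let label = msg.get(pos + 1..pos + 1 + l).ok_or(DnsError::Truncated)?;
                if !name.is_empty() { name.push('.'); }
                name.push_str(&String::from_utf8_lossy(label));
                if name.len() > 253 { return Err(DnsError::NameTooLong); }
                pos += 1 + l;
            }
        }
    }
    Ok((name, end.unwrap_or(pos)))
}
```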

(The Hacker News)

Threat actors get swole on gym data

The European fitness chain Basic-Fit disclosed a data breach this week that exposed personal information on roughly 1 million members across Spain, Germany, France, Belgium, and Luxembourg. Basic-Fit is Europe’s largest gym chain with over 5 million members. Exposed data includes names, emails, addresses, phone numbers, and bank account details. The company said it detected and blocked the intrusion within minutes.

(Security Week)

14-year-old flaw added to KEV catalog

Adding new vulnerabilities to CISA’s Known Exploited Vulnerabilities catalog isn’t news in and of itself. It’s hopefully a sign of a vibrant patching program. But this week, CISA added a library loading vulnerability in Microsoft Visual Basic for Applications that allows remote code execution. Nasty stuff in its own right, but the CVE for this flaw was assigned in 2012. Back when it was disclosed, about 5,000 or so days ago, Microsoft said it found limited signs of exploitation. Well, CISA must have seen more signs of it all these years later. Federal civilian agencies have until April 27th to patch it.

(The Register)

Threat actors somehow make Meta ads worse

Researchers at the Italian firm Cleafy spotted an Android remote access trojan called Mirax targeting Spanish-speaking countries in a new campaign. The operators spread the trojan through ads on Meta platforms, reaching over 220,000 accounts across its various platforms. It operates like many other types of Android malware, logging keystrokes, stealing lock screen messages, monitoring user activity, and running background commands. Mirax can also turn infected devices into residential proxy nodes, creating persistent channels that let the operators route traffic through the victim’s IP address. The Meta ads spreading the malware promote free streaming services, tricking users into downloading dropper apps that install the trojan.

(The Hacker News)