
Weekly INK

Each week we compile an advisory on the latest threats, trends and newsworthy topics from the cyber security industry affecting small and medium enterprises. Join our subscribers below and help us prevent cybersecurity breaches.


Issue #195 - April 20, 2026


Kyber Ransomware Gang Toys with Post-Quantum Encryption on Windows

Source: BleepingComputer

A newly identified ransomware operation called Kyber is targeting Windows servers and VMware ESXi environments, with its Windows variant implementing Kyber1024 post-quantum key encapsulation to protect symmetric encryption keys, a notable first among active ransomware groups. Rapid7 analyzed both variants, finding that the Windows version, written in Rust, deletes shadow copies, disables backup services, and includes experimental Hyper-V shutdown capabilities, while the ESXi variant targets VMware datastores. Kyber's only confirmed victim so far is a multi-billion-dollar US defense contractor and IT services provider, suggesting deliberate focus on high-value targets.




Bluesky Disrupted by Sophisticated DDoS Attack

Source: SecurityWeek

Bluesky suffered a 24-hour service disruption following a sophisticated DDoS attack that knocked the social network offline and degraded performance for millions of users. A pro-Iran hacktivist group subsequently claimed responsibility, linking the attack to escalating Iranian cyber operations amid ongoing US-Iran hostilities. The incident highlighted concerns about the resilience of newer social media infrastructure under sustained attack and the growing willingness of state-affiliated hacktivists to target mainstream communication platforms as geopolitical pressure points.




Self-Propagating Supply Chain Worm Hijacks npm Packages to Steal Developer Tokens

Source: The Hacker News

Security researchers have identified a self-propagating worm targeting the npm ecosystem that spreads by stealing developer authentication tokens via malicious postinstall hooks, then republishing infected package versions from compromised accounts to autonomously widen the attack surface. The campaign runs alongside a parallel operation impersonating phone insurer Asurion via fake npm packages exfiltrating credentials to Slack webhooks and AWS endpoints, and a Wiz-identified campaign abusing GitHub Actions to steal CI/CD secrets — together representing a significant escalation in self-replicating open-source supply chain threats.




Surge in Silent Subject Phishing Campaigns Targets VIP Users

Source: Infosecurity Magazine

Cyberproof researchers documented a sharp rise in null-subject phishing campaigns — emails with deliberately empty subject lines designed to bypass email security filters that rely on subject-line content analysis. Activity rose 13.9% between January and February 2026, then a further 7% in March, with campaigns frequently targeting executives and privileged users through QR code lures and RMM tool abuse. The empty subject line exploits both technical detection gaps and human curiosity, making these campaigns a growing threat for organizations relying on keyword-based email defenses.




Lotus Wiper Malware Targets Venezuelan Energy Systems in Destructive Attack

Source: The Hacker News

Kaspersky researchers have uncovered Lotus Wiper, a previously undocumented destructive malware deployed against Venezuela's energy and utilities sector in late 2025 and early 2026. Unlike ransomware, Lotus Wiper carries no ransom demand — its purpose is pure destruction: erasing recovery mechanisms, overwriting physical drive contents, and systematically deleting files across all volumes to render systems completely inoperable. The sample was compiled in September 2025 and uploaded from Venezuela in December 2025, weeks before reported US military activity in the region.




 
 
