
Weekly INK
Each week we compile an advisory on the latest threats, trends and newsworthy topics from the cyber security industry affecting small and medium enterprises. Join our subscribers below and help us prevent cybersecurity breaches.

Issue #195 - April 20, 2026
Kyber Ransomware Gang Toys with Post-Quantum Encryption on Windows
Source: BleepingComputer
A newly identified ransomware operation called Kyber is targeting Windows servers and VMware ESXi environments, with its Windows variant implementing Kyber1024 post-quantum key encapsulation to protect symmetric encryption keys — a notable first among active ransomware groups. Rapid7 analyzed both variants, finding the Windows version written in Rust deletes shadow copies, disables bac

Issue #194 - April 13, 2026
EDR-Killer Ecosystem Expansion Requires Stronger BYOVD Defenses
Source: Dark Reading
EDR killers, once a rarity in the threat landscape, are now linchpins of perplexing ransomware attacks, leaving enterprise security teams scrambling for answers. Over the past year, security researchers have observed an expansion of the ecosystem around these tools, which can disable endpoint detection and response (EDR) platforms and other threat detection products in a targeted environment.

Issue #193 - April 6, 2026
Hackers Exploiting Acrobat Reader Zero-Day Flaw Since December
Source: BleepingComputer
Security researcher Haifei Li discovered that attackers have been actively exploiting an unpatched zero-day vulnerability in Adobe Reader since at least December 2025, using a sophisticated fingerprinting-style PDF exploit that requires no user interaction beyond opening a file. The flaw enables attackers to steal local information via privileged Acrobat APIs and potentially launch follow-

Issue #192 - March 30, 2026
New EvilTokens Service Fuels Microsoft Device Code Phishing Attacks
Source: BleepingComputer
A new phishing-as-a-service platform called EvilTokens has emerged on Telegram, providing cybercriminals with a turnkey Microsoft device code phishing kit that abuses the OAuth 2.0 device authorization flow to harvest both short-lived access tokens and long-lasting refresh tokens — granting persistent account access without triggering password-based alerts. The kit includes pre-built

Issue #191 - March 23, 2026
FBI Links Signal Phishing Attacks to Russian Intelligence Services
Source: BleepingComputer
The FBI issued a public service announcement directly attributing widespread campaigns that hijack Signal and WhatsApp accounts to Russian intelligence-linked threat actors, making it the first formal US government attribution of these attacks. Rather than breaking end-to-end encryption, the campaign exploits legitimate device-linking features to silently add attacker-controlled device

Issue #190 - March 16, 2026
FBI Seizes Handala Data Leak Site After Stryker Cyberattack
Source: BleepingComputer
The FBI has seized two websites operated by the Handala hacktivist group following the group's destructive cyberattack on medical technology giant Stryker, which remotely wiped approximately 80,000 devices. Both the group's clearnet domains now display a federal seizure notice issued under a warrant from the US District Court for the District of Maryland. The seizure follows confirmation that

Issue #189 - March 9, 2026
Medtech giant Stryker offline after Iran-linked wiper malware attack
Source: BleepingComputer
Iranian-backed hacktivist group Handala claimed responsibility for a devastating wiper malware attack against medical technology giant Stryker, reportedly wiping over 200,000 systems, servers, and mobile devices across offices in 79 countries. The group also claims to have stolen 50 terabytes of data before triggering the destructive wipe. Stryker confirmed the incident in an SEC fil

Issue #188 - March 2, 2026
Microsoft Warns OAuth Redirect Abuse Delivers Malware to Government Targets
Source: The Hacker News
Attackers are abusing legitimate OAuth redirection behavior to route victims from seemingly trusted identity-provider URLs to attacker-controlled pages. Campaigns target public-sector organizations and use links that trigger malware delivery via ZIP payloads, PowerShell execution, and DLL sideloading. Key mitigations include tightening user consent and reviewing OAuth app permi

Issue #187 - February 23, 2026
Attackers Now Need Just 29 Minutes to Own a Network
Source: Dark Reading
Attack chains are compressing. This piece highlights how modern intrusions move from initial access to full environment control in under an hour by abusing stolen credentials, remote tools, and weak identity controls. For SMBs, the takeaway is clear: focus on MFA, credential hygiene, monitoring, and fast containment playbooks.
CISA: BeyondTrust RCE flaw now exploited in ransomware attacks


