This week in cybersecurity feels like a rollercoaster ride through the darker corners of the internet. From spyware disguised as game cheats to ransomware that encrypts entire networks in under 24 hours, the threats are as creative as they are dangerous. Let’s dive into the chaos and see what’s been keeping cybersecurity teams up at night.
Game Cheats Drop Spyware
Cybersecurity researchers have uncovered 11 malicious NuGet packages masquerading as game utilities, bots, and 'panels.' These packages act as first-stage downloaders, fetching and executing a Python payload named 'pepesoft.exe' from GitHub and Hugging Face. The payload, which includes a dormant BitTorrent fallback mechanism, uses AWS-style key material to retrieve remote configurations, authenticate to Google Sheets, and bind activations to hardware. Worse still, it can send screenshots back to a Telegram bot. Yikes.
Fake Installers Deploy RATs
A Russian-speaking adversary, UAT-11795, has been targeting users in the U.S. and Europe since June 2025. The campaign delivers a Python-based remote access tool (RAT) called Starland RAT and a sophisticated PowerShell-based C2 memory implant known as WLDR agent. The attackers use trojanized installers for software like MobaXterm, Zoom, and FaceIT to distribute the malware. The goal? Steal credentials, target cryptocurrency wallets, and maintain persistent access to victims’ machines.
Ransomware Encrypts Network in 24 Hours
In June 2026, an IT services company in South Asia was hit by a new ransomware family called Spirals. The attackers gained initial access by compromising an internet-facing IIS web server and uploading an ASP.NET web shell. Within three hours, they established persistent access, uninstalled endpoint security software, and deployed the ransomware payload across the network using PsExec. The ransom note threatens to publish stolen data if the ransom isn’t paid within six days. Scary stuff.
Actively Exploited Flaws
CISA has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2026-46817 in Oracle E-Business Suite and CVE-2023-4346 in KNX Protocol. Both are actively being exploited, and federal agencies are required to patch them by July 2026. The details of the KNX Protocol exploit are still murky, but it’s clear that patching these flaws is a priority.
Windows Bind Links Evade EDR
Bitdefender Labs has demonstrated how Windows’ bind links can be misused to evade endpoint detection and response (EDR) products. The techniques, which include File-Binding, Process-Binding, and Silo-Binding, allow attackers to bypass EDR sensors and built-in Windows defenses like AMSI and AppLocker. Microsoft has classified these findings as low severity, but they’re still a cause for concern.
290 Fake Repos Spread Infostealer
A financially motivated threat actor has set up over 290 fake GitHub repositories impersonating trusted vendors like Arctic Wolf. The repositories distribute a Windows infostealer that targets cryptocurrency wallets, browser credentials, and other sensitive data. The stolen information is exfiltrated to a C2 server with an IP residing in Russia. This campaign is believed to be the work of a Russian-speaking operator.
$62M Cybercrime Indictment
The U.S. Justice Department has unsealed an indictment charging three Russian nationals and two bulletproof hosting companies for cybercrimes causing tens of millions of dollars in losses. The defendants and companies were previously sanctioned by the U.S., U.K., and Australia. The U.S. is now offering a $10 million reward for information on their activities.
Chrome Sync Becomes Spyware
A legitimate Chrome sync feature is being misused by stalkers to spy on victims. By gaining brief physical access to a victim’s phone and adding a Google account under their control, attackers can monitor the victim’s browsing activity from anywhere. This highlights the importance of securing your devices and being cautious about who has access to them.
eCards Deliver Remote Access
A phishing campaign called SeasonalInvite has been abusing commercial RMM tools like ConnectWise ScreenConnect and LogMeIn Resolve since January 2026. The campaign uses eCard-themed domains and AI-generated code to distribute phishing pages, making it harder for security tools to detect.
OAuth Codes Bypass MFA Defenses
Researchers have identified a new AI-powered device code phishing toolkit called Jalisco, which provisions fresh OAuth codes in real time to bypass MFA defenses. This toolkit pairs with AI-powered kits like EvilTokens to run phishing campaigns at scale. Once inside a compromised account, attackers establish persistence and exfiltrate sensitive data from SaaS platforms.
3,900 Threat Servers Mapped
A new analysis has uncovered over 3,900 threat activity-enabling servers across Eastern European infrastructure providers. Keitaro leads the pack with 1,277 unique IPs, followed by Tactical RMM and Acunetix. These servers are linked to various APT groups and malicious activities, including the exploitation of zero-day vulnerabilities.
One Infection, Two Revenue Streams
A campaign delivering Vidar stealer and XMRig cryptocurrency miner has been targeting consumers and small businesses since April 2026. The attackers use malvertising to lure victims into downloading malicious files disguised as cracked software. Vidar stealer targets browser credentials and crypto wallets, while XMRig mines Monero cryptocurrency. The operators sell stolen credentials on criminal markets while profiting from hijacked CPU cycles.
The Lesson: Trust No One (Or At Least, Be Cautious)
This week’s threats highlight the importance of verifying everything—from repos to installers to sync settings. Small shortcuts can quickly turn into full-blown attack paths. And when a bug seems too simple to matter, assume someone has already found a way to exploit it. Patch the boring stuff, tighten those defaults, and stay vigilant.
Stay safe out there, folks. The digital wilderness is wilder than ever.
