Cybersecurity Roundup: Major Disruptions, State-Backed Threats, and Critical Vulnerabilities Operation Endgame Targets Evil Corp’s SocGholish Malware A multinational law enforcement effort, Operation Endgame, disrupted a key infection chain tied to the Evil Corp cybercrime group. Authorities from the Netherlands, Canada, the U.S., and Germany (BKA) cleaned SocGholish malware from 14,971 compromised WordPress sites and took 106 servers and domains offline. While malware and backdoors were removed, website owners were urged to secure their systems by updating credentials and enabling multi-factor authentication. Klue OAuth Breach Fuels Icarus Extortion Campaign The market intelligence platform Klue suffered an OAuth breach, allowing the Icarus threat group to steal Salesforce CRM data from multiple organizations in an ongoing extortion campaign. Cybersecurity firms ReliaQuest and Huntress confirmed the incident, with Huntress reporting its own Salesforce data was compromised. Salesforce has since disabled the connection to Klue’s Battlecards app. State Actors Behind 75% of UK Critical Infrastructure Attacks Richard Horne, CEO of the UK’s National Cyber Security Centre (NCSC), revealed that 75% of the 200+ critical infrastructure cyber incidents handled in the past year were attributed to state-backed actors. Speaking at the Royal United Services Institute, Horne warned that adversaries are prepositioning within British infrastructure, with potential kinetic targeting in future conflicts. Earlier this year, the NCSC reported handling four nationally significant cyber incidents per week, most linked to hostile governments. Senator Warns of CISA Staffing and Funding Shortfalls Sen. Mark Warner (D-VA) raised concerns in letters to CISA Acting Director Nick Andersen and DHS Secretary Markwayne Mullin over budget cuts, understaffed regional divisions, and the shutdown of a critical information-sharing center supporting state and local infrastructure. Warner also introduced the Guaranteeing Universal Access to Cybersecurity Act, aiming to fund the Multi-State Information Sharing and Analysis Center (MS-ISAC), previously defunded by former DHS Secretary Kristi Noem. Apple Patches Beats Studio Buds Eavesdropping Flaw Apple released security updates for Beats Studio Buds wireless earbuds to fix a high-severity Bluetooth vulnerability (CVE-2025-20701) that could allow attackers within range to eavesdrop on unpaired devices. The flaw stemmed from a missing authentication weakness in the Bluetooth BR/EDR radio, affecting open-source code used in Apple’s software. DragonForce Hackers Exploit Microsoft Teams for C2 Traffic The DragonForce hacking group is using a custom Go-based RAT (Backdoor.Turn) to conceal command-and-control (C2) traffic via Microsoft Teams relay infrastructure. The malware obtains an anonymous Teams visitor token, routes traffic through a legitimate Microsoft TURN relay, and establishes a QUIC session to the attacker’s C2 server evading detection. The backdoor was deployed against an unnamed major U.S. services firm, per reports from Symantec and Carbon Black. F5 Patches Critical NGINX Vulnerabilities F5 issued out-of-band patches for two critical NGINX vulnerabilities (CVE-2026-42530, CVE-2026-42055, CVSS 9.2), which could enable unauthenticated remote code execution via memory corruption. The flaws affect HTTP modules in NGINX Open Source, with one being a use-after-free issue and the other a heap-based buffer overflow. Outdated REDCap Servers Expose Medical Research Data A Censys report found that 8,500 internet-accessible REDCap servers used for clinical research data are largely outdated, with only 1% running the latest version. Google’s Threat Intelligence Group (GTIG) linked legacy REDCap servers to UNC6508, a China-linked threat actor, which deployed the InfiniteRed backdoor in past attacks. In one case, the group harvested credentials, accessed internal networks, and exfiltrated data after remaining undetected for over a year.