M A.I CyberSecurity Scoring
Company Information
Website: https://cloud.google.com/security
Employees number: 1,393
Number of followers: 210,052
NAICS: 541514
Industry Type: Computer and Network Security
Homepage: google.com
Risk Score (AI oriented)
Between 0 and 549
Industry: Computer and Network Security
Updated: 19/06/2026
Score: 455/1000, Critical
Global Score (TPRM)
Industry: Computer and Network Security
Score locked
Current Score: 455 C (CRITICAL)
5 incidents, -76 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: score 698
Ransomware, 18 Jun 2026, M
Headline: RansomHub: Police raid malware network tied to Russia's Evil Corp hacker group
Score after incident: 455 (CRITICAL, -243)
Incident ID: MAN1781879096
Global Law Enforcement Disrupts Evil Corp’s SocGholish Malware Network
An international law enforcement operation has dismantled a major malware network tied to the Russia-based cybercrime group Evil Corp, seizing over 100 servers and disinfecting nearly 15,000 compromised websites used to distribute malicious software. Authorities from the Netherlands, Canada, the U.S., and Germany announced the takedown on Thursday, targeting the SocGholish botnet, also known as FakeUpdates, which has been active since 2017.
The operation disrupted the botnet by seizing domain names and shutting down servers that infected visitors to legitimate websites, including small businesses like restaurants and auto repair shops. Dutch police also removed malware and backdoors from thousands of hacked WordPress sites and notified affected owners.
SocGholish spreads through fake browser or software update prompts, tricking users into installing malware that establishes a foothold for further attacks. According to the FBI, the botnet has been used to deploy ransomware and espionage tools, serving as a gateway for multiple ransomware groups, including DoppelPaymer, WastedLocker, Hades, LockBit, and RansomHub.
Evil Corp, sanctioned by the U.S. in 2019 for its role in the Dridex banking malware linked to over $100 million in global financial losses, has long been associated with SocGholish. Cybersecurity firm Infoblox, which assisted in the operation, confirmed the malware’s role in enabling ransomware campaigns.
Maikel Rollman of the Dutch National High Tech Crime Unit stated the takedown deprived cybercriminals of access to infected systems, mitigating further harm to individuals and organizations. He described the action as "the beginning of further efforts" against SocGholish.
MAY 2026: score 718
Cyber Attack, 01 May 2026, M
Headline: BreachForums: The Gentlemen Ransomware Gang Hit by Internal Breach, Operations Exposed
Score after incident: 695 (CRITICAL, -23)
Incident ID: MAN1779107075
The Gentlemen Ransomware Gang’s Internal Breach Exposes Operations in Rare Leak
In May 2026, the ransomware group The Gentlemen suffered a significant breach of its own systems, offering cybersecurity researchers an unprecedented look into its operations. According to Check Point Research (CPR), the compromise exposed backend infrastructure, affiliate activity, and victim management tools, effectively turning the tables on a group that had spent months targeting organizations worldwide.
The leaked data included internal systems used to track victims, coordinate attacks, and manage affiliates. Researchers uncovered private chats where affiliates discussed attack methods, credential abuse, EDR-killing tools, and access to enterprise networks. Conversations also referenced techniques involving Fortinet systems, Cisco-related exploits, and NTLM relay attacks.
The Gentlemen emerged in 2025 as a ransomware-as-a-service (RaaS) operation, offering affiliates a 90% revenue share, an unusually high cut that likely attracted skilled cybercriminals. Unlike groups that rely on flashy tactics, The Gentlemen focused on execution: targeting internet-facing systems, disabling security tools, and encrypting Windows, Linux, NAS, and ESXi environments. The leak also revealed the use of SystemBC malware for persistence and remote access.
One of the most striking findings was the scale of the group’s victim count. While its public leak site listed a fraction of its targets, researchers identified over 1,570 likely victims tied to the operation.
Despite the breach, The Gentlemen appears undeterred. On May 16, 2026, the group was announced as an official partner of BreachForums, a dark web platform providing infrastructure and operational support. The partnership was later confirmed when the gang displayed a BreachForums banner on its dark web portal.
The incident underscores a persistent vulnerability in ransomware operations: internal security failures. While criminal groups project an image of sophistication, disputes among affiliates, poor infrastructure security, and operational mistakes continue to create openings for researchers and law enforcement to gather intelligence.
Incident details: Impact: Data breach
APRIL 2026: score 736
Cyber Attack, 01 Apr 2026, M
Headline: UNC1069: North Korea-Linked UNC1069 Uses Fake Zoom and Teams Meetings to Hack Crypto Professionals
Score after incident: 717 (CRITICAL, -19)
Incident ID: MAN1776716698
North Korean Threat Group UNC1069 Targets Crypto Professionals with Fake Meeting Malware
A North Korean cyber threat group, UNC1069, has been conducting a sophisticated campaign targeting cryptocurrency and Web3 professionals through fake online meetings. Posing as venture capital firms, the attackers establish trust over time before delivering malware designed to steal digital assets, funding North Korea’s missile, nuclear, and espionage programs.
The operation begins with initial contact via LinkedIn and Telegram, often using compromised accounts for legitimacy. Victims receive Calendly scheduling links for meetings hosted on counterfeit platforms mimicking Zoom, Google Meet, and Microsoft Teams. These fake environments include live participation from attackers, sometimes using deepfake video footage of real executives to enhance credibility.
During the meeting, victims are told their microphone or camera is malfunctioning. A ClickFix-style prompt appears, urging them to copy and run a piece of code deploying malware tailored to their operating system (Windows, macOS, or Linux). The payloads are updated variants of Cabbage RAT (CageyChameleon), a remote access trojan linked to previous attacks, including the Axios NPM package compromise and the Bluenoroff threat cluster.
On Windows systems, the attack uses PowerShell commands to download and execute malicious scripts. These scripts:
- Add the C:\Users directory to Windows Defender’s exclusion list to evade detection.
- Deploy a VBScript-based RAT that collects system details, including installed browser extensions (targeting crypto wallets).
- Establish persistence via a .lnk shortcut in the Windows Startup folder.
- Communicate with a command-and-control server, receiving coded instructions for further payloads or termination.
Beyond system compromise, the fake platforms capture audio and video in real time via the browser’s navigator.mediaDevices.getUserMedia API, streaming data to attacker-controlled servers. This footage is later reused in social engineering campaigns, making future attacks harder to detect.
Researchers at Validin uncovered the full attack chain in April 2026, exposing the campaign’s technical sophistication and infrastructure. Security teams are flagging unexpected terminal command requests during video calls as a critical red flag, while organizations in the crypto and Web3 sectors are urged to verify meeting organizers through out-of-band channels and monitor for unsigned scripts, unusual Defender exclusions, and suspicious outbound connections.
Incident details: Impact: Data breach
MARCH 2026: score 736
FEBRUARY 2026: score 736
JANUARY 2026: score 735
DECEMBER 2025: score 752
Cyber Attack, 01 Dec 2025, M
Headline: Government entities aligned with DPRK interests: APT37 Targets Air-Gapped Networks With Novel Malware Strain
Score after incident: 733 (CRITICAL, -19)
Incident ID: MAN1772447486
APT37’s "Ruby Jumper" Campaign Targets Air-Gapped Networks with Novel Malware Toolkit
In December 2025, cybersecurity researchers uncovered a sophisticated cyber-espionage campaign by APT37 (also known as ScarCruft, Ruby Sleet, and Velvet Chollima). Dubbed "Ruby Jumper," the operation introduces a new malware toolkit designed to infiltrate air-gapped environments (highly secure, isolated networks) via removable media, marking a significant evolution in the group’s tactics.
### Attack Chain and Key Innovations
The campaign begins with a malicious Windows shortcut (LNK) file, which triggers a multi-stage infection process:
1. Initial Execution – The LNK file launches PowerShell, extracting embedded payloads, including encrypted shellcode and the RESTLEAF implant.
2. Cloud-Based C2 Abuse – RESTLEAF communicates with attackers via Zoho WorkDrive, the first observed use of this platform by APT37 for command-and-control (C2) operations.
3. In-Memory Payload Deployment – Additional malware components are executed reflectively, minimizing forensic traces.
A standout feature is the deployment of a full Ruby runtime environment (v3.3.0) via SNAKEDROPPER, disguised as a legitimate executable (usbspeed.exe). The malware replaces a standard Ruby file with malicious code, ensuring persistence through a scheduled task.
### Bridging the Air Gap
Two critical components enable lateral movement into isolated networks:
- THUMBSBD – A backdoor that uses USB drives as covert C2 channels, creating hidden folders ($RECYCLE.BIN) to transfer encrypted commands and exfiltrate data.
- VIRUSTASK – Propagates infections by replacing legitimate files on removable media with malicious shortcuts, executing shellcode when opened.
Later stages deploy:
- FOOTWINE – A surveillance backdoor (disguised as an Android APK) with capabilities for keylogging, screenshots, audio/video capture, and remote shell access.
- BLUELIGHT – A previously documented backdoor leveraging cloud storage for C2 communications.
### Impact and Significance
The campaign highlights APT37’s refined tactics, combining:
- LNK-based social engineering
- In-memory shellcode execution
- Cloud infrastructure abuse
- USB-driven lateral movement
This toolkit represents a complete framework for breaching air-gapped systems, posing a severe threat to government entities, journalists, and organizations aligned with DPRK interests. The use of legitimate platforms (Zoho WorkDrive, Ruby runtime) and minimal forensic artifacts further complicates detection.
Key indicators include unusual Ruby installations, hidden directories on USB drives, and suspicious scheduled tasks. The campaign underscores the growing sophistication of state-aligned threat actors in targeting high-security environments.
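The UNC1069 write-up above (a Defender exclusion on C:\Users, a .lnk shortcut in the Startup folder, unsigned scripts) and the Ruby Jumper indicators just listed (unusual Ruby installations, hidden directories on USB drives, suspicious scheduled tasks) together describe host artefacts a defender can look for. The following PowerShell triage script is an added example and is not code from this page, from Rankiteo, or from Validin or any other vendor cited; it assumes an elevated PowerShell 5.1 or later session on the Windows host being checked, with Microsoft Defender (`Get-MpPreference`) and the ScheduledTasks module available. It only reads state and returns each finding as an object for the analyst to review.

```powershell
# Added example (not from the page): read-only host triage for the artefact classes
# named in the UNC1069 and Ruby Jumper write-ups. Assumes an elevated session,
# Defender cmdlets and the ScheduledTasks module. Nothing on the host is changed.

function Get-SuspiciousDefenderExclusions {
    # Broad path exclusions (C:\Users and the like) hide everything a user
    # downloads or runs from scanning. Normalise trailing backslashes first.
    $broad = @('C:', 'C:\Users', 'C:\ProgramData', 'C:\Windows\Temp')
    $prefs = Get-MpPreference -ErrorAction SilentlyContinue
    foreach ($p in @($prefs.ExclusionPath)) {
        if (-not $p) { continue }
        $norm = $p.TrimEnd('\')
        if (($broad -contains $norm) -or ($norm -like 'C:\Users\*')) {
            [pscustomobject]@{ Check = 'DefenderExclusion'; Item = $p; Why = 'overly broad path exclusion' }
        }
    }
}

function Get-StartupShortcuts {
    # .lnk files in the per-user and all-users Startup folders run at logon.
    # Resolve what each one launches so the analyst can judge it.
    $shell   = New-Object -ComObject WScript.Shell
    $folders = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
    foreach ($f in $folders) {
        if (-not (Test-Path $f)) { continue }
        foreach ($lnk in Get-ChildItem -Path $f -Filter *.lnk -Force -ErrorAction SilentlyContinue) {
            $sc = $shell.CreateShortcut($lnk.FullName)
            [pscustomobject]@{ Check = 'StartupShortcut'; Item = $lnk.FullName; Why = "launches: $($sc.TargetPath) $($sc.Arguments)" }
        }
    }
}

function Get-SuspiciousScheduledTasks {
    # Tasks whose action lives in a user-writable location, or that reference a
    # Ruby interpreter or usbspeed.exe (the file name the Ruby Jumper write-up cites).
    $userWritable = @('*\Users\*', '*\ProgramData\*', '*\Temp\*', '*\AppData\*')
    $names        = @('*ruby*', '*usbspeed*')
    foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($a in $t.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            $pathHit = @($userWritable | Where-Object { $cmd -like $_ }).Count -gt 0
            $nameHit = @($names        | Where-Object { $cmd -like $_ }).Count -gt 0
            if ($pathHit -or $nameHit) {
                [pscustomobject]@{ Check = 'ScheduledTask'; Item = "$($t.TaskPath)$($t.TaskName)"; Why = "action: $cmd" }
            }
        }
    }
}

function Get-RemovableMediaArtefacts {
    # Hidden folders and shortcut files on removable drives (DriveType 2).
    # A hidden $RECYCLE.BIN is normal on NTFS-formatted media, so the analyst
    # inspects the contents; .lnk files at the root of a USB stick are rarely benign.
    $drives = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' -ErrorAction SilentlyContinue
    foreach ($d in $drives) {
        $root = "$($d.DeviceID)\"
        if (-not (Test-Path $root)) { continue }
        foreach ($dir in Get-ChildItem -Path $root -Directory -Hidden -ErrorAction SilentlyContinue) {
            [pscustomobject]@{ Check = 'RemovableHiddenDir'; Item = $dir.FullName; Why = 'hidden folder on removable media' }
        }
        foreach ($lnk in Get-ChildItem -Path $root -Filter *.lnk -File -Recurse -Depth 2 -ErrorAction SilentlyContinue) {
            [pscustomobject]@{ Check = 'RemovableShortcut'; Item = $lnk.FullName; Why = 'shortcut file on removable media' }
        }
    }
}

# Collect everything and print a table; an empty result means none of these
# specific artefacts were seen, not that the host is clean.
$findings = @(Get-SuspiciousDefenderExclusions) + @(Get-StartupShortcuts) +
            @(Get-SuspiciousScheduledTasks)     + @(Get-RemovableMediaArtefacts)
if ($findings.Count -eq 0) { 'No findings from these checks.' } else { $findings | Format-Table -AutoSize }
```

Each check is deliberately a whitelist-free enumeration: it surfaces the artefact class and lets the analyst decide, because a legitimate Startup shortcut or a vendor-installed scheduled task in ProgramData will also appear. Pairing the output with the outbound-connection monitoring the UNC1069 write-up recommends (a .lnk or task that also talks to an unfamiliar host) is what turns a finding into an incident.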
Incident details: Impact: Data breach
NOVEMBER 2025: score 752
OCTOBER 2025: score 752
SEPTEMBER 2025: score 752
AUGUST 2025: score 751
JULY 2025: score 751
JANUARY 2025: score 763
Cyber Attack, 01 Jan 2025, M
Headline: Mandiant: Faster attacks and ‘recovery denial’ ransomware reshape threat landscape
Score after incident: 747 (LOW, -16)
Incident ID: MAN1774283026
Mandiant Report: Cyberattack Tactics Shift Toward Speed, Persistence, and Recovery Denial
Mandiant’s M-Trends 2026 report, released at the RSA Conference, reveals a rapidly evolving cyber threat landscape marked by faster attacks, more sophisticated social engineering, and a focus on undermining recovery capabilities. Based on over 500,000 hours of incident response engagements in 2025, the findings highlight key shifts in attacker behavior and defensive challenges.
Key Trends in Attack Vectors and Tactics
Exploits remain the leading initial infection vector at 32%, but voice phishing has surged to 11%, becoming the second most common entry point. Email phishing, meanwhile, declined to 6% from 14% the prior year, reflecting a broader move toward interactive social engineering. Attackers are increasingly leveraging messaging platforms, social media, and manipulated help desk processes to bypass technical controls.
Ransomware tactics have also evolved. While encryption and data theft persist, operators now prioritize recovery denial: targeting backup infrastructure, identity services, and virtualization management planes to cripple an organization’s ability to restore operations. This shift turns ransomware into a "resilience problem," forcing victims to choose between paying or rebuilding from scratch.
Speed vs. Persistence: A Dual Threat
Attack timelines have compressed dramatically. The median time between initial access and handoff to a secondary threat group (often a ransomware operator) collapsed from over 8 hours in 2022 to just 22 seconds in 2025. This specialization within the cybercrime ecosystem has led to a rise in hand-off operations, where one actor gains access and rapidly transfers it to another.
Yet, median dwell time increased to 14 days (up from 11 days in 2024), driven by espionage operations and North Korean IT worker schemes, where attackers maintained access for a median of 122 days. Incidents detected externally had a median dwell time of 25 days, compared to 9 days for internal detections, underscoring persistent visibility gaps in complex environments.
Identity and SaaS Under Siege
Identity systems have become a central battleground. Attackers exploit SaaS environments, harvesting tokens and credentials to move laterally across organizations and partners. Interactive social engineering, such as voice phishing, often bypasses multi-factor authentication (MFA), necessitating stricter privilege controls and continuous identity verification.
Defensive Gaps and Recommendations
While internal detection improved (52% of intrusions in 2025, up from 43% the prior year), 34% of incidents were still identified by external notifications, and 14% by the attackers themselves. Visibility remains a critical weakness, with some threats persisting for nearly 400 days due to limited log retention and monitoring of edge devices.
Mandiant’s report emphasizes the need for behavioral detection over static indicators, as attackers increasingly rely on legitimate tools and in-memory malware. Core infrastructure (identity systems, backups, and virtualization platforms) must be treated as Tier-0 assets, isolated and tightly controlled. Alert triage must also adapt, as low-level detections can escalate into full-scale incidents within seconds.
AI’s Role: Accelerating, Not Revolutionizing
Artificial intelligence is enhancing early-stage attacks (improving phishing, reconnaissance, and evasion) but is not yet a primary driver of successful breaches. The report notes that fundamental human and systemic failures remain the root cause of most intrusions.
The findings underscore a threat landscape where speed, collaboration, and recovery denial define modern cybercrime, while nation-state actors prioritize long-term persistence. Defenders must balance rapid response with improved visibility to counter these evolving tactics.
Incident details: Impact: Data breach
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for M?
What was M's A.I Rankiteo Cyber Score in May 2026?
What was M's A.I Rankiteo Cyber Score in April 2026?
What was M's A.I Rankiteo Cyber Score in March 2026?
What was M's A.I Rankiteo Cyber Score in February 2026?
What was M's A.I Rankiteo Cyber Score in January 2026?
What was M's A.I Rankiteo Cyber Score in December 2025?
What was M's A.I Rankiteo Cyber Score in November 2025?
What was M's A.I Rankiteo Cyber Score in October 2025?
What was M's A.I Rankiteo Cyber Score in September 2025?
What was M's A.I Rankiteo Cyber Score in August 2025?
What was M's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on M's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with M?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view M's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?