ThreatsDay: AI Compute Hijacking, Apple Email Flaw, BlueHammer Ransomware, and 14 Additional Security Breaches
This week's incidents share a common thread: vulnerabilities are often found in seemingly innocuous systems, and attackers are exploiting minor gaps in security protocols across various platforms, from email services to AI systems. The implications of these breaches extend beyond immediate damage, raising concerns about the integrity of digital infrastructure globally.
Ransomware Phishing Campaigns Targeting Small Businesses
A phishing campaign has emerged, targeting small businesses across Europe, Asia, the Middle East, and the United States. The attackers are impersonating law enforcement officials, sending emails that claim to contain evidence of suspicious company activity. Bitdefender reports that these emails pressure recipients into opening password-protected archives, which ultimately deliver ransomware. The malware appears to be a custom-built payload, rather than part of a known ransomware family, indicating a sophisticated level of planning and execution.
Vulnerability in Apple’s Hide My Email Service
A significant vulnerability has been disclosed in Apple’s Hide My Email service that allows attackers to unmask users’ real email addresses. Researcher Tyler Murphy reported the issue to Apple over a year ago, but it remains unpatched. In limited trials, 100% of Hide My Email addresses were exploitable. The lack of a timely fix raises questions about Apple’s commitment to user privacy and the potential for widespread exploitation.
Sandbox Root Escape in Claude Cowork
Research from Armadin has uncovered an attack chain affecting Claude Cowork on Windows. The chain allows an attacker with local code execution to plant a malicious file in the application directory, hijacking a trusted process to communicate with the underlying VM service. It takes advantage of unvalidated parameters, enabling the attacker to execute arbitrary commands as root without network egress restrictions. Anthropic, the company behind Claude, stated that it does not consider this a security issue since exploitation requires pre-existing local code execution.
China-Linked RAT Activity
A new variant of the open-source DCRat framework, dubbed BeepRAT, has been identified. Distributed via a Chinese phone number management utility, this malware establishes persistence on the host and utilizes DNS-over-HTTPS (DoH) for command-and-control communication. The malware’s capabilities include file transfer, keystroke logging, and remote command execution, indicating a sophisticated multi-stage infection chain. Analysts suggest that BeepRAT operates within a China-nexus espionage ecosystem, raising concerns about its implications for international cybersecurity.
AI Cyber Benchmarking
An evaluation of OpenAI’s GPT-5.6 Sol by AI security lab Irregular has shown that while the model performs slightly better than its predecessor, GPT-5.5, it still struggles against well-defended targets. The model demonstrated capabilities relevant to offensive cyber misuse, including the ability to find and exploit high-impact zero-day vulnerabilities. However, it continues to show limitations in operational security and decision-making under time constraints.
Platform-Aware Phishing Operations
Cofense has reported a shift in phishing tactics, with threat actors moving towards platform-aware delivery methods. These campaigns adapt to the victim’s device and environment, delivering specific payloads based on the operating system. This evolution reflects a broader strategic change in the threat landscape, designed to increase the likelihood of compromise and improve the return on investment for attackers.
U.S. State Department Offers Reward for Russian Cyber Actors
The U.S. State Department has announced a reward of up to $10 million for information leading to the identification of threat actors associated with UNC5792, a group linked to the Russian Federal Security Service (FSB). This group has been involved in phishing campaigns targeting U.S. government officials and military personnel. The State Department noted that while these activities did not exploit vulnerabilities in encryption protections, they have compromised thousands of accounts.
Clipboard Attack Defense Introduced by Opera
In response to increasing clipboard-based attacks, Opera has launched a new feature called Paste Protect. This tool aims to block malicious commands that may be executed through social engineering techniques. The feature alerts users to suspicious clipboard activity, helping to mitigate risks associated with ClickFix-style attacks, which accounted for over 53% of malware loader activity in 2025.
FTC Enforcement Action Against Amazon
The U.S. Federal Trade Commission has fined Amazon $2.25 million for failing to assist customers who reported identity theft. Victims were often subjected to a convoluted process requiring them to identify the thief before Amazon would release transaction records. This enforcement action underscores the importance of corporate responsibility in protecting consumer data.
Telegram RAT Surge
The Millennium RAT, a remote access trojan, has transitioned from .NET to native C++, while still leveraging the Telegram Bot API for command-and-control. The malware is offered as malware-as-a-service, enabling threat actors to exfiltrate sensitive data from compromised Windows machines. As of now, over 62,000 devices have been infected, indicating a significant threat to users.
Search Hijack Extension Discovered
Microsoft has identified a malicious Chromium-based extension that impersonates the AI-powered search engine Perplexity AI. This extension, which was removed after gaining 10,000 installs, aimed to intercept search traffic and collect user data. The incident highlights the ongoing exploitation of AI tools by threat actors for malicious purposes.
Meeting Bot Controls in Microsoft Teams
Microsoft is introducing new features to enhance bot protection in Teams meetings. These measures aim to provide organizations with better visibility and control over external bots, reducing the risks associated with unauthorized participants in sensitive discussions.
Defender Zero-Day Abuse Confirmed
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that the recently patched Microsoft Defender vulnerability, known as BlueHammer, was exploited in ransomware attacks. This zero-day was initially disclosed in April 2026, and its exploitation underscores the ongoing challenges in securing widely used software.
Stolen AI Compute Abuse
Threat actors have been observed using a misconfigured Ollama model server for offensive security operations. This marks a new phase in resource hijacking attacks, where malicious actors exploit stolen cloud credentials to run heavy AI workloads, leaving the legitimate account holders to bear the costs.
The recent wave of cybersecurity incidents demonstrates that attackers are increasingly adept at exploiting minor vulnerabilities across various platforms. As organizations continue to navigate this complex landscape, the need for robust security measures and proactive threat intelligence becomes ever more critical.
Source: thehackernews.com


