Payouts King Ransomware Uses QEMU VMs to Bypass Endpoint Security
The Payouts King ransomware has begun using the open‑source QEMU emulator to spin up hidden Alpine Linux virtual machines on compromised hosts. By launching these VMs through a SYSTEM‑level scheduled task named TPMProfiler, the malware evades host‑based endpoint scanners and creates reverse SSH tunnels for covert command‑and‑control. Sophos documented two campaigns—STAC4713 (linked to the GOLD ENCOUNTER group) and STAC3725 (exploiting CitrixBleed 2)—that leverage QEMU to harvest credentials, exfiltrate data, and deploy additional tools. The technique builds on prior QEMU abuse by other threat actors and signals a shift toward more sophisticated evasion tactics.
Inside an Underground Guide: How Threat Actors Vet Stolen Credit Card Shops
An underground guide uncovered by Flare analysts reveals how cyber‑criminals now vet stolen‑card marketplaces. The document outlines a disciplined vetting process—checking domain age, SSL, WHOIS, mirror sites, and community reputation—to avoid scams and law‑enforcement takedowns. It also highlights the adoption...
Webinar: From Phishing to Fallout — Why MSPs Must Rethink Both Security and Recovery
BleepingComputer will host a live webinar on May 14, 2026 featuring Kaseya experts to discuss why managed service providers (MSPs) must align security and recovery strategies. The session highlights the rise of AI‑driven phishing, business‑email compromise, and targeted ransomware that...
Microsoft: Some Windows Servers Enter Reboot Loops After April Patches
Microsoft confirmed that certain Windows domain controllers using Privileged Access Management enter reboot loops after installing the April 2026 security update KB5082063. The LSASS crashes cause repeated restarts, disabling authentication and potentially taking the entire domain offline. Affected operating systems include...
Man Gets 30 Months for Selling Thousands of Hacked DraftKings Accounts
Kamerin Stokes, a 23‑year‑old from Memphis, was sentenced to 30 months in federal prison for operating a fraud shop that sold access to tens of thousands of hacked DraftKings accounts. The accounts were compromised in a November 2022 credential‑stuffing attack...
Recently Leaked Windows Zero-Days Now Exploited in Attacks
Threat actors are actively exploiting three newly disclosed Windows vulnerabilities after researcher “Chaotic Eclipse” published proof‑of‑concept code. The flaws—BlueHammer, RedSun and UnDefend—target Microsoft Defender, enabling attackers to gain SYSTEM or elevated admin rights. Huntress Labs confirmed real‑world use of all...
ZionSiphon Malware Designed to Sabotage Water Treatment Systems
Darktrace discovered ZionSiphon, a new operational‑technology malware aimed at water treatment and desalination plants, primarily in Israel. The code attempts to raise chlorine levels and hydraulic pressure, but a broken XOR‑based IP check triggers a self‑destruct routine, rendering the current...
US Nationals Behind DPRK IT Worker 'Laptop Farm' Sent to Prison
Two U.S. nationals, Kejia Wang and Zhenxing Wang, were sentenced to 108 months and 92 months respectively for orchestrating a scheme that placed North Korean IT workers in over 100 American companies using stolen identities. Between 2021 and October 2024...
Microsoft: April Windows Server 2025 Update May Fail to Install
Microsoft is investigating a failure of the April 2026 KB5082063 security update on Windows Server 2025, which triggers error code 0x800F0983 and, in some cases, forces servers into BitLocker recovery mode. The issue appears limited to enterprise‑managed configurations and does not affect...
New AgingFly Malware Used in Attacks on Ukraine Govt, Hospitals
CERT‑UA uncovered a new malware family called AgingFly targeting Ukrainian government agencies, hospitals and possibly Defense Forces. The campaign begins with phishing emails offering humanitarian aid, leading victims to click links that deliver malicious LNK shortcuts and HTA files. Once...
Microsoft Pays $2.3M for Cloud and AI Flaws at Zero Day Quest
Microsoft awarded $2.3 million to security researchers after the 2026 Zero Day Quest, recognizing over 80 high‑impact cloud and AI flaws uncovered during the live event. The contest attracted nearly 700 submissions from participants in more than 20 countries, building on...
CISA Flags Windows Task Host Vulnerability as Exploited in Attacks
CISA has placed the Windows Task Host privilege‑escalation flaw (CVE‑2025‑60710) on its catalog of actively exploited vulnerabilities, urging federal agencies to apply Microsoft’s November 2025 patch within two weeks. The defect allows a low‑complexity local attack to elevate a standard user...
Microsoft Adds Windows Protections for Malicious Remote Desktop Files
Microsoft rolled out new Windows defenses against RDP‑phishing attacks in the April 2026 cumulative updates for Windows 10 (KB5082200) and Windows 11 (KB5083769, KB5082052). The changes introduce a one‑time educational prompt and a persistent security dialog that disables all resource redirections by default....
Microsoft Releases Windows 10 KB5082200 Extended Security Update
Microsoft released the Windows 10 KB5082200 extended security update, which delivers the April 2026 Patch Tuesday fixes. The update patches 167 vulnerabilities, including two zero‑day flaws, and upgrades Windows 10 to build 19045.7184 (Enterprise LTSC 2021 to 19044.7184). It adds RDP file phishing protections, Secure Boot status...
McGraw-Hill Confirms Data Breach Following Extortion Threat
McGraw‑Hill disclosed that hackers leveraged a misconfigured Salesforce page to view a limited set of internal data. The company emphasized that the breach did not compromise its Salesforce accounts, customer databases, courseware, or any sensitive student information. Extortion group ShinyHunters...