Today’s roundup
FBI investigates breach of surveillance and wiretap systems
China-Linked Hackers Use TernDoor, PeerTime, BruteEntry in South American Telecom Attacks
Iran-Linked MuddyWater Hackers Target U.S. Networks With New Dindoor Backdoor
Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer
Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities
Cisco Drops 48 New Firewall Vulnerabilities, 2 Critical
Getting a Shell on the Tapo C260 Webcam (CVE-2026-0651, CVE-2026-0652, CVE-2026-0653)
WordPress membership plugin bug exploited to create admin accounts
From Ukraine to Iran, Hacking Security Cameras Is Now Part of War’s ‘Playbook’
Phobos Ransomware admin faces up to 20 years after guilty plea
Summary
FBI Investigates Breach of Wiretap Systems
The U.S. Federal Bureau of Investigation confirmed an ongoing investigation into a breach affecting systems used for managing surveillance and wiretap warrants. Details on the nature or scope of the breach remain undisclosed.
China-Linked APT UAT-9244 Targets South American Telecoms with New Malware
A China-linked advanced persistent threat actor, tracked by Cisco Talos as UAT-9244, has been targeting telecommunications providers in South America since 2024. The campaign compromises Windows, Linux and network-edge devices with a new malware toolkit that includes the TernDoor, PeerTime and BruteEntry implants.
Iran-Linked MuddyWater Hackers Deploy New Dindoor Backdoor Against U.S. Networks
The Iranian state-sponsored group MuddyWater, also tracked as Seedworm, has been observed establishing footholds in the networks of several U.S. organizations, including banks, airports and non-profits, as well as an Israeli software company. In these intrusions the group is deploying a newly identified backdoor named Dindoor.
Microsoft Exposes ClickFix Campaign Using Windows Terminal for Lumma Stealer Deployment
Microsoft has disclosed a widespread ClickFix social-engineering campaign observed in February 2026. Instead of having the victim paste a command into the Run dialog or a PowerShell window, as earlier ClickFix lures did, this one has them run it in the Windows Terminal application, which kicks off a multi-stage chain that ends with Lumma Stealer. Moving the execution step into a different host process sidesteps detections tuned to the traditional ClickFix command-execution routes.
Cisco Confirms Active Exploitation of New SD-WAN Manager Vulnerabilities
Cisco has confirmed active exploitation of two more vulnerabilities in Catalyst SD-WAN Manager (formerly SD-WAN vManage). One of them, CVE-2026-20122 (CVSS 7.1), is an arbitrary file overwrite flaw that lets an authenticated remote attacker overwrite arbitrary files on the local file system. The disclosure follows earlier reports of exploitation against Cisco SD-WAN products.
Cisco Discloses 48 New Firewall Vulnerabilities, Including Two Critical Flaws
Cisco has released patches for 48 new vulnerabilities in its firewall products, two of them rated critical with CVSS scores of 10.0. Both affect Secure Firewall Management Center (FMC): one lets an unauthenticated remote attacker bypass authentication, the other is a Java deserialization flaw that yields arbitrary code execution as root.
Critical Vulnerabilities Uncovered in TP-Link Tapo C260 Webcam
Researchers have detailed a chain of critical vulnerabilities in the TP-Link Tapo C260 webcam, including local file disclosure (CVE-2026-0651), guest-privilege remote code execution (CVE-2026-0652), and privilege escalation (CVE-2026-0653). The exploitation involves manipulating JSON configuration values via the mobile app API to achieve command injection through unsanitized popen calls.
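The injection pattern the researchers describe, an attacker-controlled configuration value that reaches popen() unsanitized, shown in C beside a hardened form. This is example code written for this roundup, not TP-Link firmware code; the `ntp_server` field, the `ntpdate` command, the JSON request shape and all function names are assumed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed sample requests in the shape of a mobile-app "set config" call.
 * The field name and the injected value are made up for this example. */
static const char *const kBenignJson =
    "{\"method\":\"set\",\"params\":{\"ntp_server\":\"pool.ntp.org\"}}";
static const char *const kInjectedJson =
    "{\"method\":\"set\",\"params\":{\"ntp_server\":\"pool.ntp.org; telnetd -l /bin/sh\"}}";

/* Pulls "key":"value" out of a flat JSON object. Enough for the demo; the
 * point is that the value is attacker-controlled, not how it is parsed. */
static int json_get_string(const char *json, const char *key,
                           char *out, size_t outlen) {
    char pattern[64];
    if (snprintf(pattern, sizeof pattern, "\"%s\":\"", key) >= (int)sizeof pattern)
        return -1;
    const char *p = strstr(json, pattern);
    if (p == NULL) return -1;
    p += strlen(pattern);
    const char *end = strchr(p, '"');
    if (end == NULL || (size_t)(end - p) >= outlen) return -1;
    memcpy(out, p, (size_t)(end - p));
    out[end - p] = '\0';
    return 0;
}

/* VULNERABLE pattern: the config value is spliced into a shell command line.
 * Firmware of this shape then does  FILE *fp = popen(cmd, "r");  and /bin/sh
 * runs whatever follows the ';'. Returns 0 and fills cmd on success. */
int vuln_build_cmd(const char *json, char *cmd, size_t cmdlen) {
    char host[128];
    if (json_get_string(json, "ntp_server", host, sizeof host) != 0) return -1;
    int n = snprintf(cmd, cmdlen, "ntpdate -u %s", host);
    return (n >= 0 && (size_t)n < cmdlen) ? 0 : -1;
}

/* Allowlist for a hostname or dotted IP: letters, digits, '.' and '-', and no
 * leading '-' (which ntpdate would read as an option). Returns 1 if acceptable. */
int is_safe_host(const char *s) {
    size_t len = strlen(s);
    if (len == 0 || len > 253 || s[0] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != '-') return 0;
    }
    return 1;
}

/* HARDENED: validate, then exec the program with an argv array and no shell,
 * so metacharacters in the value are never interpreted. prog is the binary to
 * run (ntpdate on the device). Returns the child's exit status, -2 if the
 * value was rejected before any process was spawned, -1 on fork/wait failure. */
int safe_set_ntp_server(const char *json, const char *prog) {
    char host[128];
    if (json_get_string(json, "ntp_server", host, sizeof host) != 0) return -2;
    if (!is_safe_host(host)) return -2;

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = {(char *)prog, "-u", host, NULL};
        execvp(prog, argv);
        _exit(127);            /* exec failed; never fall back to a shell */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    char cmd[256];
    if (vuln_build_cmd(kInjectedJson, cmd, sizeof cmd) == 0)
        printf("vulnerable path would popen: %s\n", cmd);
    printf("hardened path, injected value: %d\n",
           safe_set_ntp_server(kInjectedJson, "ntpdate"));
    printf("hardened path, benign value:   %d\n",
           safe_set_ntp_server(kBenignJson, "ntpdate"));
    return 0;
}
```

The fix that matters is removing the shell: execvp() passes the value as a single argv element, so `;`, backticks and `$()` are inert. The allowlist is defense in depth and also blocks argument injection (a value starting with `-`), which an argv-based call alone does not prevent. On a workstation without `ntpdate` the benign call returns 127 from the failed exec; the validation still passed, and substituting `/bin/true` for `prog` shows the success path.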
WordPress Membership Plugin Vulnerability Actively Exploited to Create Admin Accounts
A critical vulnerability within the User Registration & Membership plugin, installed on over 60,000 WordPress sites, is being actively exploited by hackers. The flaw allows attackers to create unauthorized administrative accounts, posing a significant threat to affected websites.
Hacking Security Cameras Emerges as a Key Cyber Warfare Tactic
New research indicates that hacking consumer-grade security cameras has become a standardized tactic in modern warfare. Apparent Iranian state hackers have been observed hijacking hundreds of these devices, often synchronized with missile and drone strikes. Similar activities have also been documented involving Israeli, Russian, and Ukrainian actors.
Phobos Ransomware Administrator Pleads Guilty, Faces 20 Years in Prison
Russian national Evgenii Ptitsyn, 43, pleaded guilty in the U.S. to wire fraud conspiracy for his involvement in the Phobos ransomware operation. The scheme extorted over $16 million from more than 1,000 public and private entities worldwide. Ptitsyn, arrested in South Korea in 2024 and extradited, faces up to 20 years in prison, with sentencing scheduled for July 15. The operation utilized a ransomware-as-a-service model, with Ptitsyn facilitating malware distribution and receiving a share of ransom payments.
Want to dig deeper?
Cyber Groups
| Group | Also known as |
|---|---|
| MuddyWater | Earth Vetala, MERCURY, Static Kitten, Seedworm, TEMP.Zagros, Mango Sandstorm, TA450 |
Malware Families