CyberNews: 11/05/2026 Edition

Published by Dunateo on 2026-05-11

Today’s roundup

  • TrickMo Android banker adopts TON blockchain for covert comms
  • Hackers abuse Google ads, Claude.ai chats to push Mac malware
  • US: FCC Relaxes Foreign-Made Router Ban to Allow for Security Updates
  • ShinyHunters Escalates Canvas Extortion with School by School Ransom Campaign
  • Zara Data Breach Impacts Nearly 200,000 Customers
  • Crimenetwork returns after takedown, dismantled again by German authorities
  • U.S. CISA adds a flaw in BerriAI LiteLLM to its Known Exploited Vulnerabilities catalog
  • Instagram removed end-to-end encryption for DMs. What should users do?
  • New cPanel vulnerabilities could allow file access and remote code execution
  • The State of Ransomware – Q1 2026

Summary

A new TrickMo Android banking malware variant is targeting European users and uses The Open Network (TON) blockchain for covert command-and-control communications to improve its stealth.

Hackers are abusing Google Ads and legitimate Claude.ai shared chats in a malvertising campaign that pushes Mac malware. Sponsored search results for "Claude mac download" redirect users to malicious installation instructions.

The U.S. FCC relaxed its ban on foreign-made routers to permit security updates for US-based users; the measure also extends to foreign-made drones so that deployed devices can keep receiving fixes.

ShinyHunters escalated its Canvas extortion campaign, defacing hundreds of school login pages and threatening to leak stolen data unless individual educational institutions negotiate.

ShinyHunters breached Zara, exposing data on nearly 200,000 customers, including email addresses and other sensitive personal data.

German authorities, supported by Spanish police, dismantled a relaunched Crimenetwork dark web marketplace and arrested its 35-year-old administrator in Mallorca. The platform processed over €3.6 million in cryptocurrency from 22,000 users.

CISA added CVE-2026-42208, a critical SQL injection in BerriAI LiteLLM (CVSS 9.3), to its KEV catalog. The flaw was actively exploited within 36 hours of disclosure; federal agencies must patch by May 11, 2026.

Instagram removed optional end-to-end encryption for DMs on May 8, 2026, giving Meta access to chat content. The change is tied to compliance with the U.S. Take It Down Act; users are advised to download their chat histories.

cPanel released security updates for three vulnerabilities (CVE-2026-29201, CVE-2026-29202, CVE-2026-29203) in cPanel & WHM, covering arbitrary file reads, RCE, and privilege escalation. Users should update promptly: another cPanel flaw was recently exploited as a zero-day to deploy the Mirai botnet.

A Q1 2026 ransomware report shows consolidation of the ecosystem, with the top 10 groups, including Qilin and LockBit, claiming 71.1% of 2,122 victims. Notable trends include LockBit 5.0's shift away from U.S. targets and The Gentlemen's use of 14,700 pre-exploited FortiGate devices.


Vulnerabilities

  • CVE-2026-42208 – Critical
  • CVE-2026-29201 – Medium
  • CVE-2026-29202 – High
  • CVE-2026-29203 – High