Salt Typhoon's multi-year campaign against U.S. telecoms signals China's shift to society-scale data collection over recruited-asset espionage. The model—collect widely, analyze fast, operationalize at scale—outpaces Western counterintelligence frameworks built around single-source tradecraft.
War on the Rocks
· just now
Sustained operations linked to the Iran conflict are depleting high-end warship capacity and munitions inventories faster than current construction doctrine can replenish. The Indo-Pacific deterrence posture depends on a shipbuilding model Sen. Wicker called too small and too old in 2024.
War on the Rocks
· just now
Russia entered this week's Xi-Putin summit pushing to resolve trade bottlenecks and deepen economic ties as Western sanctions bite. China's structural advantages mean Moscow is negotiating from dependency, not partnership.
Foreign Policy
· 12h ago
Trump and Xi met May 14-15 in Beijing, covering Taiwan, Iran, the Strait of Hormuz, and bilateral trade under a framework both sides labeled constructive strategic stability. Regional governments are recalibrating alignments based on what the two leaders agreed to leave unresolved.
War on the Rocks
· 14h ago
Fox Tempest operates a malware-signing-as-a-service platform used by Vanilla Tempest and multiple Storm groups to legitimize and distribute ransomware and other malicious code. Commoditizing code-signing infrastructure lowers the barrier for ransomware deployment across the broader cybercriminal ecosystem.
Microsoft Threat Intelligence
· 17h ago
Cisco Talos identified a BadIIS variant, recognizable by embedded demo.pdb strings, that is sold or shared across multiple Chinese-speaking cybercrime groups under a malware-as-a-service model.
Cisco Talos
· 22h ago
Fox Tempest, operating since May 2025, sold code-signing-as-a-service to ransomware gangs by abusing Microsoft's Artifact Signing infrastructure. Microsoft's legal disruption sets a precedent for using civil courts against cybercrime enablement platforms.
The Record
· 15h ago
Fox Tempest exploited Microsoft's Artifact Signing service to generate fraudulent code-signing certificates distributed to ransomware operators. Criminals leveraging a vendor's own trust infrastructure against it exposes a systemic gap in software supply-chain verification.
BleepingComputer
· 10h ago
7-Eleven confirmed a network intrusion following ShinyHunters' public extortion claim against the convenience-store giant. ShinyHunters continues targeting high-volume retail brands to maximize leverage, sustaining a pattern of pressure-through-disclosure.
BleepingComputer
· 17h ago
Financially motivated Fox Tempest industrialized malware delivery by circumventing software verification systems for ransomware and other criminal operators at scale. The commoditization of code-signing bypass lowers the barrier for any actor to defeat endpoint security controls.
CyberScoop
· 17h ago
HUMAN's Satori team identified Trapdoor: 455 malicious Android apps and 183 C2 domains generating 659 million fraudulent daily ad bid requests. The operation's dedicated C2 infrastructure signals a professional, revenue-driven fraud syndicate rather than opportunistic ad abuse.
The Hacker News
· 15h ago
Fox Tempest sold code-signing services that disguised ransomware and malware as legitimate software, serving multiple criminal operators. Microsoft's disruption removes a key trust-laundering layer that allowed signed malware to bypass enterprise security stacks.
SecurityWeek
· 16h ago
CISA flagged an authentication-bypass vulnerability in ZKTeco SSC335-GC2063-Face-0b77 cameras scoring CVSS 9.1, enabling credential capture on globally deployed units. Exploitation at commercial facilities could hand attackers persistent physical-surveillance access with zero prior authentication.
CISA Alerts
· 20h ago
CVE-2026-4293 affects eight Kieback & Peter DDC4000-series building-controller firmware versions, allowing full browser takeover on unpatched systems. Building-automation compromise enables lateral movement into HVAC, access control, and broader OT networks.
CISA Alerts
· 20h ago
GitHub announced a potential breach while CISA inadvertently exposed credentials and keys in a public repository, both disclosed in the same news cycle. Simultaneous trust failures at a code-hosting giant and the U.S. cyber defense agency compound supply-chain and government-security credibility risks.
Risky Business
· 2h ago
A buffer overflow in PAN-OS's User-ID Authentication Portal allows unauthenticated root-code execution on PA-Series and VM-Series firewalls embedded in Siemens RUGGEDCOM APE1808 industrial devices; fixes are not yet available for all affected products.
CISA Alerts
· 20h ago
CVE-2025-3465 allows unauthenticated path traversal in ABB CoreSense HM (≤2.3.4) and M10, enabling complete system compromise. Industrial control system exposure without authentication raises immediate OT network risk; patching is available.
CISA Alerts
· 20h ago
ScadaBR 1.2.0 contains CVE-2026-8602 through CVE-2026-8605 — missing auth, OS command injection, CSRF, and a fourth flaw — enabling unauthenticated remote code execution. CVSS 9.1 on an OT/SCADA platform signals high exploitation likelihood in industrial environments.
CISA Alerts
· 20h ago
Zellic and V12 released a working PoC for CVE-2026-31635, a Linux kernel local privilege escalation flaw patched after being flagged as a duplicate. Public PoC availability compresses the patch-or-exploit window for every unpatched Linux host globally.
The Hacker News
· 17h ago
Also reported by: SecurityWeek
Drupal warns attackers could develop a working exploit for an undisclosed highly critical vulnerability within hours or days of disclosure. The tight exploitation window on a widely deployed CMS puts millions of sites at risk before patch rollout completes.
SecurityWeek
· 15h ago