VENON banking trojan — the first Rust-based malware targeting Latin American banks — hits 33 Brazilian financial institutions. Apple releases emergency patches for the Coruna WebKit exploit on legacy iOS. Russian hackers target Signal and WhatsApp accounts of government officials and journalists worldwide. Wiz warns of large-scale OAuth consent abuse. Plus: Cisco IOS XR patches, n8n server takeover, Polyfill supply chain attack linked to North Korea, and Meta disrupts 150K scam accounts.
ZenoX researchers have discovered VENON, the first banking trojan written in Rust targeting Latin American financial institutions. It targets 33 Brazilian banks using DLL side-loading, banking overlay attacks, and LNK hijacking. The developer username "byst4" was leaked, and the malware shows signs of AI-assisted development.
The Latin American banking malware landscape has been dominated by Delphi-based trojans for over a decade — families like Grandoreiro, Casbaneiro, and Mekotio. VENON represents a fundamental paradigm shift: a banking trojan written entirely in Rust, demonstrating that threat actors are modernizing their toolkits with memory-safe, high-performance languages.
Discovered by researchers at ZenoX, VENON employs a sophisticated multi-stage attack chain:
The shift to Rust is strategically significant for several reasons:
The leak of the developer username "byst4" provides a potential attribution lead, but also suggests operational security failures within the malware development team.
Apple has released iOS 16.7.15 and iOS 15.8.7 to patch WebKit vulnerabilities exploited in the wild through the Coruna exploit. Older devices running iOS 15 and 16 that cannot upgrade to iOS 17/18 were vulnerable to remote code execution through malicious web content.
Apple has released emergency security updates for legacy iOS devices — those still running iOS 15 and iOS 16 because they cannot support newer versions. The patches address WebKit vulnerabilities that were actively exploited through what researchers call the Coruna exploit chain.
This is particularly significant because it affects devices that many organizations assume are "too old to matter" — but in practice, millions of iPhones and iPads in enterprise environments, especially in education, healthcare, and government sectors, still run iOS 15 or 16.
WebKit vulnerabilities are particularly dangerous because exploitation requires nothing more than visiting a malicious webpage. No app installation, no user interaction beyond clicking a link. The Coruna exploit leverages this to achieve remote code execution on unpatched devices.
The Netherlands intelligence services MIVD and AIVD have issued a public warning that Russian-linked hackers are actively targeting Signal and WhatsApp accounts of government officials, journalists, and military personnel worldwide. Germany issued a similar warning last month.
Dutch intelligence agencies have revealed a coordinated campaign by Russian state-linked actors to compromise secure messaging accounts. The attackers are using two primary techniques:
Attackers create a fake Signal Support chatbot that contacts targets claiming to verify their account or assist with a "security issue." The chatbot requests the victim's verification code or PIN, which is then used to register the victim's Signal account on the attacker's device. Once registered, the attacker has full access to all incoming messages.
Signal's "linked devices" feature — designed to let users access Signal on multiple devices — is being exploited. Attackers trick victims into scanning a QR code that links the attacker's device to the victim's Signal account. This gives the attacker real-time access to all messages without the victim losing access, making detection much harder.
Germany's BSI issued a similar warning last month, confirming this is a Europe-wide campaign with global reach. The targets include diplomats, defense officials, journalists, and NGO workers — anyone whose communications would be of interest to Russian intelligence.
The campaign extends beyond Signal to WhatsApp, using similar social engineering techniques to steal verification codes and abuse the multi-device feature. Organizations using WhatsApp for business communications should implement the same defensive measures.
Cloud security firm Wiz has identified a large-scale campaign using 19 distinct malicious OAuth applications impersonating Adobe, DocuSign, and OneDrive to steal access tokens. The campaign exploits "consent fatigue" and has been active since early 2025.
Wiz researchers have uncovered an active and large-scale OAuth consent abuse campaign that exploits a fundamental weakness in cloud identity: users have been trained to click "Accept" on consent prompts without reading them.
The attack works as follows:
This attack is particularly dangerous because it bypasses MFA entirely. The victim authenticates with their own credentials and MFA, then grants the malicious app an access token. The attacker never needs the password.
Cisco has released patches for high-severity vulnerabilities in IOS XR that could lead to denial of service, command execution, or complete device takeover. These affect enterprise routing and switching infrastructure.
Cisco has published security advisories addressing multiple high-severity vulnerabilities in IOS XR, the operating system powering Cisco's carrier-grade and enterprise routing platforms. These vulnerabilities affect devices at the core of network infrastructure — routers and switches that handle critical traffic flows.
The vulnerabilities could allow attackers to:
IOS XR powers Cisco ASR, NCS, and CRS series routers — devices deployed by ISPs, telecoms, data centers, and large enterprises. A successful exploit could disrupt backbone connectivity affecting thousands of downstream users and services.
Both Splunk and Zoom have released patches for critical and high-severity vulnerabilities. Splunk flaws allow arbitrary shell command execution. Zoom vulnerabilities enable privilege escalation.
Splunk — used by security operations centers worldwide for log management and SIEM — has patched vulnerabilities that allow authenticated attackers to execute arbitrary shell commands on the Splunk server. Given that Splunk instances typically have access to logs from across the entire infrastructure, a compromised Splunk server gives attackers visibility into the entire security posture.
Zoom has simultaneously released patches for privilege escalation vulnerabilities. With Zoom deployed across virtually every organization for video conferencing, these flaws represent a broad attack surface.
Critical vulnerabilities in the n8n workflow automation platform allow unauthenticated attackers to execute arbitrary code, steal credentials, and take over servers. n8n instances often have broad access to internal systems, APIs, and databases.
The n8n open-source workflow automation platform — used for API integration, data pipelines, and business process automation — has critical vulnerabilities that allow unauthenticated attackers to completely compromise n8n servers.
This is particularly dangerous because n8n instances are typically configured with credentials for dozens of connected services — databases, cloud APIs, email servers, CRM systems, and more. A single compromised n8n instance can cascade into breaches across the entire connected infrastructure.
A SQL injection vulnerability in the Starter Templates by flavor (Starter Templates) WordPress plugin exposes over 200,000 websites to database extraction attacks. Attackers can extract sensitive information including user credentials, personal data, and configuration details.
A critical SQL injection vulnerability has been discovered in a popular WordPress plugin installed on over 200,000 websites. The flaw allows attackers to inject malicious SQL queries to extract sensitive database information — including admin credentials, user personal data, and configuration secrets.
WordPress plugins remain one of the most exploited attack vectors on the web. Many organizations treat their WordPress sites as "just a website" without applying the same security rigor as their core infrastructure — a dangerous oversight given that these sites often process customer data, lead generation forms, and payment information.
The 2024 Polyfill.io supply chain attack — which compromised over 100,000 websites — was initially attributed to Chinese threat actors. New evidence from an infostealer infection has now revealed North Korean involvement in the campaign.
The Polyfill.io incident was one of the most significant software supply chain attacks of 2024. The Polyfill.io CDN — used by over 100,000 websites to provide JavaScript polyfills for browser compatibility — was taken over by malicious actors who injected malicious code into the JavaScript served to visitors.
The attack was initially attributed to Chinese entities after the Polyfill.io domain was acquired by a Chinese company. However, new intelligence from an infostealer infection on a device connected to the operation has revealed North Korean involvement — suggesting the campaign may have been a collaboration or that North Korean actors were behind the Chinese front company.
Meta has announced the disabling of over 150,000 accounts powering scam centers primarily operating out of Southeast Asia. These accounts were linked to pig-butchering scams, romance fraud, and investment fraud operations that have caused billions in losses worldwide.
Alongside the account disruptions, Meta is launching new protection tools designed to identify and warn users about potential scam interactions in real-time. The tools use AI to detect patterns consistent with scam operations, including unusual messaging patterns and financial solicitations.
Bell Ambulance has disclosed a data breach affecting approximately 238,000 individuals. Stolen data includes Social Security numbers, driver's licenses, and personal health information.
Bell Ambulance, an emergency medical services provider, has confirmed a significant data breach that exposed sensitive personal information of 238,000 individuals. The compromised data includes:
This breach highlights the ongoing vulnerability of healthcare organizations to cyber attacks. Ambulance services and emergency medical providers often operate with legacy IT systems, limited cybersecurity budgets, and high-pressure operational environments that prioritize availability over security.
The U.S. Senate has confirmed Joshua Rudd as the new head of both the National Security Agency (NSA) and U.S. Cyber Command — the "dual-hat" role that combines signals intelligence with military cyber operations. Rudd takes command at a critical time as nation-state cyber threats escalate.
The confirmation comes amid heightened concerns about:
For European organizations, the change in US cyber leadership is relevant because NSA and Cyber Command intelligence sharing with allied nations (through Five Eyes and NATO) directly impacts threat intelligence feeds and defensive capabilities available to European CERTs and security teams.
KENSAI continuously monitors your infrastructure against the latest vulnerabilities, maps them to NIS2, DORA, and GDPR compliance requirements, and generates audit-ready reports — all powered by AI threat intelligence.
Start Your Free Security Scan →Stay vigilant and patch proactively,
The KENSAI Threat Intelligence Team
Daily security briefing powered by AI threat intelligence. Published every day at 06:00 CET.