Risky Bulletin: Meta says NSO violated court order with new campaign targeting WhatsApp
In other news: Security incident at France's Tchap messenger; Putin cuts some Kremlin security cameras; Russia bans foreign login services.
This newsletter is brought to you by SpecterOps, the experts in Attack Path Management. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business" in your podcatcher or subscribing via this RSS feed. You can also add the Risky Business newsletter as a Preferred Source to your Google search results by going here.
Social media company Meta says it found and disrupted a new NSO Group hacking campaign targeting WhatsApp users, in violation of a US court order issued last October.
The campaign was a spear-phishing operation that tried to lure certain users into clicking a malicious link sent to their WhatsApp accounts that took them to an external site.
Meta filed a legal complaint against the Israeli spyware company on Monday, asking the court to hold NSO in contempt.
Meta initially sued in 2019, after the Israeli company developed and used an exploit to hack thousands of WhatsApp users.
NSO fought the lawsuit by claiming state immunity because it was its customers—usually governments and law enforcement agencies—that deployed the exploit.
In 2024, a judge found NSO liable for the hacks and awarded Meta $168 million in damages. This was later cut to $4 million in October of last year, when the judge also issued a permanent injunction barring NSO from targeting Meta's WhatsApp app, servers, and users.
The Israeli company was sanctioned by the US Treasury in 2021 and has spent almost two years cozying up to Republican lawmakers in an attempt to get itself off the sanctions list.
In a blog post today, Meta urged US lawmakers to keep the sanctions, citing the recent violation of US courts as a sign of untrustworthiness.
"When a malicious company on the US government's Entity List continues to defy US courts, existing restrictions must remain firmly in place. Easing them would undermine US national security and put American companies and billions of people worldwide who depend on secure communications at risk."
A researcher who tracks spyware operations told Risky Business on Monday that while NSO has lost most of its staff and contracts, its semi-dead legal status has made it more desperate and dangerous, with its tools being used in campaigns that most surveillance vendors would want nothing to do with.
On top of the legal complaint, Meta also made a "significant contribution" to the Spyware Accountability Initiative (SAI), a global fund that sponsors civil society organizations that track and expose spyware campaigns.
Glad to see WhatsApp continuing to invest significant efforts & resources into countering the threat of spyware and holding companies like NSO Group accountable!
— Natalia Krapiva 🕊️👩🏻💻 (@natynettle.bsky.social) June 8, 2026 at 8:39 PM
Risky Business Podcasts
In this edition of Between Two Nerds, Tom Uren and The Grugq speak at the NATO CyCon conference on Cyber Conflict in Tallinn, Estonia. The pair discuss how cyber operations complement conventional military operations and the past, present and future of cyber conflict.
Breaches, hacks, and security incidents
Tchap security incident: Hackers have breached an account on Tchap, the French government's encrypted messaging app. The hacker joined public channels and harvested conversations. Officials say they've now suspended the account and urged government employees to use the app's encrypted chat feature for sensitive topics. A threat actor took credit for the breach and posted some of the scraped data on a hacking forum over the weekend. [French government]
ServiceNow hack: Hackers have abused an API bug to access data from ServiceNow customer instances. ServiceNow quietly patched its platform last week and has now notified affected customers. The company says the incidents mainly impacted customers on its Australia platform release. According to Reddit posts, the bug has been exploited since at least April. [ServiceNow // The CyberSec Guru // Reddit]
NûJINHA hack: Iranian hackers have attacked an independent all-female news agency operating out of Turkiye. The hackers breached the NûJINHA website, deleted articles, and disrupted online broadcasts. The Handala group took credit for the hack and threatened to dox and harm employees. [NûJINHA]
Hokkaido hospitals leak: The personal information of more than 180,000 patients and employees from two Hokkaido hospitals was exposed after two old hospital hard drives were put up for sale on an online auction site. [NHK]
Oxford University breach: Oxford University in the UK has disclosed a security breach that impacted its CareerConnect platform. Hackers accessed the portal at the end of May and stole the data of alumni, research staff, and employers. Oxford University uses the platform to connect students and staff with recruiters and employers about internships and jobs. [Oxford University // BleepingComputer]
SoFi breach: SoFi's Hong Kong division has been hacked, and data was stolen about some of the financial services company's customers. The data was stolen from an unnamed third-party service provider. [BleepingComputer]
Tempo DDoS attacks: Indonesian news site Tempo says it was hit with massive DDoS attacks that brought down its website over the weekend. The attacks come weeks after hackers breached its platform and deleted articles related to corruption cases. Tempo has since changed its CMS to remove the ability to delete past articles. [Tempo]
Illuminate escapes fine: Illuminate, an IT provider of school attendance and grading software, has settled with the FTC and won't pay any fine for a 2022 security breach that exposed the data of 1.7 million students. The company was ordered to implement a data security program, refrain from collecting unnecessary data, and delete old unneeded student data. The company was fined $5.1 million last November by the New York Attorney General for the same breach. [FTC]
The JLR password change event: Speaking at the Infosecurity Europe conference earlier this month, Ashish Shrestha, CISO of Jaguar Land Rover (JLR) at the time of last year's ransomware attack, confirmed that the company opted to reset the passwords of more than 30,000 employees in person at the company's offices, to make sure the employees had control over their accounts and that the hackers had been evicted. [Infosecurity Magazine]
Major MAX bot got hacked: A hacker has hijacked a major bot for Russia's MAX messenger service and spammed over 30,000 channels and their users. The spam contained information about the bot's vulnerability and warned users not to click on links. The hacker claimed they notified the bot's developers about the bug but they never replied. The bot was being used for posting scheduled messages but has now been suspended by the MAX security team. [SecPost // Habr]
Helm warns of lapsed domain turned evil: Kubernetes package manager Helm has warned users that an old lapsed domain was acquired by a third party and used to deliver malicious content. Helm has urged users to remove the baltocdn[.]com domain from configuration files to prevent future connections. The domain was retired from Helm infrastructure last September. [Helm]
General tech and privacy
Anthropic has released new cyber models: Claude Fable is intended for general use and has been released to the public, while Mythos 5 is designed for cybersecurity use cases and will initially only be available to Project Glasswing participants. The guardrails in Claude Fable 5 currently prevent any use of the model for “cybersecurity or biology topics”, as well as reasoning extraction attempts.
new policy from anthropic: if you use fable/mythos, they collect your data. no exceptions. not even for enterprise partners. https://t.co/8tt3oS0peu
— jpark (@jparkjmc) June 9, 2026
Let's Encrypt adds PQC support: Certificate authority Let's Encrypt has committed to supporting Merkle Tree-based quantum-safe certificates. [Let's Encrypt]
Clegg accuses Meta of going full MAGA: Former Meta head of global affairs Nick Clegg says his former employer abandoned its politically neutral position to adopt MAGA principles after Donald Trump took office in 2025. (If you were wondering why that platform is flooded with right-wing content and Russian disinformation, there you go, your confirmation from the inside). [The Guardian]
"Executives who had previously shunned politics pivoted right; the products themselves “changed utterly: from being human-centric to being much more about content, often synthetic content, algorithmically recommended to you”, Clegg said."
DOJ gags Apple: The US Justice Department has told Apple to keep quiet about the surveillance of a Congressional staffer. The gag order was issued last year in an FBI investigation targeting a senior Republican official suspected of acting as a foreign agent on behalf of Qatar. Apple won a legal case and had the gag order lifted to notify the user. The Congressional staffer never came forward to reveal their name. [Forbes]
The surveillance was ongoing as of mid-2025. Current status unknown, as is the subject's identity. If you know anything about this surveillance operation and the FBI probe, get in touch. I'm on Signal at +1 929-512-7964. www.forbes.com/sites/the-wi...
— Thomas Brewster (@thomasbrewster.bsky.social) June 9, 2026 at 7:15 PM
Massachusetts prepares data sale law: The Massachusetts state government has passed a bill that would ban the sale of precise location data of state residents. The bill passed with a unanimous vote of 146 to 0. It was sent to Governor Healey's office last week. If signed, the bill would also allow state residents to request that tech companies delete their data, similar to privacy laws active in California and the EU. [TechCrunch]
Meta deletes facial recognition code: Meta has removed a facial recognition module from the company's smart glasses after journalists found the component last week hidden inside the Meta AI app. [WIRED]
How interesting that Meta called @wired.com "dishonest" and then (quietly) removed the face-recognition system it had previously (also quietly) integrated into an app downloaded onto 50 million phones. Dishonest!
— Katie Drummond (@katie-drummond.bsky.social) June 8, 2026 at 9:24 PM
macOS Golden Gate: At its yearly WWDC event, Apple announced the next macOS, v27, codenamed Golden Gate. The new OS will also be the first Mac version to drop support for Intel processors. [AppleInsider]
Apple adds AI-based password changer: Apple has added a new feature to the iOS Passwords app that will detect compromised passwords and use an AI agent to secure accounts. The new Apple Intelligence assistant will log into the accounts and change credentials on users' behalf. The new feature is expected with iOS 27 later this year. [Apple]

Government, politics, and policy
NATO barely survives disinfo war simulation: A NATO team barely won against a Ukrainian team using Russian tactics as part of a disinformation exercise meant to test the bloc's ability to respond to wartime propaganda. [The Financial Times // Ukrainska Pravda]
A bit contradictory
The German officer: yeah, we can learn from the Ukrainians. But their narrative in this game wasn't consistent, so they lost
A Ukrainian participant: but there is no consistent narrative in the real world, that's what you could learn
www.ft.com/content/cda1...
— Oleg Shakirov (@shakirov2036.bsky.social) June 8, 2026 at 11:29 PM
Putin cuts Kremlin security cameras: The Russian Presidential Administration has shut down parts of a security camera system designed to watch over the Kremlin. Officials inspected the system for hacks and only reconnected cameras that had no internet connection. The audit was meant to protect President Vladimir Putin against having his movements traced through hacked cameras. Israel killed Iran's supreme leader in February by using hacked CCTV systems to track his movements ahead of a missile strike. [The Financial Times // MSN]
Russia bans foreign login services: Russia will fine website operators up to $10,000 for letting users log in using foreign email addresses. The government passed a new law this week mandating that any Russian website only authenticate users via local identifiers. This includes Russian phone numbers, Russian email addresses, or an official Gosuslugi government account. There are no fines for users. The new law also includes a clause that makes it illegal for telcos to reveal details on how the SORM surveillance system works. [Interfax // Mediazona // Russian Duma]
Russia explores new ethical hacking bill: The Russian Duma is at it again with a new attempt to regulate the white-hat hacking landscape after a previous bill was heavily criticized earlier this year and eventually failed. Nothing much to report so far. We'll keep you updated as this goes forward. [RIA Novosti]
Afghanistan bans smartphones for government workers: The Afghanistan Taliban leadership has banned government employees from using smartphones at work. Offenders would be prosecuted in a military court. The government also banned students last week from bringing phones to school and religious seminaries. Officials didn't reveal the reason for the ban. They previously described smartphones as "one of the three main enemies of Muslims." [Afghanistan International]
EU prepares NIS2 lawsuits against France and Spain: The European Commission is preparing lawsuits against France and Spain for failing to pass required cybersecurity legislation. Both France and Spain missed an October 2024 deadline to implement the NIS2 Directive in local laws. The NIS2 Directive introduced new rules to help safeguard the bloc's critical infrastructure operators. The Commission is expected to sue both countries at the Court of Justice of the EU after the summer break. [Politico Europe]
UK wants companies to take down illegal content that goes viral: The UK's communications watchdog has ordered social media networks to set up protocols to take down illegal content that goes viral. The new protocols are meant to be used during public riots and terrorist attacks. Ofcom expects tech platforms to create dedicated crisis teams and work with law enforcement. [Ofcom]
UK wants tech firms to block child nude photos: Tech companies operating in the UK must introduce device-level software that blocks children from taking, sending, and receiving nude images. The companies have until September to comply with a new rule announced by UK Prime Minister Keir Starmer on Monday. The new protection must be added to all phones and tablets sold in the UK. Tech companies that don't comply could face huge fines and criminal prosecution of their executives. [Keir Starmer speech // The Guardian]
Sponsor section
In this Risky Business sponsor interview, Tom Uren talks to Justin Kohler, Chief Product Officer at SpecterOps, about how attack paths exist in the seams between different identity or permissions management domains.
Arrests, cybercrime, and threat intel
Cyber scam compounds expand to Sri Lanka: Cyber scam syndicates are moving operations to Sri Lanka as crackdowns intensify across Cambodia and Thailand. Sri Lankan authorities have arrested more than 1,000 suspects linked to cyber scams this year, in a huge spike compared to the previous year's numbers. Suspects were operating out of beach resorts and office buildings across the island. A new cybercrime unit has been set up to deal with the rise in cyber scam reports. [Bloomberg]
THE.Hosting group shuts down: Bulletproof hosting provider THE.Hosting Group has shut down all operations after raids on two of its member companies. In a message to customers, the company called the raids "unforeseen and unavoidable force majeure circumstances." Dutch police seized more than 800 servers from the MIRHosting and WorkTitans companies last month. THE.Hosting Group is a rebrand of Stark Industries, a bulletproof hosting provider sanctioned across the world for hosting Russian hacking and disinformation infrastructure. [THE.Hosting]

4BID profile: A pro-Ukrainian hacktivist group named 4BID appears to have broadened attacks from Russia and Belarus to new countries, such as Kazakhstan, the UAE, Syria, and Egypt. Kaspersky says some attacks involved financially-motivated ransomware deployments. Kaspersky says it also found the group's server infrastructure hosting samples of Warp RAT, a malware family typically used by the Goffee APT. [Kaspersky]
Fluffy Wolf profile: An e-crime group tracked as Fluffy Wolf is launching attacks against Russian organizations and deploying the PureRAT and Pay2Key ransomware. [BI.ZONE]
Hades campaign: DevSecOps companies are tracking a Shai-Hulud worm variant called Hades that is hitting PyPI "bioinformatics" libraries. [Socket Security // Step Security]
Miasma code released: The source code of the Miasma worm has been published on GitHub this week. The code reveals that Miasma evolved from the Shai-Hulud worm, but has extra features baked in, making it a more complete credentials theft toolkit. [SafeDep]
Linter blocks supply chain attack: A Python source code formatter and linter blocked an attacker from pushing malicious code to a GitHub project twice after the malicious code did not match the target project's code formatting rules. [Step Security]
Russia sees spike in ransomware attacks: More than 220 Russian organizations have been hit with ransomware this year with the highest ransom demand reaching $3.8 million. [F6]
Reels-based phishing: In a new type of phishing threat, e-crime groups are using TikTok and Instagram video reels to lure users to websites peddling malware-laced software installers. [ReversingLabs]
Malware technical reports
PulseRAT: Security researchers have spotted a new .NET RAT named PulseRAT that uses Google Sheets as a command-and-control channel. [dmpdump]
NFCShare: There are new campaigns spreading the NFCShare banking trojan in Italy, with signs pointing to growing sophistication in the ranks of this novel threat, a trojan specialized in stealing PINs and NFC payment data. [D3Lab]
Grixba Tool: Threat intel analyst Rakesh Krishnan has published a report on Grixba Tool, an in-house developed toolkit by the Play ransomware group for their intrusions. It is used to scan networks, enumerate users, and move laterally across networks to gather and exfil data. [The Raven File]
Sponsor section
In this sponsored Soap Box edition of the show, Patrick Gray and James Wilson talk about red teaming AI systems with Russel Van Tuyl, Vice President of Services at elite penetration testing firm SpecterOps. SpecterOps is the company behind attack path enumeration tool Bloodhound and Bloodhound Enterprise, but they're also a pentest and red teaming shop with world class expertise in popping shells on all sorts of interesting systems in all sorts of interesting places.
APTs, cyber-espionage, and info-ops
WinRAR abuse in Ukraine: Trend Micro looks at how a WinRAR bug tracked as CVE-2025-8088 has been heavily abused in Ukraine for malware delivery by a suspected Russian group tracked as UAC-0226, but also some of the other big players. [Trend Micro]
UNK_DeadDrop campaign: A group of North Korean hackers is behind a massive spam campaign designed to lure developers into running code from malicious GitHub repositories. According to Proofpoint, the campaign has targeted workers at almost 100 organizations in finance, cryptocurrency, education, and technology. There are final malware payloads for all three major operating systems. The tactics are identical to another major North Korean operation known as Contagious Interview, but Proofpoint reports no infrastructure overlaps. [Proofpoint]
"The emails contained links to GitHub repositories masquerading as technical assignments or cryptocurrency-related projects. The instructions encouraged the target to clone the repository and open it in an editor such as VS Code or Cursor. A pre-configured task executes silently when the user opens the repository folder in the IDE, triggering platform-specific loaders that decode embedded payloads on Linux, macOS, and Windows."
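The "pre-configured task" in that description is a VS Code tasks.json entry whose runOptions.runOn is set to "folderOpen", which the editor runs as soon as the cloned folder is opened (Cursor, a VS Code fork, is assumed here to honour the same file). The scanner below is an added example, not Proofpoint's or the newsletter's code: it walks a checkout and reports such tasks before anyone opens it in an IDE; the function names and the sample tasks.json are constructed for illustration.

```python
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def strip_jsonc_comments(text: str) -> str:
    """Drop // and /* */ comments but keep string contents (e.g. URLs) intact.
    tasks.json is JSONC, which json.loads() rejects as-is."""
    out: List[str] = []
    i, n, in_str = 0, len(text), False
    while i < n:
        ch = text[i]
        if in_str:
            out.append(ch)
            if ch == "\\" and i + 1 < n:  # keep the escaped character verbatim
                out.append(text[i + 1])
                i += 1
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            out.append(ch)
        elif text.startswith(("//", "/*"), i):  # comment: skip to its terminator
            term = "\n" if text[i + 1] == "/" else "*/"
            end = text.find(term, i + 2)
            i = n if end == -1 else end + len(term)
            continue
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def auto_run_tasks(tasks_json: str, source: str = "tasks.json") -> List[Dict[str, str]]:
    """Return the tasks in one tasks.json body that run as soon as the folder opens."""
    data = json.loads(strip_jsonc_comments(tasks_json))
    return [
        {"file": source, "label": str(t.get("label", "")),
         "type": str(t.get("type", "")), "command": str(t.get("command", ""))}
        for t in data.get("tasks", [])
        if isinstance(t, dict) and t.get("runOptions", {}).get("runOn") == "folderOpen"
    ]


def scan_checkout(root: Path) -> List[Dict[str, str]]:
    """Walk a cloned repo; report folderOpen tasks and any tasks.json that won't parse."""
    findings: List[Dict[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        if Path(dirpath).name == ".vscode" and "tasks.json" in files:
            path = Path(dirpath) / "tasks.json"
            rel = str(path.relative_to(root))
            try:
                findings += auto_run_tasks(path.read_text(encoding="utf-8"), rel)
            except (OSError, ValueError):  # a mangled tasks.json also deserves a look
                findings.append({"file": rel, "label": "<unparseable>", "type": "", "command": ""})
    return findings


# Constructed sample shaped like the lure: an ordinary build task plus one that
# starts a "setup" script the moment the folder is opened (hypothetical values).
SAMPLE_TASKS_JSON = r'''{ // see https://code.visualstudio.com/docs/editor/tasks
  "version": "2.0.0", "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "Install dependencies", /* looks routine */ "type": "shell",
     "command": "node ./scripts/setup.js", "runOptions": {"runOn": "folderOpen"}}]}'''


def demo() -> List[Dict[str, str]]:
    with tempfile.TemporaryDirectory() as tmp:  # write the sample into a throwaway checkout
        root = Path(tmp)
        (root / ".vscode").mkdir()
        (root / ".vscode" / "tasks.json").write_text(SAMPLE_TASKS_JSON, encoding="utf-8")
        return scan_checkout(root)  # one hit: the "Install dependencies" task
```

Point scan_checkout() at a freshly cloned repository before opening it; any hit is a task the IDE would have run without a prompt.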
Vulnerabilities, security research, and bug bounty
Check Point patches VPN zero-day: Check Point has patched a zero-day vulnerability in its Access VPN and Mobile Access appliances. The company says the zero-day (CVE-2026-50751) was used in attacks against a few dozen organizations. The vulnerability is an authentication bypass on devices where the IKEv1 key exchange protocol was enabled. The earliest observed exploitation was on May 7 and attacks increased this month. In some attacks, the final payload was the Qilin ransomware. [Check Point presser // Check Point support]
New Chrome zero-day: Google has released a security update to patch a Chrome zero-day exploited in the wild. Tracked as CVE-2026-11645, the zero-day is a memory corruption bug in Chrome's V8 JavaScript engine. It is the fifth Chrome zero-day patched this year. [Google Chrome]
RoguePlanet zero-day: The security researcher known as Nightmare Eclipse has dropped another zero day vulnerability in Microsoft Defender. Named RoguePlanet, the zero-day can allow an attacker to elevate privileges to SYSTEM level on devices running the security product. They released the zero-day hours after Microsoft's monthly security patches that included fixes for two other zero-days they published last month. [Nightmare Eclipse]
Ghost-Sender bug abused in the wild: Threat actors are abusing a Microsoft Exchange bug to send spoofed email spam. Exchange Online and Exchange email servers in hybrid configurations are vulnerable. According to Microsoft, exploitation has been taking place since late April. An anti-spoofing patch was rolled out in April but reverted after five days. The issue remains unpatched. [InfoGuard Labs // Ghost-Sender]
Arista bug exploited in the wild: Threat actors are exploiting a bug on Arista switches and routers to intercept traffic. A patch for the bug was released last month. No other details are available about the attacks. [Arista advisory // CISA]
New Langflow bug exploited: And since AI is all the rage these days, a new bug is being exploited in the wild in Langflow AI servers. This one's tracked as CVE-2026-5027 and was patched back in March. [VulnCheck]
Mythos can write exploits in under 1h: Anthropic claims that its Mythos cybersecurity model can now write exploits for newly disclosed bugs in under one hour. In private tests, Mythos was able to craft exploits for both Firefox and Windows bugs. The company's lower-tier Claude Opus and Sonnet models were also able to develop working exploits, but at slower paces. [Anthropic // Axios]
Patch Tuesday: Yesterday was the June 2026 Patch Tuesday. We had security updates from Adobe, Microsoft, Chrome, Opera, AMD, NVIDIA, Cisco, SAP, IBM, HPE, Dell, Fortinet, Ivanti, Supermicro, TP-Link, Zoom, OpenSSL, Schneider Electric, Siemens, Kubernetes, Moodle, and Veeam. Other projects and companies like Android, ChromeOS, Tails, Firefox, HP, Zyxel, Dell, Juniper, ABB, Gogs, SolarWinds, Samsung, Qualcomm, AWS, Apache HTTPD, Apache ActiveMQ, Revive Adserver, Mastodon, Drupal, Arista, and Axis released security updates earlier this month.
Infosec industry
Threat/trend reports: Check Point, CrowdStrike, CyeSec, CyFirma, F6, GuidePoint, Incogni, Kaspersky, Menlo Security, NCTA, and ThreatMon have recently published reports and summaries covering various threats and infosec industry trends.

New tool—Karna: Security firm Sicuranext has built and released Karna, a new open-source WAF engine.
New tool—ACSC guides: Australia's cybersecurity agency has launched a portal on Tuesday with tens of various cybersecurity guides. [h/t Andy Jabbour]
Predatorgate game wins award: A browser game centered around Greece's Predatorgate spyware scandal won an award at the INDIGO gaming conference earlier this month. [OCCRP]
"Predatorgate" has won Floodlight Gaming’s second Investigative Journalism Game Jam. Developed by Izzy Fiacco and Z. Daniel Barnet, the game is based on an investigative report into Predator spyware by Athens-based outlet Inside Story. Read more here: www.occrp.org/en/announcem...
— Organized Crime and Corruption Reporting Project (@occrp.org) June 8, 2026 at 10:22 AM
Risky Business podcasts
In this episode of Risky Business Features, Brad Arkin joins James Wilson to talk about how the fear of being left behind in the AI era means enterprises are taking risks that would have been considered insane just a couple of years ago.