TL;DR
Russian intelligence phishing now escalates to stealing Signal backup recovery keys, giving attackers access to message history. A Cisco Unified Communications Manager vulnerability is under active in-the-wild exploitation, with an emergency CISA patching deadline. A KDDI breach exposes up to 14.2 million email credentials across six Japanese ISPs.
Executive Summary
- Russian intelligence phishing campaign targeting Signal users has evolved to steal backup recovery keys, enabling account takeover and historical message access.
- Cisco Unified Communications Manager Server vulnerability is being actively exploited; CISA mandated patching deadline for federal agencies.
- Japanese telecommunications operator KDDI disclosed breach affecting one of its email systems used by five other ISPs, exposing up to 14.2 million email login credentials.
- GitHub-hosted malicious repositories can trick AI coding agents into executing invisible malware payloads undetected by security tools.
- New SharkLoader malware family deploys Cobalt Strike in ongoing StrikeShark campaign tracked by Kaspersky.
Top Threats Today
1. Russian Intelligence Escalates Signal Phishing to Backup Key Theft
Severity: High | Affected: Government
The Security Service of Ukraine (SSU) and FBI have confirmed that Russian intelligence services are conducting a long-running phishing campaign targeting messaging accounts of government officials, military personnel, politicians, and activists [1][2]. The campaign has escalated beyond credential theft: operators now coax targets into surrendering their Signal Backup Recovery Keys [2][3]. Once obtained, an attacker can restore the account's backup and read all historical messages without the victim's knowledge [2]. The FBI and CISA have issued an updated warning after initially reporting the campaign in March [2].
Sources: [1] The Hacker News; [2] The Hacker News; [3] BleepingComputer
Recommended Action
- Warn staff: never share Signal backup recovery keys via email or messaging, even in response to apparent support requests
- Enforce mandatory Signal PIN setup to prevent account recovery without additional authentication
- Review Signal account settings and enable security notifications for unusual access
- Educate users on phishing red flags: domain spoofing, urgency language, and requests for recovery materials
2. Cisco Unified Communications Vulnerability Actively Exploited
Severity: High | Affected: Government
A vulnerability in Cisco Unified Communications Manager Server is being actively exploited in the wild [1]. CISA has set an urgent deadline requiring federal agencies to patch the flaw by Sunday [1]. No patch status or CVE details are specified in available reports.
Sources: [1] BleepingComputer
Recommended Action
- Prioritize patching of Cisco Unified Communications Manager Server across all federal and critical infrastructure networks
- Check Cisco security advisories for the specific vulnerability identifier and available patches
- Monitor network logs for exploitation attempts targeting Unified Communications infrastructure
- Isolate or segment Unified Communications systems from untrusted networks until patched
3. KDDI Email Breach Exposes 14.2 Million Credentials Across Japanese ISP Ecosystem
Severity: High | Affected: Telecom
Japanese telecommunications operator KDDI Corporation disclosed a data breach in which threat actors gained access to one of its email systems used by five other internet service providers (ISPs) in Japan [1]. The breach exposed login credentials for up to 14.2 million email accounts [1]. The shared email infrastructure amplifies the attack surface, as a single compromised system cascades across multiple ISP customer bases.
Sources: [1] BleepingComputer
Recommended Action
- Monitor for credential stuffing attacks that reuse the exposed email/password pairs against enterprise systems
- Issue breach notification to customers and recommend password resets for affected ISP accounts
- Implement passwordless authentication or mandatory MFA for critical email accounts
- Audit email system access logs for unauthorized activity during the breach window
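One way to act on the monitoring and log-audit recommendations above, as an added example that is not part of this advisory: a small Python detector over constructed authentication log lines that flags a source IP cycling through many distinct usernames within a short window, and lists which accounts on the breached ISP domains (placeholder domains here) logged in successfully from that IP. The log format, domain names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log, "<ISO timestamp> <result> <username> <source_ip>":
# one source cycles through six accounts in seconds; a second source is one
# user mistyping once and then logging in normally.
SAMPLE_LOG = """\
2024-01-01T10:00:01 FAIL alice@isp-a.example 203.0.113.5
2024-01-01T10:00:02 FAIL bob@isp-b.example 203.0.113.5
2024-01-01T10:00:03 FAIL carol@isp-a.example 203.0.113.5
2024-01-01T10:00:04 SUCCESS dave@isp-b.example 203.0.113.5
2024-01-01T10:00:05 FAIL erin@isp-a.example 203.0.113.5
2024-01-01T10:00:06 FAIL frank@corp.example 203.0.113.5
2024-01-01T10:05:00 FAIL alice@isp-a.example 198.51.100.9
2024-01-01T10:05:30 SUCCESS alice@isp-a.example 198.51.100.9
"""

# Placeholder mail domains standing in for the affected ISPs (constructed).
BREACHED_DOMAINS = {"isp-a.example", "isp-b.example"}

def parse_line(line):
    ts, result, user, ip = line.split()
    return datetime.fromisoformat(ts), result == "SUCCESS", user.lower(), ip

def find_stuffing(log_text, window=timedelta(minutes=5), min_users=5):
    """Map source IP -> alert for IPs that tried >= min_users distinct usernames
    inside any `window`; the alert also lists accounts on a breached domain that
    logged in successfully from that IP (account-takeover candidates)."""
    by_ip = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ok, user, ip = parse_line(line)
        by_ip[ip].append((ts, ok, user))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        best, start = None, 0
        for end in range(len(events)):  # sliding time window over sorted events
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {u for _, _, u in span}
            if len(users) >= min_users and (best is None or len(users) > best["distinct_users"]):
                hits = {u for _, ok, u in span if ok and u.split("@")[1] in BREACHED_DOMAINS}
                best = {"distinct_users": len(users), "breached_domain_successes": hits}
        if best:
            alerts[ip] = best
    return alerts
```

Successful logins listed under `breached_domain_successes` are the accounts to prioritise for forced password resets and session revocation.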
4. AI Coding Agents Tricked Into Running Invisible Malware via GitHub
Severity: Medium | Affected: Technology
An agentic coding tool tasked with cloning and setting up a seemingly benign GitHub repository could execute a malicious payload that remains invisible to security scanners, AI agents, and human code reviewers [1]. The attack exploits the automated workflow of AI-driven development tools that clone, configure, and run untrusted repositories without sufficient isolation.
Sources: [1] BleepingComputer
Recommended Action
- Restrict AI coding agents to sandboxed or containerized environments with minimal system privileges
- Require manual review and approval of any repository setup steps before execution
- Monitor for suspicious post-clone or post-install activity from development tools
- Maintain a whitelist of approved GitHub repositories for automated agent use
5. SharkLoader Malware Delivers Cobalt Strike in StrikeShark Campaign
Severity: Medium | Affected: Technology
A newly discovered malware family called SharkLoader has been observed delivering Cobalt Strike Beacon payloads in a campaign tracked by Kaspersky under the moniker StrikeShark [1]. SharkLoader functions as a loader, enabling attackers to deploy the widely used post-exploitation framework on compromised hosts [1].
Sources: [1] The Hacker News
Recommended Action
- Hunt for SharkLoader and Cobalt Strike indicators of compromise (IOCs) in network telemetry
- Block known command-and-control (C2) infrastructure used by the StrikeShark campaign
- Strengthen email filtering to prevent initial delivery vectors for the loader
- Review Kaspersky threat intelligence for campaign-specific IOCs and TTPs
Today's Action Checklist
- ☐ URGENT: Verify patching of Cisco Unified Communications Manager before CISA federal deadline (Sunday)
- ☐ URGENT: Alert users to Signal phishing escalation; block suspicious domains impersonating Signal support
- ☐ Credential rotation for any users with KDDI ISP email accounts; monitor for account takeovers
- ☐ Review GitHub repository usage in AI/agentic development workflows; enforce sandboxing
- ☐ Update endpoint detection rules to identify SharkLoader and Cobalt Strike C2 beaconing