Signal Phishing Campaign Targets Journalists and Activists to Steal Backup Recovery Keys
A targeted phishing campaign is sending text messages that impersonate Signal Support and urgently ask users to paste their 64-character backup recovery key into the chat. Unlike standard account takeovers that only expose future messages, stealing the recovery key gives attackers full access to the victim’s entire encrypted message archive — making journalists, lawyers, and activists who rely on Signal particularly high-value targets. The attack mirrors a suspected Russian phishing campaign that previously compromised German politicians’ Signal accounts, suggesting the technique is spreading across threat actors. Signal has confirmed it will never contact users to request their registration code, PIN, or recovery key.
New Infostealer Reaches Enterprise Devices Through FortiClient EMS Vulnerability
Attackers are actively exploiting CVE-2026-35616, a critical authentication bypass in FortiClient Enterprise Management Server, to push a credential-stealing malware called EKZ Infostealer to managed enterprise endpoints. The attack is particularly insidious because the payload is disguised as a legitimate Fortinet firmware update and delivered through the very VPN scripting workflows that IT admins use to manage their fleets — meaning it appears to arrive from a trusted internal source. EKZ harvests session cookies, saved credentials, and autofill data from a wide range of browsers including Chrome, Edge, Firefox, and Tor, with Arctic Wolf warning that the stolen material is likely being used for follow-on access to cloud services and internal applications.
Carnival Confirms Data Breach Impacting Nearly 6 Million
Carnival Corporation has begun notifying approximately 5,995,277 people that their personal data was copied from its systems in an April breach, adding yet another chapter to the cruise giant’s long history of cyber incidents. The attack was carried out through social engineering: a threat actor deceived an employee into granting account access on April 14, then used it to exfiltrate records from the Mariner Society loyalty program before being blocked. The extortion group ShinyHunters subsequently published the stolen dataset after Carnival declined to engage with ransom demands; the leaked data exposes names, dates of birth, email addresses, genders, and loyalty program details for nearly 5 million unique email addresses.
Botnet of 17 Million Devices Dismantled in the Netherlands
Dutch police and the national cybersecurity agency NCSC seized over 200 servers hosting a massive botnet of at least 17 million infected devices — including computers, tablets, and smartphones — linked to the ASOCKS residential proxy service. Residential proxy botnets are especially dangerous because they make malicious traffic appear to originate from ordinary consumer devices, complicating detection. The operation was triggered by a tip from an independent security researcher and led to a collaborative takedown in which the hosting provider pulled the plug after confirming the infrastructure was being used for criminal operations. ASOCKS had previously been linked to covertly enrolling hundreds of thousands of Android devices via malicious apps distributed through Google Play.
Charter Communications Confirms Data Breach as ShinyHunters Threaten Leak of 42 Million Records
Charter Communications, parent of the Spectrum broadband brand, confirmed a cybersecurity incident after ShinyHunters claimed to have stolen 42 million customer records via a voice phishing attack that compromised a Microsoft Entra employee account. The group set a May 27 deadline for ransom negotiations and ultimately published the data when Charter declined to engage; Have I Been Pwned confirmed the leaked dataset exposed 4.9 million unique email addresses along with names, phone numbers, and physical addresses, with roughly 85,000 internal employee records also included. The breach is part of a broader ShinyHunters campaign that researchers say has now targeted over 1,000 organizations by exploiting Salesforce environments.