⏱️ Read Time: 7 minutes
The Signal: Trust is this week’s running thread. The agency writing the credential hygiene guidance missed a misconfiguration on its own contractor’s GitHub. AI sharing features are being weaponized against the people using them. And when attackers cannot get in remotely, some are now showing up in person. The attack surface is not the obscure corner of your network. It is the thing you already rely on.
Only 26% of vulnerabilities on CISA’s Known Exploited Vulnerabilities list were fully patched in 2025, down from 38% the year before. Median time to address a critical flaw rose to 43 days. Meanwhile, attackers are converting public disclosures into working exploits within hours. Source: Verizon Data Breach Investigations Report 2026
📜 Table of Contents
📌 Big Cyber News - CISA credential leak, Silent Ransom Group’s in-person law firm data theft
🚨 Can’t Miss - Verizon DBIR exploit trends, fake FIFA World Cup websites
🤖 AI in Cyber - LLMShare malware delivery, ChatGPhish summarization abuse
🕵️ Threat Intel - Kali365 phishing-as-a-service, GhostWriter targeting Ukrainian officials
🛠️ Tools & Tactics - Microsoft 365 OAuth app permission lockdown
🧪 Strange Cyber - Kimwolf botmaster arrest after attacking the researcher investigating him
📌 Big Cyber News
🫠 CISA Contractor Exposes U.S. Government Cloud Credentials on Public GitHub
A public GitHub repository tied to CISA contractor Nightwing reportedly exposed credentials for privileged AWS GovCloud accounts and internal CISA systems dating back to November 2025. GitGuardian flagged the leak, lawmakers demanded briefings, and CISA said it was investigating with no confirmed compromise. Still, when the federal cyber defense agency ends up in a “keys left on GitHub” story, the irony does not need much seasoning.
👉️ Key takeaway: Secret scanning, contractor oversight, and credential rotation need to be automatic, not aspirational, especially when the agency involved teaches everyone else this lesson for a living.
🕴️ FBI Warns Silent Ransom Group Is Sending People in Person to Steal Law Firm Data
The FBI warned that Silent Ransom Group, also tracked as Luna Moth and Chatty Spider, is targeting U.S. law firms with phishing, fake IT support calls, and in-person visits to insert storage devices. That is cyber extortion with a lobby badge, which is a fun way to make every receptionist part of the security stack. Law firms are prime targets because they hold client data, litigation strategy, financial records, and enough sensitive material to make extortion crews feel productive.
👉️ Key takeaway: Physical security and cyber defense need to stop acting like separate departments. Verify visitors, train staff on fake IT support, restrict USB use, and treat surprise devices as incidents.
Are you running your business on incomplete numbers?
Most small business owners have financials, but few have financial clarity. There's a real difference between books that are technically up to date and books that actually tell you what's going on in your business right now. When accounting is reactive — updated when there's time, reviewed at tax season — you lose visibility exactly when you need it most. You can't tell which clients are truly profitable. You can't spot a cash flow gap before it becomes a crisis. BELAY's outsourced accounting team changes that.
🚨 Can’t Miss
📊 Verizon DBIR 2026 Says Exploits Have Overtaken Credentials as the Top Breach Entry Point
Verizon’s 2026 DBIR says vulnerability exploitation jumped past credential theft as the leading initial breach vector, with exploit involvement rising from 20% to 31%. Median patch time is still sitting around 43 days, which is not great when attackers are compressing exploit timelines and ransomware is still parked in nearly half of breaches. Translation: the patch backlog is no longer background noise. It is the front door.
👉️ Key takeaway: Vulnerability management needs asset visibility, exploit-based prioritization, and emergency patch paths. “We patch monthly” is starting to sound like “we lock the doors seasonally.”
⚽ FBI Warns of 300-Plus Fake FIFA World Cup Websites Run by Chinese Fraud Gang
The FBI warned that a China-linked fraud operation known as GHOST STADIUM has built hundreds of fake FIFA World Cup websites and thousands of related domains. The sites mimic FIFA login flows, steal accounts, and lock victims out after takeover, because apparently even international soccer needed a credential-harvesting side quest. With the 2026 World Cup hosted across the U.S., Canada, and Mexico, this is consumer fraud at event scale.
👉️ Key takeaway: Fans should avoid ads and unofficial ticket links, use FIFA’s official channels, and enable strong account protections before the scams get louder than the vuvuzelas.
🤖 AI in Cyber
🧟 LLMShare Abuses ChatGPT Share Links to Deliver Infostealer Malware
The LLMShare campaign abuses legitimate ChatGPT share links to host fake outage pages that push users to download malware disguised as a desktop app. The attack uses Google Ads to drive traffic and benefits from the trust of a real OpenAI domain, which is exactly the kind of “looks official” trick security filters hate. Similar abuse has reportedly appeared around other AI-sharing features, because attackers noticed users trust shiny AI URLs now.
👉️ Key takeaway: Treat AI share links like any other web content: inspect the destination, block suspicious download prompts, and do not let trusted domains become trust autopilot.
🎣 ChatGPhish Turns ChatGPT Web Summaries Into a Phishing Surface
Permiso Security showed that crafted web pages can make ChatGPT summaries render attacker-controlled links, images, QR codes, and fake alerts inside the assistant interface. The trick does not require a malicious attachment or email. A user simply asks ChatGPT to summarize a page, and the page’s hidden instructions ride along like a little phishing gremlin in the Markdown.
👉️ Key takeaway: AI summarization tools need to be treated as browsing surfaces. Organizations should train users not to trust links, QR codes, or security prompts just because they appear inside an AI response.

Don’t let bad weather ruin your kids’ favorite day of the year.
Most weather apps tell you the temperature.
WeathrPlan tells you whether it’s actually a good time to go.
Plan smarter with weather insights for theme parks, road trips, and vacations.
🕵️ Threat Intel
🔐 FBI Warns Kali365 Is Selling Microsoft 365 OAuth Theft at Subscription Prices
The FBI warned that Kali365 is a Telegram-sold phishing-as-a-service platform built to steal Microsoft 365 OAuth tokens through device-code abuse. The kit offers AI-generated phishing lures, campaign templates, dashboards, and pricing tiers from $250 to $2,000, because apparently enterprise compromise now has a SaaS pricing page. Once victims authorize the device flow, attackers can access Outlook, Teams, and OneDrive without needing the password or a fresh MFA challenge.
👉️ Key takeaway: Lock down OAuth consent, audit risky app permissions, monitor device-code flows, and treat token theft as credential theft’s sneakier cousin.
🎓 GhostWriter Targets Ukrainian Officials With Fake Training Certificate Phishing
Belarus-linked GhostWriter targeted Ukrainian government officials with phishing emails spoofing Prometheus, a real online learning platform. The campaign used fake training certificate themes and malicious attachments to deliver OysterFresh malware, with later-stage activity linked to Cobalt Strike. Trusted platform impersonation works because it feels normal, useful, and boring, which is exactly the attacker’s preferred emotional range.
👉️ Key takeaway: Training, HR, and certificate-themed lures deserve extra scrutiny, especially in government and high-risk environments where “routine attachment” can become a foothold.
MavSource’s founder invested early in AI names averaging ~63% gains, including Nvidia, Sandisk, Micron, Broadcom & Lam Research. Now he brings the sources & ideas to one daily AI digest.
🛠️ Tools & Tactics
🧰 Kali365 Defense: Audit and Lock Down Microsoft 365 OAuth App Permissions
Kali365’s trick is not magic. It abuses Microsoft’s legitimate OAuth device-code flow, then captures access and refresh tokens after users unknowingly approve attacker-initiated sessions. The practical defense is to audit Entra ID for risky app permissions like Mail.Read and full_access_as_user, restrict user-level app consent, require admin approval for new app registrations, and use Conditional Access to block unfamiliar app authorizations.
👉️ Key takeaway: MFA is not enough when attackers steal OAuth grants. Permission hygiene, consent controls, and token monitoring need to be part of the Microsoft 365 defense playbook.
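One way to act on the audit described above, as an added example (not the newsletter’s or Microsoft’s own tooling) that also covers the device-code flow from the Kali365 item: a short Python script that flags OAuth grants carrying risky delegated scopes and sign-ins that used the device-code protocol. It assumes two JSON exports from Microsoft Graph, the tenant’s oauth2PermissionGrants and sign-in log entries, with the field names shown; the embedded records are constructed samples, not real tenant data.

```python
import json

# Delegated scopes the item calls out (Mail.Read, full_access_as_user) plus
# offline_access, which is what makes the tenant issue a refresh token.
# Scope strings are compared case-insensitively.
RISKY_SCOPES = {"mail.read", "full_access_as_user", "offline_access"}

# Constructed sample of a Graph oauth2PermissionGrants export (not real data).
GRANTS_JSON = """[
 {"id": "g1", "clientId": "sp-crm", "consentType": "AllPrincipals",
  "principalId": null, "scope": "User.Read openid profile"},
 {"id": "g2", "clientId": "sp-unknown-util", "consentType": "Principal",
  "principalId": "user-42", "scope": "Mail.Read offline_access User.Read"},
 {"id": "g3", "clientId": "sp-mail-sync", "consentType": "Principal",
  "principalId": "user-17", "scope": "full_access_as_user"}
]"""

# Constructed sample of sign-in log entries (not real data).
SIGNINS_JSON = """[
 {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office",
  "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.7"},
 {"userPrincipalName": "bob@example.com", "appDisplayName": "Outlook",
  "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.5"}
]"""

def risky_grants(grants_json):
    """Return (grant id, client id, consent type, sorted risky scopes) for each
    grant whose space-separated scope string contains a risky scope."""
    hits = []
    for g in json.loads(grants_json):
        scopes = {s.lower() for s in g.get("scope", "").split()}
        bad = sorted(scopes & RISKY_SCOPES)
        if bad:
            hits.append((g["id"], g["clientId"], g["consentType"], bad))
    return hits

def device_code_signins(signins_json):
    """Return sign-ins that used the device-code flow. Most users never use it,
    so each one is worth a look: the app name and IP should match a device the
    user actually enrolled, not a session someone else started for them."""
    return [s for s in json.loads(signins_json)
            if s.get("authenticationProtocol") == "deviceCode"]

if __name__ == "__main__":
    for hit in risky_grants(GRANTS_JSON):
        print("risky grant:", hit)
    for s in device_code_signins(SIGNINS_JSON):
        print("device-code sign-in:", s["userPrincipalName"], s["ipAddress"])
```

Swap the embedded samples for the real exports (for example from Get-MgOauth2PermissionGrant and the Entra sign-in logs) and feed every hit into the consent review and Conditional Access tuning the item recommends.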
🧪 Strange Cyber
🐺 He Built a Record-Breaking Botnet, Attacked the Researcher Investigating Him, Then Got Arrested
Authorities in the U.S. and Canada charged Jacob Butler, the alleged “Kimwolf” botmaster also known as “Dort,” after investigators tied him to a massive IoT botnet capable of near-30 Tbps DDoS attacks. Krebs reported that Butler allegedly targeted Defense Department address ranges and later attacked the researcher who was publicly identifying him with swatting and DDoS attempts. The technical operation was enormous, but the downfall had a very human flavor: when someone is exposing you, maybe do not keep poking them with more evidence.
👉️ Key takeaway: Operational security is not optional just because the botnet is powerful. Sometimes the fastest way to lose a sophisticated cybercrime operation is to make it personal.
Thanks for reading this week’s edition. Like what you see? Forward it!
Hate everything you see or have other feedback? Reply back to this email!