SecurityWeek’s weekly cybersecurity news roundup offers a concise overview of important developments that may not receive full standalone coverage but remain relevant to the broader threat landscape.
This curated summary highlights key stories across vulnerability disclosures, emerging attack methods, policy updates, industry reports, and other noteworthy events to help readers maintain a well-rounded awareness of the evolving cybersecurity environment.
Here are this week’s highlights:
Threat actors poison AI chatbot queries to harvest computing power
Microsoft reported that threat actors are exploiting both SEO and AI chatbot recommendations to trick users into downloading fake utilities that impersonate legitimate tools like CrystalDiskInfo and PDFgear. Once an endpoint is compromised, the attackers abuse ConnectWise ScreenConnect to secure persistent remote access and deploy a specialized binary that hollows out trusted Microsoft .NET processes. The hijacked processing power is ultimately used to run cryptocurrency miners specifically engineered to target high-performance GPUs.
Grandoreiro banking trojan attacks
WatchGuard researchers observed a new Grandoreiro malware campaign targeting financial institutions across Portugal and Latin America using DLL side-loading techniques that abuse four legitimate software applications. The malware has been around for a decade and it continues to be active despite law enforcement action.
Self-propagating Go encryptor automates full network compromise
Microsoft Threat Intelligence is tracking Storm-2697, a financially motivated group operating ‘The Gentlemen’ ransomware-as-a-service, which features an aggressive Go-based encryptor obfuscated with Garble. The malware uses password-protected command-line arguments to establish its encryption speed and automatically self-propagates across targeted networks by creating scheduled tasks with SYSTEM privileges. The Gentlemen ransomware was recently also dissected by Halcyon and Huntress.
Let’s Encrypt adopts Merkle trees for post-quantum future
To mitigate the massive bandwidth bloat caused by post-quantum cryptographic algorithms, Let’s Encrypt is adopting Merkle Tree Certificates to secure future web authentication infrastructure. By batching certificates under a single signature rather than authenticating them individually, this new approach significantly shrinks TLS handshake sizes while inherently baking in certificate transparency. The certificate authority plans to launch a staging environment for these optimized post-quantum certificates in late 2026, followed by a full production rollout in 2027.
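As an added illustration (not Let's Encrypt's or any draft's code), the batching idea in miniature: each certificate is hashed into a Merkle tree, the authority signs only the root, and a relying party checks one certificate with a short inclusion path instead of a full per-certificate signature. The function names, the tree layout (last node duplicated on odd levels) and the sample certificate bytes are constructed for this sketch.

```python
import hashlib

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(cert: bytes) -> bytes:
    # Domain-separate leaves from interior nodes (RFC 6962 style prefixes)
    # so a leaf can never be reinterpreted as an interior node.
    return _h(b"\x00" + cert)

def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)

def _pad(level):
    # Constructed layout choice: duplicate the last node on odd-sized levels.
    return level + [level[-1]] if len(level) % 2 == 1 else level

def build_tree(certs):
    """Return all levels: levels[0] are leaf hashes, levels[-1] == [root]."""
    level = [leaf_hash(c) for c in certs]
    levels = [level]
    while len(level) > 1:
        padded = _pad(level)
        level = [node_hash(padded[i], padded[i + 1])
                 for i in range(0, len(padded), 2)]
        levels.append(level)
    return levels

def inclusion_proof(levels, index):
    """Sibling hashes from the leaf at `index` up to (excluding) the root."""
    proof = []
    for level in levels[:-1]:
        proof.append(_pad(level)[index ^ 1])
        index //= 2
    return proof

def verify_inclusion(cert, index, proof, root):
    """Recompute the path; only the root (signed once per batch) is trusted."""
    h = leaf_hash(cert)
    for sibling in proof:
        h = node_hash(h, sibling) if index % 2 == 0 else node_hash(sibling, h)
        index //= 2
    return h == root

# Constructed batch: five stand-in certificates sharing one root.
BATCH = [b"constructed-cert-%d" % i for i in range(5)]
LEVELS = build_tree(BATCH)
ROOT = LEVELS[-1][0]
```

A client holding a trusted root needs only the certificate plus a path of 32-byte hashes that grows logarithmically with the batch size, which is where the handshake savings come from.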
Federal agencies sound alarm on exposed tank gauge systems
CISA, the FBI, the NSA, and other US agencies are warning critical infrastructure operators about threat actors actively exploiting internet-exposed Automatic Tank Gauge (ATG) systems used for remote liquid and fuel monitoring. Attackers are bypassing authentication and leveraging OS command execution to modify configurations, prompting the government to urge facilities to immediately disconnect ATGs from the public internet. Attacks on ATGs at US gas stations were recently linked by officials to Iran.
Palantir technology chief eyed for CISA director role
The Trump administration is reportedly considering Palantir Technologies Chief Technology Officer Shyam Sankar to serve as the next director of CISA. If nominated, the longtime Palantir executive would step into the vacant leadership position as CISA faces significant budget cuts. Tom Parker, a security services lead at IBM, was recently also positioned as a frontrunner for the role.
Malware infection triggers leak of Ultrahuman data
Indian health technology vendor Ultrahuman disclosed a data breach exposing user contact details, transaction history, and wellness metrics for a fraction of its customer base. The threat actor gained unauthorized, read-only access to an internal analytics system by leveraging credentials stolen from a malware-infected employee laptop, though the company confirmed no passwords or payment details were compromised.
Crypto-miner hitches a ride on Hola Browser
Sophos discovered an XMRig crypto-miner binary quietly bundled within a certified version of the Hola Browser installer for Windows. Hola attributed the anomaly to a localized supply chain compromise affecting a small segment of its distribution pipeline, which allowed the unauthorized payload to evade detection.
AI attack mapping exposes rapid rise in autonomous agentic scaffolding
A year-long Anthropic analysis mapping AI-enabled cyber operations against the MITRE ATT&CK framework reveals a sharp increase in threat actors leveraging LLMs for high-risk activities like lateral movement and credential dumping. The AI giant concluded that an attacker’s threat level will soon be dictated by the external agentic scaffolding they build to orchestrate autonomous attack chains.
Malformed IPv6 packet triggers unpatched Comodo firewall crashes
Security researcher Marcus Hutchins released details and a PoC exploit for ComoDoS, a critical vulnerability residing in Comodo Internet Security. The unpatched flaw enables remote attackers to crash targeted Windows endpoints by sending a single malformed TCP/IP packet, effectively bypassing all configured firewall rules. Hutchins said he attempted to responsibly disclose the flaw, but received no response from the vendor. SecurityWeek was unable to contact Comodo for comment.
Related: In Other News: Industrial Router Exploitation, CISA KEV Nomination Form, Gas Station Hacking
Related: In Other News: Big Tech vs Canada Encryption Bill, Cisco’s Free AI Security Spec, Audi App Flaws