FBI Warns North Korean Kimsuky APT Targets U.S. Organizations with QR Code Phishing Campaign
The Federal Bureau of Investigation issued a flash alert warning that North Korean state-sponsored threat group Kimsuky is using malicious QR codes embedded in spear-phishing emails to target U.S. think tanks, academic institutions, and government entities focused on North Korea policy and research. The “quishing” technique relies on victims scanning the QR codes with mobile devices, which sidesteps traditional email security controls and routes the victim through attacker-controlled infrastructure that fingerprints the device before serving credential harvesting pages impersonating Microsoft 365, Okta, and VPN portals. The FBI observed multiple attacks in May and June 2025 in which Kimsuky spoofed foreign advisors, embassy employees, and think tank staff to deliver QR codes leading to fake login pages; successful exploitation frequently ended in session token theft that bypasses multi-factor authentication.
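The failure mode in this item is a stolen session token being replayed after the victim has already satisfied MFA. One defender-side check that catches this is to correlate sign-in telemetry per session and flag a token being used from a different network than the one where the MFA step completed. The following is an added example written for this digest, not FBI or vendor code; the JSON-lines log format, field names (`session_id`, `asn`, `event`) and the one-hour correlation window are assumptions, and the log lines are constructed.

```python
"""Flag sessions whose token is used from a different ASN than the one where MFA completed.

Added example for the Kimsuky item above. The log schema below is an assumption
chosen for illustration; map it onto your identity provider's sign-in export.
"""
import json
from datetime import datetime

# Constructed sample sign-in events (JSON lines). Not real telemetry.
SAMPLE_LOG = """\
{"ts": "2025-06-03T09:12:01Z", "user": "analyst@example.org", "session_id": "s-1001", "event": "mfa_success", "ip": "203.0.113.10", "asn": "AS64496"}
{"ts": "2025-06-03T09:12:20Z", "user": "analyst@example.org", "session_id": "s-1001", "event": "token_use", "ip": "203.0.113.10", "asn": "AS64496"}
{"ts": "2025-06-03T09:15:44Z", "user": "analyst@example.org", "session_id": "s-1001", "event": "token_use", "ip": "198.51.100.77", "asn": "AS64500"}
{"ts": "2025-06-03T10:01:05Z", "user": "fellow@example.org", "session_id": "s-1002", "event": "mfa_success", "ip": "192.0.2.5", "asn": "AS64501"}
{"ts": "2025-06-03T10:30:00Z", "user": "fellow@example.org", "session_id": "s-1002", "event": "token_use", "ip": "192.0.2.5", "asn": "AS64501"}
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_events(text):
    """Parse JSON lines into event dicts with a datetime 'ts' field, ordered by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def find_hijacked_sessions(events, window_minutes=60):
    """Return one finding per token_use that occurs from a different ASN than the
    session's MFA completion, within window_minutes of that MFA event.

    The ASN comparison is a heuristic (assumption): legitimate users do roam, so
    treat findings as triage leads, not verdicts.
    """
    mfa_origin = {}  # session_id -> (ts, asn) of the MFA completion
    findings = []
    for rec in events:
        sid = rec["session_id"]
        if rec["event"] == "mfa_success":
            mfa_origin[sid] = (rec["ts"], rec["asn"])
            continue
        if rec["event"] != "token_use" or sid not in mfa_origin:
            continue
        mfa_ts, mfa_asn = mfa_origin[sid]
        elapsed = (rec["ts"] - mfa_ts).total_seconds()
        if rec["asn"] != mfa_asn and 0 <= elapsed <= window_minutes * 60:
            findings.append({
                "session_id": sid,
                "user": rec["user"],
                "from_asn": mfa_asn,
                "to_asn": rec["asn"],
                "to_ip": rec["ip"],
                "seconds_after_mfa": int(elapsed),
            })
    return findings


if __name__ == "__main__":
    for f in find_hijacked_sessions(parse_events(SAMPLE_LOG)):
        print(f"session {f['session_id']} ({f['user']}): MFA from {f['from_asn']}, "
              f"token used from {f['to_asn']} ({f['to_ip']}) {f['seconds_after_mfa']}s later")
```

In the constructed sample, session s-1001 completes MFA from AS64496 and is then used from AS64500 less than four minutes later, which is the pattern an adversary-in-the-middle token theft produces; session s-1002 stays on one network and is not flagged. In production the same correlation is more robust keyed on a token or refresh-token identifier rather than a session id, and paired with a conditional-access policy that binds tokens to the device that completed MFA.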
Iranian MuddyWater APT Deploys RustyWater Rust-Based Implant in Middle East Espionage Campaign
CloudSEK’s TRIAD threat intelligence team identified a sophisticated spear-phishing campaign by the Iran-affiliated MuddyWater APT group targeting diplomatic, maritime, financial, and telecom entities across the Middle East with a newly developed Rust-based implant codenamed RustyWater. The malware represents a significant tactical evolution from MuddyWater’s traditional PowerShell and VBScript tooling, featuring asynchronous command-and-control capabilities, anti-debugging mechanisms, detection of over 25 antivirus and EDR products, registry-based persistence, and multi-layered encryption of command and control traffic. The campaign uses weaponized Word documents with icon spoofing and malicious macros that decode and execute the Rust implant, which then establishes contact with command-and-control infrastructure at nomercys.it[.]com to enable file operations and remote command execution while maintaining low operational noise.
Cisco Patches Critical Snort 3 Vulnerabilities Enabling Data Leakage and Denial of Service
Cisco disclosed two medium-severity vulnerabilities in the Snort 3 detection engine affecting multiple enterprise security products, including Secure Firewall Threat Defense, IOS XE with Unified Threat Defense, and Meraki MX series appliances. CVE-2026-20026 (CVSS 5.8) is a use-after-free condition in buffer processing that allows unauthenticated remote attackers to trigger unexpected engine restarts and denial of service, while CVE-2026-20027 (CVSS 5.3) is an out-of-bounds read that enables extraction of sensitive information from the Snort 3 data stream. Both flaws stem from improper handling of Distributed Computing Environment Remote Procedure Call requests. Cisco confirmed no active exploitation at the time of disclosure, but emphasized that the lack of available workarounds makes immediate patching essential, particularly for FTD deployments on version 7.0.0 and later, which run Snort 3 by default.
IDHS Data Breach Impacts Nearly 700,000 Individuals
The Illinois Department of Human Services disclosed a data breach affecting approximately 700,000 individuals, marking another significant compromise of government systems containing sensitive citizen information. Details regarding the nature of the breach, the type of data compromised, and the timeline of the incident remain limited as investigations continue, though the scale of the breach underscores persistent targeting of state agencies and ongoing challenges in securing personal data at scale.
CISA Retires 10 Emergency Directives Issued Between 2019 and 2024
The U.S. Cybersecurity and Infrastructure Security Agency announced it is retiring 10 emergency directives issued between 2019 and 2024, including ED 21-01 addressing the SolarWinds Orion compromise, ED 21-02 for Microsoft Exchange on-premises vulnerabilities, and ED 24-02 mitigating nation-state compromise of Microsoft corporate email systems. The retired directives also cover DNS infrastructure tampering (ED 19-01), Windows vulnerabilities from multiple Patch Tuesdays, Netlogon elevation of privilege, Pulse Connect Secure vulnerabilities, Windows Print Spooler issues, and VMware vulnerabilities. CISA’s decision reflects completion of the remediation efforts and an evolved threat landscape that requires updated guidance.