CyberScoop
Coverage of CyberScoop in the Nexus archive.
- Google exposes China espionage group that’s been lurking in networks undetected since 2023
Google threat hunters identified UNC6508, a Chinese state-sponsored espionage group active since 2023, which infiltrated government and private organizations in the U.S. and Canada to steal data from sectors including academia, medicine, and military. The group used a custom backdoor called INFINITERED and exploited REDCap servers, remaining undetected for over a year before being discovered in late 2025.
- Election threats are focused on campaign systems, not voting machines
Cybersecurity threats to the 2026 midterm elections are targeting campaign systems such as email accounts, websites, and fundraising platforms rather than voting machines. Attackers are using AI to enhance phishing and password theft, with 82% of malicious attacks arriving via email and over 16,000 stolen passwords reported from ActBlue and WinRed. New election-related websites are being registered for phishing scams, and AI-generated misinformation is a growing concern.
- Meet Rampart and Clarity, Microsoft’s new red team combo AI agents
Microsoft released two new red teaming tools, Rampart and Clarity, to help developers design more secure software and assist incident responders. Rampart continuously tests code for vulnerabilities during development, while Clarity provides real-time security engineering guidance. The tools aim to improve AI-centric security processes in the software development pipeline.
- Google spotted an AI-developed zero-day before attackers could use it
Google researchers discovered an AI-developed zero-day exploit before attackers could use it, alerting the susceptible vendor to patch the vulnerability. The exploit affected a popular open-source administration tool and allowed attackers to bypass two-factor authentication. This is the first time Google found compelling evidence of AI being used to develop zero-day exploits.
- ShinyHunters claims nearly 9,000 schools affected by Canvas data breach
ShinyHunters claims that nearly 9,000 schools have been affected by a data breach involving Canvas. The breach reportedly compromises sensitive information from the affected schools. ShinyHunters is a cybersecurity company that tracks and reports on data breaches.
- A DOD contractor’s API flaw exposed military course data and service member records
A defense technology company exposed user records and military training materials through API endpoints lacking authorization checks. The issue affected Schemata, a virtual training platform used in military settings, and included sensitive information such as user listings and course information. The vulnerability was disclosed by Strix, an open-source security testing project.
- A college student is suing a dating app that allegedly used her TikTok videos to target men in her dormitory
A 19-year-old college student, Kaelyn Lunglhofer, is suing the makers of a dating app, Meete, for allegedly using her TikTok videos without consent to target men in her dormitory. The lawsuit claims that Meete used geotargeting to serve ads on platforms like Snapchat to users near Lunglhofer, including men in her own dormitory. The allegations highlight concerns about modern technology being used to imitate and harass individuals.
- CISA director pick Sean Plankey withdraws his nomination
Sean Plankey withdrew his nomination to lead the Cybersecurity and Infrastructure Security Agency (CISA) after 13 months without Senate confirmation. His request follows the Senate's confirmation of MarkWayne Mullin as DHS secretary and amid ongoing leadership instability at CISA, which faces budget cuts and personnel changes under Trump's administration.
- Network ‘background noise’ may predict the next big edge-device vulnerability
Research by GreyNoise indicates that spikes in network traffic targeting edge devices can predict upcoming vulnerability disclosures, often up to nine days before public alerts. The study found that 50% of detected activity surges led to vendor disclosures within three weeks, highlighting coordinated attacker behavior against security appliances.