Top stories.
- Chinese threat actor exploits maximum-severity Dell zero-day.
- A 365 Copilot bug may summarize confidential emails.
- Malware campaign targets Iranian protesters and dissidents.
- Spanish court orders NordVPN and ProtonVPN to block illegal football streamers.
Chinese threat actor exploits maximum-severity Dell zero-day.
A suspected Chinese APT has been exploiting a maximum-severity zero-day in Dell RecoverPoint for Virtual Machines since at least mid-2024, according to researchers at Mandiant and the Google Threat Intelligence Group. The vulnerability (CVE-2026-22769) is a hardcoded credential flaw that can allow an unauthenticated remote attacker to gain "unauthorized access to the underlying operating system and root-level persistence." The PRC-nexus threat actor tracked by Google as "UNC6201" has used the flaw to move laterally, maintain persistence, and deploy malware.
Dell released remediation guidance for the flaw yesterday, and Google has outlined steps to help incident responders determine if an organization has been compromised.
A 365 Copilot bug may summarize confidential emails.
Microsoft has issued a service alert warning that a bug has been causing Microsoft 365 Copilot to summarize emails labeled as "confidential," bypassing organizations' data loss prevention rules, BleepingComputer reports. Microsoft said, "The Microsoft 365 Copilot 'work tab' Chat is summarizing email messages even though these email messages have a sensitivity label applied and a DLP policy is configured." The company rolled out a fix earlier this month, and is working with affected users to ensure that the fix is working.
Malware campaign targets Iranian protesters and dissidents.
Acronis has published a report on a new malware campaign dubbed "CRESCENTHARVEST" that appears to be targeting supporters of the ongoing protests in Iran. The malware is distributed via malicious .LNK files posing as protest-related images or videos, bundled with a Farsi-language report providing news about the protests.
Acronis notes, "While the attacker remains unidentified, analysis of methodology, code, and C2 infrastructure points to an Iranian-aligned threat group. Amid ongoing political turmoil, this campaign appears specifically crafted to target Farsi-speaking Iranians sympathetic to the protests, though activists, journalists, and others seeking reliable information from within Iran may also be at risk."
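The delivery method above (shortcut files dressed up as images or videos) is one that responders can triage mechanically. The following Python script is an added example written for this digest; it is not code from Acronis or from the campaign report. It parses the fixed ShellLinkHeader and the StringData section of a Windows .LNK file (per the MS-SHLLINK layout: a 76-byte header, optional LinkTargetIDList and LinkInfo blocks, then up to five length-prefixed strings), and flags the traits that make a lure stand out: a media-style double extension in the file name, a target that is a command or script host, a window set to open minimized and unfocused, and an icon borrowed from a different file. The two sample shortcuts, the file names, and the flagged-host list are constructed for the example; no real indicator from the report is reproduced.

```python
"""Triage helper for suspicious Windows shortcut (.LNK) files.

Added example for this digest, not Acronis or campaign code. Sample inputs
below are constructed in memory so the script runs offline.
"""
import struct
from typing import Dict, List, Tuple

# ShellLinkHeader constants (MS-SHLLINK). The CLSID is the fixed shell-link identifier
# 00021401-0000-0000-C000-000000000046 in its on-disk little-endian byte order.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # shortcut opens minimized without taking focus

# StringData fields appear in this fixed order when their LinkFlags bit is set
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION)]

# Assumed triage lists for the example (extend to taste)
MEDIA_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".mp4", ".mov", ".avi")
COMMAND_HOSTS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                 "mshta.exe", "rundll32.exe")


def parse_lnk(data: bytes) -> Dict[str, object]:
    """Return ShowCommand and the StringData fields of a shell link."""
    if len(data) < 76 or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Windows shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_cmd = struct.unpack_from("<I", data, 60)[0]
    off = 76
    if flags & HAS_ID_LIST:            # LinkTargetIDList: uint16 size, then that many bytes
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:          # LinkInfo: uint32 size that includes itself
        off += struct.unpack_from("<I", data, off)[0]
    info: Dict[str, object] = {"show_command": show_cmd}
    for key, bit in STRING_FIELDS:
        if not flags & bit:
            info[key] = ""
            continue
        count = struct.unpack_from("<H", data, off)[0]   # character count, not byte count
        off += 2
        if flags & IS_UNICODE:
            info[key] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            info[key] = data[off:off + count].decode("cp1252", errors="replace")
            off += count
    return info


def _basename(path: object) -> str:
    return str(path).replace("/", "\\").split("\\")[-1].lower()


def triage_lnk(filename: str, data: bytes) -> Tuple[Dict[str, object], List[str]]:
    """Parse a shortcut and list the reasons it looks like a lure (empty list = nothing odd)."""
    info = parse_lnk(data)
    reasons: List[str] = []
    name = filename.lower()
    if name.endswith(".lnk") and name[:-4].endswith(MEDIA_EXTS):
        reasons.append("media-style double extension hides the .lnk suffix")
    target = _basename(info["relative_path"])
    if target in COMMAND_HOSTS:
        reasons.append(f"target is a command/script host ({target})")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window opens minimized and unfocused (SW_SHOWMINNOACTIVE)")
    icon = _basename(info["icon_location"])
    if icon and target and icon != target:
        reasons.append(f"icon borrowed from another file ({icon})")
    return info, reasons


def _string_data(s: str) -> bytes:
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def build_sample_lnk(relative_path: str, arguments: str, icon: str, show_cmd: int) -> bytes:
    """Constructed minimal shell link: header plus Unicode StringData, no IDList or LinkInfo."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, show_cmd, 0, 0, 0, 0)
    return header + _string_data(relative_path) + _string_data(arguments) + _string_data(icon)


# Constructed samples: a lure-shaped shortcut and an ordinary one
LURE = build_sample_lnk(r"..\..\..\Windows\System32\cmd.exe", "/c echo constructed-sample",
                        r"%SystemRoot%\System32\imageres.dll", SW_SHOWMINNOACTIVE)
BENIGN = build_sample_lnk(r"..\..\Windows\notepad.exe", "", "", 1)  # 1 = SW_SHOWNORMAL

if __name__ == "__main__":
    for fname, blob in (("protest_photo.jpg.lnk", LURE), ("notes.lnk", BENIGN)):
        info, reasons = triage_lnk(fname, blob)
        print(fname, "->", info["relative_path"], info["arguments"])
        for r in reasons:
            print("   flag:", r)
```

The parser deliberately stops at StringData; real samples may also carry ExtraData blocks (for example the tracker block with a machine NetBIOS name) that are worth extracting during an investigation, and a shortcut whose target lives only in the LinkTargetIDList will show an empty relative path here, so treat an empty target as "inspect further" rather than "clean".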
Spanish court orders NordVPN and ProtonVPN to block illegal football streamers.
A Spanish court has ordered Proton VPN and NordVPN to block sixteen websites accused of illegally streaming football (soccer) matches, Tom's Guide reports. The ruling requires the VPN companies to immediately block certain IP addresses that are confirmed to be broadcasting illegal streams.
The orders, requested by the Spanish football league LaLiga and its broadcaster Telefónica, were issued without a hearing for the VPN providers and allow no opportunity for appeal. Proton VPN and NordVPN say they were not notified of the proceedings and have questioned the lack of due process. NordVPN also criticized the method of blocking domains, telling Tom's Guide that this is "ultimately ineffective in combating piracy."