By the N2K CyberWire staff
Top stories.
- Law enforcement and industry disrupt criminal infrastructure.
- Researchers blame Iranian government for LA transit authority hack.
- Extortion group sends individuals to infiltrate organizations in person.
- Thousands of domains are impersonating FIFA ahead of the World Cup.
- Anthropic says Mythos has found over 23,000 flaws in open-source software.
Law enforcement and industry disrupt criminal infrastructure.
Dutch authorities have dismantled a botnet composed of 17 million infected devices, the Register reports. The Netherlands' National Cyber Security Centre stated, "The investigation revealed that the botnet consisted of at least 17 million infected devices and that the 200 servers used to host the infrastructure were located in the Netherlands. The police then seized multiple botnet servers from a hosting provider for investigation. The botnet was taken offline by the provider because it was being used for criminal purposes." The police didn't name the botnet, but BleepingComputer cites local media reports as saying it was tied to the Asocks residential proxy service.
Separately, Dutch police arrested two men who allegedly ran bulletproof hosting services that were widely used by Russian threat actors, SecurityWeek reports. The suspects, a 57-year-old from Amsterdam and a 39-year-old from The Hague, owned web hosting companies that were sanctioned by the European Union for facilitating Russian cyberattacks against EU countries. The police searched three businesses in Enschede and Almere and two data centers in Dronten and Schiphol-Rijk, seizing over 800 servers.
Finally, CrowdStrike, working with Google and the Shadowserver Foundation, dismantled the Glassworm botnet, which has been targeting software developers since early 2025. The security firms severed all four of the botnet's command-and-control channels, cutting off the operators from the infected machines.
AI Security Brief: Intelligence for the AI-driven threat landscape.
AI Security Brief from TrendAI explores how AI is reshaping cybersecurity, from emerging attack techniques to zero-day research and real-world adversary activity. Join hosts Johnny Hand and Dustin Childs as they sit down with security leaders, practitioners, researchers, and policy experts to discuss the AI trends, risks, and decisions organizations cannot afford to ignore. Listen to AI Security Brief to get ahead of the threats and governance challenges shaping the future of security.
Researchers blame Iranian government for LA transit authority hack.
Iranian government hackers were likely behind a March cyberattack that disrupted parts of the Los Angeles County Metropolitan Transportation Authority (LACMTA), SecurityWeek reports. The attack was claimed by a threat actor dubbed "Ababil of Minab," which purports to be an independent, pro-Iranian hacktivist group. Israeli cybersecurity firm Gambit Security published a report this week, however, tying the threat actor to Iran's Ministry of Intelligence and Security (MOIS). The researchers also blame this group for data-wiping attacks against the South Florida Regional Transportation Authority, Maryland-based connected-vehicle software company Agnik, and a Saudi Arabian construction company focused on critical infrastructure.
Gambit says Ababil of Minab used command-and-control infrastructure that was previously observed in attacks by Black Shadow, a threat actor attributed by Israel's National Cyber Directorate to Iran's MOIS.
Targeting identity in modern networks.
In modern hybrid networks, our identities are foundational. Dave Bittner sat down with Justin Kohler, CPO at SpecterOps, to discuss how threat actors are pivoting their attack patterns to exploit the foundations of today’s environments. By targeting and exploiting identity pathways, attackers can swiftly move around a network to reach their true target. Listen to the conversation to learn how attackers are exploiting the foundations of modern network design.
Extortion group sends individuals to infiltrate organizations in person.
The US FBI warns that the Silent Ransom Group (SRG) is targeting law firms with phone calls and phishing emails that impersonate IT support. The threat actor uses social engineering to trick users into installing legitimate remote access tools, or sends "an individual in-person to the victim company’s location to gain physical access to computers." Once inside, the attackers exfiltrate data to hold for ransom.
The Bureau explains, "SRG actors either directly call or send phishing emails to urge employees to call the SRG actor posing as IT support. While on the phone, the SRG actor directs the employee to grant access to a remote desktop session. If that attempt fails, SRG sends a threat actor to the victim’s location to gain access to insert a storage device into the victim’s computer. In this scheme, the threat actor tells the victim they need to image the device or create a backup file to address potential impacts from the phishing email."
Space-cyber insights, delivered right to your inbox
In the weekly Signals and Space newsletter, T-Minus host Maria Varmazis and producer Ethan Cook connect the dots between terrestrial infrastructure and the ever-expanding attack surface in space.
Each week, the newsletter helps security professionals better understand how to defend tech's newest battleground with:
- The week’s space-cyber headlines
- A direct link to listen to the week’s conversation or interview on the T-Minus: Space-Cyber Briefing podcast
- Accompanying insights and resources to help cyber professionals go deep in the space domain
Thousands of domains are impersonating FIFA ahead of the World Cup.
Group-IB has identified more than 4,300 malicious domains impersonating FIFA's online presence ahead of the World Cup next month, the Record reports. The researchers are tracking six distinct fraud campaigns run by four separate threat actors, involving "credential phishing, fake ticket sales, counterfeit merchandise storefronts, fake streaming platforms, fraudulent betting and casino sites, and infostealer-driven credential theft."
One of the campaigns tracked by Group-IB is run by a Chinese-speaking threat actor dubbed "GHOST STADIUM" that's using at least 300 identical clones of FIFA's website to steal credentials and payment details. The researchers state, "GHOST STADIUM has built a pixel-perfect clone of the official FIFA website, complete with a replicated single sign-on (SSO) authentication flow, and multi-language support in 11 languages. A conservative estimate based on the campaign’s observable infrastructure places the potential financial losses from premium ticket fraud alone (account for ~25% of 300+ phishing domains) at between $71 million and $474 million — and the total campaign losses across all tiers could reach into the billions."
Anthropic says Mythos has found over 23,000 flaws in open-source software.
Anthropic has provided an update on Project Glasswing, an initiative through which around fifty organizations were granted early access to Anthropic's cybersecurity-focused Claude Mythos model. The company says Mythos has identified more than 23,000 potential vulnerabilities in open-source software, over 1,500 of which have been confirmed to be high- or critical-severity. Anthropic has disclosed 530 of these vulnerabilities to maintainers, and is working to disclose the rest. So far, 75 of the disclosed bugs have been patched.
Anthropic also confirmed that the company plans to release "Mythos-class models to all our customers in the coming weeks."