Risky Bulletin Newsletter
June 05, 2026
Risky Bulletin: The EU debuts digital sovereignty plan
Written by
News Editor
This newsletter is brought to you by Truffle Security, the makers of Trufflehog. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business" in your podcatcher or subscribing via this RSS feed. You can also add the Risky Business newsletter as a Preferred Source to your Google search results by going here.
The European Commission unveiled on Wednesday a plan to decouple from American companies and boost the bloc's tech sovereignty.
The plan would boost chip production, triple data center capacity, and fund open-source projects as alternatives to US-dominated software.
The proposals cut the typical EU red tape around developing new infrastructure, such as data centers, and provide generous funding for homegrown solutions.
The EU's language doesn't hint at a future ban of American companies but instead focuses on helping local alternatives grow and compete. Regardless, the Americans are p***ed anyway.
According to the @ec.europa.eu Tech Sovereignty package, the EU is currently reliant on foreign providers for over 80% of its critical digital products, services, and infrastructure. We're thrilled to see this acknowledged as an issue, and to see the strategy to fix it. ec.europa.eu/commission/p...
— Hannah Aubry (@haubl.es) June 3, 2026 at 6:33 PM
[image or embed]
At its core, the EU digital sovereignty plan includes four main pieces:
- The EU Chips Act 2.0, a collection of measures to boost chip production in the EU (see this summary).
- The EU Cloud and AI Development Act, a collection of measures designed to incentivize the building of new cloud and AI data centers. This also requires EU members to perform a sovereignty risk assessment for every cloud service they use, which means many non-EU providers would be ruled out of future contracts, which has already p***ed off the American cloud lobby group.
- An Open Source Strategy to provide long-term funding to open-source developers so they can build complex solutions to replace most of the EU's foreign (mostly US) tech. This also includes funding for startups that build or are adjacent to the FOSS ecosystem. On top of that, the EU's open-source strategy would also require member states to develop strategies to slowly move their public services and critical infrastructure to these native open-source solutions as they become available.
- An AI Continent Action Plan, a set of broad actions to help the EU catch up with the US and China on AI development and infrastructure, as well as push the new technology into its services.
For the cybersecurity industry, the third item in that list is where they should be focusing. The EU cybersecurity market has been dominated by American companies to the point where it's hard to name more than ten EU cybersecurity companies without pausing to think really hard about it. Bitdefender, Sophos, NCC Group, WithSecure, ESET, and all of a sudden you're going "aaaaa."
The European Commission has specifically named cybersecurity as a domain where it would be interested in sponsoring open-source projects.
Startups and established companies have an opportunity to apply for funding, and use a dual-licensing scheme to develop products centered around an open-sourced core, which they could also provide as a hosted commercial alternative (see Prowler as the best example of this business model).
If done correctly, this could be a boon for the local EU cybersecurity market. However, the EU's tech sovereignty plan is at the stage of a proposal, so negotiations between member states and lobby groups are expected to change some of its components.
EU member states are spending €264 billion every year on American tech. The EU didn't seem to care about all this money going across the pond when previous US administrations didn't threaten to invade parts of the EU, but the bloc's leadership appears to have understood that the US is not their friend and it may need to take measures to protect itself in the case of an armed conflict.
"We cannot afford to depend on others for the technologies that keep our hospitals running, our energy grids stable and our services secure. This is about protecting our citizens, defending our interests and making our own choices. Europe has the talent, the research excellence, the industrial base and the Single Market. Together, we must turn these strengths into technological sovereignty," said Commission President, Ursula von der Leyen.
Risky Business Podcasts
The main Risky Business podcast is now on YouTube with video versions of our recent episodes. Below is our latest weekly show with Pat, Adam, and James at the helm!
Breaches, hacks, and security incidents
US law firm pays $20m ransom: A major American law firm has paid hackers an estimated $20 million to avoid the release of confidential data. Weil Gotshal & Manges says customer data was stolen from an external cloud storage site this year by a group known as the Silent Ransom Group. The FBI sent out a private industry alert last year warning that the group was specifically targeting US law firms in extortion campaigns. Weil Gotshal & Manges reported revenue of more than $2 billion last year. [Legal Cheek // The Insurer ($)]
NFSP ransomware attack: The UK's National Federation of SubPostmasters has been hit by a ransomware attack. The NFSP is a trade association for subpostmasters, self-employed individuals who run postal branches for the main UK Post Office. [ComputerWeekly]
Camilla breach: Australian luxury lifestyle brand Camilla suffered a security breach in April. Only its Australian operations were impacted. [WWD]
TVING breach: South Korean video streaming service TVING has disclosed a data breach after a hacker accessed customer data stored on an unsecured database and then leaked it online. [TVING // Star News Korea] [h/t Cha Minseok]
Station Casinos breach: Station Casinos, a major hotel and casino chain in Nevada, has disclosed a security breach of its back-office network. [8NewsNow]
Ultrahuman breach: Hackers have stolen user data from smart wearable company Ultrahuman in a hack in March. The company says no passwords or financial data was compromised. It notified affected users this week. Ultrahuman sells smart rings and metabolic health-tracking devices. [Ultrahuman]
CBSE DDoS attack: Hackers have allegedly launched DDoS attacks against a new Indian student platform hours after its launch on Tuesday. The attack hit CBSE, an online portal to allow students to request a re-evaluation of certain exams. Several students also reported breaking into the platform using basic vulnerabilities. The site also launched four days after the intended release day last week. [India Today]
Hola Browser supply chain incident: Hackers have compromised the update infrastructure of the Hola Browser to deploy a crypto-mining component along with the normal browser updates. The incident was discovered by security firm Sophos during a scheduled third-party certification procedure. The Hola Browser team said the malicious update only reached 0.1% of its users. [Sophos]
General tech and privacy
Link-Busters goes crazy: Dutch copyright protection company Link-Busters is the most active DMCA sender to Google, with an insane 70 million takedown requests sent every week, and a whopping 6.5 billion total requests. [TorrentFreak]
Meta pauses employee surveillance tech: Meta has paused parts of a program supposed to track employee mouse movements, clicks, and keystrokes. The company will allow employees to pause the tracking for up to 30 minutes or get full exemptions. Data gathered from employees was supposed to be used to train the company's AI models. According to reports, staff complained about high internet and battery consumption while the tracking was active. [Reuters]
Microsoft launches Scout: Microsoft has announced Scout, an always-on enterprise AI agent built on top of OpenClaw. The agent is already integrated in Microsoft 365 apps. The launch weeks after the company's own executives admitted almost no one was using its previous Copilot AI on Windows. [Microsoft]
Kaspersky is developing a smartphone: Russian cybersecurity giant Kaspersky is allegedly developing a secure smartphone. The device will run an OS developed by the company, with no Android components. The company's founder, Evgeny Kaspersky, showcased a prototype of the device this week at the St. Petersburg International Economic Forum. [Kommersant]
Government, politics, and policy
China imposes travel ban on top AI talent: The Chinese government has imposed travel restrictions on top AI talent. Executives and top professionals at AI firms must get approval from Chinese officials ahead of any overseas travel. The measure is meant to prevent top talent from fleeing to adversaries. Travel bans are often imposed on state officials but almost never on the private sector. [Bloomberg]
Russian telcos are pushing for "whitelisted" VPNs: Two Russian telco providers are pushing authorities to allow for the sale of safe VPN services to Russian citizens. Beeline and T2 are preparing VPN services that are compliant with Kremlin censorship guidelines. The VPNs will be provided to Russian citizens and businesses who want to access services blocked by Western companies. The Russian government has been blocking VPN apps as a way of preventing citizens from getting uncensored news on the war in Ukraine. [RBC]
Russia to declare two hacking groups extremist organizations: The Russian government has filed a lawsuit with the Supreme Court to designate two hacking groups as extremist organizations. The case targets Belarusian hacktivist group Cyber Partisans and pro-Ukrainian group Silent Crow. The Russian government is seeking the designation because of their attacks on Russian critical infrastructure companies like Aeroflot, Rostelecom, and cartography and cadastre agency Rosreestr. The designation would allow the government to go after individuals who support or help the groups. The case has been scheduled for July 21. [RBC] [h/t Oleg Shakirov]
The purpose of labeling hackers extremists is not really clear. It would imply that their activities are prohibited in Russia, which makes no difference when it comes to cyber attacks The designation would likely be used in foreign policy rhetoric & for international warrants
— Oleg Shakirov (@shakirov2036.bsky.social) June 3, 2026 at 8:34 PM
Belgian banks ordered to reimburse phishing victims: A judge has ruled that Belgian banks must reimburse phishing victims as soon as a loss is reported. The judge ruled in favor of an elderly couple who lost €50,000 to a hacker posing as a bank employee in Portugal. The ruling is expected to have broad consequences to the entire banking industry in the country. Belgian banks have usually refused to reimburse phishing victims or did it after long waits or after lawsuits. [VRT NWS]
Five Eyes warn of China's LinkedIn recruiting tactics: Chinese military spies are using LinkedIn and other job portals to recruit individuals with access to classified or privileged information in Western countries. Intelligence agencies from the Five Eyes alliance have issued a joint warning on Wednesday about China's aggressive recruitment operation. The campaigns have targeted former government officials, military personnel, academics, think tank employees, and journalists. Some individuals were paid for the sensitive information they provided from a few hundred to several thousand dollars. [ASIO // CSIS // FBI // MI5 // NZSIS]
US sanctions Nobitex: The US Treasury Department has sanctioned Iranian cryptocurrency exchange Nobitex. Officials say the platform was used to avoid sanctions and finance terrorist groups. It was also used by Iranian cyber operators, including several ransomware groups. Sanctions were also imposed on Wallex, Bitpin, and Ramzinex, three smaller Iranian exchanges. Blockchain analysis firm Elliptic says the four had sent or received at least $40 billion in crypto-assets over their lifetime. [US Treasury // Elliptic]
New CISA Director nomination coming soon: Speaking at a House committee hearing, the new DHS Secretary Markwayne Mullin said the White House is soon expected to submit a new nomination for the role of CISA Director, which has been left unfilled since Trump took office more than a year ago. The Trump administration is currently considering Palantir CTO Shyam Sankar for the role. [NextGov // The Record]
CISA wants to hire more: New DHS Secretary Markwayne Mullin intends to hire 600 more employees to cover CISA's staff requirements. The agency currently employs 2,200 staff, down from its 3,400 peak during the Biden administration. Mullin told Congress he plans to continue Kristi Noem's previous plan for offloading some of CISA's work to local and state municipalities. [CyberScoop // House Homeland Security Committee]
Sponsor section
In this Risky Business sponsor interview, Casey Ellis chats with Truffle Security’s founder and CEO Dylan Ayrey about the recent CISA secrets leak. Days after Brian Krebs ran the story, plenty of the exposed credentials were still live, including an admin-level GitHub app key with full rights over CISA’s org.
Arrests, cybercrime, and threat intel
Scam Disruption Week: Tech companies and law enforcement agencies have suspended millions of email and social media accounts used by industrial scam operations. More than $3.8 million were also seized in crypto accounts as part of a coordinated crackdown this week. The Scam Disruption Week involved the US Justice Department, Thai Police, and companies like Meta, Microsoft, Coinbase, and Starlink. The crackdown was enacted following an White House executive order passed in March that told the DOJ to prioritize the fight against scams and cybercrime. [DOJ // Meta]
Operation KRATOS 2: Europol has detained 29 suspects who ran illegal streaming services online. The services ran on 169 domains and broadcast sporting events, film, and television channels. Officials also went after the "wider criminal ecosystem supporting these services." [Europol]
Europol takes down fake ID portal: European authorities have dismantled an online portal that sold fake ID documents. The fake document factory operated out of an apartment in the city of Alicante, Spain. Most of the produced documents were ordered by criminal groups running migrant smuggling operations. The site's administrator was detained in a raid at the end of May. [Europol]
XSS forum profile: Flashpoint has published a profile on XSS, aka DaMaGeLaB, one of the oldest Russian underground hacking forums around. The forum was seized in July of last year, but a new instance popped up online a month later. [Flashpoint]
Nova apologizes to CIS victim: The Nova ransomware group posted a public apology to a victim after discovering it was a company from the former Soviet space. The group apologized to the Eriell Group, a company operating out of Uzbekistan and Moscow. Nova promised not to leak its data as long as they didn't file a report with authorities. [h/t RVD]
New TA4922 e-crime group: A new e-crime group is emerging out of China and adopting modern social engineering tactics used by the likes of Lapsus$, ShinyHunters, and other western groups. The new TA4922 primarily targets East Asian countries, but has also expanded this year to Europe and South Africa. While the social engineering tactics remained the same, the group has rotated through a plethora of malware payloads, not yet having a custom or fixed toolset. [Proofpoint]
We consider it one of the most unique actors we track due to its high volume and wide variety of lure themes, targeting, and objectives. In our blog, we share recent campaigns observed by TA4922 that illustrate typical behaviors.
— ThreatInsight (@threatinsight.proofpoint.com) June 3, 2026 at 6:15 PM
[image or embed]
ScreenConnect cert revocation: ScreenConnect's certification revocation is not going according to plan and its certs are still being used to sign malware. [Cem Paya]
"As of Jun 3, at least one certificate that signed a malware sample has been revoked retroactively, while another one remains valid. In a sense, it may not matter even if revocation had been more timely and comprehensive. For consumers who were already tricked into installing the malware, the damage is already done: their PCs have already fallen under the threat actor’s control."
PCPJack compromised at least 230 servers: A hacking group known as PCPJack has compromised at least 230 AWS, GCP, and Azure servers as part of a campaign meant to hijack systems previously infected by the TeamPCP group. [Hunt Intelligence]
Hackers target Stock Exchange exec: A cyber-espionage campaign has sought to steal emails from the Outlook inbox of a Stock Exchange executive. [Broadcom]
Malware campaign pokes the bear: If you're an e-crime group involved in hiding malware in legit-looking software, you probably shouldn't try to hide payloads in security tools or the people who use those tools might come to investigate your bizniz! [Check Point]
Most threat actors used Claude to write malware: Most threat actors who abused Anthropic's AI agents did it to write and obfuscate their malware. The company compiled the data from 832 accounts it suspended for malicious activity last year. While most of the abuse of low-skill, some threat actors pulled complex attacks where they chained and scaffolded AI agents for complex automated AI-based intrusion frameworks. Anthropic warns the general trend is that threat actors are getting better at abusing its services for more sophisticated actions like lateral movement and data exfiltration. [Anthropic red team]
Malware technical reports
WeedHack: More than 116,000 users have been infected with a new infostealer named WeedHack. Most of the infections have been traced to a campaign targeting Minecraft players. According to security firm McAfee, the malware is a commercial infostealer sold online for as low as $5/month. [McAfee]
JS.MonoGlyphRAT: Researchers at ANY.RUN have identified a new backdoor called JS.MonoGlyphRAT that's currently being used in a malspam campaign targeting US companies. [ANY.RUN]
DesckVB RAT: Huntress has spotted a new remote access trojan named DesckVB RAT being spread in the wild via malspam campaigns since at least February. [Huntress]
SStar Agent: Iru researchers have found a new Go-based remote access trojan that can target both Windows and macOS systems. [Iru]
Argamal: Researchers have found a new RAT named Argamal hidden in adult-themed hentai games distributed online. [Kaspersky]
GorgonAgora skimmer: Security researchers have found a new web skimmer deployed on more than 5,700 fake online stores that impersonate popular brands. [Sansec]
"Every store runs the same Medusa.js commerce stack and loads the same custom checkout SDK, which renders a fake Stripe iframe and exfiltrates card data over an encrypted WebSocket to a single server in Moldova. The campaign has been active since August 2025 and is still expanding as of today."
C0XMO botnet: A new custom variant of the old Gafgyt IoT malware has been spotted in the wild and used to build the new C0XMO botnet. [Fortinet]
Android.MagicAd: Russian security firm Dr.Web has found a new Android adware family on GetApps, the official app catalog for Xiaomi devices. The malware was hidden in over 50 mobile games and apps hosted on the portal. [Dr.Web]
FalkonC2: Flare's Tammy Harper warns of the rise of FalkonC2, a "highly tailored, commercial C2 framework written completely from scratch in C++ and MASM64." [Tammy Harper]
"The developers designed this thing with two main goals: making the stubs as tiny as possible and ensuring they run entirely in memory without ever touching the disk. They are actively targeting enterprise environments, and the evasion tactics they’re pulling off are definitely worth a closer look."
Kali365 PhaaS: ArcticWolf takes another look at the new Kali365 phishing service, including a campaign impersonating Russia's new MAX messenger. [ArcticWolf]
IronWorm: A new worm is spreading on the npm JavaScript ecosystem. IronWorm is inspired from TeamPCP's Shai-Hulud worm but is written in Rust. Just like the original, it infects a developer machine, steals credentials, and then spreads to that developer's open-source coding projects. So far, IronWorm has been spotted in 37 packages. [JFrog]
AI worm: Academics have developed an AI-driven worm that can spread among PCs and smart devices. [CleverHans Labs]
"We demonstrate these capabilities in a controlled experiment: a prototype AI-driven worm powered by an open-weight LLM running locally, propagated across a heterogeneous network of Linux, Windows, and IoT devices with common corporate network vulnerabilities. The experiment was conducted in an isolated virtual network."
Sponsor section
In this edition of the Snake Oilers podcast, Truffle Security founder Dylan Ayrey joins Risky Business to talk through the latest bells and whistles in Trufflehog, a security tool that searches for exposed secrets and validates them. The Truffle team has done a lot of work on the remediation part of their product over the last few years, and Dylan tells us all about it!
APTs, cyber-espionage, and info-ops
APT28's PixyNetLoader: Security researchers at ExaTrack have published a report looking at the evolution of APT28's PixyLoader malware family since its first sighting in 2024. [ExaTrack]
APT-C-26 (Lazarus): North Korean APT group Lazarus has been spotted exploiting the React2Shell (CVE-2025-55182) vulnerability to deploy the old Copperhedge malware family to compromised systems. [Qihoo 360]
SiribClone targets Russian soldiers: A new hacking group is targeting Russian soldiers stationed near the border or deployed in Ukraine. The hackers have used military and dating-related themes to phish soldiers on Telegram. The goal is to deploy malware on their phones or Windows system and collect information on their location. Russian security firm F6 tracks the new group under the codename of SiribClone. [F6]
Gamareddon's malware arsenal: Sekoia has published the second and third parts in a three-part series on the malware arsenal of Russian APT group Gamareddon. The first report covered GammaPhish and GammaWorm, and the newer ones covered GammaLoad and GamaSteel. [Sekoia #1 // Seokia #2 // Sekoia #3]
Vulnerabilities, security research, and bug bounty
Security updates: Cisco, Firefox, Mastodon, Qualcomm, Revive Adserver, Samsung, SOPlanning, Tails, TP-Link.
1K branded vulns: The Vulnerability Garden portal, which tracks custom-named vulnerabilities, exploits, and techniques, has passed over the 1,000-landmark! A lame milestone, but a milestone nevertheless. Yey to all the infosec PR people! [Vulnerability Garden]
Acer router zero-days: Acer is working on a firmware update to patch two cryptographic-related issues in its Wave 7 router model. The vulnerabilities allow attackers to retrieve cleartext credentials and encryption keys from unprotected router files. The stolen data can be used to access the router and plant backdoors. The patches are scheduled for the end of the month. [Acer]
Mirasvit exploitation: Here's something novel that was added to CISA's KEV DB of actively exploited bugs—a vulnerability in a Magento online store caching plugin. I didn't know this type of stuff fell into the type of bugs KEV regularly indexes. [CISA]
HTTP/2 Bomb attack: A new denial of service bug can crash most of today's web servers within seconds. The HTTP/2 Bomb attack impacts NGINX, the Apache HTTP server, Microsoft IIS, Envoy, and Cloudflare's Pingora. The attack targets the HPACK compression scheme of the HTTP/2 protocol to exhaust tens of gigabytes of server memory. HTTP/2 Bomb attacks can be carried out using one single machine and on a normal internet connection. All servers are vulnerable in their default configurations if HTTP/2 support is enabled. Only NGINX and the Apache server have released patches. The Envoy project accused the researchers of ignoring responsible disclosure and not giving them enough time to patch. [Calif // Envoy comment // CyberVandals]
MotW bypass with NuGet packages: Jim Rush from Tier Zero Security has found a way to bypass Mark of the Web using malicious code hidden in NuGet .targets files. Tasks in these files run automatically when installing or updating NuGet libraries. MSRC called it a feature not a bug. [Tier Zero Security]
SOPlanning bugs fixed: The SOPlanning project management software has fixed seven bugs, including some pretty bad ones that could have been used for SQL injections, backup theft, path traversal attacks, and more. [CERT-PL]
Cisco SSRF POC released: Cisco has released a patch for a SSRF vulnerability in the Unified Communications Manager software. Proof-of-concept code is already online but Cisco says no attacks have been observed yet. To exploit this vulnerability, the Unified CM WebDialer service must be enabled, which is disabled by default. [CVE-2026-20230]
Cross-tenant bug in n8n-mcp: Manifold's Ax Sharma and Francisco Rosales have found a vulnerability in the n8n MCP server that can allow threat actors to access the data of other tenants in n8n multi-tenant environments. [Manifold Security]
OpenSSL gives a heads up: The OpenSSL project has announced security updates for next week, on Patch Tuesday. Nothing critical, but there are some "high" severity bugs. [OpenSSL]
BYORWXDLL technique: Security researchers at 0x12 Dark Development have published details on a new red-team technique named Bring Your Own RWX Region DLL (BYORWXDLL). The name is obviously inspired by BYOVD (Bring Your Own Vulnerable Driver), but instead of loading an outdated driver to exploit, this technique loads legitimate DLLs with pre-defined RWX (Read+Write+Execute) memory regions that can be exploited for shellcode injection. [0x12 Dark Development]
DarkReplica write-up: Israeli security researcher Yeni Sherez has published a write-up on DarkReplica (CVE-2026-23631), a post-auth RCE in Redis that he used for the ZeroDayCloud hacking contest last year. The write-up came out this week after the bug was finally patched last month. [ZeroDayCloud // Redis patch]
FlagLeft vulnerability: Microsoft has released security updates for its Microsoft365 Android apps to remove a development flag that was accidentally left enabled in the code. The flag could have allowed any other app on the same smartphone to steal a user's Microsoft token and hijack their account. [Enclave]
ComoDoS vulnerability: A vulnerability in the Comodo Internet Security firewall can be used to crash a Windows system with one single packet. The bug is caused by an IP parsing issue in the firewall's Windows driver. The vulnerability remains unpatched after the vendor has failed to respond to security researcher Marcus Hutchins. [MalwareTech // Proof-of-concept]
Infosec industry
RIP Carola Frediani: Carola Frediani, one of Italy's best cybersecurity journalists, book author, and former member of Amnesty International and Human Rights Watch, has unexpectedly passed away this week. Our condolences to the family! [Guerre di Rete // ANSA // Obituary]
New tool—OhAuth: AI security firm Offroad has launched OhAuth, a catalog of OAuth apps with over-privileged scopes, dead publisher domains, and silent permission drift.
New tool—Aether: The 0xsp SRD group has released Aether, a Windows memory-forensics and threat hunting tool that scans live process memory.
OrangeCon 2026 streams: Live streams from the OrangeCon 2026 security conference, which took place this week, are available on YouTube.
Threat/trend reports: ANY.RUN, Cloud Security Alliance, OpenSourceMalware, Outtake, Oxylabs, and Positive Technologies have recently published reports and summaries covering various threats and infosec industry trends.
Risky Business podcasts
In this edition of Seriously Risky Business, Tom Uren and James Wilson talk about Tom's trip to NATO's Cyber Conflict conference. NATO countries want to bulk up their cyber efforts, and the pair discuss what that could look like.
In this episode of Risky Business Features, James Wilson takes a detailed look at the evolution and tactical prowess of the TeamPCP hacking group.