Weekly Threat Intelligence Summary
Top 10 General Cyber Threats
Generated 2026-06-01T05:00:05.499034+00:00
- Update Chrome now: Critical bugs could let attackers run code (www.malwarebytes.com, 2026-05-22T12:10:36)
Score: 10.083
This Chrome update fixes critical flaws attackers could exploit through malicious websites, but not the “Browser Fetch” vulnerability.
- Fake ChatGPT download site infects Windows and Mac users with malware (www.malwarebytes.com, 2026-05-28T10:18:26)
Score: 7.57
Searching for ChatGPT? This fake download site serves malware to both Windows and Mac users, using separate payloads tailored to each platform.
- 700+ education and tech websites hijacked in huge ClickFix malware campaign (www.malwarebytes.com, 2026-05-26T10:46:28)
Score: 7.24
Hackers are abusing a Ghost CMS website flaw to serve fake Cloudflare verification pages that pressure users into infecting their own PCs.
- Microsoft Defender vulnerabilities are being exploited in the wild (www.malwarebytes.com, 2026-05-21T17:36:52)
Score: 6.454
CISA added seven known exploited vulnerabilities to its KEV catalog, including two Microsoft Defender flaws.
- The Vulnerability Flood Is Now a Board Conversation. Here's How to Lead It. (www.recordedfuture.com, 2026-05-21T00:00:00)
Score: 6.332
Boards are asking about AI-driven vulnerability discovery. The leaders who answer that question well will come out with more credibility and more resources. Here's how to be one of them.
- Fake malware-signing service Fox Tempest dismantled by Microsoft (www.malwarebytes.com, 2026-05-20T15:33:02)
Score: 6.273
The service let malware authors sign malicious files with fraudulent Microsoft-issued certificates to bypass security checks.
- Payment apps are watching what you say (Lock and Code S07E11) (www.malwarebytes.com, 2026-06-01T01:52:57)
Score: 6.178
This week on the Lock and Code podcast, we speak with Rainey Reitman about financial censorship that boots customers off major payment apps.
- At Mythos Speed: A Defender's Playbook for the AI Vulnerability Surge in 2026 (www.recordedfuture.com, 2026-05-19T00:00:00)
Score: 5.999
Frontier AI models like Mythos are making vulnerability discovery fast and cheap. Here's how defenders use threat intelligence and agentic processing to prioritize and act at the same speed.
- Signal users targeted in backup-stealing phishing attacks (www.malwarebytes.com, 2026-05-29T12:07:24)
Score: 5.749
Cybercriminals are impersonating Signal Support to steal backup recovery keys, giving them access to victims' entire message archives.
- CrowdStrike Named a Leader in 2026 Gartner® Magic Quadrant™ for Endpoint Protection for Seventh Consecutive Time (www.crowdstrike.com, 2026-05-29T05:00:00)
Score: 5.7
Top 10 AI / LLM-Related Threats
Generated 2026-06-01T06:00:19.775786+00:00
- GTIG AI Threat Tracker: Adversaries Leverage AI for Vulnerability Exploitation, Augmented Operations, and Initial Access (cloud.google.com, 2026-05-11T14:00:00)
Score: 41.079
Executive Summary Since our February 2026 report on AI-related threat activity, Google Threat Intelligence Group (GTIG) has continued to track a maturing transition from nascent AI-enabled operations to the industrial-scale application of generative models within adversarial workflows. This report, based on insights derived from Mandiant incident response engagements, Gemini, and GTIG’s proactive research, highlights the dual nature of the current threat environment where AI serves as both a sop
- When AI Meets Wall Street: A Survey on Trustworthy AI in Fintech (arxiv.org, 2026-06-01T04:00:00)
Score: 22.48
arXiv:2605.30650v1 Announce Type: new
Abstract: Artificial intelligence is now embedded as a primary decision engine in continuously operated financial AI pipelines spanning training and updating, deployment and inference, and operation with monitoring and feedback. The automation and scale that make these pipelines effective also create novel attack surfaces, where small algorithmic perturbations can amplify into persistent, system-level financial harm. Existing surveys, however, either treat
- Automatically Attacking Software Reverse Engineering AI Agents (arxiv.org, 2026-06-01T04:00:00)
Score: 18.78
arXiv:2605.30667v1 Announce Type: new
Abstract: Software tools for reverse engineering executable binary files, such as Ghidra, enable malware analysts to safely conduct robust static analysis without having access to original source code. Coupled with the analytic power of large language models (LLM), agentic systems enabled with tools, such as GhidraMCP, can allow analysts to automate a previously human driven process. Although this automation can increase the productivity of a single malware
- Training Azerbaijani language models on Amazon SageMaker AI (aws.amazon.com, 2026-05-28T21:54:06)
Score: 17.905
Azercell Telecom LLC, Azerbaijan's leading telecommunications provider, wanted to build an Azerbaijani large language model (LLM) on Amazon SageMaker AI for telecom use cases and a customer-facing chatbot. The challenge: adapting foundation models (FMs) to a morphologically rich language with limited training data and no existing blueprint for efficient LLM training in Azerbaijani. In a six-week collaboration, Azercell worked with the AWS Generative AI Innovation Center to establish a produ
- Differentially Private Preference Data Synthesis for Large Language Model Alignment (arxiv.org, 2026-06-01T04:00:00)
Score: 17.78
arXiv:2605.30808v1 Announce Type: new
Abstract: Preference alignment is a crucial post-training step for large language models (LLMs) to ensure their outputs align with human values. However, post-training on real human preference data raises privacy concerns, as these datasets often contain sensitive user prompts and human judgments. To address this, we propose DPPrefSyn, a novel algorithm for generating differentially private (DP) synthetic preference data to enable privacy-preserving prefere
- TRACE: Task-Aware Adaptive Self-Evolving Agentic Jailbreaking (arxiv.org, 2026-06-01T04:00:00)
Score: 17.48
arXiv:2605.30883v1 Announce Type: new
Abstract: The rise of LLM agents introduces a new threat by enabling planning, coding, and even end-to-end execution of expert-level attack workflows. However, this threat remains underexplored and underestimated since (i) safety alignment prevents LLMs from directly generating harmful instructions, and (ii) most existing jailbreak methods cannot consistently induce agents to execute malicious operations. In this paper, we propose TRACE, a practical agentic
- The Surface You Test Is Not the Surface That Breaks (arxiv.org, 2026-06-01T04:00:00)
Score: 16.48
arXiv:2605.30454v1 Announce Type: new
Abstract: Tool-augmented LLM agents are vulnerable to prompt injection: a third party who controls part of the agent's context can plant instructions that the agent then executes as if they came from the user. Current evaluations report a single attack success rate per model on one channel, the tool output, and treat that number as the model's vulnerability. But tool descriptions, which the agent reads at every turn before any tool is called, are t
- From Prompt Injection to Persistent Control: Defending Agentic Harness Against Trojan Backdoors (arxiv.org, 2026-06-01T04:00:00)
Score: 16.48
arXiv:2605.31042v1 Announce Type: new
Abstract: LLM agents are evolving from conversational chatbots to operational tools in real-world workspaces. In local agentic harnesses, an LLM can read and write files, call tools, and reuse workspace state across sessions. While such capabilities enhance utility, they also expose a new attack surface for attackers. Attackers can embed a prompt injection within a file or tool output. Agents may read this hidden instruction, store it, and execute it later.
- Steering Beyond the Support: Adversarial Training on Unsupervised Jailbroken Activation Simulation (arxiv.org, 2026-06-01T04:00:00)
Score: 15.48
arXiv:2605.24535v2 Announce Type: replace
Abstract: Jailbreak prompts can trigger harmful completions on aligned LLMs. In accordance, safety steering has been proposed: test-time activation interventions that steer jailbreak activations to trigger refusal while preserving benign utility. However, existing steering methods are fundamentally supervised and tied to a static, limited training set, whereas real jailbreaks evolve and are often out-of-distribution from the training set, leading to fail
- An Organization-Scoped LLM Agent Runtime Architecture for Regulated Cybersecurity Operations (arxiv.org, 2026-06-01T04:00:00)
Score: 14.78
arXiv:2605.30604v1 Announce Type: new
Abstract: Regulated cybersecurity workflows lack a runtime substrate that enforces organization-level scope across retrieval, tool calls, memory, findings, reports, and audit while remaining model-agnostic and locally deployable. Recent large language model (LLM) agent systems report strong results on isolated cybersecurity tasks, yet they do not by themselves define an auditable platform architecture for regulated security operations centre (SOC) and compl
- CacheProbe: Auditing Prompt Cache Isolation in Gateway APIs (arxiv.org, 2026-06-01T04:00:00)
Score: 14.78
arXiv:2605.30613v1 Announce Type: new
Abstract: Over the past year, prompt caching in Large Language Models (LLMs) has become increasingly more popular across inference APIs. Prompt caching helps save precious compute resources and speeds up response times by reusing parts of the KV cache of a specific prompt for another request. However, many implementations of prompt caching are not secure against timing attacks or even basic metadata disclosure. Gu et al. (ICML 2025) develop a method to audi
- Triaging Threats to Specialized Guardrails (arxiv.org, 2026-06-01T04:00:00)
Score: 14.78
arXiv:2605.30693v1 Announce Type: new
Abstract: Building robust safety guardrails is essential for deploying Large Language Models across diverse real-world applications. However, this goal remains challenging because safety risks span heterogeneous threat domains, while existing datasets cover only fragmented risk subsets and rely on inconsistent taxonomies. Consequently, it remains unclear whether current guardrails can generalize beyond narrow evaluation settings. To better understand the ro
- EvoDefense: Co-Evolving Black-Box Defense with Large Language Models (arxiv.org, 2026-06-01T04:00:00)
Score: 14.78
arXiv:2605.31140v1 Announce Type: new
Abstract: Large Language Models (LLMs) remain highly vulnerable to diverse attacks, particularly in black-box settings where the internals of target models are inaccessible. Existing black-box defenses typically rely on pre-defined filtering heuristics, which often fail to generalize to unseen attack types and target model architectures. We introduce EvoDefense, an experience-guided co-evolving black-box defense paradigm. EvoDefense employs a guard LLM to d
- Neuroforger: certified violation witnesses for smart contracts verification via LLMs (arxiv.org, 2026-06-01T04:00:00)
Score: 14.78
arXiv:2605.31389v1 Announce Type: cross
Abstract: Recent large language models (LLMs) incorporate reasoning capabilities that allow them to perform well in predicting whether a smart contract respects a certain property, suggesting a complementary approach to traditional formal-methods-based techniques for smart contract verification. However, the application of LLMs in such context has two major issues: 1) properties expressed in natural language are intrinsically ambiguous, and 2) answers ret
- GoodVibe: Security-by-Vibe for LLM-Based Code Generation (arxiv.org, 2026-06-01T04:00:00)
Score: 14.78
arXiv:2602.10778v2 Announce Type: replace
Abstract: Large language models (LLMs) are increasingly used for code generation in fast, informal development workflows, often referred to as vibe coding, where speed and convenience are prioritized, and security requirements are rarely made explicit. In this setting, models frequently produce functionally correct but insecure code, creating a growing security risk. Existing approaches to improving code security rely on full-parameter fine-tuning or pa
- Depth-Dependent Indirect Prompt Injection in Tool-Calling ReAct Agents: Injection Depth, Payload Framing, and Turn-Budget Sensitivity (arxiv.org, 2026-06-01T04:00:00)
Score: 14.48
arXiv:2605.30686v1 Announce Type: new
Abstract: ReAct agents that interleave chain-of-thought reasoning with tool calls are increasingly deployed for real tasks such as scheduling, file retrieval, and data access. Their tool observation loop creates a direct attack surface: an adversary who controls any tool's return value can embed instructions that redirect the agent away from the user's goal, a threat known as indirect prompt injection. Existing benchmarks evaluate attack success r
- Strengthening Polymorphic Prompt Assembling: Dynamic Separator Generation Against Emerging Prompt Injection Attacks (arxiv.org, 2026-06-01T04:00:00)
Score: 13.48
arXiv:2605.30534v1 Announce Type: new
Abstract: Polymorphic Prompt Assembling (PPA) defends LLM agents against prompt injections by randomly selecting separator pairs from a fixed pool to isolate user input from system instructions. Although effective, static pool reuse exposes a blast-radius vulnerability: once a separator leaks, it can be exploited in future requests. We propose a dynamic per-request separator generation using domain-separated SHA-256 digests keyed on the timestamp, session i
- Prompt Injection as Role Confusion (arxiv.org, 2026-06-01T04:00:00)
Score: 13.48
arXiv:2603.12277v5 Announce Type: replace-cross
Abstract: LLMs see the world as a single stream of text, partitioned into roles like or . We trace prompt injection to role confusion: models perceive the source of text from how it sounds, not its labeled role. A command hidden in a webpage hijacks an agent simply because it sounds like text, despite its label. We design role probes to measure how LLMs internally perceive "who is speaking," and find that injected text occupies the sa
- $PC^2$: Politically Controversial Content Generation via Jailbreaking Attacks on GPT-based Text-to-Image Models (arxiv.org, 2026-06-01T04:00:00)
Score: 12.48
arXiv:2601.05150v3 Announce Type: replace
Abstract: The rapid evolution of text-to-image (T2I) models has enabled high-fidelity visual synthesis on a global scale. However, these advancements have introduced significant security risks, particularly regarding the generation of harmful content. Politically harmful content, such as fabricated depictions of public figures, poses severe threats when weaponized for fake news or propaganda. Despite its criticality, the robustness of current T2I safety
- Pwn2Own Berlin 2026 – Day One Results (www.thezdi.com, 2026-05-14T08:27:32)
Score: 12.239
Welcome to Day One of Pwn2Own Berlin 2026! Today, 22 entries took the Pwn2Own stage to target AI Databases, Coding Agents, Local Inferences, and a separate category for NVIDIA products, as the world’s top security researchers push technology to its limits. Exploits, surprises, and breakthrough discoveries are unfolding. After Day One, we awarded $523,000 for 24 unique 0-days! DEVCORE is currently in the lead for Master of Pwn, but a pack of teams are right on their heels. Stay tuned tomorrow for
- Pwn2Own Berlin 2026: The Full Schedule (www.thezdi.com, 2026-05-13T16:23:07)
Score: 12.079
Willkommen! (Welcome!) Pwn2Own Berlin 2026 has arrived at OffensiveCon, and the world’s top security researchers are ready. This year’s enterprise-focused competition features AI Databases, Coding Agents, Local Inferences, and a separate category for NVIDIA products. Earlier today, we held the random draw to determine attempt order. Below is the official schedule. All times are Berlin local time (CET) and may change as the competition progresses. Check back for live updates. In case you missed i
- A Multi-Layer Electronic and Cyber Interference Model for AI-Driven Cruise Missiles: The Case of Khuzestan Province (arxiv.org, 2026-06-01T04:00:00)
Score: 11.98
arXiv:2510.03542v2 Announce Type: replace
Abstract: The rapid advancement of Artificial Intelligence has enabled the development of cruise missiles endowed with high levels of autonomy, adaptability, and precision. These AI driven missiles integrating deep learning algorithms, real time data processing, and advanced guidance systems pose critical threats to strategic infrastructures, especially under complex geographic and climatic conditions such as those found in Iran's Khuzestan Province. In
- Metasploit Wrap Up 05/29/2026 (www.rapid7.com, 2026-05-29T19:34:41)
Score: 11.92
More Linux LPEs Hark the age of the Linux LPE has arrived. This week’s release follows up on recent work bringing new Linux LPEs to Metasploit users. Copy Fail seemed to have kicked off a trend of similar bugs and hot on its heels is Dirty Frag. Dirty Frag is actually two vulnerabilities in a trenchcoat, individually identified as CVE-2026-43284 and CVE-2026-43500. Each is exploitable individually and comes with a new Metasploit module. New module content (5) Citrix ADC (NetScaler) CVE-2026-3055
- Stateful Online Monitoring Catches Distributed Agent Attacks (arxiv.org, 2026-06-01T04:00:00)
Score: 11.78
arXiv:2605.31593v1 Announce Type: new
Abstract: Language models can find thousands of severe software vulnerabilities, and agents are increasingly being misused for cyberattacks. To avoid detection, attackers frequently distribute their misuse, splitting a harmful task across many user accounts so each individual transcript looks benign. Because safety monitors score only one agent context at a time, they are structurally blind to misuse that is only visible in aggregate, across many accounts.
- On-Device Generative AI for GDPR-Compliant Visual Monitoring: Natural Language Alerts from Local Object Detection (arxiv.org, 2026-06-01T04:00:00)
Score: 11.78
arXiv:2605.30544v1 Announce Type: cross
Abstract: Visual monitoring systems that rely on cloud-based AI inference expose raw image data to external services, creating fundamental tensions with the data-minimisation principle of the General Data Protection Regulation (GDPR). This paper presents a proof-of-concept privacy-by-design pipeline that resolves this tension by confining all inference entirely to the edge device. A YOLOv5n-seg model compiled for a Hailo-8L AI accelerator delivers real-ti
Auto-generated 2026-06-01
