May 5, 2026 by sig9

Hacker Wars - May 05, 2026


Your daily dose of infosec chaos


We’re kicking off Hacker Wars, a daily security newsletter from sig9 where we break down the most important infosec stories so you don’t have to. Expect concise, no-BS coverage of vulnerabilities, breaches, and the creative ways attackers are ruining everyone’s day. No fluff, no vendor pitches, just the stuff that matters. Let’s get into today’s batch.


Karakurt Extortion Gang Negotiator Gets 8.5 Years in Prison

A Latvian national who served as a negotiator for the Russian Karakurt extortion group has been sentenced to 8.5 years in a US prison. Karakurt steals data and threatens to leak it rather than encrypting systems, so "extortion gang" is the more accurate label than ransomware. The case is a reminder that cybercrime investigations which look dormant can still end in a conviction years later, and that law enforcement is getting better at pursuing these actors across borders.

What to do: If you’re dealing with an extortion or ransomware incident, remember that paying does not guarantee the stolen data is deleted or that a decryptor works, and a payment that reaches a sanctioned entity can create legal liability in its own right. Involve counsel and law enforcement early rather than negotiating in isolation.


CloudZ RAT Plugin Pheno Hijacks Microsoft Phone Link to Steal SMS One-Time Passwords

A new CloudZ RAT variant deploys a plugin called Pheno that hijacks Microsoft Phone Link, the Windows feature that mirrors your phone’s text messages to a paired PC, to intercept SMS messages and one-time passwords. Because the codes arrive on the infected Windows host through the paired session, the attacker reads them without ever touching the phone and often before you notice them, which defeats SMS-based 2FA entirely.

What to do: Stop relying on SMS for 2FA. Use an authenticator app (TOTP) or, better, a hardware key or passkey, which produces nothing an attacker can read off a screen or a mirrored inbox. Also open the Link to Windows app on your phone, review which PCs are paired, and unlink any you don’t recognise.
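The reason an authenticator app is not exposed to this kind of interception is that nothing is transmitted at login time: the server and the app share a secret once at enrollment and each derives the code locally. The following is an added example written for this bulletin, not code from CloudZ, Pheno, Microsoft, or any authenticator vendor, implementing RFC 4226 HOTP and RFC 6238 TOTP with a skew-tolerant verifier and the otpauth provisioning URI that enrollment QR codes encode. The issuer, account name, and the 20-byte secret are constructed values for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second windows since the epoch."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1,
                step: int = 30, digits: int = 6, algo=hashlib.sha1) -> bool:
    """Accept the current window plus `window` windows either side to absorb clock skew.

    Comparison is constant-time; every candidate is checked so timing does not leak
    which window (if any) matched.
    """
    matched = False
    for k in range(-window, window + 1):
        expected = totp(secret, unix_time + k * step, step, digits, algo)
        if hmac.compare_digest(expected, submitted):
            matched = True
    return matched


def provisioning_uri(issuer: str, account: str, secret: bytes, digits: int = 6, step: int = 30) -> str:
    """otpauth:// URI the app scans once at enrollment; after that the secret never travels again."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits={digits}&period={step}")


if __name__ == "__main__":
    # Constructed demo secret (it is the RFC 6238 test-vector key); real deployments use os.urandom(20).
    secret = b"12345678901234567890"
    print(provisioning_uri("ExampleCorp", "alice@example.com", secret))
    now = int(time.time())
    code = totp(secret, now)
    print("current code:", code, "accepted:", verify_totp(secret, code, now))
```

Note what this does and does not buy you: the code is derived on the device and typed by the user, so a Phone Link mirror has nothing to read, but the six digits can still be phished or captured by a keylogger on the same PC. A FIDO2 key or passkey removes that last channel because the response is bound to the site origin and never appears as something the user can be tricked into retyping.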


ScarCruft Hacks Gaming Platform to Deploy BirdCall Malware on Android and Windows

North Korean hacking group ScarCruft compromised a video game platform in a supply chain attack, trojanizing game components with a backdoor called BirdCall. The attack targeted ethnic Koreans in China and deployed malware on both Android and Windows systems through the same trusted platform.

What to do: Be cautious with game mods and third-party game components, especially on platforms serving a community a state actor has reason to target. A trojanised component shipped through a trusted platform passes reputation checks, so treat new background services, unexpected permission requests, or outbound connections after a game update as a red flag, and run games in a sandboxed or separate environment if you’re in a high-risk demographic.


Microsoft Details Phishing Campaign Targeting 35,000 Users Across 26 Countries

Microsoft exposed a large credential theft campaign that hit 35,000 users across 26 countries. The attackers used code-of-conduct-themed lures and sent them through legitimate email services, then redirected victims through several hops to credential-harvesting domains. Because the first hops run through legitimate infrastructure, the messages pass sender-reputation checks and the malicious page only appears at the end of the redirect chain, which is what made detection difficult.

What to do: Train employees to recognize phishing attempts even when they arrive from legitimate sending services, and to expect that HR-style "acknowledge our policy" lures exist precisely because people click them. Enforce phishing-resistant MFA (FIDO2 keys or passkeys) and conditional access policies that tie sessions to compliant devices and known locations, so a harvested password or stolen session token is useless on its own.


WhatsApp Discloses File Spoofing, Arbitrary URL Scheme Vulnerabilities

WhatsApp patched two security flaws. One allowed an attacker to spoof a file’s type so that a malicious attachment could present itself as a harmless one; the other allowed a crafted message to trigger arbitrary URL schemes, handing a link to whatever app on the device is registered for that scheme rather than only to the browser. Both were responsibly disclosed through Meta’s bug bounty program and have already been fixed in recent updates.

What to do: Update WhatsApp if you haven’t recently. End-to-end encryption protects messages in transit; it says nothing about how the client parses what arrives, and that is where bugs of this kind live.
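The two bug classes above have a common defensive shape on the receiving side: never trust a declared file type, and never open a URL scheme you did not explicitly allowlist. The block below is an added example for this bulletin, not WhatsApp’s or Meta’s code and not a description of the patched bugs, showing a content-sniffing check that compares a file’s leading bytes against its declared extension (and rejects the right-to-left-override trick that makes "evil\u202efdp.exe" render as "evilexe.pdf"), plus a scheme allowlist for link handling. The magic-byte table, alias map, and sample attachments are constructed for the example.

```python
import re
from typing import Optional, Tuple
from urllib.parse import urlparse

# Leading bytes of common formats (constructed table for the example; extend as needed).
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),   # apk, docx, xlsx are all ZIP containers
    (b"MZ", "exe"),           # Windows PE
    (b"\x7fELF", "elf"),      # Linux/Android native binary
]
# Declared extensions that legitimately share a container with the sniffed type.
ALIASES = {"jpeg": "jpg", "apk": "zip", "docx": "zip", "xlsx": "zip", "pptx": "zip", "dll": "exe"}
# Content that should never be auto-opened from a chat, whatever the name says.
BLOCKED = {"exe", "elf"}
# Allowlist, not denylist: only schemes the client is prepared to hand to a browser.
SAFE_SCHEMES = {"http", "https", "mailto"}
# Unicode bidi controls used to visually reverse part of a filename.
BIDI_CONTROLS = re.compile("[\u202a-\u202e\u2066-\u2069]")


def sniff_type(data: bytes) -> Optional[str]:
    """Identify a file by its leading bytes, ignoring the name entirely."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return None


def check_attachment(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only when the name and the content agree and the type is allowed."""
    if BIDI_CONTROLS.search(filename):
        return False, "bidi control character in filename"
    declared = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    declared = ALIASES.get(declared, declared)
    actual = sniff_type(data)
    if actual is None:
        return False, "unrecognised content"
    if actual in BLOCKED:
        return False, f"executable content ({actual})"
    if actual != declared:
        return False, f"declared .{declared} but content is {actual}"
    return True, actual


def is_openable_url(url: str) -> bool:
    """Decide whether a link in a message may be handed to the browser."""
    scheme = urlparse(url.strip()).scheme.lower()
    return scheme in SAFE_SCHEMES


if __name__ == "__main__":
    # Constructed sample attachments: a real PNG header, a PE header wearing a .png name,
    # and a PDF whose name uses a right-to-left override.
    samples = [
        ("holiday.png", b"\x89PNG\r\n\x1a\n" + bytes(16)),
        ("holiday.png", b"MZ\x90\x00" + bytes(16)),
        ("report\u202efdp.exe", b"%PDF-1.7\n"),
        ("notes.txt", b"just text"),
    ]
    for name, blob in samples:
        print(repr(name), check_attachment(name, blob))
    for link in ["https://example.com/doc", "javascript:alert(1)", "whatsapp://send?text=hi", "file:///etc/passwd"]:
        print(link, "->", "open" if is_openable_url(link) else "refuse")
```

The sniff table is deliberately small; a production client would use a full magic database and, for ZIP containers, look inside to distinguish a document from an APK. The point the example makes is structural: the name is attacker-controlled metadata, the bytes are what will be executed or rendered, and the URL handler should start from "nothing is allowed" rather than from a list of known-bad schemes.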


Brought to you by sig9 - sig9.ch | Protecting the unseen, securing the unknown


This bulletin is provided for informational purposes. Contact us for tailored security analysis.