


Daily cybersecurity briefing for CISOs and security leaders.
Today's episode covers 9 stories across 5 topic areas, including: Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks; Iranian Hackers Deploy MiniFast and MiniJunk V2 via Phishing and SEO Poisoning; Kremlin appoints cyber executive with alleged GRU ties to Security Council role.
Krebs on Security · May 25 · Relevance: 9/10
Why it matters to CISOs: The dismantling of Stark Industries-linked infrastructure used by Russian intelligence agencies to stage cyberattacks and influence operations in the EU represents a significant takedown with direct implications for threat actor capability degradation. CISOs should assess whether their organizations were targeted via this infrastructure and expect temporary disruption to related threat actor operations.
The Hacker News · May 26 · Relevance: 8/10
Why it matters to CISOs: Iranian state-sponsored group Nimbus Manticore is actively targeting US aviation and software sectors with novel AI-built backdoors following the February 2026 US-Israeli military campaign against Iran, signaling a retaliatory escalation that enterprises in critical infrastructure and defense-adjacent sectors must treat as an elevated threat.
The Record (Recorded Future) · May 25 · Relevance: 7/10
Why it matters to CISOs: The elevation of a cyber executive with alleged GRU ties to Russia's Security Council under Shoigu signals potential strategic prioritization of offensive cyber operations at the highest levels of Russian government, which may portend increased state-sponsored activity targeting Western enterprise infrastructure.
Help Net Security · May 26 · Relevance: 8/10
Why it matters to CISOs: An AI model autonomously discovering over 10,000 high- and critical-severity zero-days across major vendors' software represents a watershed moment for vulnerability management; CISOs must anticipate dramatically accelerated patch cadences and reassess their exposure windows as AI-driven vulnerability discovery scales industry-wide.
Help Net Security · May 26 · Relevance: 7/10
Why it matters to CISOs: Google GTIG's analysis of Chinese-language PhaaS ecosystems expanding into territory historically dominated by Russian criminal groups signals a meaningful shift in the threat landscape, with mature, well-resourced services almost exclusively targeting non-Chinese enterprises, making Western organizations the primary focus.
BleepingComputer · May 25 · Relevance: 8/10
Why it matters to CISOs: An FBI-flagged PhaaS platform actively bypassing MFA via OAuth device code abuse to hijack M365 accounts poses an immediate threat to any enterprise running Microsoft 365, requiring urgent review of device code authentication policies and conditional access configurations.
BleepingComputer · May 26 · Relevance: 6/10
Why it matters to CISOs: The ShinyHunters-claimed breach of a global retail chain with 86,000 locations underscores the continued targeting of consumer-facing enterprise brands for PII extraction and extortion, and serves as a benchmark for board-level breach disclosure and notification obligations involving SSNs.
The Hacker News · May 26 · Relevance: 7/10
Why it matters to CISOs: India's CERT-In setting a 12-hour patching expectation for internet-exposed critical vulnerabilities, driven explicitly by AI-compressed exploitation timelines, signals a global regulatory direction that will pressure multinational enterprises to fundamentally rethink patch velocity SLAs and automation capabilities.
Help Net Security · May 26 · Relevance: 8/10
Why it matters to CISOs: A zero-day being actively exploited in Trend Micro Apex One, a widely deployed enterprise endpoint security platform, means attackers are weaponizing a trust boundary within the security stack itself, requiring immediate emergency patching for all organizations running this product.
Alex: Welcome to Cleartext. It's Tuesday, May 26th, 2026. I'm Alex Chen.
Jordan: And I'm Jordan Reeves. Let's get into it.
Alex: We have a packed show today. The Dutch just pulled off a massive infrastructure takedown tied to Russian intelligence. Iran's retaliatory cyber campaign is hitting US aviation and software companies with AI-built backdoors. There's a new appointment in Moscow that should make every Western CISO pay attention. Anthropic's Claude Mythos has found over ten thousand zero-days, and we need to talk about what that means for your patch cycles. We've got two phishing-as-a-service stories that paint a converging picture. There's an actively exploited zero-day in Trend Micro Apex One, and India just told organizations to patch internet-facing critical vulns in twelve hours. So let's go.
Jordan: Let's start with the Netherlands. Dutch authorities arrested two co-owners of internet hosting companies and seized more than 800 servers. This infrastructure was linked to Stark Industries Solutions, an ISP the EU had already sanctioned as a staging ground for Russian intelligence cyber operations. These servers were used for cyberattacks, influence operations, and disinformation campaigns inside the EU. And for those who follow Brian Krebs, these are the same individuals he profiled back in 2025.
Alex: This is a significant operational disruption. Eight hundred servers is not a small footprint. For CISOs listening, there are two immediate actions. First, check your threat intel feeds and historical logs for any indicators tied to Stark Industries infrastructure. Your threat intel team should already be pulling those IOCs. Second, understand that this creates a temporary capability gap for the threat actors who relied on this infrastructure, but temporary is the key word. They will reconstitute. They always do.
Jordan: Right. And the reconstitution timeline matters. Russian-affiliated groups have shown they can stand up replacement infrastructure in weeks, not months. So you get a window, not a victory. But I want to connect this to the third story, because the Kremlin just appointed Andrei Kozlov to Russia's Security Council as an aide to Shoigu. Kozlov ran a cybersecurity center within Rostec, Russia's state defense conglomerate, and has alleged ties to the GRU.
Alex: This is a signal, not just a personnel move. When you place someone with deep offensive cyber expertise and intelligence community ties directly into the national security decision-making body, you are telegraphing strategic intent. For board conversations, this is the kind of indicator I'd use to justify sustained investment in threat detection and incident response capabilities against Russian state actors. The threat is not diminishing. It's being elevated within their own government hierarchy.
Jordan: And while the Dutch are dismantling Russian infrastructure on one front, Iran is escalating on another. Nimbus Manticore, also tracked as UNC1549, is running a fresh campaign targeting US aviation and software companies. The context here is critical. This is retaliatory. The joint US-Israeli military campaign against Iran in late February 2026 triggered this. They're using AI-built backdoors called MiniFast and MiniJunk V2, delivered through phishing lures and SEO poisoning.
Alex: Two things stand out to me. First, the targeting. Aviation and software sectors. These are not random. Aviation is critical infrastructure and defense-adjacent. Software companies are supply chain entry points. If you're in either of those sectors, you need to be on heightened alert right now. Second, the AI-built malware piece. This is not a gimmick. AI-generated tooling means faster iteration, more polymorphic variants, and potentially cleaner code that evades signature-based detection. Your EDR needs to be tuned for behavioral detection, not just pattern matching.
Jordan: The SEO poisoning vector is worth calling out specifically. This isn't just spearphishing. They're poisoning search results so that employees researching legitimate aviation or software topics land on weaponized pages. That's a different threat model than email-based phishing, and it requires web gateway controls and DNS-layer security to address.
Alex: Good point. It also means your security awareness training needs to extend beyond "don't click suspicious emails" to "be cautious about what you download from search results, even when you initiated the search."
Jordan: Let's pivot to what might be the most consequential story of the day, even though it's not about an attack. Anthropic announced that Claude Mythos, through Project Glasswing, has autonomously identified over ten thousand high- or critical-severity vulnerabilities in critical software systems. Partners include AWS, Apple, Broadcom, Cisco, CrowdStrike, and Google.
Alex: This is a watershed moment, and I don't use that phrase lightly. We are entering an era where AI can find vulnerabilities faster than humans can patch them. That's not a theoretical problem anymore. It's here. If you're a CISO running a vulnerability management program with a thirty-day patch SLA for critical vulns, you need to fundamentally rethink that number.
Jordan: And the dual-use concern is real. Mythos was designed to find zero-days and create working exploits. Anthropic is running this through a coordinated disclosure framework with major vendors, which is responsible. But the capability exists. If Anthropic can do this, state actors can build or are building something similar. The exploitation timeline for newly discovered vulnerabilities is about to compress dramatically.
Alex: Which brings us directly to the CERT-In story. India's Computer Emergency Response Team just issued guidelines calling for organizations to patch critical vulnerabilities in internet-exposed systems within twelve hours. Twelve hours. And they explicitly cited AI-assisted exploitation as the justification.
Jordan: Twelve hours is aggressive, and they qualified it with "where feasible," but the direction is clear. Regulators are starting to calibrate their expectations to the speed of AI-driven threats, not human-speed threats. If you're a multinational with operations in India, this applies to you now. If you're not, it applies to you soon. Other regulators will follow.
Alex: This is a conversation every CISO needs to have with their board. Achieving twelve-hour patch cycles for internet-facing systems requires significant investment in automation, asset inventory accuracy, and change management streamlining. You cannot meet this with manual processes. Full stop. If your organization can't identify all internet-facing assets within an hour, you can't patch them within twelve.
Jordan: Now let's talk about the two phishing stories that paint a converging picture. First, the FBI issued an official warning about Kali365, a phishing-as-a-service platform that's actively targeting Microsoft 365 accounts. The technique is clever. It abuses the OAuth device code authentication flow to steal session tokens, completely bypassing MFA. They don't need your second factor. They get a persistent session token through the device code grant.
Alex: If you run Microsoft 365, and most of you do, this requires immediate attention. Review your conditional access policies. Specifically, look at whether you've restricted or disabled the device code authentication flow. Most organizations don't need it for general users. Disable it where you can. Where you can't, add additional conditional access controls like requiring compliant devices or restricting by IP range.
Jordan: The second phishing story is from Google's Threat Intelligence Group. They analyzed a dozen active Chinese-language phishing-as-a-service operations and found mature, sophisticated services that almost exclusively target non-Chinese enterprises. These are well-resourced, they offer no-code builder tooling, and they operate primarily through Telegram.
Alex: So we now have Russian-speaking PhaaS, Chinese-language PhaaS, and platforms like Kali365 all operating at scale. The phishing-as-a-service market is diversifying and maturing. For CISOs, this means the volume, quality, and variety of phishing attacks hitting your organization are going to continue increasing. Investment in email security, browser isolation, and identity protection isn't optional.
Jordan: Let's hit the vulnerability story quickly. CVE-2026-34926 is a path traversal vulnerability in Trend Micro Apex One that's being actively exploited in zero-day attacks. CISA has issued a warning. Trend Micro's own TrendAI incident response team reported it.
Alex: This one is particularly uncomfortable because Apex One is endpoint security software. When threat actors compromise your security tools, they're operating inside the trust boundary of your defensive stack. If you run Apex One, this is an emergency patch. Not tomorrow. Today.
Jordan: And the 7-Eleven breach rounds out our breach coverage. ShinyHunters claimed responsibility for an April 2026 breach exposing data on over 185,000 individuals, including SSNs, dates of birth, and addresses. It's a straightforward extortion play against a massive retail footprint of 86,000 stores across 19 countries.
Alex: From a governance perspective, the SSN exposure triggers notification obligations in virtually every US state. If you're in retail or consumer-facing industries, this is a reminder that your data minimization practices directly impact your breach liability. If you don't need to store SSNs, don't store SSNs.
Jordan: Let's look at the bigger picture for the week ahead. The theme I see emerging is compression. Time is compressing across every dimension of security. Exploitation timelines are compressing because of AI. Patch expectations are compressing because regulators see the same thing. The gap between vulnerability discovery and weaponization is compressing. And the phishing-as-a-service ecosystem is compressing the skill barrier for attackers.
Alex: I agree. And the strategic implication is that CISOs who are still running their programs at 2024 speeds are falling behind. The Anthropic story alone should be a wake-up call. When an AI can autonomously find ten thousand critical vulnerabilities, the old model of quarterly patching and annual pen tests is obsolete. The organizations that invest in automation, real-time asset visibility, and AI-augmented defense now will be the ones that survive this acceleration. The ones that don't will be in breach notification headlines.
Jordan: Watch for vendor patch advisories to spike in the coming weeks as Glasswing disclosures start hitting. And keep your eyes on Iranian activity. The retaliatory campaign is likely in its early stages, not its final form.
Alex: That's our show for today. Show notes and links to every story we covered are at cleartext.fm. We'll be back tomorrow. Stay sharp.
Jordan: See you then.
Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-05-26.
Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.
By Cleartext