Here are today’s top cybersecurity stories for Friday, May 29, 2026.
Dutch Police Dismantle Asocks Botnet of 17 Million Devices
Dutch cybercrime investigators, working with the National Cyber Security Centre (NCSC-NL), seized 200 servers and dismantled the Asocks residential proxy botnet, which had infected at least 17 million devices worldwide — including computers, routers, smartphones, tablets, and IoT cameras. Asocks operated as a commercial proxy service, renting infected consumer devices to cybercriminals for phishing, DDoS attacks, credential stuffing, and fraud at subscription prices starting at $5 per month. The hosting provider shut down the remaining infrastructure after being notified it was supporting criminal operations. Source: BleepingComputer
ShinyHunters Breach Charter Communications: 4.9 Million Accounts Confirmed
Charter Communications confirmed a data breach affecting 4.9 million customer accounts after the ShinyHunters group used a vishing attack on April 1, 2026, to compromise a Microsoft Entra employee account and pivot into the company’s Salesforce environment. The exposed data includes names, email addresses, phone numbers, and physical addresses; a subset of roughly 85,000 internal staff records also includes job titles. ShinyHunters initially claimed 42 million records and has since published the data after extortion demands went unmet. Charter states no sensitive personal information or CPNI was exfiltrated. Source: BleepingComputer
New Russian-Linked GREYVIBE Targets Ukraine with AI-Powered Cyberattacks
WithSecure Labs disclosed a previously undocumented threat actor, GREYVIBE, assessed as Russian-speaking and operating in alignment with Kremlin intelligence interests against Ukraine since at least August 2025. The group uses ChatGPT, Google Gemini, and Ideogram AI across almost every stage of its operations — generating spear-phishing lures, decoy documents, and malware — making it one of the first documented threat actors to weaponize generative AI end-to-end. Two attack chains have been identified: PhantomMail, which delivers ZIP/RAR archives via Google Drive and 4sync, and PhantomRelay, a PowerShell RAT used for host profiling and remote command execution. Source: The Hacker News
OpenClaw AI Agent “Claw Chain” Vulnerabilities Expose 245,000 Servers
Cyera researchers disclosed four chained vulnerabilities in OpenClaw, a self-hosted open-source AI agent platform, including a near-maximum CVSS 9.6 race condition in its sandboxed execution environment. The exploit chain, dubbed “Claw Chain,” allows an unauthenticated attacker to escalate from initial access to persistent, system-level control, stealing credentials and planting backdoors. Approximately 65,000 publicly accessible instances are indexed on Shodan, with around 180,000 on ZoomEye. All four flaws have been patched; unpatched deployments running versions released before April 23 remain at risk. Source: SecurityWeek
Google Chrome DBSC Now Generally Available on Windows
Google announced that Device Bound Session Credentials (DBSC) is now generally available in Chrome for Windows users, with rollout beginning May 25, 2026. DBSC binds authenticated web sessions to a hardware-backed cryptographic key stored in the device's TPM, making stolen session cookies unusable from another device. The browser signs server challenges every five minutes without user interaction. macOS support via the Secure Enclave is planned for an upcoming release. Source: Google Workspace Updates
FBI Warns of Fake FIFA World Cup 2026 Websites Stealing Fan Data and Money
The FBI issued an alert warning that at least 36 fraudulent domains are spoofing FIFA’s official website ahead of the 2026 World Cup, which opens June 11 in Mexico City. The fake sites sell counterfeit tickets, hospitality packages, and merchandise while harvesting personal and financial data. One sophisticated campaign, GHOST STADIUM, is attributed to a Chinese-speaking financially motivated operator running more than 300 fraudulent domains using typosquatting techniques. The FBI recommends typing “www.fifa.com” directly into the browser rather than using search engine results. Source: BleepingComputer
Oracle Launches Monthly Critical Security Patch Updates Starting May 28
Oracle began delivering monthly Critical Security Patch Updates (CSPUs) on May 28, 2026, supplementing its existing quarterly CPU schedule. The first CSPU covers 35 new vulnerabilities across products including Apache Kafka, ActiveMQ, Tomcat, ZooKeeper, MySQL, and Apache HTTP Server. Monthly releases will follow on the third Tuesday of each month. Oracle cited accelerating AI-assisted vulnerability discovery as the primary driver for the faster patching cadence. Source: Oracle Security Blog
FortiClient EMS CVE-2026-35616 Exploited to Deliver EKZ Infostealer Disguised as Patch
Arctic Wolf researchers confirmed that threat actors are actively exploiting the FortiClient EMS vulnerability CVE-2026-35616 (CVSS 9.1) to deliver the EKZ Infostealer disguised as a legitimate Fortinet endpoint patch. The credential stealer extracts saved passwords and session data from Chrome and Firefox, executing silently via PowerShell on endpoints managed by the affected EMS platform. Fortinet released hotfixes for versions 7.4.5 and 7.4.6 in April; unpatched deployments remain exposed to active exploitation. Source: SecurityWeek