Here are today’s top cybersecurity stories for Monday, July 13, 2026.
CISA, NSA, FBI, and Nine Allied Nations Warn of Russian Router Attacks on Critical Infrastructure
A joint advisory co-signed by the NSA, CISA, FBI, and partners from Canada, Australia, the United Kingdom, New Zealand, Estonia, Finland, France, the Czech Republic, and Italy warns that Russian state-sponsored hackers — attributed to FSB Center 16 — are exploiting misconfigured and vulnerable routers to infiltrate critical infrastructure networks worldwide. The advisory, designated AA26-194A, provides router hardening guidance and indicators of compromise. Canadian organizations across energy, water, and transportation sectors are urged to review their router security posture immediately. BleepingComputer
Two Joomla Extensions Hit CISA KEV at Maximum CVSS 10.0 — Federal Patch Deadline Was Today
CISA added two zero-day vulnerabilities in popular Joomla extensions to its Known Exploited Vulnerabilities catalog: CVE-2026-48939 in iCagenda and CVE-2026-56291 in Balbooa Forms, both rated CVSS 10.0. Both flaws allow unauthenticated file upload leading to PHP code execution and full remote code execution. Exploitation of iCagenda has been confirmed since June 15, 2026, in automated attacks. The federal patching deadline for civilian agencies was today, July 13. The Hacker News
MemGhost: A Single Email Injects Persistent False Memories Into AI Agents
Researchers published details of MemGhost, a new attack class that uses a single crafted email to trick an AI agent into writing a false “fact” into its own persistent memory, silently steering its future responses. The attack exploits agents that read untrusted email and write to memory without requiring user confirmation. OpenClaw is identified as the primary vulnerable platform. Researchers warn the fix must be architectural: provenance tagging, user approval before memory writes, and full audit logging of all memory changes. The Hacker News
Misconfigured Server Exposes Three Live Evilginx Phishing Operations Targeting Microsoft 365
A French security firm discovered a Python HTTP server left running with directory listing enabled on a public VPS, exposing the complete toolkit of an active phishing operator. Pivoting through the exposed files revealed three simultaneous campaigns using custom Evilginx reverse proxies to steal Microsoft 365 session cookies and OAuth tokens, bypassing MFA. The firm recovered logs showing 218 compromised corporate mailboxes across a dozen countries between June 2025 and July 2026. The Hacker News
RedHook Android Malware Upgrades to Wireless ADB for Shell Access Without Root
Group-IB researchers documented a significant upgrade to the RedHook Android RAT: the malware now exploits Android Wireless Debugging to pair with its host device over the loopback interface, gaining UID 2000 shell-level privileges without requiring root. The attack chain works on any unrooted device after the malware tricks the user into granting Accessibility Services permission. Once active, RedHook streams the screen, intercepts keystrokes, installs or removes apps silently, and harvests banking credentials. BleepingComputer
Attacker Deploys AI-Generated PowerShell Script to Map Active Directory
Huntress analysts documented an incident in which a threat actor deployed a script titled “100% Working AD Information Gathering Script – FULLY FIXED” to enumerate Active Directory users, computers, groups, and trusts after gaining access via compromised credentials over RDP. The script’s title, unedited placeholder hostname, and verbose commenting point to copy-pasted AI output. The attacker followed up with SharpShares for network share enumeration. AD query bursts remain behaviorally detectable even when the tooling is AI-generated. The Hacker News
Mycelium Framework: First AI-as-a-Service Botnet Monetizes Stolen GPU Power and API Keys
Threat intelligence firm Flare documented Mycelium, the first botnet marketed on underground forums as an AI-as-a-Service platform. Rather than deploying ransomware or DDoS, Mycelium classifies compromised hosts by GPU, CPU, local AI model availability, and stolen API keys, then dynamically routes AI inference workloads, cracking tasks, and exploit development jobs to the most capable nodes. The framework features a C++ core with Windows and Linux paths, pluginized modules, and rootkit components, making organizations with GPU workstations or stored AI API credentials the highest-value targets. CybersecurityNews
Microsoft July 2026 Patch Tuesday Arrives Tomorrow — 127 CVEs and Kerberos RC4 Enforcement
Microsoft’s July 2026 Patch Tuesday drops tomorrow, July 14, with approximately 127 CVEs expected — above every pre-2026 monthly average. One enforcement change arrives with this update: Phase 2 of Kerberos RC4 hardening reaches full enforcement, permanently removing the rollback control from all supported Windows Server domain controllers. Organizations relying on the RC4 safety net must complete testing before tomorrow’s update. Microsoft’s AI-assisted vulnerability discovery program continues to expand monthly patch volumes. Help Net Security
Stay tuned for today’s in-depth analysis posts.






