Security Solutions Team

CISO Daily Digest: ShinyHunters Second Wave; TCLBANKER Banking Trojan Targets WhatsApp (20260509)

ShinyHunters second attack on Instructure, TCLBANKER banking trojan spreads via WhatsApp, Russia's secret hacker school exposed, and cPanel vulnerabilities disclosed.

Banking Trojan Data Breach Threat Intelligence Vulnerability

ShinyHunters Claims Second Attack on Instructure, Deepening the Canvas Crisis

The ShinyHunters threat group has claimed a second attack against Instructure, the developer of the Canvas LMS platform used by thousands of educational institutions. Following the initial breach that disrupted schools nationwide, this second wave of attacks suggests persistent access to Instructure's infrastructure. Educational institutions should prepare for extended service disruptions and potential data exposure as investigations continue.

🔗 Reference: Dark Reading

Active Threats & Vulnerabilities

📌 TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp

A new banking trojan named TCLBANKER is actively targeting financial platforms and spreading through WhatsApp messages. The trojan intercepts SMS-based two-factor authentication codes and steals banking credentials, primarily targeting users in Asia-Pacific regions. It poses as legitimate banking notifications.

🔗 Reference: The Hacker News

📌 Inside Department 4: Russia's Secret School for Hackers Revealed

An investigation has revealed the inner workings of Russia's 'Department 4', a secret government program training elite offensive cyber operatives. The program recruits from technical universities and provides advanced training in vulnerability research, exploit development, and operational security for state-sponsored cyber operations targeting critical infrastructure globally.

🔗 Reference: Bitdefender

📌 cPanel and WHM Release Fixes for Three New Vulnerabilities

cPanel and Web Host Manager have released patches for three newly discovered vulnerabilities affecting their hosting management platforms. System administrators are urged to patch immediately as the flaws could allow privilege escalation and unauthorized access to hosting environments.

🔗 Reference: The Hacker News

📌 Fake Call History Apps on Google Play Defraud 7.3 Million Users

Fraudulent call history apps on Google Play have defrauded 7.3 million users by tricking them into premium service subscriptions. The apps requested extensive permissions and processed unauthorized recurring payments, highlighting the ongoing risk of malicious applications in official app stores.

🔗 Reference: The Hacker News

📌 Quasar Linux RAT Steals Developer Credentials for Supply Chain Attacks

A Linux variant of the Quasar RAT is actively targeting software developers to steal credentials for launching supply chain attacks. The malware captures IDE tokens, SSH keys, and source code repository access credentials, enabling attackers to inject malicious code into trusted repositories.

🔗 Reference: The Hacker News

📌 One Missed Threat Per Week: 25M Alerts Reveal Prioritization Gaps

Analysis of 25 million security alerts across multiple organizations reveals that security teams miss an average of one significant threat per week due to alert fatigue and poor prioritization of low-severity findings, underscoring the need for AI-assisted triage.

🔗 Reference: The Hacker News

How Can OPSWAT Help

The TCLBANKER banking trojan spreading through WhatsApp and the Fake Call History apps demonstrate the growing threat of credential theft via mobile channels. MetaDefender Email Security and Mobile Threat Defense detect and block phishing attempts and malicious apps before they reach end users.