
☀️ Good morning. Here's everything that happened in cybersecurity yesterday — in under 5 minutes.

A disgruntled researcher just leaked three Microsoft Defender zero-days and two remain unpatched, AI voice agents are now automating phone scams at scale, Tycoon 2FA's takedown pushed phishers to an even harder-to-detect attack method, a sanctioned crypto exchange collapsed after a $13.7M surgical hack, and the US Coast Guard just made maritime cybersecurity mandatory.

🔥 Top Stories

01 — Three Microsoft Defender Zero-Days Leaked by a Disgruntled Researcher — Two Still Unpatched

Vulnerabilities

A security researcher operating as "Chaotic Eclipse" publicly released proof-of-concept code for three critical Defender zero-days after a dispute with Microsoft's bug bounty program — reportedly claiming Microsoft "ruined my life" over severity and payout disagreements. The result: a ready-made attack toolkit now circulating among ransomware groups.

The three flaws — RedSun, BlueHammer, and UnDefend — target the core Defender engine. RedSun escalates local privileges to SYSTEM by tricking Defender into restoring a malicious file from quarantine. BlueHammer is a remote code execution flaw in the network inspection driver — potentially zero-click if a user visits a compromised website. UnDefend silently disables Tamper Protection so malware can persist undetected. Microsoft patched UnDefend in an out-of-band update. RedSun and BlueHammer remain unpatched as of this morning.

02 — AI Voice Agents Are Now Automating Phone Scams at Scale — Meet ATHR

Artificial Intelligence

ATHR is a new Vishing-as-a-Service platform that uses high-fidelity AI voice clones to conduct fully automated credential theft calls — no human operator required. The attack model: send a fake "unauthorized login" or "subscription renewal" alert, list a customer service number, and connect victims to an AI agent that holds a convincing real-time conversation before asking them to "verify" by reading their OTP out loud.

The AI voices include realistic stammers, breathing patterns, and professional customer service cadence. Targeted platforms include Google, Microsoft, and major crypto exchanges. The attack bypasses SMS and voice-based MFA by design — there's no technical defense if the victim reads the code aloud. The only reliable counter is FIDO2 hardware keys or passkeys, which generate no readable code to steal.

03 — Tycoon 2FA Is Down — But Its Replacement Is Harder to Detect

Digital Identity

Europol and Microsoft disrupted the Tycoon 2FA phishing-as-a-service infrastructure — but depriving thousands of criminal affiliates of their primary toolkit has had an unintended consequence. They've migrated to Device Code Phishing, a technique that exploits a legitimate Microsoft authentication flow intended for smart TVs and printers.

The attack: send a victim a message asking them to "verify their device" by visiting microsoft.com/devicelogin and entering a code. Because the URL is real, it passes every email security filter and browser warning. When the victim enters the code, the attacker's device receives a persistent OAuth token — bypassing MFA entirely and remaining valid until manually revoked. Fix: disable Device Code Flow in Entra ID Conditional Access for any user who doesn't need it.
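As an added example (not from the newsletter), the two defender-side pieces of that fix: a check over Entra ID sign-in log records for device code flow sign-ins from apps that should never use it, and the Conditional Access policy body that blocks the flow. The log records are constructed samples, the field names follow the Microsoft Graph signIn and conditionalAccessPolicy resources as I know them (verify against current docs), and the allowed-app set and group id are placeholders.

```python
"""Device Code Flow: detection over sign-in logs plus the blocking CA policy.
Added example, not the newsletter's own code. Sample records are constructed."""
import json

# Constructed records in the shape of Graph /auditLogs/signIns entries.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "none", "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7"},
    {"userPrincipalName": "carol@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.44"},
]

# Apps where device code use is expected (CLI tooling); anything else is suspect.
# Placeholder set: replace with what your tenant actually uses.
EXPECTED_DEVICE_CODE_APPS = {"Microsoft Azure CLI"}


def find_device_code_signins(signins, expected_apps=EXPECTED_DEVICE_CODE_APPS):
    """Return sign-ins that used the device code flow from an unexpected app."""
    hits = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        if s.get("appDisplayName") in expected_apps:
            continue
        hits.append({"user": s["userPrincipalName"], "app": s["appDisplayName"],
                     "ip": s["ipAddress"]})
    return hits


def block_device_code_policy(excluded_group_ids=()):
    """Policy body for POST /identity/conditionalAccess/policies.
    Starts in report-only mode so the impact can be reviewed before enforcing."""
    return {
        "displayName": "Block device code flow",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(excluded_group_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    for hit in find_device_code_signins(SAMPLE_SIGNINS):
        print("device code sign-in from unexpected app:", hit)
    print(json.dumps(block_device_code_policy(["<break-glass-group-id>"]), indent=2))
```

Switch `state` to `enabled` once the report-only results show only the accounts you expect.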

04 — Sanctioned Crypto Exchange Grinex Collapses After $13.7M Surgical Hack

Cyber Crime

Grinex — a Russia-linked cryptocurrency exchange already blacklisted for sanctions evasion and money laundering — has permanently suspended operations after attackers drained $13.74 million from its hot wallets in minutes. Blockchain analytics from Elliptic and Chainalysis traced the funds through peeling chains and decentralized mixers immediately after withdrawal — a hallmark of sophisticated APT-level execution.

Grinex leadership is blaming "foreign intelligence services." Whether true or not, the operational reality is stark: because Grinex was sanctioned, it has zero legal recourse. International law enforcement won't assist. Major exchanges automatically freeze any linked addresses. The target was chosen precisely because it had no shield. A cautionary reminder that operating in regulatory grey zones doesn't protect you from attackers — it eliminates your ability to respond.

05 — US Coast Guard Maritime Cybersecurity Rules Are Now Mandatory — No More Grace Period

Policy & Government

The US Coast Guard's 2026 Maritime Cybersecurity final rule has crossed from guidance into enforcement. Vessel owners and port operators must now submit approved Cybersecurity Plans, designate a qualified Cybersecurity Officer, immediately report incidents to the National Response Center and CISA, and enforce MFA and logging on all remote access to critical shipboard systems.

The regulation explicitly targets IT/OT convergence — vessels connected via Starlink and other satellite links have dramatically expanded attack surfaces that legacy security models don't cover. The USCG's enforcement posture is clear: non-compliance risks vessel detentions and revocation of facility security certificates. For maritime tech vendors and logistics firms operating in US waters, voluntary compliance is over.

📊 By The Numbers

  • 2 — Microsoft Defender zero-days still unpatched as of this morning — RedSun and BlueHammer

  • $13.74M — Drained from Grinex's hot wallets in a surgical attack lasting minutes

  • 0 — Human operators required to run ATHR's AI vishing platform at scale

  • £5.9M — Financial fraud linked to Tycoon 2FA infrastructure prosecuted in the UK

⚡ The Signal

Three of today’s five stories are about the same thing dressed differently: attackers exploiting legitimate systems, legitimate features, and legitimate institutions.

Defender zero-days turn your antivirus into the attack vector. Device Code Phishing uses Microsoft's own authentication URL. ATHR uses real VoIP infrastructure and convincing AI voices — no fake domain required. Grinex was breached via a compromised internal credential, not a perimeter break. The Coast Guard mandate exists because maritime OT is legitimately connected to the internet via satellite and nobody was treating that connection as a security boundary.

The pattern that runs through all of it: the most dangerous attack is the one that arrives wearing the credentials, voice, or URL of something you already trust. The arms race in 2026 isn't about sophistication — it's about legitimacy. Attackers who look legitimate win. Defenders who verify everything, regardless of how legitimate it looks, survive.

🔍 What You May Have Missed

  • Nexcorium — a new Mirai variant — is hijacking DVRs for DDoS — The campaign exploits CVE-2024-3721, an RCE flaw in TBK-brand surveillance DVRs, to silently enroll devices into a DDoS botnet — no password brute-forcing required. If your enterprise deploys surveillance cameras or DVRs on a flat network, check the vendor and firmware version.

  • FISA Section 702's 10-day extension is ticking — Congress kicked the surveillance reauthorization down the road again. The window closes this week — watch for either a clean renewal, a lapse, or another short-term extension with mounting compliance implications for managed service providers.

  • Operation PowerOFF's 75,000 DDoS users are being pursued — Following last week's takedown, law enforcement is actively using recovered platform databases to send legal notices and warnings to identified users. If you've been a repeat DDoS target, victim notifications may be incoming.

📅 What to Watch

  • Microsoft Defender RedSun and BlueHammer patches — two critical zero-days remain unpatched; watch for an emergency out-of-band update this week

  • FISA 702 expiration — 10-day extension ends this week; a lapse shifts early-warning threat intelligence entirely to the private sector

  • ATHR vishing proliferation — now that the platform is documented, watch for rapid adoption by lower-skilled criminal groups using the same VoIP/Asterisk infrastructure

  • Coast Guard enforcement actions — first vessel detentions or certificate revocations under the new maritime cybersecurity rules will set the compliance tone for the entire sector

Stay sharp. Stay ahead.

Till next time,

The CyberSignal Team

Our Sponsor

Every headline satisfies an opinion. Except ours.

Remember when the news was about what happened, not how to feel about it? 1440's Daily Digest is bringing that back. Every morning, they sift through 100+ sources to deliver a concise, unbiased briefing — no pundits, no paywalls, no politics. Just the facts, all in five minutes. For free.
