
☀️ Good afternoon. Here's everything that happened in cybersecurity yesterday & today so far — in under 5 minutes.

Today: a ransomware negotiator just pleaded guilty to secretly working for BlackCat, ransomware groups are hiding inside virtual machines your EDR can't see, 22 vulnerabilities in critical OT hardware are exposing hospitals and power grids, Apple's App Store has dozens of crypto-stealing wallet apps, and scammers are using real Apple notifications to hijack accounts.

🔥 Top Stories

01 — A Ransomware Negotiator Was Secretly Working for BlackCat the Whole Time

Fraud

Pavel Goldberg — a Florida-based professional ransomware negotiator — has pleaded guilty to conspiracy to commit computer fraud and extortion after admitting he was a double agent for BlackCat/ALPHV. His role: sit across from victimized companies as their trusted negotiator, then feed their insurance limits, financial liquidity, and critical data locations back to the attackers to maximize the ransom. He coached BlackCat on how to respond to his own negotiation tactics to justify a higher final payout — and took a commission on the difference.

He's the third US-based cybersecurity professional to plead guilty in the same BlackCat insider ring. The DOJ has seized over $10 million in linked cryptocurrency. The quote from prosecutors: "These individuals were the firefighters who were secretly pouring gasoline on the buildings they were paid to save." The incident response industry has a vetting problem.

02 — Ransomware Groups Are Now Hiding Inside Virtual Machines Your EDR Can't See

Enterprise Infrastructure

Ransomware operators are deploying QEMU — a legitimate open-source hypervisor — on compromised hosts to run their entire attack inside a virtual machine that is invisible to endpoint security. The host's EDR sees only a trusted virtualization process. Inside the VM, attackers run scanning tools, exfiltrate data, and encrypt host files via mounted network shares — fully unmonitored.

The technique was observed in campaigns by the "Payouts King" ransomware group and mirrors previous VM-in-VM tactics used by Ragnar Locker. QEMU is a signed, legitimate tool common in developer environments — blocking it outright disrupts normal operations. The only reliable counter is behavioral monitoring of legitimate tools and immutable off-site backups. If your defense is "detect the malware," this technique beats it.
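The behavioral-monitoring counter described above can be turned into a concrete triage rule. The following is an added example, not code from the newsletter or from any vendor: it reads process-creation records (field names are loosely borrowed from Sysmon Event ID 1 and are an assumption of this script), keeps only QEMU launches, and scores each one on a handful of indicators that separate a developer's interactive VM from a headless, network-exposed guest started from a scratch directory by an account that should never run a hypervisor. The allow-lists and the sample events are constructed for the demonstration and would be replaced with site policy and real telemetry.

```python
"""Triage process-creation events for headless or network-exposed QEMU launches.

Added example (not from the newsletter or any vendor). Each record is a dict with
EventId / Image / CommandLine / User keys, an assumed shape modelled on Sysmon
Event ID 1. QEMU is scored rather than blocked so developer use stays possible.
"""
import shlex

# Assumed site policy: approved install paths, approved VM users, scratch dirs.
TRUSTED_QEMU_DIRS = ("c:/program files/qemu/", "/usr/bin/", "/usr/libexec/")
ALLOWED_VM_USERS = {"corp\\dev.alice", "corp\\dev.bob"}
SCRATCH_DIRS = ("c:/users/public/", "c:/programdata/", "c:/windows/temp/", "/tmp/", "/dev/shm/")
FLAG_THRESHOLD = 2  # number of indicators that turns a launch into a finding


def _norm(path):
    """Lower-case, forward-slash, unquoted form so one prefix list covers Windows and Linux."""
    return path.strip('"').replace("\\", "/").lower()


def _under(path, prefixes):
    return any(_norm(path).startswith(p) for p in prefixes)


def _scratch(path):
    """Scratch or world-writable location, including per-user temp on Windows."""
    return _under(path, SCRATCH_DIRS) or "/appdata/local/temp/" in _norm(path)


def _tokens(cmdline):
    # posix=False keeps Windows backslashes intact instead of treating them as escapes
    return shlex.split(cmdline, posix=False)


def _headless(tokens):
    """No console attached: -nographic, -daemonize, or -display none."""
    if "-nographic" in tokens or "-daemonize" in tokens:
        return True
    return any(t == "-display" and tokens[i + 1].lower() == "none"
               for i, t in enumerate(tokens[:-1]))


def _guest_network_exposed(tokens):
    """user-mode hostfwd, tap or bridge backends give the guest reach beyond the host."""
    for i, t in enumerate(tokens[:-1]):
        if t == "-netdev":
            opts = tokens[i + 1].lower()
            if "hostfwd=" in opts or opts.startswith(("tap,", "bridge,")):
                return True
    return False


def _disk_images(tokens):
    """Guest disk paths from -hda/-hdb/-cdrom and -drive file=..."""
    images = []
    for i, t in enumerate(tokens[:-1]):
        if t in ("-hda", "-hdb", "-cdrom"):
            images.append(tokens[i + 1])
        elif t == "-drive":
            images += [kv[5:] for kv in tokens[i + 1].split(",") if kv.lower().startswith("file=")]
    return images


def score_event(event):
    """Finding dict for a QEMU launch (score may be 0), or None if the process is not QEMU."""
    if not _norm(event["Image"]).rsplit("/", 1)[-1].startswith("qemu"):
        return None
    tokens = _tokens(event["CommandLine"])
    reasons = []
    if not _under(event["Image"], TRUSTED_QEMU_DIRS):
        reasons.append("qemu binary outside approved install paths")
    if _headless(tokens):
        reasons.append("headless launch (no console)")
    if _guest_network_exposed(tokens):
        reasons.append("guest network exposed to host/LAN")
    if any(_scratch(img) for img in _disk_images(tokens)):
        reasons.append("disk image in scratch/world-writable directory")
    if event["User"].lower() not in ALLOWED_VM_USERS:
        reasons.append("launched by non-approved account " + event["User"])
    return {"event_id": event["EventId"], "score": len(reasons), "reasons": reasons}


def triage(events):
    """Findings at or above FLAG_THRESHOLD, highest score first."""
    found = [f for f in (score_event(e) for e in events) if f and f["score"] >= FLAG_THRESHOLD]
    return sorted(found, key=lambda f: -f["score"])


# Constructed sample telemetry: one developer VM, one suspicious Windows launch,
# one unrelated process, one suspicious Linux launch.
SAMPLE_EVENTS = [
    {"EventId": 1, "User": "CORP\\dev.alice",
     "Image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
     "CommandLine": r'"C:\Program Files\qemu\qemu-system-x86_64.exe" -m 4096 -accel whpx '
                    r'-hda "C:\Users\dev.alice\vms\ubuntu.qcow2" -display sdl'},
    {"EventId": 2, "User": "CORP\\svc-backup",
     "Image": r"C:\ProgramData\q\qemu-system-x86_64.exe",
     "CommandLine": r"C:\ProgramData\q\qemu-system-x86_64.exe -m 2048 -smp 2 -accel whpx "
                    r"-drive file=C:\ProgramData\q\disk.qcow2,format=qcow2 "
                    r"-netdev user,id=n0,hostfwd=tcp::2222-:22 -device e1000,netdev=n0 -display none"},
    {"EventId": 3, "User": "CORP\\dev.bob",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\dev.bob\notes.txt"},
    {"EventId": 4, "User": "root",
     "Image": "/usr/bin/qemu-system-x86_64",
     "CommandLine": "/usr/bin/qemu-system-x86_64 -enable-kvm -m 2048 -nographic "
                    "-drive file=/tmp/.x/vm.img,format=raw -netdev tap,id=n0,ifname=tap0 "
                    "-device virtio-net-pci,netdev=n0"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["event_id"], finding["score"], "; ".join(finding["reasons"]))
```

The developer's interactive VM scores zero and the two headless, network-exposed launches from scratch directories score 5 and 4, so the threshold of two indicators leaves normal developer use alone while surfacing exactly the pattern the story describes. The indicators are deliberately about how QEMU is used, not whether it is present, which is the only kind of rule that survives in an environment where the binary itself is legitimate.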

03 — BRIDGE:BREAK: 22 Vulnerabilities in Serial-to-IP Converters Are Exposing Hospitals and Power Grids

Critical Infrastructure

Forescout's Vedere Labs has disclosed 22 vulnerabilities across widely deployed Serial-to-IP converters — the devices that bridge legacy industrial hardware to modern IP networks in hospitals, power substations, and manufacturing plants. Flaws include unauthenticated RCE, hardcoded credentials, and command injection across devices from Perle, Silex, and Moxa. Over 14,000 are exposed directly to the public internet.

A single malformed packet to a vulnerable Perle device grants a root shell — with direct physical connections to patient monitors, HVAC systems, and substation relays on the other side. CISA has issued advisory ICSA-26-069-02. You cannot patch these quickly — many are in "set-it-and-forget-it" locations. Immediate action: micro-segment these devices off the public internet and general corporate LAN entirely.

04 — Apple's App Store Has Dozens of Crypto-Stealing Wallet Apps — $9.5M Drained from One Victim

Mobile Security

Kaspersky researchers identified at least 26 malicious cryptocurrency wallet apps on the iOS App Store in a coordinated campaign dubbed "FakeWallet." The apps impersonate Ledger, Trezor, Trust Wallet, and MetaMask — using official logos and SEO-optimized descriptions to rank at the top of App Store search results. The attack: prompt users to "sync" their hardware wallet by entering their 24-word seed phrase. Phrase in, funds gone.

On April 14, a fraudulent Ledger Live app drained $9.5 million from a single victim. The campaign uses a bait-and-switch: submit a benign utility app for review, pass inspection, then push server-side updates that activate the credential-stealing interface. Apple has initiated a crackdown, but the reactive nature of removals means weeks of exposure. The rule remains: a legitimate wallet app will never ask for your seed phrase. Ever.

05 — Scammers Are Triggering Real Apple Notifications to Hijack Your Account

Vishing

A campaign documented by Malwarebytes is abusing Apple's own account recovery infrastructure to bombard users with dozens of legitimate "password reset" prompts — real notifications from Apple servers. Once the victim is overwhelmed and panicked, they receive a spoofed phone call from "Apple Support" referencing the active alerts. Because the alerts are real, the call feels real. The "representative" then asks for a one-time verification code — which hands over full Apple ID control.

This is MFA fatigue applied to Apple's notification system. Because the alerts are genuine system-level notifications, they can't be filtered as phishing. The only defense: if you receive a barrage of Apple alerts, do not interact with any incoming calls. Manually navigate to appleid.apple.com on a separate device. Apple will never call you to ask for a verification code.

📊 By The Numbers

  • 3 — US-based cybersecurity professionals who pleaded guilty to working for BlackCat/ALPHV

  • $10M — Cryptocurrency seized by the DOJ linked to the BlackCat insider ring

  • 26 — Malicious crypto wallet apps discovered on Apple's official iOS App Store

  • $9.5M — Drained from a single victim via a fake Ledger Live App Store app

  • 14,000 — Serial-to-IP converter devices exposed directly to the public internet via BRIDGE:BREAK

⚡ The Signal

Every story today is a variation of the same attack: the threat arrived wearing something legitimate.

A professional negotiator with authorized access. A signed, legitimate hypervisor running inside your perimeter. A real Apple notification from genuine servers. An App Store app with official logos and positive reviews. Hardware devices designed for connectivity and trusted for decades.

None of it was fake at the surface level. The negotiator had real credentials. QEMU is a real tool. The Apple alerts were really from Apple. The apps passed real review. The converters were really deployed by real IT teams. The exploitation in each case happened in the gap between what was real and what was verified.

The consistent lesson from this week: in 2026, legitimacy is the attack surface. What you've already trusted, approved, installed, or hired is where the risk lives. Verification has to happen continuously — not once at onboarding.


📅 What to Watch

  • BlackCat insider network — three guilty pleas so far; watch for further DOJ indictments targeting additional collaborators in the same ring

  • BRIDGE:BREAK patching — 14,000 internet-exposed converters are being actively scanned; watch for CISA escalation and vendor firmware advisories from Perle and Silex

  • Apple App Store FakeWallet — crackdown is reactive, not proactive; watch for new variants resubmitted under different developer accounts

  • QEMU ransomware proliferation — now that the technique is documented, expect rapid adoption by lower-tier ransomware groups; review QEMU presence in your environment today

Stay sharp. Stay ahead.

Till next time,

The CyberSignal Team
