🔐 **Weekly Cybersecurity Recap: Qualcomm 0-Day, iOS Exploit Chains, AirSnitch Attack & AI-Coded Malware**
Another week in cybersecurity — and another reminder that the threat landscape never slows down.


Attackers continued evolving their tactics while defenders raced to patch vulnerabilities and disrupt cybercrime infrastructure. This week brought **major takedowns, new exploit kits, critical vulnerabilities, and emerging AI-driven malware trends.** Here’s a professional breakdown of the developments that mattered most.

⚡ **Threat of the Week**


**Tycoon2FA & LeakBase Infrastructure Dismantled**


A joint operation by international law enforcement agencies and cybersecurity firms has successfully dismantled infrastructure tied to **Tycoon2FA**, one of the world’s largest adversary-in-the-middle (AitM) phishing platforms.


Tycoon2FA enabled attackers to bypass multi-factor authentication (MFA) by intercepting login sessions in real time. According to security researchers, the takedown could significantly disrupt MFA credential-phishing campaigns.


Authorities also shut down **LeakBase**, a major underground marketplace used for trading stolen credentials, databases, and cybercrime tools.


While the disruption is significant, experts warn that **cybercrime ecosystems often adapt quickly**, migrating to alternative platforms such as Telegram or other underground forums.


📰 **Top Cybersecurity Developments**


**AI Discovers Firefox Vulnerabilities**


Researchers from **Anthropic** used their Claude Opus 4.6 large language model to identify **22 vulnerabilities in the Mozilla Firefox browser**, including:


• 14 High severity

• 7 Moderate

• 1 Low


All vulnerabilities were patched in **Firefox 148**. The findings highlight how AI is increasingly being used in **vulnerability discovery and defensive security research.**


**Qualcomm Zero-Day Exploited in the Wild**


A high-severity vulnerability affecting **Qualcomm chipsets used in Android devices** is reportedly being exploited.


• **CVE-2026-21385**

• Buffer over-read vulnerability in the graphics component

• Could allow memory corruption and arbitrary code execution


Google confirmed signs of **limited targeted exploitation**.

**Coruna iOS Exploit Kit Targets Older iPhones**


Google disclosed details about a sophisticated exploit kit called **Coruna (CryptoWaters)** targeting iPhones running **iOS 13 – iOS 17.2.1**.


Key details:


• 5 full exploit chains

• 23 separate exploits

• Initially developed by a **commercial surveillance vendor**

• Later used by **Russian espionage groups** and financially motivated cybercriminals targeting crypto wallets


This development suggests a **secondary market for high-end exploit kits**, where tools are reused by different threat actors for varying objectives.

**Transparent Tribe Deploys AI-Generated Malware**


The Pakistan-aligned threat group **Transparent Tribe** has been observed using **AI-assisted coding tools** to generate malware targeting Indian government entities and embassies.


The malware is written in less common programming languages such as:


• Nim

• Zig

• Crystal


Researchers describe this as a shift toward **AI-assisted malware industrialization**, allowing attackers to rapidly produce disposable malware variants designed to evade detection.


🌍 **Geopolitical Cyber Activity**


**Iran-Linked Hackers Target U.S. and Israeli Organizations**


The Iranian threat group **MuddyWater** launched campaigns targeting banks, airports, non-profits, and technology companies in the United States.


At the same time, another campaign distributed a **trojanized version of Israel’s Red Alert rocket warning app**, collecting sensitive data such as:


• SMS messages

• Contacts

• Location data

• Installed applications


The activity highlights how **cyber operations increasingly escalate alongside geopolitical tensions.**

🔥 **Trending Vulnerabilities (Patch Immediately)**


Security teams should prioritize patching these high-risk vulnerabilities:


• CVE-2026-2796 — Mozilla Firefox

• CVE-2026-21385 — Qualcomm

• CVE-2026-2256 — MS-Agent

• CVE-2026-26198 — Ormar

• CVE-2026-27966 — Langflow

• CVE-2026-24009 — Docling

• CVE-2026-23600 — HPE AutoPass License Server

• CVE-2026-20079 — Cisco Secure Firewall Management Center

• CVE-2025-14500 — IceWarp

• CVE-2026-25611 — MongoDB

• CVE-2026-29058 — AVideo

• Remote Code Execution vulnerability in Ghost CMS


The **time between vulnerability disclosure and exploitation continues to shrink**, making rapid patching critical.

📡 **Research Spotlight: AirSnitch Wi-Fi Attack**

Security researchers introduced a new attack technique called **AirSnitch**, capable of bypassing Wi-Fi client isolation protections.

The attack works by exploiting weaknesses in how networks handle shared group keys and packet forwarding. By manipulating these mechanisms, attackers can **restore man-in-the-middle (MitM) capabilities even on networks with client isolation enabled.**

📊 **Zero-Day Exploitation Trends**

Google reported **90 zero-day vulnerabilities exploited in the wild during 2025**, revealing several key trends:

• Nearly **50% targeted enterprise technologies**

• **Commercial spyware vendors** exploited more zero-days than nation-state actors

• Memory-safety issues accounted for **35% of vulnerabilities**


Top affected vendors included Microsoft, Google, Apple, Cisco, and Fortinet.

🛠 **Cybersecurity Tools Worth Exploring**

**DetectFlow**

An open-source detection pipeline that analyzes streaming log data in real time using Sigma rules, Apache Kafka, and Flink before events reach a SIEM.


**ADTrapper**

An open-source platform designed to detect threats in Windows Active Directory authentication logs using more than **50 built-in detection rules**.


*(For research and educational purposes. Always review code and test in isolated environments before production use.)*
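Both tools above boil down to the same idea: apply rule-based detections to a stream of log events before (or instead of) a SIEM. As an added illustration, not code from DetectFlow or ADTrapper, the following Python evaluates a small Sigma-style rule over a handful of constructed Windows Security events. The rule itself, the event records, the usernames and the IP addresses are all invented for this example; only the rule shape (a `logsource`, named detection maps with `|startswith`-style field modifiers, and a `condition` that combines them with `and`/`or`/`not`) follows the real Sigma format. The condition is evaluated with a tiny recursive-descent parser rather than `eval`, since rule files are untrusted input to a detection pipeline.

```python
"""Toy Sigma-style rule evaluator run over constructed Windows auth events (example only)."""
from collections import Counter

# Hypothetical rule written for this post, as a dict so no YAML parser is needed.
# Field names follow the Windows Security log (Event 4625 = failed logon).
RULE = {
    "title": "Failed network logons from a non-loopback source (example)",
    "logsource": {"product": "windows", "service": "security"},
    "detection": {
        "selection": {
            "EventID": 4625,
            "LogonType": [3, 10],           # network / RemoteInteractive (OR within a list)
        },
        "filter": {
            "IpAddress|startswith": "127.",  # ignore loopback noise
        },
        "condition": "selection and not filter",
    },
}

# Constructed sample events; 203.0.113.0/24 is a documentation range, not a real host.
EVENTS = [
    {"EventID": 4625, "LogonType": 3,  "TargetUserName": "alice", "IpAddress": "203.0.113.7"},
    {"EventID": 4625, "LogonType": 3,  "TargetUserName": "bob",   "IpAddress": "203.0.113.7"},
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "carol", "IpAddress": "203.0.113.7"},
    {"EventID": 4625, "LogonType": 2,  "TargetUserName": "dave",  "IpAddress": "-"},           # interactive: wrong LogonType
    {"EventID": 4625, "LogonType": 3,  "TargetUserName": "svc",   "IpAddress": "127.0.0.1"},   # loopback: removed by filter
    {"EventID": 4624, "LogonType": 3,  "TargetUserName": "alice", "IpAddress": "203.0.113.7"}, # successful logon, not 4625
]


def _match_value(actual, expected, modifier):
    """Sigma string matching is case-insensitive; a missing field never matches."""
    if actual is None:
        return False
    a, e = str(actual).lower(), str(expected).lower()
    if modifier is None:
        return a == e
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    raise ValueError(f"unsupported modifier: {modifier}")


def match_block(event, block):
    """Every key in a detection map must match (AND); a list value matches any element (OR)."""
    for key, expected in block.items():
        field, _, modifier = key.partition("|")
        candidates = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(event.get(field), c, modifier or None) for c in candidates):
            return False
    return True


def _parse_condition(tokens, names):
    """Evaluate 'a and not b or (c)' over already-computed block results without eval()."""
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def primary():
        tok = take()
        if tok == "(":
            value = expr_or()
            if take() != ")":
                raise ValueError("expected ')' in condition")
            return value
        if tok == "not":
            return not primary()
        if tok in names:
            return names[tok]
        raise ValueError(f"unknown identifier in condition: {tok!r}")

    def expr_and():
        value = primary()
        while peek() == "and":
            take()
            rhs = primary()
            value = value and rhs
        return value

    def expr_or():
        value = expr_and()
        while peek() == "or":
            take()
            rhs = expr_and()
            value = value or rhs
        return value

    result = expr_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in condition")
    return result


def evaluate(rule, event):
    """True if the event satisfies the rule's condition."""
    det = rule["detection"]
    names = {k: match_block(event, v) for k, v in det.items() if k != "condition"}
    tokens = det["condition"].replace("(", " ( ").replace(")", " ) ").split()
    return _parse_condition(tokens, names)


def run(rule, events):
    """Return the events that match, in stream order."""
    return [e for e in events if evaluate(rule, e)]


def count_by_source(matches):
    """Aggregate matches per source address, the usual next step before alerting on a threshold."""
    return Counter(e["IpAddress"] for e in matches)


if __name__ == "__main__":
    hits = run(RULE, EVENTS)
    print(f"{RULE['title']}: {len(hits)} hit(s)")
    for src, n in count_by_source(hits).items():
        print(f"  {src}: {n} failed network logon(s)")
```

Running it flags three of the six constructed events, all from the same source address; the interactive failure, the loopback failure and the successful logon fall out of the condition for different reasons, which is the kind of behaviour worth unit-testing before a rule set goes anywhere near production traffic.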

📉 **Ransomware Trends**


Despite a rise in attacks, **ransomware payments dropped by 8% in 2025**, totaling approximately **$820 million**.


However:


• Median ransom payments increased **368%**

• Average payments reached **$60,000**

• More organizations are **refusing to pay ransom demands**


Attackers are increasingly focusing on **data theft and long-term access** rather than immediate encryption attacks.

🧠 **Final Thoughts**


This week delivered a familiar mix of progress and new challenges:


✔ Major phishing infrastructure dismantled

✔ AI assisting vulnerability discovery

⚠ More zero-day exploits in the wild

⚠ AI accelerating malware development


Cybersecurity remains a constant race between innovation and exploitation.


**Patch early. Monitor continuously. Trust nothing by default.**


Stay secure — and think twice before clicking that link.


#CyberSecurity #Infosec #ThreatIntelligence #CyberThreats #SecurityNews #Hacking #ZeroDay #Ransomware