62,289 devices have been infected with Millenium RAT 4.* versions, according to Group-IB. It is a striking tally that foregrounds this week’s theme: small, permitted actions becoming decisive entry points.
Millenium RAT: architecture shift, pricing, and scope
Group-IB reports that Millenium RAT has moved from .NET to native C++ while continuing to use the Telegram Bot API for command-and-control. The malware is offered as malware-as-a-service (MaaS) by a developer known as ShinyEnigma at a price of $50 for the first month, $10 for subsequent months, or $90 for a lifetime purchase. Campaigns attributed to a cluster codenamed Y2K Operators — active since May 2025 — rely on social engineering to trick victims into executing payloads disguised as legitimate or cracked software. As of the reporting, 62,289 devices were infected with Millenium RAT 4.*; more than 16,000 of those infections occurred in March 2026 alone. Group-IB also noted a tactic where attackers backdoor popular RATs, builders, and exploit kits and then redistribute them so that would-be criminals download an already-compromised tool.
BlueHammer (CVE-2026-33825): a Defender zero-day weaponized in ransomware
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed that the Microsoft Defender vulnerability tracked as BlueHammer (CVE-2026-33825) — first disclosed in April 2026 by an anonymous researcher named Chaotic Eclipse (aka Nightmare-Eclipse) — was exploited in ransomware attacks. The available reporting does not identify which ransomware group exploited the flaw.
Claude Cowork sandbox escape: Armadin’s chain and Anthropic’s stance
Security research from Armadin found an attack chain affecting Claude Cowork on Windows that lets an attacker with existing local code execution plant a malicious file inside Claude Desktop's application directory and hijack a trusted process to reach the underlying VM service. Armadin said, "An attacker with local code execution could run arbitrary commands as root in Claude Cowork's sandbox without network egress restrictions." The exploit leverages two unvalidated parameters in the service interface to bypass network filtering and run root-level commands, enabling sensitive-data exfiltration to attacker-controlled infrastructure. Armadin disclosed the findings responsibly on May 29, 2026. Anthropic responded that it does not consider the issue a security vulnerability because successful exploitation requires pre-existing local code execution on the host.
Stolen AI compute and LLMjacking: misconfigured Ollama used as an offensive reasoning engine
Sysdig documented a case where a misconfigured Ollama model server was abused as the reasoning engine for an automated offensive-security pipeline called the VAPT framework. According to Sysdig, the actor wired access to the AI tool into a software pipeline that scans a target, matches it to known vulnerabilities, writes proof-of-concept exploits, and attempts intrusions — with the model making the decisions at every step. "The actor was not chatting with the model or reselling access," said Sysdig's Michael Clark. The account illustrates a variant of LLMjacking in which stolen or misconfigured LLM infrastructure is embedded into attack automation rather than used for simple chat or resale.
Apple Hide My Email, platform-aware phishing, and hijacked browser extensions
Tyler Murphy reported a vulnerability in Apple’s Hide My Email service that he said can unmask users' real addresses; Murphy told 404 Media he reported the issue to Apple over a year ago and that it remained unpatched, adding, "We don't know the full scope of the issue, but in our limited tests with volunteers, 100% of Hide My Email addresses were exploitable." Details were withheld to avoid enabling exploitation.
At the same time, Cofense described a shift toward platform-aware phishing that fingerprints victims by User-Agent and selectively delivers Windows-focused RATs — such as Itarian or ConnectWise via a Ninite Loader — while serving credential-harvesting pages to macOS and Android visitors. Microsoft also said it discovered and flagged a malicious Chromium extension impersonating Perplexity AI, "Search for Perplexity ai" (ID: flkebkiofojicogddingbdmcmkpbplcd), which attracted about 10,000 installs before Google removed it. Microsoft assessed the extension’s aim as search traffic interception and data collection, using Manifest Version 3 and declarativeNetRequest rules to transparently intercept Omnibox queries while preserving the appearance of legitimate results.
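A defender-side audit for the extension behaviour described above, as an added example that is not code from Microsoft or from the article: it walks a Chromium profile's `Extensions/<id>/<version>/` tree, flags the reported extension ID, and flags any Manifest V3 extension whose static declarativeNetRequest rules redirect top-level navigations. The function names, the "redirect on main_frame" heuristic and the sample extension built in `demo()` are assumptions made for illustration.

```python
import json, tempfile
from pathlib import Path

REPORTED_ID = "flkebkiofojicogddingbdmcmkpbplcd"  # ID quoted in the article

def load_json(path: Path):  # returns None if the file is missing or malformed
    try:
        return json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None

def redirect_rules(version_dir: Path, manifest: dict) -> list:
    """Static declarativeNetRequest rules that redirect top-level navigations."""
    hits = []
    for res in (manifest.get("declarative_net_request") or {}).get("rule_resources", []):
        rules = load_json(version_dir / str(res.get("path", "")).lstrip("/"))
        for rule in rules if isinstance(rules, list) else []:
            action, cond = rule.get("action") or {}, rule.get("condition") or {}
            if action.get("type") == "redirect" and "main_frame" in cond.get("resourceTypes", []):
                hits.append(rule)
    return hits

def audit_extensions(root: Path) -> list:
    """Scan <root>/<extension id>/<version>/manifest.json for suspect extensions."""
    findings = []
    for mpath in sorted(root.glob("*/*/manifest.json")):
        ext_id, manifest = mpath.parent.parent.name, load_json(mpath)
        if not isinstance(manifest, dict):
            continue
        rules = redirect_rules(mpath.parent, manifest) if manifest.get("manifest_version") == 3 else []
        if ext_id == REPORTED_ID or rules:
            findings.append({"id": ext_id, "name": manifest.get("name"),
                             "reported_id": ext_id == REPORTED_ID,
                             "redirect_rule_ids": [r.get("id") for r in rules]})
    return findings

def demo() -> list:
    """Audit a constructed (not real) extension tree built in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        ext = Path(tmp) / ("a" * 32) / "1.0_0"  # constructed extension ID
        ext.mkdir(parents=True)
        (ext / "manifest.json").write_text(json.dumps({
            "manifest_version": 3, "name": "Constructed sample",
            "declarative_net_request": {"rule_resources": [{"id": "r", "enabled": True, "path": "rules.json"}]}}))
        (ext / "rules.json").write_text(json.dumps([
            {"id": 1, "action": {"type": "redirect", "redirect": {"url": "https://search.example/"}},
             "condition": {"urlFilter": "||example.com/search", "resourceTypes": ["main_frame"]}},
            {"id": 2, "action": {"type": "block"}, "condition": {"urlFilter": "ads"}}]))
        return audit_extensions(Path(tmp))
```

A hit is a lead for manual review, not a verdict: legitimate extensions also ship redirect rules, and rules an extension registers at runtime do not appear in its static rule files.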
Browsers and toolmakers are responding: Opera announced Paste Protect to detect clipboard-rewrite attacks and warn users before harmful clipboard content can be executed, while Microsoft introduced "smarter bot protection" for Teams to identify and gate external meeting bots and plans to retire the existing CAPTCHA experience.
What this means for technologists, policymakers, and end users
- Technologists and security teams: watch for trusted-but-exposed paths — misconfigured model servers, unvalidated service parameters, and browser extension capabilities — because attackers are wiring legitimate tools into attack pipelines or abusing small permissions to pivot to larger compromises.
- Policymakers and enforcement bodies: risk and response are visible in contemporaneous actions — the State Department offering rewards up to $10 million for information on actors linked to UNC5792 and UNC4221, and the FTC fining Amazon $2.25 million over handling of identity-theft victims — underscoring that operational compromises and consumer harms are drawing regulatory attention.
- End users and small businesses: phishing remains a high-probability vector, from law-enforcement impersonation emails that drop ransomware via Proton Drive-hosted archives to Gmail-based credential-harvesting campaigns that impersonate account alerts. Vigilance about unexpected archives, credential prompts, and copied clipboard content remains essential.
"The loud part is the breach. The useful part is the quiet mistake that made it possible." Small permissions, weak checks, and misconfigured services are the recurring pattern across these incidents. The question left by this week’s thread of reports is concrete: who will treat every side door as an actual door before the next actor walks through it?




