# Today's Top Stories
February 21, 2026
1. SecurityWeek | general | Feb 20 | FBI: $20 Million Losses Caused by 700 ATM Jackpotting Attacks in 2025
FBI reports 700 ATM jackpotting incidents in 2025 resulted in $20 million in losses, with 1,900 total incidents since 2020 using the decade-old Ploutus malware. Attackers physically compromise ATMs to force cash dispensing, representing a significant physical security threat to financial institutions.
2. SecurityWeek | general | Feb 20 | BeyondTrust Vulnerability Exploited in Ransomware Attacks
CISA updated its Known Exploited Vulnerabilities catalog to warn that CVE-2026-1731 in BeyondTrust is being exploited in active ransomware attacks. This represents an escalation from initial vulnerability disclosure to confirmed weaponization by ransomware operators.
3. The Record | threat-intel | Feb 20 | Romanian hacker faces up to 7 years for breaching Oregon emergency management department
Romanian hacker Catalin Dragomir pleaded guilty to breaching Oregon's emergency management department and faces up to 7 years in prison for obtaining information from a protected computer and aggravated identity theft. The case demonstrates continued targeting of critical government infrastructure.
4. The Hacker News | general | Feb 20 | Ukrainian National Sentenced to 5 Years in North Korea IT Worker Fraud Case
Ukrainian national Oleksandr Didenko received 5 years in prison for providing North Korean IT workers with stolen US citizen identities to infiltrate American companies. Didenko pleaded guilty in November 2025 to wire fraud conspiracy and aggravated identity theft in this sophisticated state-sponsored scheme.
5. The Hacker News | general | Feb 20 | Former Google Engineers Indicted Over Trade Secret Transfers to Iran
Three individuals including former Google engineers Samaneh Ghandali and Soroor Ghandali were indicted for allegedly stealing trade secrets from Google and other tech firms and transferring them to unauthorized locations including Iran. The case involves husband Mohammadjavad Khosravi in what appears to be state-sponsored intellectual property theft.
6. The Hacker News | general | Feb 19 | PromptSpy Android Malware Abuses Gemini AI to Automate Recent-Apps Persistence
ESET discovered PromptSpy, the first Android malware to abuse Google's Gemini AI during execution to maintain persistence after device reboots. The malware captures lockscreen data, blocks uninstallation, and takes screenshots while leveraging generative AI to analyze on-screen elements and ensure survival.
7. BleepingComputer | general | Feb 20 | Japanese tech giant Advantest hit by ransomware attack
Japanese semiconductor testing giant Advantest Corporation disclosed a ransomware attack on its corporate network that may have compromised customer and employee data. The incident affects a critical supplier in the global chip manufacturing supply chain.
8. Dark Reading | general | Feb 20 | Attackers Use New Tool to Scan for React2Shell Exposure
Threat actors are using a sophisticated toolkit to scan for React2Shell exposure and target high-value networks for exploitation. Researchers describe the unfortunately named tool as demonstrating high operational sophistication in its targeting approach.
9. CISA Alerts | vulnerability | Feb 20 | CISA Adds Two Known Exploited Vulnerabilities to Catalog
CISA added two Roundcube Webmail vulnerabilities to its Known Exploited Vulnerabilities catalog: CVE-2025-49113 (deserialization flaw) and CVE-2025-68461 (cross-site scripting). Federal agencies must patch these actively exploited vulnerabilities under Binding Operational Directive 22-01.
10. The Hacker News | general | Feb 18 | Grandstream GXP1600 VoIP Phones Exposed to Unauthenticated Remote Code Execution
Critical vulnerability CVE-2026-2329 (CVSS 9.3) in Grandstream GXP1600 VoIP phones allows unauthenticated remote code execution via stack-based buffer overflow. The flaw enables attackers to seize complete control of affected business phone systems without authentication.