Exploit Brokers by Forgebound Research
Hey there,
It's Cipherceval — welcome to this week's Hacking News roundup from Exploit Brokers by Forgebound Research. HN Episode 61 just dropped and it's a heavy one. Let's get into it.
Threat Actor
🌐 Shadow Campaigns: 37 Countries Compromised by One Group
Palo Alto Networks' Unit 42 has unveiled a previously undocumented state-backed espionage group — designated TGR-STA-1030 — that compromised at least 70 organizations across 37 countries in a single year. That's roughly one in five nations on Earth breached by a single group. Targets include national law enforcement agencies, finance ministries, and government departments handling trade and diplomacy. They even compromised a nation's parliament.
The attack chains used phishing emails with MEGA-hosted archives deploying the Diaoyu Loader and Cobalt Strike, plus exploitation of Microsoft Exchange, SAP, and Atlassian vulnerabilities. They also developed a custom Linux kernel rootkit called ShadowGuard for persistent, stealthy access. Their activity directly correlated with geopolitical events — ramping up scanning during the US government shutdown and after the Venezuelan president's capture.
🚨 Action: Patch your Exchange, SAP, and Atlassian instances. Be extremely cautious with emails linking to file hosting services.
CVSS Update
🔓 BeyondTrust CVE-2026-1731: CVSS 9.9 Pre-Auth RCE
BeyondTrust has disclosed a critical vulnerability in its Remote Support and Privileged Remote Access products. CVE-2026-1731 scores a CVSS 9.9 — it's an OS command injection flaw (CWE-78) that requires no authentication, no user interaction, and no prior access. An attacker sends a crafted request and gets full operating system command execution.
Approximately 11,000 instances are exposed to the internet, with ~8,500 on-premises deployments potentially vulnerable. This was discovered using AI-enabled variant analysis by researcher Harsh Jaiswal and the Hacktron AI team. BeyondTrust has patched SaaS customers, but self-hosted instances need manual patches (BT26-02-RS or BT26-02-PRA).
Remember: BeyondTrust was previously exploited by Silk Typhoon (Chinese state-backed) to breach the US Treasury. When BeyondTrust has a vulnerability, threat actors pay attention.
🚨 Action: If you run BeyondTrust, update immediately. A patch does you no good if it isn't installed.
Targeted Attacks
📱 Signal Phishing: Hijacking Accounts Without Malware
Germany's BfV and BSI have issued a joint advisory about a state-sponsored campaign targeting Signal users — specifically politicians, military officials, diplomats, and journalists across Europe. No malware. No zero-days. The attackers abuse Signal's own legitimate features.
Two methods: (1) Fake "Signal Support" messages requesting your PIN, and (2) malicious QR codes disguised as group invitations that silently link the attacker's device to your account. The tactics align with Russian-linked groups Star Blizzard, UNC5792, and UNC4221. The same technique extends to WhatsApp.
🚨 Action: Never share your PIN. Enable Registration Lock (Settings → Account). Review linked devices (Settings → Linked Devices) and remove anything you don't recognize.
CISA
🛡️ CISA BOD 26-02: Rip Out End-of-Life Edge Devices
CISA issued Binding Operational Directive 26-02, ordering federal civilian agencies to eliminate end-of-support edge devices — firewalls, routers, switches, WAPs, load balancers, and IoT devices that no longer receive security updates. The timeline: immediate updates, 3-month inventory, 12-month decommission, 18-month full replacement, 24-month continuous discovery.
While this technically only applies to federal agencies, CISA's acting director made it clear: unsupported devices should never remain on enterprise networks. If your edge devices can't be updated, it's time to replace them.
🚨 Action: Audit your network perimeter. If it's end-of-life, it's an open invitation.
Ransomware
📦 Iron Mountain vs. Everest: Claims vs. Reality
The Everest ransomware gang claimed a 1.4TB breach of Iron Mountain — the S&P 500 company guarding data for 95% of Fortune 1000 companies. Iron Mountain's response: a single compromised credential accessed one folder on a third-party file-sharing site containing primarily marketing materials. No ransomware deployed, no core systems breached, no customer data involved.
🚨 Action: Enforce MFA everywhere. Verify before you panic.
🎯 5 Key Takeaways
1. Nation-state espionage is at unprecedented scale — patch your public-facing appliances.
2. Update BeyondTrust immediately — CVE-2026-1731 is the golden goose of vulnerabilities.
3. Encryption doesn't protect you from social engineering — review your linked devices.
4. End-of-life devices are open invitations — if you can't update it, replace it.
5. Verify before you panic — ransomware groups exaggerate to maximize payouts.
🎧 Watch/Listen to the Full Episode
Catch the full breakdown on YouTube, Spotify, or Apple Podcasts — search "Exploit Brokers by Forgebound Research."
Found this valuable? Forward it to someone who touches a computer.
Stay vigilant, stay curious, and update your stuff.
— Cipherceval / Forgebound Research