
A
From the CISO series, it's Cybersecurity Headlines
B
These are the cybersecurity headlines for Monday, May 4, 2026. I'm Steve Prentiss.

Telegram Mini Apps deliver Android malware. Researchers at Bahrain-based cybersecurity research firm CTM360 are warning of a large-scale fraud operation that uses Telegram's Mini App feature to run crypto scams, impersonate well-known brands and distribute Android malware. The platform has been named FEMITBOT, i.e. F-E-M-I-T-B-O-T, and uses Telegram bots and embedded mini apps to create convincing app-like experiences directly within the messaging platform. Some of the brands currently being impersonated include Apple, Coca-Cola, Disney, eBay, IBM and Nvidia.

An update on the cPanel bug story, a longer read than usual. First of all, following up on this story that we first covered on Friday, federal agencies were instructed to resolve the cPanel bug by yesterday, Sunday. cPanel and WHM are part of a web hosting control panel suite of software deployed to manage websites and servers handling millions of domains. Experts have warned that hackers could use the bug to completely compromise a server, steal data or manipulate hosted data. Internet security watchdog Shadowserver now reports that at least 44,000 IP addresses running cPanel have since been compromised in ongoing attacks. Numerous sources have told BleepingComputer that hackers have been exploiting the cPanel flaw since Thursday to breach servers and deploy a Go-based Linux encryptor for the Sorry ransomware. This bug carries a CVSS score of 9.8. Benjamin Harris, the CEO of watchTowr, said, "Within hours of the initial cPanel advisory dropping, nearly every major hosting provider on the planet had firewalled their own customers off their own products." He continued, "Hosting.com, Known Host and others all pulled the emergency brake because the alternative was watching their entire customer base get owned in real time." And, he added finally, quote, "Once again we're running around with half the Internet seemingly ablaze, and given the increased usage of AI in vulnerability research, we anticipate this new normal to become increasingly familiar." End quote.

British cyber agency warns of looming patch wave due to speedy AI flaw discovery. In a story somewhat related to the previous, the Chief Technology Officer at the National Cyber Security Centre in the UK, Ollie Whitehouse, said in a blog post that the use of AI tools by sufficiently skilled and knowledgeable individuals is increasing the likelihood that vulnerabilities will be identified and exploited at scale. He encouraged all organizations to prepare now for when a patch wave arrives. That is a rush of software updates that will need to be applied across a technology stack already laden with technical debt.

Huge thanks to our sponsor, Vanta. Risk and regulation ramping up and customers expect proof of security just to do business. Vanta's automation brings compliance, risk and customer trust together on one AI-powered platform. So whether you're prepping for a SOC 2 or running an enterprise GRC program, Vanta keeps you secure and keeps your deals moving. Learn more at vanta.com CISO, that is V-A-N-T-A dot com.

Nearly every Linux system built since 2017 vulnerable to Copy Fail flaw. Security researchers at Theori, that is T-H-E-O-R-I, are informing admins of a newly discovered security flaw that has been hiding in the Linux operating system for nearly a decade. The CVE-numbered flaw is named Copy Fail, and the researchers found it using an AI-powered scanning tool called Xint Code. The bug allows anyone with a basic account on an affected computer to seize full administrative control. It also works as an escape route from cloud containers, meaning a compromised application running inside a supposedly isolated environment can break out and take control of the entire host server, which is a major risk given the cloud industry's dependence on Linux distributions. This bug also affects every major Linux distribution released since 2017, including Ubuntu, Red Hat Enterprise Linux, Amazon Linux, and SUSE. These are the systems running the majority of the world's servers and cloud infrastructure. Theori said the flaw resulted from three separate, individually unremarkable changes to the Linux kernel made in 2011, 2015 and 2017, and no one recognized the danger created by their combination for nearly a decade.

Google revamps bug bounties. In what seems to be a theme for this newscast, this is a major overhaul of the company's vulnerability reward programs for Android and Chrome due to the way AI tools are reshaping the field of vulnerability discovery, transforming both the speed and nature of security research. Android bounties are rising to $1.5 million, while Chrome payouts are dropping. The new goal is to incentivize actionable reports: vulnerability submissions that include concrete proof, feasible exploit demonstrations, and, ideally, suggested fixes.

Trellix confirms source code breach. The cybersecurity company has announced a breach that enabled unauthorized access to a portion of its source code. Spokespeople for the company did not disclose the exact nature of the data that may have been accessed by the attackers, but stated that there are no indications that its source code has been affected or exploited. The company also did not share details about who may be behind this incident and for how long the attackers had access to its systems. Trellix is owned by Symphony Technology Group and was founded in January 2022 following the merger of McAfee Enterprise and FireEye.

Goodbye Jeeves: Ask.com closes down. Do you remember Ask Jeeves? It was a search tool that was launched in 1996 with a natural language question and answer service somewhat similar to today's AI tools. However, its friendly style got quickly overshadowed by the rise of Google and its own search tool. IAC, the company that acquired Ask Jeeves in 2005, soon dropped the Jeeves moniker, using just ask Jeeves. By 2010, the scaling back had begun. A message on the Ask.com website now: As IAC continues to sharpen its focus, we have made the decision to discontinue our search business, which includes Ask.com. After 25 years of answering the world's questions, Ask.com officially closed on May 1, 2020.

If you have some thoughts on the news from today or about this show in general, please be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I'm Steve Prentiss, reporting for the CISO Series.
A
Cybersecurity Headlines are available every weekday. Head to CISOseries.com for the full stories behind the headlines.
B
Sam.
Host: Steve Prentiss
Podcast: CISO Series
Episode Theme:
This episode delivers a snapshot of the day’s most pressing information security stories, focusing chiefly on novel attack methodologies, vulnerabilities driven by AI, repercussions for IT infrastructure, and the ever-evolving threat landscape.
“Within hours of the initial cPanel advisory dropping, nearly every major hosting provider on the planet had firewalled their own customers off their own products... The alternative was watching their entire customer base get owned in real time.”
“Once again we’re running around with half the Internet seemingly ablaze, and given the increased usage of AI in vulnerability research, we anticipate this new normal to become increasingly familiar.”
Whitehouse urges: “Prepare now for when a patch wave arrives... a rush of software updates…across an already technically debt-laden stack.”
“Hosting.com, Known Host and others all pulled the emergency brake because the alternative was watching their entire customer base get owned in real time.”
“Once again we’re running around with half the Internet seemingly ablaze... anticipate this new normal to become increasingly familiar.”
“Organizations need to prepare now for when a patch wave arrives.”
This episode highlights how advances in AI are both empowering attackers—by accelerating vulnerability discovery and exploitation—and forcing organizations to fundamentally rethink patch and security management. From platform-based malware on Telegram and critical Linux bugs to changes in Google’s vulnerability rewards and reminders of the fragility of even major cybersecurity vendors, the day’s headlines reinforce the need for constant vigilance, rapid response, and organizational readiness for large-scale change.
For deeper dives into each story, listeners are encouraged to visit CISOSeries.com.