FBI Warns Firms, Carnival Data Breach, GlobalProtect Exploits Active – Cybersecurity News [May 25, 2026]

Here’s a quick roundup of the most important cybersecurity stories from this past week, highlighting major data breaches, active exploits, state-sponsored threats, and emerging scams shaping the cybersecurity space right now. ShinyHunters continued its unprecedented rampage against corporate America, the FBI issued a rare physical-intrusion warning about law firm attacks, and new AI-powered threat groups emerged from both Russia and Iran. Here’s everything that happened.

FBI Warns Law Firms: Silent Ransom Group Is Now Showing Up in Person

Silent Ransom Group, a long-running data extortion operation, is continuing to hit U.S.-based law firms by impersonating IT support and, in some cases, visiting victims in person to gain physical access to computers, the FBI warned in an alert issued May 27, 2026.

The Russia-linked extortion gang has escalated to physically walking operatives into law firm offices under the guise of IT support. The gang has already had data from more than 38 firms published on its public leak site, and researchers say the total attack count exceeds 100 with activity surging sharply in early 2026.

In this scheme, the threat actor tells the victim they need to image the device or create a backup file to address potential impacts from a phishing email. Once the threat actor obtains access to the victim’s device, they minimally escalate privileges and quickly pivot to data exfiltration without any ransomware encryption. The lack of encryption makes the attack extremely stealthy and difficult to detect in real time.

Carnival Cruise Line Notifies Nearly 6 Million Customers of Data Breach

Carnival Corporation, one of the world’s largest cruise operators, confirmed a data breach weeks after the ShinyHunters hacking group claimed it had stolen millions of customer records. Carnival acknowledged a phishing incident involving a single employee account and stated that it was investigating the scope of the unauthorized activity.

Carnival began issuing formal breach notification letters on May 27, 2026, nearly six weeks after the incident was confirmed, alerting an estimated 6 million affected individuals across the United States. The company said it has determined that names, email addresses, phone numbers, dates of birth, and driver’s license and passport numbers were included in the impacted data. Carnival is offering two years of free credit monitoring for affected customers.

This marks yet another entry in Carnival’s troubling cybersecurity track record, which includes ransomware attacks and multiple phishing incidents dating back to 2019.

Palo Alto PAN-OS GlobalProtect Auth Bypass Now Actively Exploited

Palo Alto Networks has warned that a recently disclosed medium-severity security flaw impacting PAN-OS and Prisma Access has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-0257 (CVSS score: 7.8), could be exploited by bad actors to set up unauthorized VPN connections by bypassing the GlobalProtect portal and gateway authentication.

CISA added the vulnerability to the Known Exploited Vulnerabilities catalog on May 29, 2026. The practical risk is direct: a vulnerable GlobalProtect portal or gateway can let an attacker establish an unauthorized VPN connection, which can then become the starting point for internal reconnaissance, credential theft, and lateral movement.

Rapid7 MDR confirmed exploitation in multiple customer environments. Analysts observed that the Cloud Authentication Service (CAS) was disabled and authentication override cookies were enabled in compromised systems, consistent with CVE-2026-0257. A second wave of exploitation was observed on May 21, believed to originate from the same threat actor.

FortiClient EMS Flaw Exploited to Deliver Fake Patch Hiding New Credential Stealer

In May 2026, Arctic Wolf observed a cluster of malicious activity affecting endpoints managed by FortiClient Endpoint Management Server (EMS). The malicious payload was disguised as a fake Fortinet endpoint patch, but it was actually a credential stealer.

The campaign exploited CVE-2026-35616, a critical pre-authentication API access bypass with a CVSS score of 9.1. The malware called EKZ Infostealer can extract credentials from Chrome, Microsoft Edge, and Firefox, including techniques that bypass Chrome’s encrypted password storage mechanisms.

The attacker disguised the malware as an update for Fortinet endpoints and executed it through VPN scripting workflows managed by FortiClient. One telltale sign of exploitation is the presence in logs of the line “Certificate not found in request header,” followed seconds later by a certificate update entry.

Russia-Linked GREYVIBE Uses ChatGPT and Gemini to Supercharge Attacks on Ukraine

A previously undocumented Russia-linked threat group tracked as GREYVIBE has been weaponizing generative AI tools including ChatGPT, Google Gemini, and Ideogram AI across almost every stage of persistent cyberattacks against Ukrainian military, government, civilian, and business entities since at least August 2025, according to research by WithSecure.

WithSecure researchers are confident in their attribution to Russian-speaking operators in the Moscow time zone, but are less certain whether the group is cybercriminal, nation-state, or a mix of the two. Researchers warn that GREYVIBE’s extensive use of AI tools offers a glimpse into how future cybercriminal and state-aligned groups will operate.

GREYVIBE ran multiple campaigns including PhantomMail, which used spear-phishing lures impersonating Ukrainian government and emergency entities; PhantomClick, which used fake CAPTCHA pages to trick victims into executing malicious commands; and PrincessClub, which deployed fake Ukrainian adult and dating websites to deliver Android spyware and Windows RATs. Operators used fake female Telegram personas to build trust with military targets in Kharkiv before directing them to lure sites.

ChatGPhish: New Vulnerability Turns ChatGPT Into a Phishing Weapon

Cybersecurity researchers disclosed details of a vulnerability in OpenAI’s ChatGPT that leverages the AI assistant’s implicit trust in Markdown links and images to trigger prompt injections and open the door to phishing attacks. The technique was codenamed ChatGPhish by Permiso Security.

Researcher Andi Ahmeti submitted the vulnerability to OpenAI via Bugcrowd on April 29, 2026. After follow-up communications, the research was published on May 29, 2026. At the time of publication, Ahmeti had not received confirmation from OpenAI on whether a fix had been applied meaning the chatbot may still be vulnerable. Users should be very cautious when asking ChatGPT to summarize third-party web pages.

In a realistic attack scenario, a bad actor can append a small payload to any web page, and when a victim prompts ChatGPT to summarize that page, the attacker receives the victim’s IP address, browser User-Agent, and Referer details through the embedded malicious Markdown images.

Hackers Claim 340 Million OnlyFans User Records For Sale

Threat actors claimed they are selling 340 million OnlyFans user records including emails, usernames, and account activity metrics. If confirmed, the mega-leak could expose the real identities of OnlyFans creators and subscribers who value anonymity on the platform.

However, a closer look raises serious doubts. While the attackers present the finding as a major information exposure, technical analysis indicates the material does not stem from a new vulnerability the data appears to correspond to an aggregation of leaks from August 2025 and prior public sources. OnlyFans itself denied any breach: “According to the available information, these reports are false,” a company spokesperson told Cybernews.

Still, even recycled breach data compiled with public profile information poses real phishing and identity-linking risks to the platform’s millions of users.

FBI Warns of Fake FIFA 2026 World Cup Websites Stealing Fan Data

Threat actors are actively launching spoofing campaigns targeting FIFA-themed websites ahead of the 2026 FIFA World Cup, according to a Public Service Announcement issued by the FBI on May 27, 2026. The campaign is designed to exploit global interest in the tournament by deceiving users into interacting with fraudulent domains that closely mimic the official FIFA website, harvesting personally identifiable information including names, addresses, phone numbers, email credentials, and financial data.

Group-IB’s investigation uncovered a large fraud ecosystem including more than 4,300 fake domains impersonating FIFA websites, six separate fraud schemes, and four independent threat actor groups. At the center was a Chinese-speaking group called “GHOST STADIUM,” which operated more than 300 phishing domains designed to mimic FIFA’s official website.

The phishing kit clones FIFA’s login system by silently redirecting victims back to the real FIFA website after stealing their credentials making the interaction appear to be a successful login. Any legitimate tickets associated with the compromised account can then be resold. Fans are urged to only access www.fifa.com by typing it directly in their browser.

Fake Anthropic Websites Targeting Claude Code Users With Fileless Infostealer

A new threat intelligence report by security research firm Cyderes exposed an active credential theft campaign targeting users of Anthropic’s Claude Code tool. The attack begins with SEO poisoning when a user searches for how to install the software, they are taken to a spoofed Anthropic page. They are then instructed to open the Windows Run dialog box and paste a malicious mshta.exe command, a classic ClickFix lure that helps attackers establish hands-on keyboard execution to bypass automated sandbox analysis.

Once executed, the infostealer accesses the browser credential store to steal saved data, then connects to a command-and-control server routing directly to Russian infrastructure. Cyderes confirmed that Anthropic itself has not been compromised. Defenders are advised to block wildcard queries to.oakenfjrod.ru and monitor outbound connections from mshta.exe.

Verizon DBIR 2026: Credential Theft Surges, AI-Assisted Attacks Rise Sharply

Verizon released its 2026 Data Breach Investigations Report, providing an authoritative analysis of the latest cyber threats and data breach trends. The report’s data covers incidents between November 1, 2024, and October 31, 2025.

Threat intelligence reports in 2026 show attackers moving faster than ever some cybercriminal groups can break into networks and begin spreading laterally in under 30 seconds. AI-assisted attacks are rising sharply, and zero-day vulnerabilities are being exploited faster than security teams can respond. The DBIR reaffirmed that many of the biggest breaches of the year were not unstoppable attacks they were preventable failures rooted in skills gaps, weak identity controls, and poor third-party risk management.

CISA Flags LiteSpeed and Daemon Tools Vulnerabilities as Actively Exploited

The US Cybersecurity and Infrastructure Security Agency (CISA) added multiple new flaws to its Known Exploited Vulnerabilities catalog this week, including vulnerabilities in Daemon Tools, TanStack, and Nx Console, as well as a separate flaw in the LiteSpeed cPanel Plugin. Federal civilian agencies were issued mandatory remediation deadlines. Organizations using these tools are strongly urged to patch immediately, as CISA’s KEV additions signal confirmed in-the-wild exploitation rather than theoretical risk.