Canary Trap’s Bi-Weekly Cyber Roundup
Welcome to the latest edition of the “Bi-Weekly Cyber Roundup” by Canary Trap. At Canary Trap, it is our mission to keep you up-to-date with the most crucial news in the world of cybersecurity and this bi-weekly publication is your gateway to the latest news.
This week’s roundup highlights the growing convergence of cybercrime, geopolitics, and legal accountability. We examine a confirmed breach at a French government agency now tied to data sale activity, a guilty plea linked to the BlackCat ransomware ecosystem, and emerging techniques that weaponize Windows Defender itself. We also explore how lawmakers are escalating their response to ransomware attacks on hospitals, and conclude with a look at the destructive Lotus data wiper targeting Venezuela’s energy and utilities sector.
- French Government Agency Confirms Breach as Hacker Offers to Sell Data
France’s national agency responsible for issuing and managing official identity documents, Agence Nationale des Titres Sécurisés (ANTS), has disclosed a cybersecurity incident that may have exposed personal data belonging to users of its online portal.
ANTS, which operates under the French Ministry of the Interior and oversees services such as passports, driver’s licenses, and national ID cards, detected the breach on April 15, 2026. While the investigation remains ongoing, the agency confirmed that data linked to both individual and professional accounts on its platform may have been compromised. The scope of the incident, including the total number of affected individuals, has not yet been publicly disclosed.
According to ANTS, the potentially exposed information includes login identifiers, full names, email addresses, and dates of birth. In some cases, additional data such as postal addresses, places of birth, phone numbers, and unique account identifiers may also have been accessed. The agency emphasized that the compromised data does not provide direct access to its systems or user accounts. However, it acknowledged that the information could be leveraged in phishing or social engineering campaigns.
Authorities have been notified, including France’s data protection regulator (CNIL), the Paris Public Prosecutor, and the national cybersecurity agency (ANSSI). ANTS has also begun notifying individuals identified as potentially impacted and warned that any sale or misuse of the data would constitute a criminal offense.
Shortly after the disclosure, a threat actor operating under the alias “breach3d” claimed responsibility for the attack on underground forums, alleging possession of up to 19 million records. The actor stated that the dataset includes personal and account-related information, such as contact details, demographic data, and civil status. While the data has reportedly been offered for sale, there is no confirmation that it has been widely distributed.
ANTS has advised users to remain vigilant, particularly regarding unsolicited communications that appear to originate from the agency. Although no immediate action is required, heightened awareness is recommended to mitigate the risk of follow-on attacks.
- Ransomware Negotiator Pleads Guilty to BlackCat Scheme
A former ransomware negotiator has pleaded guilty to collaborating with the BlackCat/ALPHV ransomware group in a series of attacks targeting U.S. organizations in 2023, according to the U.S. Department of Justice. The case highlights an insider threat scenario in which a trusted cybersecurity professional leveraged privileged access to aid cybercriminal operations.
Angelo Martino, 41, based in Florida, admitted to working with BlackCat actors beginning in April 2023 while employed at a U.S.-based incident response firm. In his role, Martino had access to sensitive information related to ransomware negotiations. He exploited this position by sharing confidential client data, including insurance policy limits and negotiation strategies, with the attackers, enabling them to maximize ransom demands without the knowledge or consent of either his employer or the affected organizations. In return, Martino received financial compensation from the threat actors.
Martino also conspired with two other cybersecurity professionals, Ryan Goldberg and Kevin Martin, to deploy BlackCat ransomware against multiple U.S. victims between April and November 2023. In one instance, the group successfully extorted approximately $1.2 million in Bitcoin, which they then divided and laundered. Authorities have since seized roughly $10 million in assets connected to Martino, including cryptocurrency and high-value physical assets.
All three individuals have pleaded guilty to extortion-related charges and face potential sentences of up to 20 years in prison. Their respective employers confirmed cooperation with law enforcement and stated that the individuals acted in violation of company policies and ethical standards.
The case underscores the risks associated with insider threats in cybersecurity, particularly when individuals have access to highly sensitive operational and financial data. Industry experts emphasize the importance of enforcing strict separation of duties within incident response processes. Specifically, dividing responsibilities between negotiation, payment handling, and remediation can reduce the risk of conflicts of interest and limit opportunities for abuse.
Additionally, the incident reinforces the need for organizations to apply zero trust principles not only to systems but also to third-party service providers. Even trusted cybersecurity partners should operate under least-privilege access models, with clear oversight and controls in place.
- Exploits Turn Windows Defender Into Attacker Tool
Threat actors are actively leveraging a set of publicly available proof-of-concept (PoC) exploits to manipulate Microsoft Defender’s core protection mechanisms, effectively turning the security platform against the environments it is designed to secure. These exploits, known as BlueHammer, RedSun, and UnDefend, target weaknesses in Defender’s privileged workflows, enabling attackers to escalate privileges and degrade detection capabilities once initial access is achieved.
BlueHammer exploits a time-of-check to time-of-use (TOCTOU) flaw in Defender’s signature update process (tracked as CVE-2026-33825). By abusing a race condition during file remediation, attackers can redirect file operations and gain SYSTEM-level access without relying on kernel exploits or memory corruption. Microsoft addressed this vulnerability in its April 2026 security updates, but the remaining techniques extend beyond that patch.
RedSun operates in a similar manner but targets a different component, Defender’s TieringEngineService. It can be triggered using an EICAR test string, a benign marker commonly used to validate antivirus functionality. When Defender attempts remediation, the exploit hijacks the process and executes attacker-controlled code with SYSTEM privileges. Notably, RedSun has been observed working even on fully patched systems, highlighting a broader issue in how Defender handles privileged file operations.
The third exploit, UnDefend, is designed to be deployed post-compromise. Rather than triggering obvious failures, it subtly interferes with Defender’s update mechanisms, preventing the platform from receiving current threat intelligence while continuing to report a healthy status. This allows attackers to persist undetected while gradually weakening endpoint defenses.
Security researchers have observed these exploits being used in targeted, hands-on attacks. Adversaries are staging binaries in low-profile directories such as Downloads or Pictures and using lightly modified PoC code to evade detection. The techniques themselves are not highly complex, but they are effective, demonstrating how moderately skilled attackers can weaponize publicly available research once they gain a foothold.
Fundamentally, these exploits expose systemic weaknesses in Defender’s trust model. Each technique abuses how the platform performs privileged file operations without sufficiently validating execution paths. As a result, Defender, operating within the system’s trust boundary, can be manipulated into executing malicious actions on behalf of the attacker.
While exploitation is straightforward once access is obtained, the primary barrier remains initial entry. Observed incidents often began with compromised VPN credentials lacking multi-factor authentication. From there, escalation to SYSTEM-level access becomes trivial.
Mitigation efforts should focus on both patching and hardening. Organizations are advised to apply Microsoft’s April 2026 updates, enforce multi-factor authentication across all remote access points, restrict execution from user-writable directories, and implement independent detection layers that do not rely solely on endpoint security agents.
- Lawmakers Ponder Terrorism Designations and Homicide Charges Over Hospital Ransomware Attacks
U.S. lawmakers are increasingly considering stronger legal consequences for ransomware attacks targeting healthcare organizations, reflecting growing concern over the real-world impact of such incidents. During a recent House Homeland Security Committee hearing, policymakers explored whether these attacks should be treated as more severe crimes, including potential classification as acts of terrorism or, in extreme cases, grounds for homicide charges when loss of life can be linked to an attack.
Cynthia Kaiser, a former senior FBI cyber official and now with Halcyon’s ransomware research center, proposed both approaches. She argued that existing legal frameworks may already support harsher penalties but have not yet been fully applied in this context. Designating ransomware attacks as terrorism could enable broader enforcement measures, including sanctions and travel restrictions, while clearer Department of Justice guidance could open the door to prosecuting cases involving patient deaths.
The discussion reflects a sharp rise in ransomware incidents targeting healthcare. According to FBI data cited during the hearing, attacks against the sector nearly doubled, increasing from 238 in 2024 to 460 in 2025, making healthcare the most frequently targeted industry. The operational disruptions caused by these attacks, ranging from system outages to delayed care, have heightened concerns about patient safety.
Some lawmakers expressed strong support for more aggressive deterrence. Representative Michael Guest emphasized that penalties should reflect the severity of targeting critical healthcare infrastructure, particularly in light of recent attacks that forced clinic closures in his home state of Mississippi.
The idea of linking ransomware to terrorism is not new but has gained renewed traction. Previous legislative efforts and policy discussions have examined this connection, though formal implementation has been limited. At the same time, research continues to underscore the potential human cost: a 2023 study suggested ransomware attacks on hospitals may have contributed to patient deaths, while a 2020 case in Germany prompted a negligent homicide investigation, though no charges were ultimately filed.
These proposals align with broader shifts in U.S. cyber policy toward a more assertive stance against threat actors. As ransomware groups continue to target critical services, lawmakers appear increasingly willing to explore legal frameworks that better reflect the potential consequences of these attacks.
- New Lotus Data Wiper Used Against Venezuelan Energy, Utility Firms
Cybersecurity researchers have identified a previously undocumented data-wiping malware, dubbed *Lotus*, used in targeted attacks against energy and utilities organizations in Venezuela. Unlike ransomware, the malware appears to have no financial motive; instead, it is engineered for maximum destruction, rendering compromised systems completely unrecoverable.
Analysis by Kaspersky indicates that the attack chain is deliberate and methodical. Initial access is followed by the execution of preparatory batch scripts designed to weaken system defenses, disrupt normal operations, and coordinate activity across networked environments. These scripts disable services, lock out users, terminate sessions, and sever network connectivity, effectively isolating systems prior to the destructive phase.
Once the environment is destabilized, the attackers begin preliminary wiping actions using legitimate system utilities. Tools such as *diskpart*, *robocopy*, and *fsutil* are leveraged to overwrite data, fill available disk space, and hinder recovery efforts. This staged approach ensures that by the time the primary payload is deployed, restoration options are already significantly degraded.
The final payload, Lotus, operates at a low level, interacting directly with physical drives. It removes recovery mechanisms, deletes restore points, clears filesystem activity logs, and overwrites disk sectors rather than just logical files. The malware also repeatedly cycles through wiping routines to ensure data destruction is comprehensive and irreversible.
The campaign’s timing suggests a potential link to regional geopolitical tensions in late 2025, including disruptions affecting critical infrastructure such as the state-owned oil company Petróleos de Venezuela (PDVSA), although no definitive attribution has been established.
From a defensive standpoint, the activity highlights several early warning indicators, including unusual service manipulation, widespread account changes, network interface shutdowns, and unexpected use of administrative utilities. As with other destructive malware campaigns, maintaining validated offline backups remains one of the most effective safeguards against total data loss.
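As an added illustration of the defensive points raised in the Defender item (execution from user-writable directories such as Downloads or Pictures) and in the Lotus item (correlating service manipulation, account changes, network shutdowns and administrative utilities), the following Python script is not from any source in this roundup; it runs over constructed process-creation events, and the mapping of the Lotus indicators to specific built-in utilities (sc.exe, net.exe, netsh.exe) and the three-stage threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed process-creation events for illustration (host, user, image path); not from the page.
SAMPLE_EVENTS = [
    ("srv01", "svc_backup", r"C:\Users\svc_backup\Downloads\update.exe"),
    ("srv01", "SYSTEM", r"C:\Windows\System32\sc.exe"),
    ("srv01", "SYSTEM", r"C:\Windows\System32\net.exe"),
    ("srv01", "SYSTEM", r"C:\Windows\System32\netsh.exe"),
    ("srv01", "SYSTEM", r"C:\Windows\System32\diskpart.exe"),
    ("srv01", "SYSTEM", r"C:\Windows\System32\fsutil.exe"),
    ("ws07", "alice", r"C:\Program Files\Vendor\app.exe"),
    ("ws07", "alice", r"C:\Windows\System32\robocopy.exe"),
]

# Directories a standard user can write to; execution from here is what the Defender mitigation restricts.
USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\(Downloads|Pictures|Desktop|AppData)\\", re.IGNORECASE)

# Early warning indicators from the Lotus item, keyed by the utility assumed to produce them.
INDICATOR_STAGES = {
    "sc.exe": "service_manipulation",
    "net.exe": "account_changes",
    "net1.exe": "account_changes",
    "netsh.exe": "network_shutdown",
    "diskpart.exe": "wiper_staging",
    "robocopy.exe": "wiper_staging",
    "fsutil.exe": "wiper_staging",
}
MIN_STAGES = 3  # assumed threshold: three distinct stages on one host resembles the staged pattern


def user_writable_executions(events):
    """Return (host, image) for each process launched from a user-writable directory."""
    return [(host, image) for host, _user, image in events if USER_WRITABLE.match(image)]


def stages_per_host(events):
    """Map host -> set of indicator stages observed, keyed on the image file name."""
    seen = defaultdict(set)
    for host, _user, image in events:
        stage = INDICATOR_STAGES.get(image.rsplit("\\", 1)[-1].lower())
        if stage:
            seen[host].add(stage)
    return seen


def suspected_wiper_hosts(events, min_stages=MIN_STAGES):
    """Hosts where enough distinct stages co-occur; a lone robocopy or fsutil run is not flagged."""
    return sorted(h for h, s in stages_per_host(events).items() if len(s) >= min_stages)


if __name__ == "__main__":
    print("user-writable executions:", user_writable_executions(SAMPLE_EVENTS))
    print("suspected wiper staging:", suspected_wiper_hosts(SAMPLE_EVENTS))
```

In production the events would come from Sysmon or EDR process telemetry and the stage correlation would be bounded by a time window; the point here is that single indicators are noisy while their co-occurrence on one host is the early warning the Lotus item describes.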
References:
https://www.darkreading.com/insider-threats/ransomware-negotiator-pleads-guilty-blackcat-scheme
https://www.darkreading.com/cyberattacks-data-breaches/exploits-turn-windows-defender-attacker-tool