Also, HexDex Arrest, Black Axe Crackdown, LeRobot RCE Flaw

Every week, ISMG rounds up cybersecurity incidents and breaches around the world. This week, U.S. Cyber Command warned of likely foreign interference in upcoming elections, medical device maker Stryker discussed the financial impact of its hack, a convicted Vastaamo hacker sought a final appeal and French authorities arrested a prolific data thief tied to multiple breaches. Swiss police dismantled a Black Axe fraud network, while a China-linked “Spamouflage” campaign targeted Tibetan elections. Meanwhile, active exploitation of ConnectWise and Windows flaws raised fresh enterprise risks, new malware campaigns hit Minecraft players and a critical Hugging Face vulnerability exposed systems to remote code execution.
US Cyber Command Flags Election Threats
Foreign adversaries are likely to interfere in the U.S. midterm elections, the head of Cyber Command and the National Security Agency testified before the Senate Armed Services Committee Tuesday.
Army Gen. Joshua Rudd said foreign interference attempts are “reasonable to expect based on what we’ve seen in the past.” The warning underscores persistent concern inside U.S. cyber leadership that countries including Russia, China and Iran are focused on undermining confidence in democratic processes through digital means.
The Election Security Group – a Cyber Command and NSA task force active since 2018 – previously coordinated with the U.S. Cybersecurity and Infrastructure Security Agency, the FBI and other agencies on election defense, including offensive cyber operations. In the weeks before the 2024 presidential election, Cyber Command operators targeted servers used by at least two Russian companies spreading propaganda into swing states. The operation disrupted but did not halt the influence activity before Election Day.
Rudd is the second consecutive Cyber Command and NSA chief to face questions about election security. His predecessor, Gen. Tim Haugh, was fired by the Trump administration in April 2025 after far-right activist Laura Loomer publicly called for his removal.
Russian influence networks behind 2024 troll farm operations have continued producing content, with one network setting up more than 200 fake websites since March 2025. Officials said adversaries have not shifted to fundamentally new tactics, but are continuing to rely on a mix of cyber intrusions and disinformation efforts that have proven effective in past election cycles.
The Trump administration has been skeptical of efforts to secure elections from cybersecurity risk, scaling back engagement with states. The White House budget proposal for the coming federal fiscal year, which begins in November, would completely eliminate the CISA election security program.
How Stryker’s Attack Affected Its First Quarter Finances
The March 11 cyberattack on Stryker by Iranian hacktivists – which disrupted the medical device maker’s manufacturing and distribution operations for three weeks – had a “big impact” on the company’s first quarter results, company executives told investors and Wall Street analysts on Thursday.
But Stryker expects that its finances will “normalize” for the remainder of the year and has not changed its full-year guidance. Company leaders told analysts Stryker was unable to provide its “usual level of details” for its quarterly results due to the disruption to various product lines and other related factors (see: Stryker Hack Affects First Quarter Results).
Some Stryker product lines were impacted more than others by the attack’s disruption. Certain made-to-order med-surgical products that are customized couldn’t be manufactured during the system-wide outage, but those products are on their way, company executives said.
Stryker wasn’t able to ship certain products for three weeks. The company’s manufacturing and other affected operations were fully restored by the first week of April. The attack wiped more than 40,000 laptops and other devices. The company “got the threat actor out quickly” and was able to recover “100%” of its data through backups, said Kevin Lobo, Stryker CEO.
Stryker’s consolidated net sales of $6.0 billion increased 2.6% in the quarter. Organic net sales increased 2.4% in the quarter including 2.1% from increased unit volume and 0.3% from higher prices. Net earnings of $745 million increased 13.9% in the quarter.
The manufacturer expects to make up for lost sales in the remainder of the year. “Nothing’s changed for the year,” Lobo said. “Despite the cyberattack our business remains poised for strong yearly performance.”
Vastaamo Hacker Appeals Again as Sentence Nears Maximum
Convicted hacker Julius Aleksanteri Kivimäki filed for leave to appeal his sentence with Finland’s Supreme Court, Ilta-Sanomat reported. The Helsinki Court of Appeal confirmed the application arrived just before the end of office hours on Monday, the final day for filing (see: Finnish Psychotherapy Center Hacker Gets 7 Years).
Judges found Kivimäki’s breach of the Vastaamo psychotherapy center was a planned, financially motivated act targeting a “particularly vulnerable” victim pool and warranted the seven-year maximum. They took one month off the sentence, citing compensation agreements Kivimäki reached with numerous victims (see: Finnish Hacker Kivimaki Found Guilty in Vastaamo Hack).
Kivimäki’s lawyer, Peter Jaari, who signaled the move was likely immediately after February’s sentencing, said Kivimäki left Finland in late autumn and has not disclosed his whereabouts.
France Nabs ‘HexDex’ Suspect Linked to Multiple Data Thefts
French police arrested a suspected data thief operating under the alias “HexDex,” capping a months-long investigation into breaches targeting government systems, sports associations and private firms.
Authorities detained the 21-year-old in Western France on April 20, just as he was preparing to leak additional stolen data online, according to French news daily 01net. The suspect acknowledged using the HexDex alias and has since been charged with six offenses, four of which carry an “organized gang” aggravator under French law. Authorities seized his devices and took control of associated forum accounts.
The case traces back to December 2025, when prosecutors began receiving roughly 100 reports of data exfiltration incidents tied to the same online persona. Investigators say HexDex systematically compromised a wide range of organizations, including approximately 15 French sports federations, government agencies, hotel chains, trade unions, cultural institutions and charities, monetizing stolen data on cybercrime forums such as BreachForums and DarkForums.
One of the most significant alleged breaches hit the French Ministry of Education, exposing personal data tied to approximately 243,000 employees through a trainee management system (see: Breach of French Education Platform Impacts 243,000 Staff).
Other impacted systems reportedly include a national firearms registry, a police training platform and multiple public sector portals.
Swiss Police Arrest 10 ‘Black Axe’ Suspects in Romance Scam Probe
Swiss and German police arrested 10 suspected members of the Black Axe criminal network in a coordinated operation targeting romance scams and money laundering, Europol announced Tuesday.
The investigation, led by the Zurich Cantonal Police and public prosecutors, focused on individuals accused of running online fraud schemes that defrauded victims of several million Swiss francs. Investigators say the suspects used romance scams to build trust with victims and then routed fraudulently obtained funds through mule accounts to obscure money flows.
Those arrested include an alleged senior figure identified by Europol as the Black Axe “regional head” for Southern Europe. Europol previously identified Black Axe as a Nigeria-linked organized crime network involved in cyber-enabled fraud, including phishing and business email compromise, alongside other criminal activities such as drug trafficking, human trafficking, kidnapping and armed robbery.
Evidence seized during the raids includes digital devices and financial records. The arrests follow earlier Europol-supported operations against Black Axe networks in Europe, including a separate crackdown in Spain that targeted dozens of members involved in fraud and money laundering, according to Europol.
China-Linked ‘Spamouflage’ Targets Tibetan Exile Vote
A China-linked disinformation network sought to undermine the Tibetan parliament-in-exile elections, deploying coordinated activity to question the legitimacy of the vote and attack key leaders, research from the Digital Forensic Research Lab found.
The campaign, linked to the long-running “Spamouflage” influence operation, targeted Tibetans across social media platforms ahead of the April 26 vote to elect members of the 45-seat parliament. Researchers identified 90 Facebook profiles and 13 Instagram accounts tied to the operation.
DFRLab found the network pushed narratives critical of the Central Tibetan Administration and its leadership, including re-elected Sikyong Penpa Tsering – who obtained a second term in February – while amplifying claims that the electoral process lacked legitimacy.
The campaign deployed artificial intelligence-generated imagery but failed to generate meaningful engagement, with researchers noting that the network relied on ordinary-looking profiles with limited reach rather than established pages with larger followings. The interference attempt coincided with a globally distributed election involving more than 90,000 Tibetan voters across over 30 countries – a process widely framed by officials as a reaffirmation of Tibetan democratic identity in exile.
The activity is part of a broader information operation that has previously targeted political discourse in countries including the United States, Taiwan, Japan and the Philippines (see: China Is Using AI to Influence Elections, Microsoft Warns).
Hackers Exploit ScreenConnect, Windows Flaws for Code Execution and Credential Theft
Attackers are actively exploiting a high-severity path traversal flaw in ConnectWise ScreenConnect, along with a separate medium-severity Microsoft Windows Shell vulnerability that enables network spoofing and can facilitate lateral movement across enterprise environments.
The U.S. Cybersecurity and Infrastructure Security Agency added both flaws to its Known Exploited Vulnerabilities catalog.
The ScreenConnect flaw, tracked as CVE-2024-1708, is a path traversal weakness in the widely used remote access and support tool, which has become a recurrent target for attackers. The flaw has frequently been chained with a companion authentication bypass vulnerability, CVE-2024-1709, enabling threat actors to fully bypass authentication before exploiting the path traversal to execute arbitrary code – potentially leading to full system compromise and ransomware deployment.
The Windows flaw, CVE-2026-32202, is a protection mechanism failure in the Windows Shell that allows attackers to coerce victim machines into authenticating with an attacker-controlled server, exposing NTLMv2 hashes without any user interaction beyond opening a folder. The vulnerability stems from an incomplete patch for an earlier Windows Shell flaw, CVE-2026-21510, which the Russian threat group APT28 exploited in attacks targeting Ukraine and EU countries beginning in December 2025.
Brazil-Linked LofyStealer Malware Targets Minecraft Players Via Fake ‘Slinky’ Cheat
A Brazil-linked threat campaign is targeting Minecraft players with a new information-stealing malware, ZenoX found.
The malware, dubbed LofyStealer, is distributed as a trojanized Minecraft cheat called “Slinky.” It uses the game’s official icon to appear legitimate and entice users into execution. The campaign relies on social engineering, targeting players actively seeking mods or hacks.
Researchers say LofyStealer is delivered through a multi-stage infection chain beginning with a Node.js-based loader, compiled via GitHub Actions and packaged with the Vercel pkg tool, bundled with legitimate libraries such as V8 and OpenSSL to evade detection and bypass sandbox upload limits. The loader then decrypts and injects a native C++ second-stage payload – chromelevator.exe – directly into victim browser processes via direct syscalls to the Windows kernel.
Once executed, the malware harvests sensitive data from eight browsers including Chrome, Edge, Brave, Opera GX and Firefox. It also targets five categories of data: cookies, passwords, session tokens, payment cards and IBANs. Stolen data is compressed via a hidden PowerShell command, Base64-encoded and exfiltrated via HTTP POST to the C2 server, identified in the binary by the User-Agent string “GrabBot/1.0.”
The activity has been attributed to a threat actor tracked as LofyGang, a group previously linked to stealer campaigns distributed via npm packages and social platforms. It has a track record of targeting gaming communities to maximize infection rates through widely shared tools.
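The exfiltration traffic described above gives a defender one concrete indicator (the “GrabBot/1.0” User-Agent string named in the binary) and a more general pattern (a non-browser HTTP POST to a bare IP address). The following is an added example, not ZenoX’s tooling or anything from the report, that runs both checks over a few constructed web-proxy log lines; the log layout, the function names and the bare-IP heuristic are assumptions.

```python
import ipaddress
import re
from typing import Optional
from urllib.parse import urlparse

# Constructed sample web-proxy log lines (not real traffic).  Assumed layout:
# timestamp client method url status "user-agent".  203.0.113.x and
# 198.51.100.x are documentation ranges, used here as stand-in C2 hosts.
SAMPLE_LOG = """\
2026-04-28T10:01:02Z 10.0.0.5 GET https://www.example.com/index.html 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2026-04-28T10:01:09Z 10.0.0.5 POST http://203.0.113.10/upload 200 "GrabBot/1.0"
2026-04-28T10:02:15Z 10.0.0.7 POST https://api.example.com/v1/events 204 "curl/8.4.0"
2026-04-28T10:03:40Z 10.0.0.9 POST http://198.51.100.23/ 200 "python-requests/2.31.0"
"""

# The User-Agent the report attributes to LofyStealer's exfiltration requests.
KNOWN_STEALER_AGENTS = {"GrabBot/1.0"}

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict of fields, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def host_is_raw_ip(url: str) -> bool:
    """True when the URL's host is a literal IPv4/IPv6 address, not a name."""
    host = urlparse(url).hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_reason(rec: dict) -> Optional[str]:
    """Return why a record is suspicious, or None.

    Check 1 is the exact indicator from the report.  Check 2 is an assumed
    heuristic: browsers identify as Mozilla/..., so a POST from anything else
    straight to a bare IP is worth an analyst's look (expect some false
    positives from legitimate tooling)."""
    if rec["ua"] in KNOWN_STEALER_AGENTS:
        return "known stealer User-Agent"
    if (rec["method"] == "POST" and host_is_raw_ip(rec["url"])
            and not rec["ua"].startswith("Mozilla/")):
        return "non-browser POST to a bare IP address (heuristic)"
    return None


def scan(log_text: str) -> list:
    """Run both checks over a log and return (client, url, reason) alerts."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the scan
        reason = suspicious_reason(rec)
        if reason:
            alerts.append((rec["client"], rec["url"], reason))
    return alerts


if __name__ == "__main__":
    for client, url, reason in scan(SAMPLE_LOG):
        print(f"{client} -> {url}: {reason}")
```

Against the constructed log the first line (a browser GET) and the third (a curl POST to a named API host) pass, while the GrabBot request and the python-requests POST to a bare IP are flagged. In a real deployment the indicator set would be fed from threat intelligence rather than hard-coded, and the heuristic would be tuned against a baseline of the environment's own automation.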
LeRobot Flaw Opens Door to Unauthenticated RCE
A critical vulnerability in Hugging Face’s LeRobot framework is giving attackers a straightforward path to remote code execution, security researcher Valentin Lobstein, who goes by the handle “chocapikk,” wrote in a blog post.
Tracked as CVE-2026-25874, the flaw stems from the framework’s use of Python’s pickle module to deserialize data received over the network. In LeRobot’s design, a gRPC-based inference server accepts input from remote clients and processes it using pickle.loads() – a function that will execute embedded code if the payload is malicious.
Lobstein found that the deserialization happens before any validation checks are applied. In typical deployments, the service is exposed over unauthenticated, unencrypted gRPC connections, often bound to all interfaces to support distributed AI workloads. The result is a network-reachable endpoint that effectively behaves like an open remote shell.
LeRobot is used to run machine learning policies for robotics systems, frequently relying on remote GPU-backed servers. That architecture increases exposure, especially in environments where services are reachable across internal or even public networks. An attacker who can connect to the vulnerable port can deliver a malicious payload and take control of the underlying system.
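The root cause described above is the ordering: bytes from the network go into pickle.loads() before anything is checked. The following added example, which is not LeRobot’s code, shows the defensive pattern a practitioner would want in front of such an endpoint: inspect the pickle opcode stream without executing it, refuse anything that can resolve or call a global, and only then deserialize through an Unpickler that cannot resolve names at all. The message layout, the function names and the “plain data only” policy are assumptions.

```python
import io
import pickle
import pickletools

# Opcodes that resolve a global name, call it, or build an object from one.
# A message carrying only plain data (dicts, lists, numbers, strings, bytes)
# never needs any of them.  Assumed policy: anything else is refused.
CODE_OPCODES = {
    "GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
    "BUILD", "EXT1", "EXT2", "EXT4",
}


def code_opcodes_in(data: bytes) -> list:
    """List code-capable opcodes in a pickle WITHOUT executing it.

    pickletools.genops only parses the byte stream, so this is safe to run
    on untrusted input; it is the validation step the vulnerable server lacks."""
    return [op.name for op, _arg, _pos in pickletools.genops(data)
            if op.name in CODE_OPCODES]


class DataOnlyUnpickler(pickle.Unpickler):
    """Second line of defence: refuse to resolve any module.attribute reference,
    so even an opcode the scan missed cannot reach a callable."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            f"refusing to resolve {module}.{name}: globals are not allowed")


def safe_loads(data: bytes):
    """Validate first, deserialize second: the reverse of the vulnerable order."""
    bad = code_opcodes_in(data)
    if bad:
        raise ValueError(
            f"message contains code-capable opcodes: {sorted(set(bad))}")
    return DataOnlyUnpickler(io.BytesIO(data)).load()


def classify(data: bytes) -> str:
    """Server-loop convenience wrapper: 'accepted' or 'rejected'."""
    try:
        safe_loads(data)
        return "accepted"
    except (ValueError, pickle.UnpicklingError):
        return "rejected"


# Constructed sample messages (not captured traffic).
# A plain observation dict, the kind of payload an inference request carries.
BENIGN_MESSAGE = pickle.dumps({"observation": [0.1, 0.2, 0.3], "step": 3})
# A message whose opcode stream resolves a global name (here the harmless
# builtin `len`); a data-only server has no reason to accept any such message.
GLOBAL_REF_MESSAGE = pickle.dumps(len)


if __name__ == "__main__":
    print("benign:", classify(BENIGN_MESSAGE), safe_loads(BENIGN_MESSAGE))
    print("global reference:", classify(GLOBAL_REF_MESSAGE),
          code_opcodes_in(GLOBAL_REF_MESSAGE))
```

The benign observation loads normally, while the message referencing a global is rejected by the opcode scan (it contains STACK_GLOBAL) and, if it reached the unpickler anyway, by find_class. The stronger fix is to not accept pickle from the network at all and use a schema-validated format such as JSON or protobuf for the inference request; the checks above are for the case where the wire format cannot be changed immediately.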
Other Stories From This Week
With additional reporting by ISMG’s Marianne Kolbasuk McGee in the Boston exurbs.
