Exploits in the Wild: Qualcomm 0-Day, AirSnitch Breaches, and the Rise of AI-Coded Malware
A week of cyber chaos: hardware 0-days, Wi-Fi attacks, and new tricks in malware industrialization.
If you thought cybercrime was slowing down, this week’s headlines say otherwise. From a Qualcomm zero-day exploited in the wild to a Wi-Fi attack that shreds conventional defenses, and AI-powered hackers flooding networks with “vibe-coded” malware, defenders barely had time to breathe. But amid the madness, some wins emerged - takedowns of major phishing and data-leak operations - showing that the battle for the digital front lines is far from over.
Hardware 0-Days and Exploit Chains
The week’s most alarming technical story: a high-severity flaw in Qualcomm chips - found in millions of Android devices - was confirmed as exploited in the wild. Tracked as CVE-2026-21385, this buffer over-read bug allows attackers to corrupt memory and potentially hijack devices for code execution. While Google says exploitation is currently limited and targeted, the lack of public details keeps defenders on edge.
Meanwhile, Apple users aren’t immune. Google revealed a sprawling exploit kit, dubbed Coruna, targeting iOS devices from versions 13.0 to 17.2.1. Coruna’s journey - from a surveillance vendor to Russian espionage operators, and finally to Chinese cybercriminals hunting crypto wallets - shows how advanced exploit chains now circulate in a thriving underground market, morphing with each new owner.
Wi-Fi Under Siege: AirSnitch Unleashed
Think your Wi-Fi is safe because of client isolation? Think again. Academics demonstrated AirSnitch, an attack that abuses weaknesses in client isolation, group keys, and network switches to let a malicious user eavesdrop or inject traffic - even on “protected” networks. The method bypasses typical isolation at the Ethernet layer by tricking gateways and manipulating switches, restoring adversary-in-the-middle capabilities. The takeaway: insider threats and malicious guests are a real risk, even in supposedly segmented environments.
AI Malware and Phishing-as-a-Service
On the malware front, the Pakistan-linked Transparent Tribe group is now using AI tools to churn out “vibe-coded” malware - binaries written in obscure languages like Nim and Zig, designed to evade traditional detection. This marks a shift: not necessarily more sophisticated, but vastly more prolific, as AI enables attackers to mass-produce unique payloads.
Law enforcement scored rare points by taking down Tycoon2FA, a top adversary-in-the-middle phishing service, and LeakBase, a notorious data-trade forum. But history shows these disruptions are often short-lived, with criminals migrating to new platforms - often encrypted messaging apps or alternative forums.
Leakage and Infrastructure Weaknesses
The problem of exposed secrets remains endemic: a joint study found over a million private keys leaked in public code repositories, including over 2,600 valid TLS certificates - some protecting Fortune 500 firms and government agencies. Remediation is possible, but only after tireless manual outreach and bug reporting.
This week also saw ransomware actors adopting stealthier “living-off-the-land” tactics, blending malicious activity with legitimate cloud operations, and a new Kubernetes RBAC bypass that exposes clusters to privilege escalation. As always, the list of critical vulnerabilities - spanning Firefox, Cisco, Chrome, and more - continues to grow.
In a week where attackers innovated and defenders hustled to keep up, the scoreboard is as messy as ever. The arms race continues - so patch fast, stay paranoid, and remember: in cyber, there’s always another Monday.
WIKICROOK
- 0-Day: A zero-day vulnerability is an undisclosed software flaw that attackers can exploit before the vendor releases a fix, posing serious security risks.
- Client Isolation: Client isolation stops devices on the same network from communicating directly, increasing security in public Wi-Fi or shared environments.
- Phishing: Phishing is a cybercrime where attackers send fake messages to trick users into revealing sensitive data or clicking malicious links.
- Living off the Land: Living off the Land means attackers use trusted system tools (LOLBins) for malicious actions, making their activities stealthy and hard to detect.
- Exploit Chain: An exploit chain is a series of linked vulnerabilities that attackers use together to breach a system, bypassing security through multiple steps.