This week’s top security threats and defensive actions.

🚨 Today’s Menu (30-second skim)

  • Telegram Mini Apps: Fraud operation using crypto scams and Android malware — 1.8B users affected
  • QR Code Phishing: Doubled in Q1 2026 — bypasses email scanners, hits mobile devices
  • cPanel CVE-2026-41940: Critical auth bypass under active attack — websites at risk

📱 Telegram Mini Apps Weaponized for Crypto Scams & Malware

The Threat:

Security researchers uncovered FEMITBOT, a large-scale fraud operation abusing Telegram’s Mini App feature to deliver convincing phishing experiences directly within the messaging app.

How it works: Threat actors deploy bots that launch phishing pages inside Telegram’s WebView, making them appear as native app features. Victims see fake investment dashboards with countdown timers and “earnings,” then are prompted to deposit money or complete referral tasks—classic advance-fee scams.

Impersonation targets: Apple, Coca-Cola, Disney, eBay, IBM, NVIDIA, MoonPay, YouKu, BBC, and CineTV.

Mobile malware angle: Some Mini Apps also distribute Android APKs (outside Google Play) impersonating major brands.

Why it’s dangerous: The in-app WebView makes phishing appear as part of Telegram itself—users don’t see external URLs or typical phishing red flags. Plus, Telegram’s trusted reputation lowers user suspicion.

3 Actions:

  • Briefing: Train employees on Telegram Mini App phishing—fake investment dashboards = scam signals
  • Mobile policy: Enforce MDM policies that block APK sideloading on corporate/BYOD Android devices
  • Brand monitoring: Add Telegram bot/Mini App monitoring to your threat intelligence program

Source: CISO Whisperer / CTM360 Researchers, May 4, 2026


🔲 QR Code Phishing Explosion: 146% Surge in Q1 2026

The Threat:

Microsoft Threat Intelligence reported QR code phishing attacks more than doubled in Q1 2026, growing from 7.6 million in January to 18.7 million in March.

Why threat actors love it: QR codes bypass text-based email scanning. Users scan them with unmanaged mobile devices and are redirected straight to phishing sites with zero URL visibility.

Delivery methods:

  • 70% embedded in PDF attachments (dominant method)
  • 24% in Word documents (.docx)
  • New trend: QR codes directly in email body (surged 336% in March alone)

Latest wrinkle: By March, QR codes embedded directly in email bodies hit 5% of attacks. No attachment is needed, just an image in the message.

Defensive actions:

  • Enable Safe Attachments in Defender for Office 365 (scans before user opens)
  • Educate users: “Never scan QR codes in unexpected emails.” Legitimate vendors use direct links.
  • Block PDF/DOC attachments from untrusted senders if possible
  • Use Threat Explorer to hunt for similar QR-based campaigns

Source: Microsoft Threat Intelligence, Q1 2026 Email Threat Landscape Report, April 30


⚙️ Critical cPanel Flaw (CVE-2026-41940) Under Active Attack

The Threat:

A critical authentication bypass vulnerability in cPanel and WebHost Manager (WHM) is being actively exploited in the wild.

CVE-2026-41940 impact:

  • Remote attackers gain elevated control of the control panel
  • Complete website wipes reported
  • Backup deletions and full infrastructure takeovers

Who’s affected: Any organization using cPanel/WHM without the latest patches.

Immediate actions:

  • Priority 1: Apply cPanel/WHM security patches immediately (check vendor advisories)
  • Isolate control panels: Restrict WHM/cPanel access to VPN or allowlisted IPs only
  • Monitor logs: Check for unauthorized authentication attempts or control panel access
  • Verify backups: Ensure recent backups exist and are isolated from live systems

Source: The Hacker News Weekly Recap, May 4, 2026
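
The "isolate control panels" and "monitor logs" actions above can be checked against each other. This added Python example (not from the cited source or from cPanel) audits panel access-log lines for sources outside an allowlist. The combined-log-style line layout, the allowlist ranges and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: a VPN pool and one admin host are the only approved sources.
ALLOWLIST = [ipaddress.ip_network(n) for n in ("10.8.0.0/24", "192.0.2.10/32")]

# Assumed layout (combined-log style): ip ident user [time] "request" status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "[^"]*" (?P<status>\d{3})\b'
)

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = """\
10.8.0.14 - root [05/04/2026:09:12:01 -0000] "GET /cpsess0000000000/ HTTP/1.1" 200
203.0.113.50 - - [05/04/2026:09:13:40 -0000] "POST /login/ HTTP/1.1" 401
203.0.113.50 - - [05/04/2026:09:13:42 -0000] "POST /login/ HTTP/1.1" 401
198.51.100.7 - root [05/04/2026:09:15:03 -0000] "GET /cpsess0000000000/ HTTP/1.1" 200
192.0.2.10 - admin [05/04/2026:09:20:00 -0000] "GET / HTTP/1.1" 200
this line is truncated
"""

def is_allowed(ip_text):
    """True if the address is inside any allowlisted network."""
    ip = ipaddress.ip_address(ip_text)  # raises ValueError on a malformed address
    return any(ip in net for net in ALLOWLIST)

def audit(log_text):
    """Return (findings, unparsed). 'served' counts statuses below 400."""
    findings, unparsed = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        try:
            allowed = m is not None and is_allowed(m["ip"])
        except ValueError:
            m = None
        if m is None:
            unparsed.append(line)  # keep unreadable lines for manual review
            continue
        if allowed:
            continue
        hit = findings.setdefault(m["ip"], {"served": 0, "refused": 0, "users": set()})
        hit["served" if int(m["status"]) < 400 else "refused"] += 1
        if m["user"] != "-":
            hit["users"].add(m["user"])
    return findings, unparsed

if __name__ == "__main__":
    for ip, hit in audit(SAMPLE_LOG)[0].items():
        print(ip, hit)
```

Any "served" count for an off-allowlist address means the panel answered a source the network restriction should have kept out, so that address and its logged user deserve review first.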


👏 Grandma’s Firewall

Your action item this week:

If you use cPanel/WHM to manage websites, patch it now. If you’re a manager, check with IT: “Are we running the latest cPanel version?”

For everyone: never scan QR codes from unexpected emails or Slack messages. Legitimate vendors send actual clickable links. If it’s an invoice or “urgent action required” with a QR code? Assume it’s a phishing test or worse.

One more thing: If you use Telegram for work, treat Mini Apps with suspicion. Fake investment offers? Immediate block.

Human In[Security] is a weekly security roundup for busy people and their parents. Questions? Reach out.

© 2026 Human In[Security]. All rights reserved.
