The MSP Minute ⏱ Thursday 28 May 2026
For Managed Service Providers worldwide. Today... ransomware criminals are physically walking into offices... Microsoft's May patch broke something very specific... and the good guys really won.
🔴 The FBI’s warning that ransomware criminals are now physically walking into law firm offices pretending to be IT support
This is a scary one.
The Silent Ransom Group has been targeting US law firms since 2023 using phone-based social engineering: calling employees, impersonating IT support, and convincing them to open a remote desktop session. What’s new is that when the phone call doesn’t work, they now send a person to visit. BleepingComputer
The FBI issued a Flash Alert on Tuesday, its highest severity designation, confirming active in-person intrusions as of Spring 2026. The operative walks into reception posing as an IT technician, talks their way to a workstation, plugs in a USB drive, copies the data, and leaves.
Over 100 attacks confirmed. 38 firms have already had their data leaked publicly after refusing to pay. The most high-profile victim is a firm with over $1.5 billion in annual revenue. The Register
Time to disable your clients’ exposed USB ports on workstations in reception areas or open-plan offices??
🟡 Microsoft's May patch broke domain controller lookups… but only if your server hostname is exactly 15 characters long
This is the most comically specific Windows bug in recent memory.
Microsoft confirmed on May 26 that KB5087537, part of this month’s Patch Tuesday, causes domain controller lookup failures on Windows Server 2016 systems… but only where the server hostname is exactly 15 characters long. BleepingComputer
When affected, DCLocator calls return ERROR_INVALID_PARAMETER, meaning applications, scripts, and administrative tools can’t locate a domain controller at all. It looks like a DNS problem, or a firewall problem, or a replication problem… until someone checks the hostname length.
No fix timeline from Microsoft yet. The suggested workaround is to rename the server to a hostname of a different length.
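To find out which client servers match those conditions before the tickets arrive, here is an added example (not Microsoft's or BleepingComputer's code) that filters an inventory for Windows Server 2016 machines with 15-character hostnames. The function name, the sample inventory, and the assumption that your export has Name and OperatingSystem columns are all hypothetical.

```powershell
# Added example: flag hosts matching the conditions described above.
# Input objects need Name and OperatingSystem properties, e.g. an RMM export
# or Get-ADComputer -Properties OperatingSystem output (assumed shape).
function Find-HostnameLengthCandidate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Computer,
        [switch]$CheckHotfix   # also ask each candidate whether KB5087537 is installed
    )
    process {
        # Use the short host name if the inventory holds an FQDN.
        $short = ([string]$Computer.Name).Trim().Split('.')[0]
        if ($short.Length -ne 15) { return }
        if ([string]$Computer.OperatingSystem -notlike '*Server 2016*') { return }

        $hasKb = $null   # $null means not checked, or the host could not be queried
        if ($CheckHotfix) {
            try {
                $ids   = (Get-HotFix -ComputerName $short -ErrorAction Stop).HotFixID
                $hasKb = $ids -contains 'KB5087537'
            } catch {
                Write-Warning "Could not query hotfixes on ${short}: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{
            Name            = $short
            OperatingSystem = $Computer.OperatingSystem
            NameLength      = $short.Length
            HasKB5087537    = $hasKb
        }
    }
}

# Constructed sample inventory (not real hosts).
$inventory = @(
    [pscustomobject]@{ Name = 'CONTOSO-DC-0001';              OperatingSystem = 'Windows Server 2016 Standard' }
    [pscustomobject]@{ Name = 'BRANCH-DC-00002.corp.example'; OperatingSystem = 'Windows Server 2016 Datacenter' }
    [pscustomobject]@{ Name = 'CONTOSO-APP-002';              OperatingSystem = 'Windows Server 2019 Standard' }
    [pscustomobject]@{ Name = 'FILESRV01';                    OperatingSystem = 'Windows Server 2016 Standard' }
)

# Only the first two rows are reported: 15 characters and Server 2016.
$inventory | Find-HostnameLengthCandidate | Format-Table -AutoSize
```

Add `-CheckHotfix` when running against live hosts from an admin workstation that can reach them; it relies on Get-HotFix reporting the update on the target.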
🟢 CrowdStrike and Google dismantled a botnet that was hiding inside a blockchain. Yes, really
Yesterday’s Glassworm botnet takedown is worth knowing about. Not because it directly affects most MSPs, but because of how the good guys had to approach it.
Glassworm has been targeting software developers since October 2025, hiding malware inside VS Code extensions, npm packages, PyPI libraries, and GitHub repositories. The clever part: its operators built four separate command-and-control channels specifically designed to survive takedowns, including one that encoded instructions inside Solana blockchain transactions, which are immutable and can’t be deleted or seized by anyone. BleepingComputer
CrowdStrike, Google, and the Shadowserver Foundation had to hit all four channels simultaneously on Tuesday at 14:00 UTC… because taking out three of four would have left the botnet operational.
OK, that’s Thursday done. We’ll be back in your inbox tomorrow morning for the final time this week. Have a terrific day.


