ctipilot.ch

SMS-blaster smishing establishing itself in Switzerland — portable IMSI-catchers force 2G downgrade, bypass operator SMS filtering

campaign · technique:sms-blaster-ch-2026 SINGLE-SOURCE-OTHER

Coverage timeline: 2 appearances · first 2026-05-11 → last 2026-05-11
Briefs: 1 (1 distinct)
Sources cited: 29 (22 hosts)
Sections touched: 2 (action_items, active_threats)
Co-occurring entities: 8 (see Related entities below)

Story timeline

  1. 2026-05-11 · CTI Daily Brief — 2026-05-11
     active_threats: First coverage. ebas.ch reports portable rogue base stations forcing nearby smartphones to 2G to deliver smishing SMS that bypass carrier SMSC anti-phishing filters. Victims in western Switzerland report momentary 2G drops immediately before fraudulent SMS. Banking and credit-card credentials are the primary target.
  2. 2026-05-11 · CTI Daily Brief — 2026-05-11
     action_items: Action item: federal mobile-security policy guidance; disable 2G fallback on managed Android estates where MDM supports it; add smishing-lure language patterns to IR runbook; coordinate with federal mobile-operator account team for RAT-downgrade telemetry.

Where this entity is cited

  • active_threats (1)
  • action_items (1)

Source distribution

  • ncsc.admin.ch: 5 (17%)
  • bleepingcomputer.com: 2 (7%)
  • helpnetsecurity.com: 2 (7%)
  • sophos.com: 2 (7%)
  • apereo.github.io: 1 (3%)
  • cert.ssi.gouv.fr: 1 (3%)
  • cryptotimes.io: 1 (3%)
  • ebas.ch: 1 (3%)
  • other: 14 (48%)

Related entities

All cited sources (29)

Items in briefs about SMS-blaster smishing establishing itself in Switzerland — portable IMSI-catchers force 2G downgrade, bypass operator SMS filtering (17)

NCSC-CH: active Microsoft 365 "voicemail" phishing wave in Switzerland delivers infostealers and harvests M365 credentials

From CTI Daily Brief — 2026-06-25 · published 2026-06-25

Switzerland's National Cyber Security Centre reported a higher-than-usual volume of a dual-path Microsoft 365 / OneDrive-for-Business phishing campaign in its Week 25 review (NCSC-CH, 2026-06-23). In the malware-delivery variant the email carries a ZIP "audio" attachment that, when run, installs an infostealer harvesting browser credentials, session cookies and wallet data; in the credential-harvest variant a fake Microsoft login page with a simulated audio player ("Play voicemail as guest") captures the M365 username and password. NCSC-CH notes that a compromised mailbox is then used to read live business email and run chain-phishing and BEC fraud from a recognised sender replying inside an existing thread (T1114.003, T1098), and that stolen credentials are frequently resold and resurface in targeted follow-up attacks weeks later. Why it matters to us: Swiss public-sector staff are direct recipients. The discriminator is mechanical — legitimate voicemail notifications deliver .wav/.mp3, never a ZIP. Phishing-resistant MFA (FIDO2 / certificate-based Conditional Access) defeats the credential-theft path even when the lure succeeds; hunt M365 audit logs for inbox-rule and forwarding-rule creation within minutes of a sign-in from a new country/ASN.
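The hunt described at the end of the item (inbox-rule or forwarding-rule creation minutes after a sign-in from a country/ASN the user has never used) can be expressed as a small correlation over exported audit records. The block below is an added example, not code from NCSC-CH or the brief. The records are constructed; their Operation, UserId, CreationTime and ClientIP fields follow the Microsoft 365 unified-audit-log naming, while the Country and ASN fields are assumed to come from a geo/ASN enrichment step, since the audit log itself does not carry them. The ASNs used are from the documentation range and the country code XX is a placeholder.

```python
"""Correlate mailbox-rule creation with a preceding sign-in from a never-before-seen
(country, ASN) origin for the same user.

Added example, not from the NCSC-CH report or the brief. Records are constructed;
Country and ASN are assumed enrichment fields (not present in the raw audit log).
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

SIGNIN_OPS = {"UserLoggedIn"}
# New-InboxRule / Set-InboxRule cover mailbox rules; Set-Mailbox covers
# ForwardingSmtpAddress changes. Both are common post-compromise persistence.
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
WINDOW = timedelta(minutes=10)
BASELINE_UNTIL = datetime(2026, 6, 24)   # sign-ins before this date define "known" origins

# Constructed audit export, one JSON record per line (placeholder users, ASNs and IPs).
CONSTRUCTED_AUDIT_LOG = """
{"CreationTime": "2026-06-20T08:00:00", "Operation": "UserLoggedIn", "UserId": "alice@example.org", "ClientIP": "192.0.2.10", "Country": "CH", "ASN": 64496}
{"CreationTime": "2026-06-20T08:05:00", "Operation": "UserLoggedIn", "UserId": "bob@example.org", "ClientIP": "192.0.2.11", "Country": "CH", "ASN": 64496}
{"CreationTime": "2026-06-24T09:00:00", "Operation": "UserLoggedIn", "UserId": "alice@example.org", "ClientIP": "198.51.100.7", "Country": "XX", "ASN": 64497}
{"CreationTime": "2026-06-24T09:04:00", "Operation": "New-InboxRule", "UserId": "alice@example.org", "ClientIP": "198.51.100.7", "Country": "XX", "ASN": 64497}
{"CreationTime": "2026-06-24T09:30:00", "Operation": "UserLoggedIn", "UserId": "bob@example.org", "ClientIP": "192.0.2.11", "Country": "CH", "ASN": 64496}
{"CreationTime": "2026-06-24T09:33:00", "Operation": "New-InboxRule", "UserId": "bob@example.org", "ClientIP": "192.0.2.11", "Country": "CH", "ASN": 64496}
{"CreationTime": "2026-06-24T10:00:00", "Operation": "UserLoggedIn", "UserId": "carol@example.org", "ClientIP": "198.51.100.9", "Country": "XX", "ASN": 64497}
{"CreationTime": "2026-06-24T10:45:00", "Operation": "Set-Mailbox", "UserId": "carol@example.org", "ClientIP": "198.51.100.9", "Country": "XX", "ASN": 64497}
"""


def parse_records(text):
    """Parse one JSON record per non-empty line; add a datetime under 'time'; sort by time."""
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["CreationTime"])
        records.append(rec)
    return sorted(records, key=lambda r: r["time"])


def find_rule_after_new_origin_signin(records, baseline_until=BASELINE_UNTIL, window=WINDOW):
    """Return (rule_record, signin_record) pairs where a mailbox rule was created within
    `window` of a sign-in whose (Country, ASN) the user had not used before `baseline_until`."""
    known = defaultdict(set)
    for r in records:
        if r["Operation"] in SIGNIN_OPS and r["time"] < baseline_until:
            known[r["UserId"]].add((r["Country"], r["ASN"]))

    last_new_signin = {}
    hits = []
    for r in records:
        if r["time"] < baseline_until:
            continue
        user = r["UserId"]
        if r["Operation"] in SIGNIN_OPS:
            origin = (r["Country"], r["ASN"])
            if origin not in known[user]:
                last_new_signin[user] = r          # stays "new" until an analyst clears it
            else:
                last_new_signin.pop(user, None)    # a known-origin sign-in resets the suspicion
        elif r["Operation"] in RULE_OPS:
            signin = last_new_signin.get(user)
            if signin is not None and r["time"] - signin["time"] <= window:
                hits.append((r, signin))
    return hits


if __name__ == "__main__":
    for rule, signin in find_rule_after_new_origin_signin(parse_records(CONSTRUCTED_AUDIT_LOG)):
        minutes = int((rule["time"] - signin["time"]).total_seconds() // 60)
        print(f"{rule['UserId']}: {rule['Operation']} at {rule['CreationTime']}, {minutes} min "
              f"after sign-in from {signin['Country']}/AS{signin['ASN']} ({signin['ClientIP']})")
```

Only alice is flagged: bob's rule follows a sign-in from his usual origin, and carol's forwarding change comes 45 minutes after her unfamiliar sign-in, outside the window. In production the baseline would come from weeks of sign-in history rather than a fixed cut-off date, and the window should be tuned to how quickly observed BEC actors set rules after first access.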

Check Point State of Ransomware Q1 2026 — ecosystem consolidation, with Switzerland and Germany named

From CTI Weekly Summary — 2026-W25 (Jun 15 – Jun 21, 2026) · published 2026-06-22

Surfaced this week for its CH/EU-specific findings, Check Point's Q1 2026 ransomware report (published 11 May, not covered in the dailies) documents a structural consolidation: the top 10 groups now hold 71.1% of all leak-site victims, the highest concentration since early 2024 and a reversal of two years of fragmentation — meaning defenders face fewer but more professionalised adversaries (Check Point Research; corroborated by Emsisoft). The Gentlemen grew +315% quarter-on-quarter (explaining this week's Mackay Sugar and GentleKiller coverage in § 2) and LockBit 5.0 resurged +106% on a Rust rewrite. The geography is the operative detail for this audience: Check Point notes that Akira accounts for roughly 31% of Swiss ransomware victims, and Emsisoft places Germany as the #2 country globally by ransomware victim count. The synthesis a Swiss SOC should take: Akira is the dominant ransomware threat to model against domestically, and the consolidation trend favours investing detection effort against a smaller set of high-capability operators (Qilin, Akira, The Gentlemen, LockBit 5.0).

NCSC-CH — fake Swiss Post "Avis de passage" QR-code phishing in French-speaking Switzerland

From CTI Weekly Summary — 2026-W25 (Jun 15 – Jun 21, 2026) · published 2026-06-22

NCSC-CH's Week 24 Wochenrückblick flagged a hybrid physical-plus-digital social-engineering campaign in French-speaking Switzerland: attackers drop fake Swiss Post collection-notice ("Avis de passage") letters into letterboxes, closely mimicking official branding, with a QR code leading to a phishing site that harvests identity and credit-card data (NCSC-CH, 2026-06-16). The physical-delivery vector defeats email-gateway controls entirely. Public-sector organisations in French-speaking cantons should brief staff on the physical-QR lure, since the Swiss Post brand is frequently abused and a letterbox-delivered QR bypasses every email-based phishing control.

AudiA6 ransomware crypto-laundering service dismantled — two charged, Switzerland among the participating countries

From CTI Daily Brief — 2026-06-12 · published 2026-06-12

A coordinated operation led by the US Secret Service, IRS-CI, Europol and Eurojust — with participation from Australia, Canada, France, Georgia, Germany, Iceland, Japan, Poland, Switzerland and the United Kingdom — dismantled AudiA6 on 11 June, a crypto-laundering service trusted by ransomware operations since 2021 (US Secret Service, 2026-06-11). Two men resident in Batumi, Georgia — Ruslan Igorevich Tkachuk (37) and Alexander Vladimirovich Ledenev (25) — were arrested and charged in the Eastern District of Pennsylvania with conspiracy to launder monetary instruments and sting money laundering. Blockchain analysis traced roughly 10,333 BTC (~$389.7 M at transaction-time value) through AudiA6 wallets, with ~393 BTC directly attributable to darknet markets, ransomware crews and cybercrime services; the service charged 3–10 % commission and returned "cleaned" funds within about an hour through chains of fraudulent exchange accounts opened with stolen identities. Europol links AudiA6 to more than 15 international cybercrime investigations and reports infrastructure seizures in the US, Iceland, Germany and France, alongside the seizure of the Dark2Web forum where the service advertised (Europol, 2026-06-11).

Why it matters to us: the takedown removes a monetisation layer used by ransomware groups that target EU and Swiss organisations, and seized transaction records may retrospectively attribute earlier ransom payments — IR teams with open extortion cases should watch for law-enforcement follow-up requests.

NCSC Switzerland: Booking.com breach feeds two-pronged WhatsApp hotel-booking phishing against Swiss travellers

From CTI Daily Brief — 2026-06-04 · published 2026-06-04

NCSC Switzerland's Week 22 report documents a surge in fraudulent WhatsApp messages abusing real booking data leaked in the April 2026 Booking.com compromise (dates, hotel names, guest names) (NCSC-CH, 2026-06-02). Variant 1 sends a fake refund lure on WhatsApp that redirects to pages spoofing TWINT and Swiss bank portals to harvest card data (T1566.002). Variant 2 is the more dangerous: attackers use compromised hotel booking-system credentials (T1078.004) to message guests through the legitimate booking channel, demanding urgent card re-verification — the message carries the trust of the real platform, defeating the usual "is this sender legitimate?" check. NCSC frames the targets as Swiss hotel-booking customers generally; for a federal SOC, staff who book travel through these platforms fall in the same exposed population (analyst inference). Why it matters to us: the account-takeover variant breaks user-awareness controls because the lure originates from a trusted booking system, not a spoofed sender — detection has to move to anomalous outbound messaging from booking-platform accounts and to card-data entry on TWINT/bank look-alike domains.

NCSC Switzerland warns of cyber operations around the G7 Évian summit (15–17 June)

From CTI Daily Brief — 2026-06-03 · published 2026-06-03

On 2026-06-01 Switzerland's National Cyber Security Centre published a pre-event advisory warning that the G7 summit in Évian (France, 15–17 June) is a high-value target and that it "expects disruptive maneuvers in cyberspace again" (NCSC Switzerland, 2026-06-01). Although the summit sits on French soil, most delegations transit Geneva Airport and lodge on the Swiss side (Geneva, Vaud, Valais), putting Swiss federal and cantonal administrations, conference-linked suppliers, and Swiss telecom operators in the blast radius. An independently published threat map for the event frames the expected activity against the template of the 2024 Bürgenstock summit, when the pro-Russia hacktivist collective NoName057(16) ran DDoS waves against Swiss federal sites and conference-linked organisations on each summit day; the same map additionally flags state intelligence collection against hotel and telecom infrastructure, rogue-base-station cellular interception, and social-engineering against event staff as plausible vectors (ZENDATA Cybersecurity, 2026-05-03). The NCSC advisory itself recommends generic protective measures and DDoS preparedness for organisations linked to the event.

Why it matters to us: Organisations operating in the Geneva–Vaud corridor and Swiss federal/cantonal SOCs should pre-stage DDoS mitigation playbooks now, review MFA on customer-facing identity providers, rotate administrative credentials before the event window, and brief travelling staff on mobile-device physical security; hunt for anomalous authentication spikes from the summit region and unexpected reattachment events in MDM/MDM-adjacent telemetry around 15–17 June.

Apereo CAS version 7.3.7.1 patches an OIDC-provider flaw reported by Coop Switzerland; CERT-FR issues advisory CERTFR-2026-AVI-0654

From CTI Daily Brief — 2026-05-29 · published 2026-05-29

The Apereo Foundation released CAS version 7.3.7.1 on 2026-05-27 fixing an unspecified vulnerability in the OpenID Connect identity-provider component of its Central Authentication Service. Apereo scoped the disclosure to deployments where CAS acts as an OIDC IdP (no explicit statement about non-OIDC deployments, but the scoping suggests SAML / Kerberos-only configurations are out of scope of this specific defect). The reporters are Artur Stoecklin and David Roth at Coop (Switzerland), who reported the issue to the Apereo team via the YesWeHack bug-bounty platform — a direct CH-discovered identity-infrastructure issue rather than a vendor-only disclosure. CERT-FR / ANSSI issued advisory CERTFR-2026-AVI-0654 on 2026-05-28 framing the impact as "un problème de sécurité non spécifié par l'éditeur" (a security issue not specified by the vendor) and recommending immediate patching. Full technical details are withheld pending the standard security grace window. Apereo CAS is the dominant open-source SSO platform in European higher education and is also deployed across Swiss federal and cantonal administrations.

Why it matters to us: CH-relevant identity infrastructure with an EU-wide deployment footprint and a CH-sourced disclosure. Until technical detail is public, prioritise upgrade to the fixed version 7.3.7.1 on any CAS instance acting as an OIDC IdP and monitor OIDC token-issuance logs for unexpected client_id values, anomalous sub claims and tokens granted to unregistered clients.
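The monitoring recommendation above (unexpected client_id values, anomalous sub claims, tokens granted to unregistered clients) is a straightforward allowlist-and-format check over token-issuance audit lines. The block below is an added example, not Apereo CAS code and not part of the brief. The key=value line format, the client registry, the employee-id subject format and the directory extract are all assumed or constructed; real CAS audit output would need its own parser.

```python
"""Audit OIDC token-issuance lines for: tokens issued to unregistered clients, registered
clients granted scopes outside their registration, and sub claims that do not match the
expected subject format or are absent from the directory.

Added example, not CAS code. Log format, client registry, subject format and directory
are assumed / constructed.
"""
import re
from dataclasses import dataclass

# Assumed client registry: client_id -> scopes the client was registered for.
REGISTERED_CLIENTS = {
    "hr-portal": {"openid", "profile"},
    "ticketing": {"openid", "email"},
}
SUB_FORMAT = re.compile(r"^u\d{6}$")             # assumed employee-id subject format
DIRECTORY_SUBJECTS = {"u000123", "u000456"}      # constructed directory extract

# Constructed token-issuance audit lines in an assumed key=value format.
CONSTRUCTED_LOG = [
    "ts=2026-05-28T08:00:01Z event=TOKEN_ISSUED client_id=hr-portal sub=u000123 scope=openid,profile",
    "ts=2026-05-28T08:00:05Z event=TOKEN_DENIED client_id=hr-portal sub=u000123 scope=openid",
    "ts=2026-05-28T08:01:12Z event=TOKEN_ISSUED client_id=shadow-app sub=u000123 scope=openid",
    "ts=2026-05-28T08:02:40Z event=TOKEN_ISSUED client_id=ticketing sub=u000456 scope=openid,email,admin",
    "ts=2026-05-28T08:03:07Z event=TOKEN_ISSUED client_id=hr-portal sub=admin@internal scope=openid",
    "ts=2026-05-28T08:04:55Z event=TOKEN_ISSUED client_id=hr-portal sub=u999999 scope=openid",
]


@dataclass
class Finding:
    line: str
    reason: str


def parse_kv_line(line):
    """Split 'k=v k=v ...' into a dict; values may themselves contain '=' after the first."""
    return dict(field.split("=", 1) for field in line.split())


def audit_token_log(lines, registry=REGISTERED_CLIENTS, directory=DIRECTORY_SUBJECTS):
    """Return a Finding per deviation found in TOKEN_ISSUED lines (denied requests are skipped)."""
    findings = []
    for line in lines:
        f = parse_kv_line(line)
        if f.get("event") != "TOKEN_ISSUED":
            continue
        client_id, sub = f["client_id"], f["sub"]
        scopes = set(f.get("scope", "").split(","))

        if client_id not in registry:
            findings.append(Finding(line, f"token issued to unregistered client_id {client_id!r}"))
            continue                      # nothing else about this token can be trusted
        extra = scopes - registry[client_id]
        if extra:
            findings.append(Finding(line, f"client {client_id!r} granted unregistered scopes {sorted(extra)}"))
        if not SUB_FORMAT.match(sub):
            findings.append(Finding(line, f"sub {sub!r} does not match the expected subject format"))
        elif sub not in directory:
            findings.append(Finding(line, f"sub {sub!r} is not present in the directory"))
    return findings


if __name__ == "__main__":
    for finding in audit_token_log(CONSTRUCTED_LOG):
        print(finding.reason, "<-", finding.line)
```

The first line is clean; the remaining four issued tokens each produce one finding (unregistered client, an extra admin scope, a malformed sub, and a sub unknown to the directory). Until Apereo publishes detail, this is the kind of coarse check that catches issuance to a client the IdP should not know about, which is where an OIDC-provider flaw is most likely to show in logs.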

EU 20th-package managed-security-services ban in force from 25 May — Switzerland adopted listings only; MSS prohibition deferred

From CTI Weekly Summary — 2026-W22 (May 25 – May 31, 2026) · published 2026-05-25

Resolving the open W21 compliance question. The EU's 20th Russia sanctions package introduced — effective 25 May 2026 — a prohibition on providing managed security services (cybersecurity risk management, incident handling, penetration testing, security audits and related consulting) to the Russian government and Russian-established entities, extending to Russian subsidiaries of EU-incorporated companies absent a national-competent-authority licence. No European Commission interpretive guidance on the MSS scope had been published by end-May, so a conservative reading still applies. The Swiss answer is now confirmed: Switzerland's 22 May adoption covered the listings only — the substantive measures, including the MSS prohibition, were deferred (reporting points to a summer timeline). The practical consequence is a temporary CH/EU asymmetry: an EU-incorporated MSSP is already barred from servicing a Russian-established client, while the equivalent Swiss obligation is not yet in domestic force. Cross-border CH firms with EU entities should govern to the stricter EU line now rather than the Swiss timeline, and re-confirm no EDR/SIEM/connector service is operated under contract with a Russian-established entity.

Operation Saffron dismantles First VPN — 33+ servers seized, user database captured, Switzerland named JIT participant; Phobos RaaS infrastructure link confirmed

From CTI Daily Brief — 2026-05-22 · published 2026-05-22

A coordinated international law enforcement action on 2026-05-19–20 took down First VPN, a Russian-language criminal anonymisation service established in 2014 and systematically marketed on cybercrime forums as a no-log, law-enforcement-resistant tool (Eurojust, 2026-05-21). Europol stated the service "appeared in almost every major cybercrime investigation the agency supported" (BleepingComputer, 2026-05-21). Led by French and Dutch investigators through a Eurojust joint investigation team established in November 2023, the operation seized more than 33 servers distributed across 27 countries (server-host count); 16 nations participated through Europol's Joint Cybercrime Action Taskforce; 7 nations sat on the Eurojust-led JIT, including Switzerland, France, Netherlands, Luxembourg, Romania, Ukraine, and the UK — signalling fedpol/GovCERT.ch operational involvement. Law enforcement arrested the administrator in Ukraine, captured the full user database (over 5,000 accounts) and cryptographic connection records, and generated 83 intelligence packages covering 506 users distributed to partner agencies; Help Net Security reporting confirms the captured data links to the Phobos ransomware-as-a-service operation and broader ransomware, fraud, and data theft investigations (Help Net Security, 2026-05-21). The primary domains (1vpns.com, 1vpns.net, 1vpns.org) and associated .onion mirrors were seized. Historical network flows to those domains in proxy or firewall logs now constitute potential investigative leads flowing through Europol sharing channels; Phobos affiliates have repeatedly targeted EU public-sector and healthcare organisations.

THORChain GG20 Threshold Signature Scheme vault drain — ~$11M across nine chains; Switzerland-based protocol

From CTI Daily Brief — 2026-05-18 · published 2026-05-18

On 2026-05-15 a malicious validator node drained approximately $11M in protocol-owned funds from THORChain, a Switzerland-based decentralised cross-chain liquidity protocol founded in 2018, across Bitcoin, Ethereum, BNB Smart Chain, Base, Avalanche, Dogecoin, Litecoin, Bitcoin Cash, and XRP (The Record, 2026-05-15; TRM Labs, 2026-05-15). The leading technical hypothesis — reported by Chainalysis, PeckShield and Cyvers via CryptoTimes's post-mortem synthesis on 2026-05-17 — is a GG20 Threshold Signature Scheme (TSS) implementation flaw: a node identified as thor16ucjv3v695mq283me7esh0wdhajjalengcn84q joined the active validator set days before the attack, gradually leaked vault key shards during keygen and signing rounds, reconstructed sufficient key material offline, and then forged outbound vault signatures without triggering the protocol's quorum checks. CryptoTimes records verbatim: "the operator (or a compromised machine acting as the operator) exploited a vulnerability in the GG20 Threshold Signature Scheme implementation. Rather than a single dramatic key compromise, the attack appears to have involved the gradual leakage of vault key material during keygen or signing rounds — the kind of malformed-proof exploitation that the TSSHOCK class of CVEs first put on the industry's radar a few years ago." Chainalysis shared an on-chain analysis thread on 2026-05-16 linking attacker-controlled wallets to weeks of preparatory infrastructure staging through Monero and Hyperliquid before the vault drain. TRM Labs traced the proceeds to a two-address cluster within hours but has not attributed the exploit to any specific actor as of disclosure; historical THORChain laundering activity has been dominated by North Korean operators (Lazarus Group, including the $1.5B Bybit and ~$300M KelpDAO thefts per TRM Labs), but no Lazarus attribution is confirmed for this event. The Record reports user balances were not directly drained. 

Why it matters to us: the relevance to a Swiss / EU public-sector SOC is the technique class, not the cryptocurrency context. Any organisation operating MPC-custody, threshold-signing, or cross-chain bridge validator infrastructure — including FINMA-supervised digital-asset custodians, EU MiCA-regulated DeFi platforms, and any internal HSM-replacement projects that have moved to MPC-TSS — should audit node-admission controls, keygen/signing-round integrity, and whether newly joined nodes can participate in signing quorums before completing a full security review. The TSSHOCK vulnerability class — CVE-2023-33241 (Fireblocks GG18/GG20 Paillier-ZK-proof flaw) and related GG20/ECDSA-MPC research — showed that malformed or missing zero-knowledge proofs during GG18/GG20 keygen can leak private-key shards across multiple rounds; the THORChain exploit is the second large-scale production demonstration of that theoretical class.

THORChain — ~$11M cross-chain vault drain on a Switzerland-based protocol

From CTI Weekly Summary — 2026-W21 (May 18 – May 24, 2026) · published 2026-05-18

A malicious validator node drained approximately $11M in protocol-owned funds from THORChain — a Switzerland-based decentralised cross-chain liquidity protocol — across nine chains on 2026-05-15, covered 2026-05-18. Notable for this audience only as a Swiss-nexus financial-infrastructure incident; the root cause is a threshold-signature (GG20) vault-control failure rather than a defender-actionable enterprise TTP.

EU 20th Russia sanctions package — managed-security-services prohibition effective 25 May; Switzerland adopted most measures 22 May

From CTI Weekly Summary — 2026-W21 (May 18 – May 24, 2026) · published 2026-05-18

The single most defender-relevant regulatory change of the window. Council Regulation (EU) 2026/506 introduces a prohibition on providing "managed security services" — defined to include incident handling, penetration testing, security audits and security consulting/technical-support advice — to the Government of Russia and to entities legally established in Russia, effective 25 May 2026. The prohibition reaches EU-incorporated MSSPs supplying Russian subsidiaries absent a national-competent-authority licence; no European Commission interpretive guidance on scope had been published as of 24 May, so law-firm analyses advise a conservative reading. Switzerland's EAER adopted most of the 20th-package measures effective 22 May (115 individuals/entities asset-frozen, 20 Russian banks and 7 third-country intermediaries under transaction ban, RUBx / digital-ruble transactions prohibited from 26 May), deferring some energy/trade provisions; whether the Swiss transposition includes the managed-security-services prohibition specifically requires SECO confirmation. What defenders must do differently: any EU or Swiss SOC, IR firm, or pentest provider with a Russian-law-entity client must have wound those engagements down by 25 May, and should verify no security tooling (EDR agents, SIEM forwarders, ticketing/connector integrations) is being operated or serviced under a contract with a Russian-established entity.

Law-enforcement infrastructure takedowns — Operation Saffron (Switzerland JIT), FIOD/Stark Industries, Kimwolf, INTERPOL Ramz

From CTI Weekly Summary — 2026-W21 (May 18 – May 24, 2026) · published 2026-05-18

Four coordinated actions in the window degraded threat-actor infrastructure relevant to this audience. Operation Saffron dismantled First VPN — a Russian-language criminal anonymisation service marketed to ransomware operators — seizing 33+ servers with the user database captured; Switzerland was a named Joint Investigation Team participant, and the infrastructure is linked to Phobos RaaS (Eurojust; daily 2026-05-22). The Netherlands FIOD arrested two suspects for EU-sanctions evasion tied to the Stark Industries bulletproof-hosting front and seized ~800 servers, dismantling NoName057(16) DDoS plumbing (FIOD; daily 2026-05-23). The alleged operator of the Kimwolf 30+ Tbps IoT DDoS-for-hire botnet (AISURU variant) was arrested (US DoJ; daily 2026-05-23), and INTERPOL Operation Ramz logged 201 arrests across a 13-country MENA sweep including a PhaaS-server takedown (INTERPOL; daily 2026-05-19). The defender-relevant pattern: the takedowns hit anonymisation/hosting/DDoS plumbing rather than end actors, so expect short-term infrastructure churn (new VPN/hosting fronts, rebuilt botnet C2) rather than a durable drop in activity.

Sophos 2026 State of Identity Security — 71% of orgs breached via identity, 41% root-caused to non-human-identity mismanagement, Switzerland records highest incidence

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

Published 2026-05-15. Vendor-agnostic survey of 5,000 IT and security leaders across 17 countries (Q1 2026 fieldwork). The defender-relevant findings beyond the headline 71% identity-breach figure: (a) identity-to-ransomware pipeline dominant — 67% of ransomware victims attributed their ransomware incident directly to a prior identity attack, establishing identity-protocol abuse as the operationally dominant initial-access pattern; (b) non-human identity (NHI) mismanagement is the leading root cause — service accounts, API keys, AI-agent identities outnumber human identities by ratios up to 100:1 in surveyed organisations, weak NHI lifecycle management was the root cause in 41% of successful identity breaches, only 34% of organisations regularly audit NHI accounts; (c) Switzerland records the highest identity-breach incidence globally in the survey period; the daily 2026-05-15 also reported energy as the hardest-hit sector (Sophos blog; Help Net Security — Sophos 2026 identity-breach costs report; daily 2026-05-15).

The synthesis lens the daily did not have room for: the Sophos data corroborates the W19 Mandiant M-Trends finding that identity-rooted intrusions dominate IR-case data, and it converges with the Verizon DBIR 2026 finding (below) that stolen credentials remain the most common initial-access vector. The composite picture: for Swiss federal / cantonal estates with high service-account density and no NHI lifecycle governance, the NHI inventory + lifecycle gap is the single highest-leverage control deficit disclosed in this week's research output. The Sophos data is the empirical basis for prioritising NHI governance over endpoint-EDR upgrades, where budget pressure forces a choice. Detection focus: anomalous service-account Kerberos TGS requests (T1558.003 Kerberoasting), unusual OAuth token grants from CI/CD service identities, API key usage from unexpected source IPs or geographies.
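The first detection focus listed above, anomalous service-account Kerberos TGS requests (T1558.003), has a well-known signature: one account requesting service tickets for many distinct service principals with RC4 (TicketEncryptionType 0x17) in a short burst. The block below is an added example, not from the Sophos report or the brief. The 4769 events are constructed; the field names follow the Windows security-event schema, while the window and distinct-service threshold are assumed and would need tuning per estate.

```python
"""Flag accounts that request Kerberos service tickets (Event ID 4769) for many distinct
service accounts with RC4-HMAC inside a short window, the service-ticket-request burst
behind T1558.003 (Kerberoasting).

Added example, not from the Sophos report or the brief. Events are constructed;
the threshold and window are assumed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

RC4_HMAC = "0x17"                  # TicketEncryptionType value for RC4-HMAC in 4769
WINDOW = timedelta(minutes=5)
MIN_DISTINCT_SERVICES = 3          # assumed threshold; tune to the estate
IGNORED_SERVICES = {"krbtgt"}      # TGS for krbtgt is a renewal, not an SPN ticket

# Constructed 4769 events: TimeCreated, TargetUserName (requester), ServiceName,
# TicketEncryptionType, IpAddress.
CONSTRUCTED_4769 = [
    ("2026-05-12T14:00:01", "jdoe", "svc-sql01", "0x17", "10.0.5.23"),
    ("2026-05-12T14:00:02", "jdoe", "svc-web02", "0x17", "10.0.5.23"),
    ("2026-05-12T14:00:02", "jdoe", "svc-backup", "0x17", "10.0.5.23"),
    ("2026-05-12T14:00:03", "jdoe", "svc-sharepoint", "0x17", "10.0.5.23"),
    ("2026-05-12T14:01:00", "jdoe", "krbtgt", "0x12", "10.0.5.23"),
    ("2026-05-12T14:10:00", "asmith", "svc-sql01", "0x12", "10.0.7.4"),      # AES, normal use
    ("2026-05-12T14:12:00", "asmith", "svc-web02", "0x12", "10.0.7.4"),
    ("2026-05-12T09:00:00", "legacy-app", "svc-sql01", "0x17", "10.0.9.9"),  # one RC4 SPN, not a burst
    ("2026-05-12T15:00:00", "legacy-app", "svc-sql01", "0x17", "10.0.9.9"),
]


@dataclass
class Alert:
    requester: str
    source_ip: str
    window_start: datetime
    services: list


def detect_kerberoast_pattern(events, window=WINDOW, min_services=MIN_DISTINCT_SERVICES):
    """Return one Alert per requester burst of >= min_services distinct RC4 service tickets."""
    by_requester = defaultdict(list)
    for ts, requester, service, enc_type, ip in events:
        if enc_type != RC4_HMAC or service in IGNORED_SERVICES:
            continue
        by_requester[requester].append((datetime.fromisoformat(ts), service, ip))

    alerts = []
    for requester, evs in by_requester.items():
        evs.sort()
        i = 0
        while i < len(evs):
            start, _, ip = evs[i]
            # events are sorted, so those within the window form a contiguous run
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            services = sorted({e[1] for e in in_window})
            if len(services) >= min_services:
                alerts.append(Alert(requester, ip, start, services))
                i += len(in_window)           # do not re-alert on the same burst
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for a in detect_kerberoast_pattern(CONSTRUCTED_4769):
        print(f"{a.requester} from {a.source_ip} at {a.window_start}: "
              f"{len(a.services)} RC4 service tickets for {a.services}")
```

Only jdoe trips the rule: four RC4 tickets for four service accounts within two seconds. asmith's AES tickets and legacy-app's repeated single RC4 ticket are the benign cases the filter has to tolerate; an estate that still has RC4-only service accounts will need an allowlist for the latter, which is itself a finding worth fixing.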

Sophos 2026 State of Identity Security: Switzerland records highest identity-breach incidence globally; energy and federal government hardest-hit sectors [SINGLE-SOURCE]

From CTI Daily Brief — 2026-05-15 · published 2026-05-15

Sophos published its State of Identity Security 2026 survey on 2026-05-14, drawing on responses from IT and cybersecurity leaders across 17 countries (Help Net Security, 2026-05-14). The headline finding is that more than 70% of surveyed organisations experienced at least one identity-related breach in the prior 12 months. Swiss organisations recorded the highest breach incidence among all surveyed countries. Sector analysis places energy, oil/gas, and utilities alongside federal government as the verticals with the highest breach rates — and two-thirds of ransomware victims in the survey attributed initial access to an identity compromise: stolen credentials, session hijacking, or MFA bypass. The survey corroborates NCSC-CH's sustained advisory focus on credential abuse and the trend visible across this brief series (Lumma Stealer takedown, FamousSparrow credential harvesting, TeamPCP OIDC token theft). Defenders in CH/EU public-sector environments should audit conditional access policies and MFA resilience controls — particularly for energy-sector service accounts and Entra ID/ADFS federations — against the pattern of phishing-resistant MFA requirements in NCSC-CH guidance.

NCSC Switzerland — formal BACS assessment on AI in vulnerability management; defenders warned against over-reliance on AI detection

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

The Swiss NCSC published a formal signed BACS assessment on 1 May 2026 titled "Use of AI in vulnerability management" (NCSC Switzerland Im Fokus, 2026-05-01). The assessment characterises AI as "highly significant for cybersecurity" with an asymmetric dual-use risk: while AI-based detection tools accelerate vulnerability identification for defenders, the NCSC observes that the same technology "is making hackers' work much easier," particularly in malware-development efficiency. The key NCSC finding is that the actual scale of fully autonomous AI-driven cyberattacks remains unclear — defenders should not treat AI-augmented detection as a solved problem justifying reduced investment in foundational controls. The NCSC recommends prioritising: continuous patching discipline, strong access management and privileged-access controls, staff security awareness, and regular structured security reviews. What defenders need to do differently: in ISG-covered Swiss entities a BACS position paper carries supervisory weight under the NCS implementation framework; CISO functions should document how their AI-security tool deployments are complemented by (not substituting for) the NCSC's foundational-controls baseline. This is a measured regulatory pushback against vendor claims that AI-powered detection can replace security fundamentals. Single-source national-CERT carve-out applies.

[SINGLE-SOURCE-OTHER] SMS-blaster smishing establishing itself in Switzerland — portable IMSI-catchers force 2G downgrade, bypass operator SMS filtering

From CTI Daily Brief — 2026-05-11 · published 2026-05-11

ebas.ch — the Swiss banking-sector and Lucerne University of Applied Sciences (HSLU) e-banking awareness portal — reported on 2026-05-07 that SMS-blaster fraud is establishing itself in Switzerland. A portable device (concealable in a vehicle or backpack) broadcasts as a rogue base station with strong signals that force nearby smartphones within several hundred metres to attach and to downgrade from 4G/5G to 2G. The 2G network lacks mutual authentication between handset and base station, allowing the operator to inject SMS directly into the victim's handset — entirely bypassing the mobile carrier's SMSC, where anti-phishing and anti-spam filters are applied (ebas.ch, 2026-05-07). The lure SMS impersonates authorities, banks or courier services, directing victims to credential-harvesting pages. A brief, unexpected radio-access-technology (RAT) downgrade from 4G/5G to 2G on a managed handset, in the absence of a corresponding carrier-outage signal, is the technical fingerprint of a rogue base station in proximity — although ebas.ch does not report observed victim handset-side telemetry as part of its disclosure.

Why it matters to us: Federal employees and contractors using government-issued or BYOD mobile devices are exposed to the same proximity-targeted lure that no carrier filter can stop. SMS-blaster activity is invisible to enterprise mobile threat-defence (MTD) products that rely on link reputation alone — the lure arrives via SMS, but the device-side signal is a sudden 4G/5G → 2G → 4G/5G transition that some EDR-MDM stacks (Intune mobile telemetry, Jamf Protect) can surface. Suggest disabling 2G on managed Android estates where MDM supports the setting (Android 12+ via setAllowedNetworkTypesForReason / Enterprise restrictions); iOS Lockdown Mode disables 2G but is impractical for routine federal use. Map smishing-lure handling to existing IR runbooks. Mapped to T1566 Phishing at the technique level — the smishing variant delivered via a rogue base station bypasses operator-side SMS filtering by attacking the radio-link delivery channel, not by manipulating data in flight to its intended endpoint. ebas.ch is the only source for the Swiss-localised signal — see § 7 [SINGLE-SOURCE-OTHER] notice.
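The device-side signal described above (a sudden 4G/5G → 2G → 4G/5G transition, not explained by a carrier outage, and typically seen on several handsets in the same place at once because a rogue cell captures every phone in range) can be turned into a detection over exported MDM radio telemetry. The block below is an added example, not from ebas.ch or the brief, and not an Intune or Jamf Protect query. It assumes the MDM/MTD stack exports per-device RAT-change events with a coarse location label; the telemetry rows, area names and carrier-outage windows are constructed, and the dip duration and clustering bucket are assumed thresholds.

```python
"""Surface brief, clustered 4G/5G -> 2G -> 4G/5G dips in managed-handset radio telemetry that
do not coincide with a known carrier outage: the handset-side fingerprint of a rogue cell.

Added example, not from ebas.ch or the brief. Telemetry, areas and outage windows are
constructed; the export format and the thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

RAT_2G = {"GSM", "GPRS", "EDGE"}
RAT_BROADBAND = {"LTE", "NR"}
MAX_DIP = timedelta(minutes=5)           # rogue cell holds the phone only long enough to push SMS
CLUSTER_BUCKET = timedelta(minutes=10)   # dips on several devices in one area and bucket = one cell

# Constructed RAT-change events: device, time, new RAT, coarse area label from the MDM.
TELEMETRY = [
    ("dev-01", "2026-05-07T12:00:00", "LTE", "geneva-centre"),
    ("dev-01", "2026-05-07T12:03:10", "GSM", "geneva-centre"),
    ("dev-01", "2026-05-07T12:04:40", "LTE", "geneva-centre"),
    ("dev-02", "2026-05-07T11:58:00", "NR",  "geneva-centre"),
    ("dev-02", "2026-05-07T12:03:25", "GSM", "geneva-centre"),
    ("dev-02", "2026-05-07T12:05:00", "NR",  "geneva-centre"),
    ("dev-03", "2026-05-07T17:55:00", "LTE", "bern-east"),
    ("dev-03", "2026-05-07T18:00:00", "GSM", "bern-east"),    # brief dip, but inside a carrier outage
    ("dev-03", "2026-05-07T18:02:00", "LTE", "bern-east"),
    ("dev-04", "2026-05-07T08:50:00", "LTE", "rural-vs"),
    ("dev-04", "2026-05-07T09:00:00", "GSM", "rural-vs"),     # coverage edge: hours on 2G, not a dip
    ("dev-04", "2026-05-07T11:00:00", "LTE", "rural-vs"),
]
# Constructed carrier-outage windows per area (what the operator account team would supply).
OUTAGES = [("bern-east", "2026-05-07T17:50:00", "2026-05-07T19:00:00")]


@dataclass
class Dip:
    device: str
    area: str
    start: datetime
    end: datetime
    cluster_size: int = 1


def _in_outage(area, when, outages):
    """True if `when` falls inside a known outage window for `area`."""
    for out_area, o_start, o_end in outages:
        if area == out_area and datetime.fromisoformat(o_start) <= when <= datetime.fromisoformat(o_end):
            return True
    return False


def detect_rogue_cell_dips(telemetry, outages, max_dip=MAX_DIP, bucket=CLUSTER_BUCKET):
    """Return Dips (brief broadband->2G->broadband excursions outside outage windows),
    each annotated with how many devices in the same area dipped in the same time bucket."""
    per_device = defaultdict(list)
    for device, ts, rat, area in telemetry:
        per_device[device].append((datetime.fromisoformat(ts), rat, area))

    dips = []
    for device, events in per_device.items():
        events.sort()
        for i in range(1, len(events) - 1):
            prev_rat = events[i - 1][1]
            t, rat, area = events[i]
            if prev_rat not in RAT_BROADBAND or rat not in RAT_2G:
                continue
            recovery = next((e for e in events[i + 1:] if e[1] in RAT_BROADBAND), None)
            if recovery is None or recovery[0] - t > max_dip:
                continue                       # long 2G periods are coverage, not a blaster
            if _in_outage(area, t, outages):
                continue                       # the carrier explains this one
            dips.append(Dip(device, area, t, recovery[0]))

    # Cluster by (area, time bucket since midnight): independent phones dipping together
    # in one place is the strongest indicator a rogue cell was present.
    buckets = defaultdict(list)
    for d in dips:
        midnight = d.start.replace(hour=0, minute=0, second=0, microsecond=0)
        buckets[(d.area, (d.start - midnight) // bucket)].append(d)
    for group in buckets.values():
        for d in group:
            d.cluster_size = len(group)
    return sorted(dips, key=lambda d: (d.start, d.device))


if __name__ == "__main__":
    for d in detect_rogue_cell_dips(TELEMETRY, OUTAGES):
        print(f"{d.device} in {d.area}: 2G from {d.start.time()} to {d.end.time()}, "
              f"{d.cluster_size} device(s) in the same area/bucket")
```

Two devices in geneva-centre dip within 15 seconds of each other and recover inside two minutes, with no outage on record; they are reported as a cluster of two. dev-03's dip is suppressed by the bern-east outage window and dev-04's two hours on 2G is treated as a coverage edge. The clustering step matters in practice: a single phone briefly dropping to 2G is noise, but several unrelated handsets doing so at the same minute in the same place is what a blaster looks like from the MDM side, and is the event worth escalating to the operator account team alongside any lure SMS reported by staff in that window.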