Monday, June 8 2026
DFM News Roundup
Digital Forensics Magazine — 48h News Roundup
Window: 2026-06-06 00:00 to 2026-06-08 23:59 (UTC)

Snapshot Summary

Sector / Section                 Headline Highlights                 Count
Digital Investigations           Scam scripts; spyware traces        2
Cyber Investigations             Cloud theft; card skimming          2
Major Cyber Incidents            Credential vaults; supply chain     2
Exploits & Threat Intelligence   Gogs RCE; UniFi root                2
Law Enforcement                  Scam raids; fraud disruption        2
Policy & Standards               EU sovereignty; ISO cloud           2

Digital Investigations

[APAC] Australian and Thai police disclosed a Cambodian scam-compound script used to impersonate AFP officers, move victims into encrypted video calls, and extract banking details under a fake “surveillance protocol.” The release identifies logos, staged signage, victim-verification steps, confidentiality demands, and about 300 potential Australian victims, giving investigators concrete social-engineering artefacts to compare with device, call, chat, and payment evidence. (Source: Australian Federal Police, 08-06-2026)

[AMER/EMEA] Meta accused NSO Group of renewed WhatsApp-linked spearphishing despite a U.S. court injunction, saying user reports led investigators to malicious links, test accounts, and groups later removed from the platform. The case matters because the indicators connect legal orders, platform telemetry, user reporting, and spyware targeting patterns, helping investigators preserve cross-platform evidence before infrastructure or accounts disappear. (Source: CyberScoop, 08-06-2026)

Cyber Investigations

[AMER] Researchers reported that the Pink cybercrime group is targeting corporate data through vishing and cloud-account theft, extending tactics associated with the broader Com ecosystem into extortion-focused intrusions. Investigators should prioritise voice-call records, identity-provider logs, SaaS session artefacts, mailbox rules, and cloud-storage access histories to reconstruct whether social engineering preceded data staging or theft. (Source: SC World, 08-06-2026)

[GLOBAL] A Magecart campaign abused Google Tag Manager and Stripe API infrastructure to load skimming code and store stolen payment-card data inside attacker-controlled Stripe customer metadata. The technique complicates investigations because traffic moves through trusted payment and analytics domains, making localStorage artefacts, GTM container changes, checkout-page scripts, Stripe customer objects, and CSP exceptions critical sources of evidence. (Source: BleepingComputer, 04-06-2026)

Major Cyber Incidents

[GLOBAL] Dashlane disclosed that fewer than 20 personal-plan users had encrypted vaults downloaded after an external brute-force campaign attempted to break two-factor protections and register new devices. The small victim count still gives investigators a useful model for analysing authentication throttling, temporary suspensions, device-enrolment trails, encrypted vault access, and the limits of “encrypted-but-exfiltrated” evidence handling. (Source: The Hacker News, 02-06-2026)

[GLOBAL] The Miasma supply-chain worm compromised Red Hat npm packages, using credential theft and repository propagation behaviours that echo recent self-replicating developer-ecosystem intrusions. For investigators, the priority is rapid correlation of npm publish events, maintainer tokens, GitHub workflow logs, package-lock histories, developer endpoints, and downstream dependency trees to determine exposure scope before polluted packages are cached or mirrored. (Source: The Hacker News, 08-06-2026)

Exploits & Threat Intelligence

[GLOBAL] Gogs patched a critical argument-injection zero-day that could allow authenticated users on default-configured internet-facing instances to compromise servers, read private repositories, steal credentials, and alter source code. Investigators should review new-account creation, repository ownership changes, rebase-merge settings, process execution, Git hooks, secrets exposure, and source-integrity evidence across collaboration servers that may have accepted untrusted registrations. (Source: BleepingComputer, 08-06-2026)

[GLOBAL] Researchers detailed a UniFi OS Server exploit chain combining access-control, path-traversal, and command-injection flaws to gain unauthenticated root access on affected management appliances. Because those systems can govern network devices, cameras, doors, and identity-linked controls, investigations need appliance logs, reverse-proxy request normalisation artefacts, package-update traces, sudo execution records, and downstream configuration changes. (Source: BleepingComputer, 08-06-2026)

Law Enforcement

[EMEA] Turkish authorities detained 357 suspects across 18 provinces in cybercrime raids targeting alleged online fraud, illegal betting, and criminal money-flow activity. The scale highlights the investigative value of coordinated seizure planning, account mapping, device triage, payment-rail reconstruction, and province-level suspect-link analysis when cyber-enabled fraud networks span multiple operational cells. (Source: Daily Sabah, 08-06-2026)

[AMER/APAC] The U.S. Justice Department’s Scam Center Strike Force said a government-and-industry disruption week disabled more than 1.4 million scam accounts, interrupted infrastructure, froze over $3.8 million in cryptocurrency, and supported seven arrests in Thailand. The operation shows how shared indicators, platform-abuse reports, hosting data, crypto-tracing records, and foreign-police referrals can be fused into a victim-centred disruption record. (Source: U.S. Department of Justice, 03-06-2026)

Policy & Standards

[EMEA] The European Commission advanced a technology-sovereignty package covering semiconductors, cloud, AI, open source, and digital energy systems to reduce dependence on U.S. and Chinese suppliers. For investigators, sovereignty rules can change where logs, cloud workloads, encryption controls, and lawful-access processes reside, affecting preservation orders, jurisdictional analysis, and cross-border evidence collection. (Source: The Record, 05-06-2026)

[GLOBAL] ISO published updated ISO/IEC 27017 guidance for information security controls applicable to cloud-service provision and cloud-service use, aligning cloud-specific controls with ISO/IEC 27002. The update is relevant to evidence readiness because cloud control ownership, tenant responsibilities, logging expectations, and provider obligations influence how investigators prove access, retention, segregation, and chain-of-custody. (Source: ISO, 02-06-2026)

Editorial Perspective

This cycle underlines how digital investigations increasingly depend on linking human manipulation, platform telemetry, and infrastructure evidence into one defensible record. Scam-compound scripts, spyware spearphishing, and vishing-led cloud theft all show that the earliest useful artefacts may sit in chat logs, identity events, voice records, or user reports rather than endpoint alerts. Investigative readiness now means pre-planning access to those evidence streams before retention limits or account takedowns erase them.

The technical stories also reinforce the need to preserve integrity across software supply chains, developer platforms, and cloud services. Repository histories, package registries, API metadata, appliance logs, and cloud-control records can become the core timeline when attackers abuse trusted services. Teams that can correlate those records quickly will be better positioned to establish attribution signals, prove exposure, and support lawful disclosure or prosecution.

Tags

Digital investigations, scam compounds, spyware, cloud evidence, npm supply chain, Gogs, UniFi OS, Magecart, ISO/IEC 27017, tech sovereignty
