Ransomware Affiliates Jailed, Critical Flaws Exploited, and Sophisticated Phishing Attacks

Introduction

Cybersecurity continues to present complex challenges for organizations and security professionals. Recent events show the persistent nature of cyber threats, from insider collusion with ransomware groups to mass exploitation of critical software vulnerabilities. The current environment requires strong defense, integrating advanced intelligence with proactive security measures.

This report summarizes key developments in recent weeks. It focuses on events such as the sentencing of individuals aiding the ALPHV (BlackCat) ransomware operation, the widespread exploitation of a critical cPanel flaw by "Sorry" ransomware, and the addition of a serious Linux privilege escalation bug (CVE-2026-31431) to the Known Exploited Vulnerabilities catalog. We also cover sophisticated phishing campaigns using legitimate platforms like Google AppSheet and Microsoft Azure.

These incidents demonstrate an increase in attacker sophistication. Attackers often combine social engineering with technical exploits and abuse trusted services. Understanding these tactics is essential for maintaining effective breach detection and defense strategies.

Individuals Jailed for Aiding ALPHV (BlackCat) Ransomware Operations

Two US cybersecurity experts have received prison sentences for involvement with the ALPHV (BlackCat) ransomware group. This case marks a significant legal action against individuals who exploited their professional knowledge for illicit gain. The sentencing, announced on April 30, 2026, reflects an effort to deter insider threats within the cybersecurity sector.

Ryan Goldberg, 40, and Kevin Martin, 36, each received four-year prison sentences. Both operated as affiliates for the ALPHV (BlackCat) gang throughout 2023. Goldberg, an incident response manager, and Martin, a ransomware negotiator, used their access and understanding of victim recovery processes to facilitate attacks. They used a Ransomware-as-a-Service (RaaS) model, using BlackCat's infrastructure and sharing 20% of their illicit proceeds with the ransomware developers.

The group targeted over 1,000 victims worldwide, including engineering firms and medical centers. In one instance, they leaked private patient data from a doctor's office to coerce payment. A third suspect, Angelo Martino, 41, who also acted as a professional negotiator, pleaded guilty to providing sensitive information to hackers for inflated ransom demands and awaits sentencing on July 9.

Financial Impact and Operation Disruption

The criminal operation generated substantial illicit revenue. Goldberg, Martin, and Martino collectively obtained approximately $1.2 million in Bitcoin from a single victim. This shows the financial motivations driving such ransomware operations.

Their activities were disrupted in late 2023 when the FBI intervened, compromising the BlackCat network. Investigators developed a decryption tool that allowed hundreds of victims to recover their data without making ransom payments. This intervention prevented an estimated $99 million from reaching the hackers. Following the disruption, Goldberg fled, traveling through 10 countries before the FBI apprehended him in Mexico City. Organizations can use real-time ransomware intelligence and dark web monitoring service capabilities to identify and counter such threats, often before they impact operations.

Critical cPanel Flaw CVE-2026-41940 Mass-Exploited by "Sorry" Ransomware

A critical authentication bypass vulnerability in cPanel and WHM, CVE-2026-41940, is being actively exploited in widespread attacks. This flaw allows unauthorized access to web hosting control panels, leading to data encryption by a new ransomware variant dubbed "Sorry." Mass exploitation highlights the importance of immediate patching for critical infrastructure software.

An emergency update for WHM and cPanel was released this week to address CVE-2026-41940. This vulnerability, actively exploited as a zero-day since late February, grants attackers the ability to bypass authentication and gain control over server and website management interfaces. The security watchdog Shadowserver reported that at least 44,000 IP addresses running cPanel have been compromised as a result of these ongoing attacks.

Exploiting the cPanel flaw, attackers deploy a Go-based Linux encryptor named "Sorry" ransomware. This ransomware appends the ".sorry" extension to all encrypted files. The encryption process uses the ChaCha20 stream cipher, with the encryption key protected by an embedded RSA-2048 public key. According to ransomware expert Rivitna, decryption without the corresponding private RSA-2048 key is not possible.

"Sorry" Ransomware Communication

Victims of the "Sorry" ransomware find a ransom note named README.md in each folder containing encrypted files. This note instructs them to contact the threat actor via a specific Tox ID, which is consistently provided across all campaigns: 3D7889AEC00F2325E1A3FBC0ACA4E521670497F11E47FDE13EADE8FED3144B5EB56D6B198724. This method of communication for ransom negotiation is common among ransomware groups.

This "Sorry" ransomware campaign is distinct from a 2018 ransomware incident that also used a ".sorry" extension but involved a different encryptor (HiddenTear). Organizations must immediately install available security updates for cPanel and WHM to prevent these live ransomware API attacks and protect against data theft. Proactive supply-chain risk monitoring is essential to identify and mitigate vulnerabilities in critical software components.

CISA Adds Actively Exploited Linux Root Access Bug CVE-2026-31431 to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-31431, a local privilege escalation (LPE) flaw impacting various Linux distributions, to its Known Exploited Vulnerabilities (KEV) catalog. This addition, made on Friday, May 3, 2026, means the vulnerability is under active exploitation and poses an immediate threat. Organizations using Linux environments should prioritize patching and mitigation efforts.

Tracked as Copy Fail by Theori and Xint, CVE-2026-31431 is a nine-year-old logic bug within the Linux kernel's authentication cryptographic template. It enables an unprivileged local user to reliably gain root access using a small, 732-byte Python-based exploit. The flaw was introduced through a series of individually harmless changes to the Linux kernel in 2011, 2015, and 2017, and impacts Linux distributions shipped since 2017. Fixes are available in Linux kernel versions 6.18.22, 6.19.12, and 7.0.

This vulnerability operates by corrupting the kernel's in-memory page cache of any readable file, including setuid binaries. Google-owned Wiz explained that modifying the page cache effectively alters binaries at execution time without touching disk. This mechanism allows attackers to inject code into privileged binaries, such as /usr/bin/su, thereby gaining root privileges.

Implications of CVE-2026-31431 for Cloud and Containerized Environments

The widespread use of Linux in cloud and containerized environments, including Docker, LXC, and Kubernetes, means CVE-2026-31431 has significant implications. Kaspersky highlighted that the vulnerability presents a serious risk to these environments. This is because containers often grant processes access to the AF_ALG subsystem if the algif_aead module is loaded into the host kernel by default.

Kaspersky noted that Copy Fail poses a risk of breaching container isolation and achieving control over the physical machine. The exploitation process is not complex, avoiding techniques like race conditions or memory address guessing, which lowers the barrier for potential attackers. Detecting the attack is challenging because it uses legitimate system calls, making it difficult to differentiate from normal application behavior. A fully functional exploit proof-of-concept (PoC) is available, with Go and Rust versions detected in open-source repositories. Microsoft Defender Security Research Team observed preliminary testing activity, anticipating increased threat actor exploitation.

The attack vector is local (AV:L) and requires low privileges with no user interaction. While not remotely exploitable in isolation, CVE-2026-31431 becomes highly impactful when chained with an initial access vector, such as Secure Shell (SSH) access, malicious CI job execution, or container footholds. Microsoft detailed a possible attack route: reconnaissance of vulnerable Linux hosts or containers, deployment of a Python trigger, execution from a low-privilege context, a controlled 4-byte overwrite in the kernel page cache, and subsequent escalation to UID 0 for full root privileges. Federal Civilian Executive Branch (FCEB) agencies are advised to apply the fixes by May 15, 2026. For those unable to patch immediately, disabling the affected feature, implementing network isolation, and applying access controls are recommended.

Google AppSheet Exploited in 30,000-User Facebook Phishing Operation

Cybersecurity researchers at Guardio Labs have uncovered a large-scale phishing operation, code-named AccountDumpling, that exploits Google's own infrastructure to hijack Facebook Business accounts. This sophisticated campaign has compromised over 30,000 users globally by abusing Google AppSheet's notification system and Google Drive. The use of legitimate services to deliver malicious content demonstrates a strategy aimed at bypassing conventional security filters.

The attackers use Google AppSheets-a no-code tool designed for business automation-to send phishing emails from official Google servers, specifically noreply@appsheet.bounces.google.com and appsheet.bounces.google.com. This allows the emails to pass authentication checks like SPF, DKIM, and DMARC, increasing their credibility. Phishing lures frequently involve Meta-related themes, such as fake copyright complaints or warnings about account disablement. An email from April 2026 included "Case ID: 6480258166" and threatened permanent disablement within 24 hours.

The AccountDumpling operation uses multiple attack clusters to target different victim profiles. These include:

  • Cluster A (Netlify Clones): Attackers use HTTrack to replicate the Facebook Help Centre, hosting these fake sites on Netlify to steal passwords and government IDs.
  • Cluster B (The Reward Trap): This cluster uses social engineering, such as promises of Blue Badge verification, alongside zero-font tactics like Cyrillic homoglyphs and invisible Unicode hair spaces to evade spam filters.
  • Cluster C (Live Control): This advanced method involves a Google Drive-hosted PDF that, when clicked, uses Socket IO and WebSockets to activate a live operator panel. This enables real-time interaction with victims to solicit two-factor authentication (2FA) codes.
  • Cluster D: This cluster involves fake job recruitment schemes for brands like Adobe, Apple, and Coca-Cola, redirecting victims to private WhatsApp chats.

Attribution and Impact of the AccountDumpling Operation

Further investigation attributes the AccountDumpling operation to Vietnamese-linked actors. A Canva-generated PDF file associated with the attack contained the name Phạm Tài Tân in its metadata. This individual is reportedly linked to a business that assists with recovering locked Facebook accounts, suggesting a connection to the illicit market for compromised credentials.

Stolen data from these phishing kits is sent to Telegram bots, specifically @haixuancau_bot and @globalglobalglobalbot_bot, operated by users known as "Big Bosss" and "@mansinblack." While the attack is global, 68.6% of the victims in the main dataset were from the United States, followed by the UK, Canada, and Italy. Guardio Labs characterizes this as a "professional supply chain," where one group acquires accounts and another monetizes them through resale or fraud. A cyber threat intelligence platform with telegram threat monitoring and brand leak alerting can provide early warning against such sophisticated phishing campaigns.

ConsentFix v3 Attacks Target Azure with Automated OAuth Abuse

A new attack vector, ConsentFix v3, is being distributed on hacker forums, presenting an automated method for targeting Microsoft Azure environments through OAuth abuse. This iteration builds upon previous ConsentFix versions, improving scalability and efficiency in hijacking Microsoft accounts, even when protected by Multi-Factor Authentication (MFA).

The initial ConsentFix version, introduced by Push Security in December 2025, used a variation of ClickFix for OAuth phishing. Victims were socially engineered into completing a legitimate Microsoft login via the Azure CLI, then tricked into pasting a localhost URL containing an OAuth authorization code. This allowed attackers to obtain tokens and hijack accounts without requiring passwords, bypassing MFA. ConsentFix v2, developed by researcher John Hammond, refined this by replacing manual copy/paste with a drag-and-drop mechanism for the localhost URL, streamlining the phishing flow.

ConsentFix v3 retains the core strategy of abusing the OAuth2 authorization code flow and targeting pre-trusted, first-party Microsoft applications. Its key improvement is the incorporation of automation and scalability into the attack process. The attack sequence typically begins with reconnaissance to identify valid Azure tenant IDs and gather employee details (names, roles, email addresses) for targeted impersonation. Attackers then establish multiple accounts across various services, including Outlook, Tutanota, Cloudflare, DocSend, Hunter.io, and Pipedream, to support phishing, hosting, data gathering, and exfiltration operations.

Pipedream's Role in ConsentFix v3 Attacks

Pipedream, a free-to-use serverless integration platform, is central to automating ConsentFix v3 attacks. It serves three critical functions: acting as the webhook endpoint for receiving the victim's authorization code, serving as the automation engine to immediately exchange that code for a refresh token via Microsoft's API, and functioning as a central collector that makes captured tokens available to the attackers in real-time.

Attackers deploy a phishing page, often hosted on Cloudflare Pages, that mimics a legitimate Microsoft/Azure interface. This page initiates a genuine OAuth flow through Microsoft's login endpoint. When a victim interacts with the page, they are redirected to a localhost URL containing an OAuth authorization code, which they are then tricked into pasting or dragging back into the phishing page. This action triggers the data exfiltration pipeline, sending the captured URL to a Pipedream webhook, where automation instantly exchanges the authorization code for tokens. Phishing emails are often highly personalized, generated from harvested data, and may embed malicious links within a PDF hosted on DocSend to enhance credibility and evade spam filters. In the post-exploitation phase, the acquired tokens are imported into Specter Portal, enabling attackers to interact with compromised Microsoft environments and access resources such as email and files, governed by the token's permissions. Mitigating ConsentFix risks is complex due to the architectural trust in first-party apps and Family of Client IDs (FOCI). However, administrators can implement token binding to trusted devices, establish behavioral detection rules, and apply app authentication restrictions. Credential Intelligence solutions are essential to detect and respond to these types of advanced phishing attacks.

Technical Takeaways

  • The jailing of ALPHV (BlackCat) affiliates Ryan Goldberg and Kevin Martin for four years each, following their involvement in Ransomware-as-a-Service (RaaS) operations that extorted approximately $1.2 million in Bitcoin from victims globally, shows legal enforcement actions against insider threats and illicit collaboration.
  • A critical cPanel authentication bypass flaw, CVE-2026-41940, is undergoing mass exploitation by the "Sorry" ransomware, which deploys a Go-based Linux encryptor using ChaCha20 and RSA-2048 encryption to compromise at least 44,000 IP addresses.
  • CISA added CVE-2026-31431 (Copy Fail) to its KEV catalog, indicating active exploitation of this nine-year-old Linux kernel local privilege escalation bug that allows unprivileged users to gain root access by corrupting the kernel's page cache. This poses a significant threat to cloud and containerized environments.
  • The AccountDumpling phishing operation has compromised over 30,000 Facebook Business accounts by exploiting Google AppSheet and Google Drive, using multiple sophisticated clusters including live operator panels via Socket IO/WebSockets and Telegram bots for data exfiltration.
  • ConsentFix v3 attacks automate OAuth abuse against Microsoft Azure, using services like Pipedream and Cloudflare Pages to bypass MFA and obtain refresh tokens, enabling unauthorized access to compromised Microsoft environments.