Executive Summary
This past week saw active exploitation of critical vulnerabilities, widespread data exfiltration, and ongoing ransomware operations across multiple sectors.
Key developments
- Palo Alto Networks PAN-OS RCE: An actively exploited remote code execution vulnerability in PAN-OS software allows root access to vulnerable network security devices. Related analysis on a Palo Alto Networks Captive Portal Exploit details similar high-impact vulnerabilities.
- Linux Kernel Exploitation: The "Copy Fail" (CVE-2026-31431) and "DirtyFrag" (CVE-2026-43284) Linux kernel vulnerabilities are under active exploitation, enabling local privilege escalation on affected systems. Context is available in the Copy Fail Linux Vulnerability report.
- Educational Data Breach: ShinyHunters claimed an Instructure Canvas breach, involving school login-page defacements and the theft of 3.65 TB of data from an estimated 275 million users.
- Malware Certificate Misuse: Actors tricked DigiCert into issuing code-signing certificates that were then used to sign malware, letting malicious software pass checks that treat a valid signature as a mark of legitimacy.
Business Impact
Active exploitation of vulnerabilities in network security devices and core operating systems creates opportunities for unauthorized access, data exfiltration, and disruption. Large-scale data breaches create significant risks of identity theft and targeted follow-on campaigns. Misuse of code-signing certificates undermines software integrity checks and complicates detection.
Trends and changes vs last week
Ransomware groups conducted various operations, including data theft and encryption. Geopolitical cyber activity remained steady. An increased adversary interest in misusing AI tooling and developer communities through malicious packages was observed. Exploitation of critical vulnerabilities in enterprise web environments and edge devices for initial access grew.
Outlook
Active exploitation of critical vulnerabilities in network devices and operating systems will likely continue. Ransomware activity from groups like The_Gentleman and Qilin will likely continue; the Ransomware Activity Overview below gives further context. Activity targeting AI infrastructure and developer tools is also expected to grow.
Key Threat Intelligence Highlights
This week saw several key developments:
A critical Remote Code Execution (RCE) vulnerability in Palo Alto Networks PAN-OS software is actively exploited. This gives adversaries root access to affected devices, allowing complete system compromise and potential espionage. Organizations using these firewalls face an immediate risk and must apply available patches without delay.
The cybercrime group ShinyHunters increased its attacks against the Canvas learning management system, using school login page defacements. This tactic tricks students and faculty into divulging credentials, which could lead to widespread data breaches and academic disruption. Such attacks present a significant danger to educational institutions and their digital systems.
Two newly discovered Linux kernel vulnerabilities, Copy-Fail and DirtyFrag, are subtle page-cache manipulation flaws. Copy-Fail yields an arbitrary kernel write and thus local privilege escalation; DirtyFrag is reported to expose sensitive data belonging to other processes or the kernel. Timely kernel updates are critical for Linux security.
CISA has required federal agencies to patch critical Ivanti Connect Secure vulnerabilities within four days, as these authentication bypass and command injection flaws are under active exploitation. The zero-day exploits grant attackers complete control over vulnerable gateways. This poses a serious risk of network intrusion and data compromise, making it an urgent security concern for government systems.
Hackers exploited a weakness in DigiCert's issuance process to obtain fraudulent code-signing certificates, which they then used to sign malware. Signed malware passes the initial checks that trust a valid signature, so the incident weakens trust in digital signatures and exposes a gap in how software integrity is verified: a signature proves only that the signer held a certificate the CA vouched for, not that the software is benign.
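The mechanism behind the DigiCert incident is that chain validation alone cannot tell a mis-issued certificate from a legitimate one: both chain to the same trusted root. The Go program below is an added example (not code from the reporting, from DigiCert or from any vendor) that builds a constructed CA, issues a code-signing certificate to a legitimate publisher and another to an impostor, and shows that a plain chain-and-signature check accepts both while a signer allowlist rejects the impostor. The CA name, the publishers "Acme Software" and "Impostor Ltd", and the payload bytes are all constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates a P-256 key pair and a certificate from tmpl signed by
// parent (self-signed when parent is nil). Constructed PKI, not DigiCert's.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// template builds a CA or a code-signing leaf for name. Whether the requester
// really is `name` is the identity check a tricked CA gets wrong.
func template(name string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial),
		Subject:   pkix.Name{Organization: []string{name}, CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	return t
}

// VerifyChain answers only "is this a valid code-signing signature that
// chains to a trusted root?" A certificate mis-issued by that root passes.
func VerifyChain(payload, sig []byte, cert *x509.Certificate, roots *x509.CertPool) bool {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return false
	}
	h := sha256.Sum256(payload)
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	return ok && ecdsa.VerifyASN1(pub, h[:], sig)
}

// VerifyTrusted adds the policy the chain check lacks: the signer must be a
// publisher the defender has explicitly allowlisted.
func VerifyTrusted(payload, sig []byte, cert *x509.Certificate, roots *x509.CertPool, allowed map[string]bool) bool {
	if !VerifyChain(payload, sig, cert, roots) {
		return false
	}
	for _, org := range cert.Subject.Organization {
		if allowed[org] {
			return true
		}
	}
	return false
}

// Scenario: one trusted CA issues to a legitimate vendor and, by mistake, to
// an impostor; both sign the same constructed payload (detached ECDSA over
// SHA-256). Result per signer: [0] chain check passes, [1] policy check passes.
func Scenario() map[string][2]bool {
	caCert, caKey := issue(template("Example Public CA", 1, true), nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	allowed := map[string]bool{"Acme Software": true}
	payload := []byte("constructed installer bytes")
	out := map[string][2]bool{}
	for i, org := range []string{"Acme Software", "Impostor Ltd"} {
		cert, key := issue(template(org, int64(i+2), false), caCert, caKey)
		h := sha256.Sum256(payload)
		sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
		must(err)
		out[org] = [2]bool{VerifyChain(payload, sig, cert, roots), VerifyTrusted(payload, sig, cert, roots, allowed)}
	}
	return out
}

func main() {
	for org, r := range Scenario() {
		fmt.Printf("%-14s chain=%v policy=%v\n", org, r[0], r[1])
	}
}
```

In production the allowlist would be keyed on a stable identity such as subject plus issuer or the public-key hash rather than a display name, and the check would also consult revocation (CRL or OCSP) so that a certificate the CA later revokes stops passing; the chain check on its own answers a question the DigiCert incident shows is insufficient.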
Additional Threat Intelligence Context
CVE-2026-0300 (CVSS: none listed; rated VERY CRITICAL) - Active exploitation of a critical unauthenticated Remote Code Execution (RCE) vulnerability in the Palo Alto PAN-OS User-ID Authentication Portal, enabling root-level takeover of internet-exposed firewalls.
Available Exploits: five public CVE-2026-0300 exploit repositories were listed (links not preserved).
Analysis: CVE Analysis Report for CVE-2026-0300
GitHub Link:
- Title: CVE-2026-0300 Safe Checker
- CVE: CVE-2026-0300 (CVSS: none listed; rated VERY CRITICAL)
Based on the analysis:
- Complexity Score: Easy
- Remote/Local: Remote
- Authenticated/Unauthenticated: Unauthenticated
- Privilege Required: None
Risk Score: 100/100
Based on ease of use, potential impact, how widely it ...
Widespread availability of extensive government (Iraq Ministry of Finance, 117M Chinese COVID vaccination records) and medical (Ascension Health, Saludsa) datasets on breach forums, creating significant risks for identity fraud and targeted operations.
Large-scale data breach and extortion campaign by ShinyHunters against Instructure Canvas LMS, disrupting learning for thousands of institutions and exposing an estimated 275 million users' data (3.65 TB).
CVE-2026-31431 (CVSS: none listed; rated CRITICAL) - Active exploitation of critical Linux kernel privilege escalation vulnerabilities, 'Copy Fail' (CVE-2026-31431) and 'DirtyFrag' (CVE-2026-43284), allowing local root access through page-cache corruption, with public proof-of-concept code available.
Available Exploits: five public CVE-2026-31431 exploit repositories were listed (links not preserved).
Analysis: CVE Analysis Report for CVE-2026-31431
GitHub Link:
- Title: 732 Bytes to Root PoC
- CVE: CVE-2026-31431 (CVSS: none listed; rated CRITICAL)
Based on the analysis:
- Complexity Score: Easy
- Remote/Local: Local
- Authenticated/Unauthenticated: requires a local account (the exploit runs as an ordinary user; no authentication to any service is needed)
- Privilege Required: User
Risk Score: 95/100
Based on ease of use, potential impact, how widely it could spread, and ...
Supply chain attacks targeting developer communities and user-facing software, such as the malicious 'noon-contracts' npm package, which steals cloud and SSH credentials, and the official JDownloader site distributing a Python remote access trojan.
CVE-2026-4670 (CVSS: 9.8, CRITICAL) - Critical authentication bypass in MOVEit Automation, enabling remote unauthenticated access to workflows and data transfers; separately, active exploitation of an Ivanti EPMM RCE (CVE-2026-6973).
Active ransomware operations by groups like Lynx, Leak_Bazaar, Lapsus, Medusa Locker, and M3rx, targeting a wide range of sectors globally, often using data theft and remote access tools.
CVE-2026-7482 (CVSS: 9.1, CRITICAL) - Vulnerabilities impacting AI infrastructure, such as 'Bleeding Llama', enabling unauthenticated heap memory leakage from Ollama AI model servers, potentially exposing API keys and other sensitive data.
Available Exploits: three public CVE-2026-7482 exploit repositories were listed (links not preserved).
Analysis: CVE Analysis Report for CVE-2026-7482
GitHub Link:
- Title: Ollama GGUF Heap OOB PoC
- CVE: CVE-2026-7482 (CVSS: 9.1, CRITICAL)
Based on the analysis:
- Complexity Score: Easy
- Remote/Local: Remote
- Authenticated/Unauthenticated: Unauthenticated
- Privilege Required: None
Risk Score: 100/100
Based on ease of use, potential impact, how widely it could spread, a...
The PCPJack cloud worm, actively spreading across cloud and on-premises environments by chaining multiple CVEs to steal credentials and gain persistent access.
Ransomware Activity Overview
Ransomware groups such as Lynx, Leak_Bazaar, Lapsus, Medusa Locker, M3rx, and Stormous remained active, targeting a broad spectrum of sectors including engineering, manufacturing, industrial services, financial technology, education, non-profit care, healthcare, and oil and gas across North America, Europe, Asia, the Middle East, Australia, and Africa. Observed tradecraft includes M3rx's Go-based payload, which uses AES-CTR for file encryption and X25519 for key exchange, with PowerShell for self-deletion. RansomHub infrastructure was also observed. Groups often prioritize data theft and remote access, with encryption sometimes serving as a decoy, and continue to rely on commodity C2 frameworks.

Extensive data breaches include the sale of 680,504 Ascension Health patient records with SSNs and a further 1.1 million unnamed US patient profiles, Saludsa (Ecuador) records, the full database of Iraq's Ministry of Finance, and 117 million Chinese COVID vaccination records, all advertised on major forums. The Instructure Canvas breach, claimed by ShinyHunters, alone involved 3.65 TB of data from an estimated 275 million users.

Geopolitical cyber activity included Keymous claiming disruptions against Moroccan government portals, RipperSec coordinating DDoS attacks against Israeli and South Korean entities, and Cyber Islamic Resistance conducting defacements and intrusions against Israeli firms. Exploitation of the Palo Alto PAN-OS zero-day is attributed to a likely state-linked actor.

Campaigns like MacSync, a macOS infostealer delivered via Google Ads and Claude.ai shared chats, and the malicious 'noon-contracts' npm package show increased adversary interest in misusing AI tooling and developer communities. Reports also described intrusions with operational technology (OT) implications, such as AI-assisted reconnaissance at a water utility and claims of access to a Gulf-region traffic system.
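To make the M3rx cryptographic design described above concrete, the Go program below is an added example (not M3rx code and not taken from the reporting) of the same hybrid construction: a fresh ephemeral X25519 key pair per file, ECDH against the operator's public key, and AES-CTR for the file body. The operator key pair, the SHA-256 key derivation and the blob layout are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Operator holds the long-term X25519 key pair (constructed example, not M3rx
// code). Only the public half would be embedded in a payload.
type Operator struct{ priv *ecdh.PrivateKey }

func NewOperator() (*Operator, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Operator{priv: priv}, nil
}

func (o *Operator) PublicKey() []byte { return o.priv.PublicKey().Bytes() }

// deriveKey maps the raw X25519 shared secret to a 256-bit AES key. SHA-256
// over secret||label is an assumed stand-in for a real KDF such as HKDF.
func deriveKey(shared []byte) []byte {
	h := sha256.New()
	h.Write(shared)
	h.Write([]byte("example-file-key"))
	return h.Sum(nil)
}

// EncryptFile makes a fresh ephemeral key pair per file, runs ECDH against the
// operator's public key and encrypts with AES-CTR. The ephemeral private key
// is dropped on return, so nothing usable for decryption stays on the host.
// Blob layout: ephemeralPub(32) || iv(16) || ciphertext.
func EncryptFile(operatorPub, plaintext []byte) ([]byte, error) {
	curve := ecdh.X25519()
	pub, err := curve.NewPublicKey(operatorPub)
	if err != nil {
		return nil, err
	}
	eph, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(pub)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(deriveKey(shared))
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(ct, plaintext)
	blob := append([]byte{}, eph.PublicKey().Bytes()...)
	blob = append(blob, iv...)
	return append(blob, ct...), nil
}

// DecryptFile recomputes the file key from the header's ephemeral public key
// and the operator's private key; with any other private key the same blob
// decrypts to noise, which is the extortion lever.
func (o *Operator) DecryptFile(blob []byte) ([]byte, error) {
	if len(blob) < 48 {
		return nil, errors.New("blob too short")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(blob[:32])
	if err != nil {
		return nil, err
	}
	shared, err := o.priv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(deriveKey(shared))
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(blob)-48)
	cipher.NewCTR(block, blob[32:48]).XORKeyStream(pt, blob[48:])
	return pt, nil
}

func main() {
	op, _ := NewOperator()
	blob, _ := EncryptFile(op.PublicKey(), []byte("constructed sample document"))
	pt, _ := op.DecryptFile(blob)
	fmt.Printf("header ephemeral pub %x...; operator recovers %q\n", blob[:4], pt)
}
```

The detail a responder cares about: after encryption the only key material left on the host is the 32-byte ephemeral public key in each file header; the matching private key is gone, and the file key can be recomputed only with the operator's private key, so recovery without it is not possible. AES-CTR provides confidentiality only, not integrity.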
During the reporting period, 226 total victims were identified across 38 active ransomware groups. The top 5 most active groups accounted for 117 victims.
Top 5 Ransomware Groups
The_Gentleman - 37 victim(s)
- Notable victims: Arcelik, Arizona professional painting, C2o architects, Chx express, Clark fixture technologies (and 32 more)
Qilin - 31 victim(s)
- Notable victims: Advanced laundry systems, Ahorramas, Asphalt specialists, Bmtp, Cad-it uk (and 26 more)
Medusa Locker - 22 victim(s)
- Notable victims: Académie de montpellier / csjm demo, Actionaid / tacosa demo, Atencio engineering, Bandeirante supermercados, Bapamai (and 17 more)
SafePay - 15 victim(s)
- Notable victims: Bootstransport.ca, Dahlgrenscement.se, Ettp.be, Fital-treppenlifte.de, Gingerichtrucking.com (and 10 more)
Akira - 12 victim(s)
- Notable victims: Abi and ideal tape, Clinical registry solutions, Elia law firm, Grau gmbh, Greenwoods dental centre (and 7 more)
Deep Web
Deep Web Activity Overview
Deep web channels this week show persistent and evolving illicit data commerce, centred on government, financial, and large personally identifiable information (PII) databases. Several large-scale data breaches, including sensitive government and critical-infrastructure data, were advertised for sale or ransom, indicating varied motivations and capabilities among the actors involved. The reported incidents span multiple geographies, from North and South America to Asia and Africa, showing the global reach of these operations.
Notable Breach Incidents and Data Leaks
What major data leaks appeared on deep web forums this week?
This week, several substantial data leaks appeared on deep web forums, including claimed breaches of the U.S. National Security Agency (NSA), Chinese military research institutes, Iran's nuclear program data, extensive Venezuelan government citizen databases, and large financial and telecommunications datasets from Brazil and the U.S.
- U.S. National Security Agency (NSA) Data (34 GB): A user named 'NsaBroker' claimed to have breached the NSA, offering 34 GB of confidential data for sale with a minimum price of $10,000. The data purportedly includes personal and professional emails, classified private documents, and reports, such as a "NSA Report on Russia Spearphishing.pdf." The actor stated the data was acquired between February and April 2026 through an "investigative process" involving other hacking entities. The data is offered exclusively to a single buyer.
- Chinese Military, Rocket Force, Foreign Affairs, Cyberforce Test Data+Reports: A user named 'mosad' advertised the sale of "Fresh Chinese PLA data." The listing specified data from several critical military and research areas, including the Cyberspace Force Technology Research Institute, Rocket Force, Middle East and African Affairs Analysis Division, Institute of Satellite Early Warning Technology, Institute of Shipborne Electromagnetic Systems, and the Institute of Biological and Medical Engineering. The actor expressed interest in selling to "organisations like thinktanks" and accepted various cryptocurrencies and escrow.
- Iran Nuclear Program Data (77.56 GB): Ransom Demand
A user named 'NormalLeVrai' posted a ransom demand targeting Iran, threatening to release 77.56 GB of data related to the country's nuclear program if €5,000 was not paid by May 15th. The data is described as containing archives of the Iranian nuclear program, a "Nuclear Iranian Database" split into 35 parts, structured JSON files, and other related documents including an Iranian budget table and insurance data. The actor also claimed to have defaced Iranian websites and extracted their databases.
- Venezuelan Government Databases (SAIME, SAREN, Carnet Fronterizo): Terabytes of Data
The 'L4TAMFUCKERS' team, represented by 'GordonFreeman', announced "OPERATION HECATOMBE VENEZUELA," claiming to have breached SAIME (identity and immigration), SAREN (civil registry), and CARNET FRONTERIZO (border pass) systems. The actor claims the intrusion exploited API weaknesses, specifically IDOR/BOLA (insecure direct object references, i.e. broken object-level authorization) and API chaining, to exfiltrate terabytes of data: 12.5 million birth certificates (nearly 6 TB) from SAREN, biographical metadata of 35 million people from SAIME (IDs, full names, professions, registration dates), and 92,000 detailed records from Carnet Fronterizo (foreign ID numbers, emails, passwords, full names, dates of birth, phone numbers).
- Brazil Credilink.com.br Financial Credit Protection Services (243 Million Records)
A user named 'Blastoize' posted data allegedly from Credilink.com.br, a financial credit protection service in Brazil. The leak includes 243 million records, with a 12 million record sample provided. The data fields are extensive, including CPF (Brazilian individual taxpayer registry), full name, address details, date of birth, mother's name, gender, email, federal revenue status, corporate roles, vehicle information (make, model, year for up to 5 vehicles), presumed income, and income bracket. The data is available for purchase.
- Exploit for Law Enforcement Disclosure Data: "The Ghost Disclosure Exploit"
A user named 'convince' offered a "private method for requesting law enforcement disclosure data from any major social platform without ever needing a law enforcement email." Priced at $300, this exploit claims to use a "massive logic flaw" to submit requests and pull subscriber archives and private logs directly from social platform portals, verifying as an official agent using the department's public infrastructure. The offering also includes "forged court orders and seizure warrants for domain suspensions."
- Burkina Faso Government Biometric Passport & CNIB Database (approx. 60,500 Records Advertised)
A user 'smiro662' advertised a "HIGH VALUE" leak of biometric passport and CNIB (National Individual Biometric Card) data from Burkina Faso. The listing describes 58,547 verified records with fields such as full name, DOB, address, phone, and email, along with high-resolution passport scans (JPG, 300 dpi average) and CNIB copies (front and back). The collection is stated to be recent (2024-2025) and totals over 30 GB.
- AT&T Database (70 Million Records): Re-leak
The user 'ShinyHunters', a well-known actor, re-uploaded, with a repaired download link, an AT&T database dating from 2021. The database contains 73.48 million lines (the incident is typically described as involving 70 million unique records). It includes sensitive PII such as names, addresses, and phone numbers, and for a substantial portion (29 million records) Social Security Numbers (SSN) and dates of birth (DOB). The re-release makes a highly sensitive dataset readily available again.
- China Union Pay Chinese Leak (170 Million Rows)
A user 'hulky' offered a large database of China Union Pay customer data, totaling 171 million rows (duplicates removed per phone number). The data fields include phone number, name, account number, National ID, ID province/city, general province/city, carrier, sex, and birthday.
Nature and Scope of Breaches
The breaches observed this week cover many data types and affect a broad population.
- Governmental and Classified Information: Data from the U.S. NSA, Chinese military institutions, and Iran's nuclear program represents a direct compromise of national security interests. Such data could include intelligence, operational details, strategic plans, and personal information of government personnel. The volume of the NSA data (34 GB) and Iran nuclear data (77.56 GB) indicates significant data extraction.
- Massive PII Exposure: The Venezuelan government breach (SAIME, SAREN, Carnet Fronterizo) involves fundamental citizen identity data (birth certificates, biographical metadata, border pass details including passwords) for tens of millions of people, totaling terabytes of information. Similarly, the Brazil Credilink data (243 million records) and China Union Pay data (171 million records) expose vast quantities of financial PII, credit information, and demographic details. The AT&T re-leak affects 70 million individuals, with a large portion including SSN and DOB.
- Biometric Data: The Burkina Faso breach stands out for exposing biometric passport scans and CNIB copies for over 60,000 individuals, alongside standard PII. This type of data carries an especially high risk for identity theft and forgery.
- Exploit Sales: The "Ghost Disclosure Exploit" is not a data leak itself but an offering of a method to obtain sensitive law enforcement disclosure data from social platforms. This tool could enable malicious actors to carry out various forms of social engineering, targeted attacks, or surveillance, even without the need for traditional verified credentials.
- Data Volume and Sensitivity: The sizes of the datasets range from tens of thousands of records (Burkina Faso) to hundreds of millions (Brazil, China Union Pay, AT&T), and from tens of gigabytes to several terabytes. The sensitivity varies from basic biographical data to classified government documents, financial records, SSNs, and biometric identifiers.
Patterns or Trends in the Breach Data
Several patterns appeared from this week's deep web activity:
- Government Entities as Primary Targets: There is a clear pattern of targeting government organizations across different nations (US, China, Iran, Venezuela, Burkina Faso). This indicates motivations beyond purely financial gain, including espionage, geopolitical disruption, and hacktivism.
- Financial and Telecommunications Sectors Remain Vulnerable: The breaches involving Brazil's Credilink and AT&T show the ongoing susceptibility of large organizations holding extensive customer data in the financial and telecommunications sectors. The repeated appearance of such data shows continued value for cybercriminals.
- API Exploitation as an Attack Vector: The Venezuelan government breach was attributed by the actor to "API exploitation," "IDOR / BOLA" (insecure direct object references / broken object-level authorization: an endpoint that authenticates the caller but never checks that the requested object belongs to them), and "API chaining." This shows continued reliance on misconfigured or poorly secured APIs as a pathway to access and exfiltrate large databases.
- Resurgence of Older Leaks: The re-upload of the 2021 AT&T database by ShinyHunters shows that older, previously leaked data continues to be re-circulated or made more accessible on deep web forums, extending its lifespan and potential for misuse.
- Monetization Diversity: Actors use various monetization strategies. Some offer direct sales at specified prices (NSA, China Military, Credilink, China Union Pay), others issue ransom demands with a deadline (Iran Nuclear), and some make data freely available (AT&T re-leak). The sale of exploits to acquire data, like "The Ghost Disclosure Exploit," forms a market for tools rather than just the data itself.
- High-Value Data Points: There is a steady demand for data containing national identifiers (SSN, CPF, National ID), dates of birth, and, increasingly, biometric information, because of their usefulness in identity theft and fraud.
- Geopolitical Motivations: The explicit mention of "What's happening in Israel and Iran is simply unacceptable, so I'm going to expose both countries to the public" by 'NormalLeVrai' suggests a hacktivist or politically motivated element in some breaches, linking cyber operations to real-world geopolitical events.
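The IDOR/BOLA pattern cited for the Venezuelan breach, as an added example in Go (constructed registry data and hypothetical bearer tokens; not code from any of the systems named): the vulnerable handler authenticates the caller but never binds the requested record to that caller, so one valid token can walk sequential IDs and read every record; the hardened handler adds the ownership check and returns 404 for foreign IDs so the endpoint does not confirm which IDs exist.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed registry: each record belongs to one caller, identified here by
// a hypothetical bearer token (a real API would validate a session or JWT).
type Record struct {
	Owner string
	Body  string
}

var records = map[string]Record{
	"1001": {Owner: "tok-alice", Body: "birth certificate #1001 (alice)"},
	"1002": {Owner: "tok-bob", Body: "birth certificate #1002 (bob)"},
}

// principal returns the authenticated caller, or false if there is none.
func principal(r *http.Request) (string, bool) {
	auth := r.Header.Get("Authorization")
	if !strings.HasPrefix(auth, "Bearer ") {
		return "", false
	}
	return strings.TrimPrefix(auth, "Bearer "), true
}

func recordID(r *http.Request) string { return strings.TrimPrefix(r.URL.Path, "/records/") }

// VulnerableHandler authenticates the caller but never checks that the
// requested object belongs to them: any valid token reads any record (IDOR/BOLA).
func VulnerableHandler(w http.ResponseWriter, r *http.Request) {
	if _, ok := principal(r); !ok {
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
		return
	}
	rec, ok := records[recordID(r)]
	if !ok {
		http.NotFound(w, r)
		return
	}
	fmt.Fprint(w, rec.Body)
}

// HardenedHandler binds the object to the caller. A foreign ID gets the same
// 404 as a missing one, so the endpoint does not confirm which IDs exist.
func HardenedHandler(w http.ResponseWriter, r *http.Request) {
	who, ok := principal(r)
	if !ok {
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
		return
	}
	rec, ok := records[recordID(r)]
	if !ok || rec.Owner != who {
		http.NotFound(w, r)
		return
	}
	fmt.Fprint(w, rec.Body)
}

// Fetch drives a handler in-process and returns status and trimmed body.
func Fetch(h http.HandlerFunc, token, path string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rr := httptest.NewRecorder()
	h(rr, req)
	return rr.Code, strings.TrimSpace(rr.Body.String())
}

// Enumerate walks sequential IDs the way an attacker would and returns the
// IDs the caller could read; against VulnerableHandler that is every record.
func Enumerate(h http.HandlerFunc, token string, from, to int) []string {
	var readable []string
	for id := from; id <= to; id++ {
		if code, _ := Fetch(h, token, fmt.Sprintf("/records/%d", id)); code == http.StatusOK {
			readable = append(readable, fmt.Sprint(id))
		}
	}
	return readable
}

func main() {
	fmt.Println("bob via vulnerable handler:", Enumerate(VulnerableHandler, "tok-bob", 1000, 1005))
	fmt.Println("bob via hardened handler:  ", Enumerate(HardenedHandler, "tok-bob", 1000, 1005))
}
```

The ownership check belongs in every handler that takes an object identifier, and sequential numeric IDs make the walk trivial to script; the "API chaining" the actor mentions is this same enumeration fed by IDs harvested from another endpoint that lists them.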
Potential Impact
The potential consequences of the deep web data exposures this week are severe and widespread:
- National Security Compromise: The alleged breaches of the NSA and Chinese military data could give foreign adversaries or non-state actors intelligence, operational insights, or strategic advantages, potentially impacting national defense and international relations. The Iran nuclear program data, if authentic, could be used for geopolitical leverage or to further understand the nation's nuclear capabilities.
- Widespread Identity Theft and Fraud: The massive PII leaks from Venezuela, Brazil, and AT&T (especially with SSN/DOB) create many opportunities for large-scale identity theft. Adversaries can use this data for account takeovers, fraudulent loan applications, new credit lines, tax fraud, and other financial crimes against affected individuals.
- Targeted Attacks and Espionage: The detailed data, including addresses, phone numbers, and professional information (e.g., CBO occupation codes in the Brazilian data), can be used for personalized phishing campaigns, social engineering, or even physical targeting of individuals. This is especially concerning for government officials, military personnel, and those working in sensitive sectors.
- Financial Exploitation: Financial data, combined with other PII from Credilink and China Union Pay, can lead directly to financial fraud, unauthorized transactions, or extortion.
- Exploitation of Vulnerabilities: The "Ghost Disclosure Exploit" offering shows that cybercriminals are actively developing and selling tools to bypass security controls on major social platforms to obtain sensitive user data. This points to a wider risk for individuals whose data is held by these platforms, even without direct breaches of the platforms themselves.
- Erosion of Trust and Stability: Breaches of government identity systems (Venezuela, Burkina Faso) and critical infrastructure (telecommunications, financial services) can weaken public trust in institutions and cause societal instability, particularly in regions already facing economic or political challenges.
- Supply Chain Risks: Compromised data from government employees or critical sector personnel can create paths for further attacks against associated organizations, causing supply chain vulnerabilities.
- Long-Term Impact of Biometric Data Exposure: The exposure of biometric data from Burkina Faso has long-term implications, as this information cannot be easily changed. It creates paths for persistent identity fraud and complex impersonation schemes.
Sources
- PAN-OS RCE Exploit Under Active Use Enabling Root Access and Espionage
- ShinyHunters escalates Canvas attacks with school login defacements
- Copy Fail and DirtyFrag: Linux Page Cache Bugs in the Wild
- CISA gives feds four days to patch Ivanti flaw exploited as zero-day
- Hackers Trick DigiCert Into Issuing Certificates Used to Sign Malware