Recent Cybersecurity Threats: Zero-Click Exploits, Supply Chain Attacks, and Data-Destroying Ransomware

Introduction

The cybersecurity field presents complex challenges. Recent incidents show the ingenuity of threat actors and the critical need for proactive defense. Organizations face many sophisticated attacks, from stealthy zero-click exploits to widespread supply chain compromises. Understanding these methods is fundamental for developing effective protective measures.

Recent disclosures detail several significant threats: an actively exploited Windows Shell vulnerability, widespread credential theft through malicious npm packages, and the weaponization of a critical cPanel flaw. A new ransomware variant has also emerged with a design flaw that irreversibly destroys victim data, making ransom payments futile. Analyzing these incidents shows current attack methodologies and their implications.

This overview provides a factual summary of these critical cybersecurity events. It aims to inform security professionals and business leaders about the technical specifics and broader impact of these threats. PurpleOps, a cyber threat intelligence platform, gathers and analyzes such information to help organizations anticipate and mitigate risks.

APT28's Zero-Click Windows Shell Exploit (CVE-2026-32202)

A zero-click Windows Shell vulnerability, CVE-2026-32202, has been actively exploited by the Russian state-linked threat group APT28 (also known as Fancy Bear, Forest Blizzard, or Pawn Storm). This flaw originated from an incomplete patch for CVE-2026-21510, a Windows Shell SmartScreen bypass vulnerability Microsoft addressed in February 2026. Microsoft confirmed active exploitation and released a complete fix in its April 2026 Patch Tuesday updates.

CERT-UA initially observed the attack campaign in December 2025, targeting organizations in Ukraine and several EU countries. Akamai researchers confirmed and analyzed the exploit chain in January 2026, showing how it works. This threat shows the ongoing geopolitical motivations behind some of the most advanced cyber operations.

The attack involves a specially crafted malicious LNK (Windows Shortcut) file that exploits the Windows Shell namespace parsing mechanism. The shortcut's LinkTargetIDList structure is manipulated to mimic legitimate Control Panel objects. It includes a Control Panel CLSID, an "all control panel items" reference, and a malicious _IDCONTROLW entry pointing to an attacker-controlled UNC path. This path hosts a rogue CPL (Control Panel applet) file. For more details on this technique, see PurpleOps's analysis of a similar threat in our article on the Windows LNK zero-day.

When Windows Explorer parses the LNK file, it resolves the UNC path and attempts to load the remote DLL as a Control Panel component. This process bypasses standard SmartScreen and Mark of the Web (MotW) protections. The attack was chained with CVE-2026-21513, an MSHTML exploit, allowing APT28 to establish a stealthy infection path with minimal user interaction. Our blog post on CVE-2026-21513 and APT28's MSHTML exploitation provides further technical context.

Microsoft's original February patch introduced a new COM object called ControlPanelLinkSite and added a 0x08000000 fMask flag. This change was intended to force the execution chain through ShellExecute trust verification and SmartScreen validation. While this blocked remote code execution by preventing unsigned or untrusted CPL files from executing, a residual issue remained.

Akamai's PatchDiff-AI analysis revealed that before ShellExecute verification, Windows Explorer invokes CControlPanelFolder::GetUIObjectOf to render folder contents. During this process, the PathFileExistsW function attempts to resolve the malicious UNC path. This automatically triggers an outbound SMB authentication request as soon as the folder is opened, even if the file is never clicked. This type of reconnaissance is typical of state-sponsored espionage, as discussed in our piece on APT28's Office flaw espionage.

This behavior allows attackers to capture the victim's Net-NTLMv2 hash through an automatic authentication handshake. This enables NTLM relay attacks or offline credential cracking without user interaction, creating a serious credential theft vector despite its medium CVSS score. Organizations should deploy Microsoft's April 2026 security updates and monitor for suspicious outbound SMB traffic.

npm Supply Chain Attacks: Credential Theft and RAT Deployment

Recent activity in the npm ecosystem reveals multiple malicious packages designed for credential theft and supply chain escalation. One example is npm-global-util, published by the maintainer raya4321 on April 29, 2026. This package runs a shell script on preinstall that exfiltrates system credentials, cloud tokens, and environment secrets to attacker-controlled webhook.site endpoints.

The maintainer raya4321 published 16 malicious packages between April 27 and April 29, 2026. These packages often use Apple-branded names like apple-internal-telemetry-service or apple-infra-gcp-leak, suggesting a targeted campaign against Apple developer environments or CI/CD pipelines. This activity demonstrates a specific focus on supply-chain risk.

The npm-global-util package's ms_audit.sh script iterated through several versions, each improving its reconnaissance and credential harvest. Early versions focused on system identity and cloud metadata probing, while later versions targeted sensitive file extraction (PDF, private keys, ZIP files) using keyword-based searches (e.g., "secret", "password"). The attacker also hunted for database URL patterns and cloud storage buckets.

A bundled second-stage script, pwn.sh, aimed for supply chain escalation. If an npm publish token was found, the script downloaded apple-app-store-server-library, modified its README.md to include a "Proof of Concept by Frank" message, bumped the version, and republished it using the victim's credentials. This shows how malicious packages can masquerade as legitimate tools and cause brand leaks.

Another malicious npm package is node-env-resolve, which user0001 published and was identified on May 3, 2026. This package, disguised as a "lightweight environment configuration resolver," installs a full Remote Access Trojan (RAT). It has seen 1,293 downloads in the last 30 days across its 10 versions.

The postinstall hook in node-env-resolve copies the RAT agent into a hidden directory (e.g., %APPDATA%\node-gyp-cache on Windows, ~/.node-gyp-cache on macOS/Linux). It then establishes persistence through registry Run keys, VBScript launchers, LaunchAgents plist files, or autostart desktop entries, requiring no elevated privileges. The agent connects to a C2 server at hxxp://152.67.0.53:8471.

The RAT toolkit, identified as OtterCookie, allows remote operators to:

  • Stream JPEG-compressed screenshots at up to 4 FPS.
  • Control the mouse and inject keyboard input.
  • Capture microphone and system audio via ffmpeg.
  • Extract browser history from Chrome, Edge, and Firefox SQLite databases, even when locked.
  • Browse the filesystem, read text files, and download binaries.
  • Write and delete files within the user profile.
  • Zip and exfiltrate entire folders.
  • Push arbitrary files from the operator to the victim.
  • Execute a remote self-uninstall command (agent:kill).

This toolkit's dependencies match those used in North Korea's DPRK/Lazarus-linked Contagious Interview campaign, suggesting potential attribution to state-sponsored actors. The C2 infrastructure 152.67.x.x belongs to Oracle Cloud APAC, suggesting possible infrastructure rotation. The incident also shows the relevance of monitoring Telegram threats, as related packages have been observed hijacking Telegram accounts.

Weaponization of cPanel Vulnerability (CVE-2026-41940)

A vulnerability in cPanel and WebHost Manager (WHM), CVE-2026-41940, has been actively weaponized by a previously unknown threat actor. This flaw allows an authentication bypass, enabling remote attackers to gain elevated control of the control panel. Ctrl-Alt-Intel detected the activity on May 2, 2026.

Attack efforts have originated from the IP address 95.111.250[.]175. Targets include government and military entities in Southeast Asia, specifically the Philippines (.mil.ph and .ph) and Laos (*.gov.la). A smaller cluster of managed service providers (MSPs) and hosting providers in the Philippines, Laos, Canada, South Africa, and the U.S. have also been targeted. This shows a broad attack surface and the need for complete breach detection.

The attackers used publicly-available proof-of-concepts (PoCs) to exploit CVE-2026-41940. Before these cPanel attacks, the threat actor used a separate custom exploit chain against an Indonesian defense sector training portal. This involved authenticated SQL injection and remote code execution, showing the attacker had prior access to valid credentials for the portal.

The custom script used hard-coded credentials and defeated the portal's CAPTCHA by reading the expected value from the server-issued session cookie. After authentication and CAPTCHA bypass, the actor exploited a document-management function, injecting SQL into the document name field when posting to the save endpoint.

Further analysis revealed the threat actor uses the AdapdixC2 command-and-control (C2) framework to remotely manage compromised endpoints. Tools such as OpenVPN and Ligolo were also deployed to maintain persistent access to internal victim networks. This allowed the actor to pivot into internal networks and exfiltrate a large volume of Chinese railway-sector documents.

Within 24 hours of public disclosure, Censys reported evidence of the cPanel vulnerability being weaponized by multiple third-parties. These included the deployment of Mirai botnet variants and a ransomware strain named Sorry. Data from the Shadowserver Foundation showed at least 44,000 IP addresses likely compromised via CVE-2026-41940 engaging in scanning and brute-force attacks against honeypots on April 30, 2026, though this figure decreased to 3,540 by May 3.

What are the implications of the VECT 2.0 ransomware's flaws?

VECT 2.0 ransomware contains coding errors that cause irreversible data destruction, making file recovery impossible even if a ransom is paid. Detected in December 2025 and expanded by February 2026 to target Windows, Linux, and ESXi systems, VECT 2.0 is a Ransomware-as-a-Service (RaaS) operation.

Check Point Research (CPR) and Halcyon's findings indicate that for files larger than 128 KB, the ransomware generates four separate encryption keys but accidentally overwrites and deletes the first three. This flaw means full recovery is impossible for victims and even for the attackers themselves, effectively turning the ransomware into a wiper. This scenario shows the strong need for real-time ransomware intelligence to understand evolving threats.

Beyond the key management error, Halcyon's analysis identified other flaws. The Full encryption mode is defective due to a memory error, limiting encryption to files smaller than 32 KB and largely skipping most data. The ransomware also ignores settings for fast, medium, or secure encryption modes, parsing them but failing to apply them.

A thread scheduler error causes the malware to attempt hundreds of tasks simultaneously, overwhelming the system and slowing down the attack rather than accelerating it. Also, the attackers' attempt to hide instructions using XOR string obfuscation failed due to mathematical errors, exposing their operational details in plain text.

The Windows variant of VECT 2.0 specifically targets files by adding a .vect extension and forces applications like Excel.exe, Winword.exe, and Outlook.exe to close to facilitate data access. Despite these technical shortcomings, the group has claimed victims through partnerships, including with TeamPCP.

In March 2026, VECT 2.0 was distributed via malicious code hidden within popular developer tools such as Trivy, Checkmarx KICS, LiteLLM, and Telnyx. The group also conducted underground forum intelligence activities, inviting BreachForums members to join their network by providing access keys. The availability of live ransomware API feeds can help track such developments.

Technical Takeaways

  • CVE-2026-32202 (Windows Shell vulnerability) allows APT28 to capture Net-NTLMv2 hashes via zero-click SMB authentication requests when parsing a malicious LNK file.
  • Malicious npm packages like npm-global-util and node-env-resolve execute preinstall/postinstall scripts for credential harvesting and RAT deployment, with node-env-resolve installing the OtterCookie RAT toolkit linked to DPRK.
  • CVE-2026-41940 (cPanel/WHM authentication bypass) is actively exploited by a new threat actor, using public PoCs to gain control of web hosting environments and deploy C2 frameworks like AdapdixC2.
  • VECT 2.0 ransomware contains a flaw that irrevocably destroys files larger than 128 KB due to encryption key overwrites, making data recovery impossible, even after ransom payment.
  • Attackers are using supply chain vectors in developer ecosystems and exploiting known vulnerabilities rapidly post-disclosure, showing a need for continuous monitoring of supply-chain risk and prompt patching.