Threat Intelligence Briefing on Critical Vulns, Ransomware, Leaks

Executive Summary

CTI reporting for this period shows persistent and evolving cyber adversary activity affecting various sectors globally.

Key Developments

  • PAN-OS GlobalProtect Vulnerability Exploitation: A critical authentication bypass vulnerability (CVE-2026-0257) affecting Palo Alto GlobalProtect VPNs has been under active exploitation. Organizations running affected versions are directly exposed, since the flaw allows unauthorized network access.
  • TrapDoor Supply Chain Attack: A supply chain campaign, TrapDoor, spread credential-stealing malware through popular software package registries (npm, PyPI, CratesIO, and other platforms). This affects software development pipelines and any organization consuming dependencies from these platforms, risking developer account compromise and intellectual property exposure.
  • Botnet Dismantlement: Dutch authorities disrupted a large botnet with approximately 17 million infected devices worldwide. This action diminishes global cybercrime infrastructure, potentially reducing various large-scale malicious operations.
  • Evolving Ransomware Tactics: Ransomware actors used an in-person tactic to steal sensitive data from a law firm. This shows a rare, evolving method of data exfiltration, combining physical intrusion with cyber extortion. It affects organizations with high-value, sensitive data.

Business Impact

The reported activities collectively put core business functions at risk. Widespread exploitation of internet-facing infrastructure can lead to unauthorized access and data exfiltration at the network perimeter. Supply chain compromises threaten software integrity, affecting both development processes and deployed applications. Data exposure incidents cause reputational damage, regulatory scrutiny, follow-on financial fraud, and other harms to affected entities and individuals. Ransomware operations cause operational disruption across sectors such as healthcare, education, and technology.

Notable Trends and Changes vs Last Week

Consistent patterns include widespread exploitation of internet-facing systems and increased data exposure incidents. Ransomware operations maintained a broad targeting scope, frequently using double extortion methods. A specific change this week is the confirmed active exploitation of the Palo Alto GlobalProtect vulnerability, requiring urgent attention to network perimeter security. In-person data theft tactics also represent a shift in adversary operational methods beyond purely remote cyber means.

Outlook

Over the next seven days, active exploitation of newly disclosed critical vulnerabilities, particularly those affecting internet-facing infrastructure, will likely remain prevalent. Ransomware groups are expected to sustain their operational tempo, employing various extortion schemes. Supply chain integrity challenges will likely persist as adversaries seek to inject malicious code into widely used software components. Geopolitical and hacktivist cyber activities targeting critical infrastructure and specific sectors will also likely remain active.


Key Threat Intelligence Highlights

This week saw several key developments:

Dutch authorities, collaborating with international partners, dismantled a botnet that had compromised 17 million devices globally. This malicious network facilitated cybercrimes such as distributed denial-of-service attacks and data theft. The takedown disrupts criminal operations, protects users, and shows effective cross-border cooperation.


An actively exploited authentication bypass (CVE-2026-0257) exists in Palo Alto Networks' PAN-OS GlobalProtect portal and gateway. This critical flaw allows unauthenticated attackers to execute arbitrary code. Organizations must apply patches immediately to protect their systems.


The TrapDoor supply chain attack distributes credential-stealing malware by compromising package managers such as npm, PyPI, CratesIO, and other common platforms. This operation targets developers to steal their account credentials, potentially compromising numerous downstream software projects. Its broad presence across these repositories poses a security challenge for the open-source ecosystem.


Ransomware actors are escalating tactics by incorporating physical intrusions. Individuals recently gained on-site access to a law firm to directly exfiltrate sensitive client data. This development shows increased attacker boldness and sophistication, requiring organizations to broaden security measures beyond digital perimeters.


A severe flaw in the Langroid library allows Remote Code Execution (RCE) via prompt injection. This enables adversaries to trick AI applications into running arbitrary code on the underlying system. This poses a grave danger to tools built with Langroid. The vulnerability means attackers could gain full control over affected systems.

Additional Threat Intelligence Context

CVE-2026-8732: CVSS: 9.8 (CRITICAL) - Active exploitation of WP Maps Pro allows unauthenticated administrator account creation on WordPress sites.

Available Exploits:

  • CVE-2026-8732 Exploit (3 listings)

Analysis: CVE Analysis Report: CVE-2026-8732

GitHub Link:

  • Title: WP Google Map Pro CVE-2026-8732 PoC
  • CVE: CVE-2026-8732 (CVSS: 9.8, CRITICAL)
  • CVSS Score: 9.8
  • CVSS Severity: CRITICAL

Based on the analysis:

  • Complexity Score: Easy
  • Remote/Local: Remote
  • Authenticated/Unauthenticated: Unauthenticated
  • Privilege Required: None

Risk Score: 100/100

Ease of use, potential impact, and widespread availability contribute to this score.

CVE-2026-0257: CVSS: None (CRITICAL) - Widespread exploitation of the Palo Alto Networks PAN-OS GlobalProtect authentication bypass, which allows unauthorized VPN access; the flaw is listed in CISA KEV.

Available Exploits:

  • CVE-2026-0257 Exploit (5 listings)

Analysis: CVE Analysis Report: CVE-2026-0257

GitHub Link:

  • Title: PAN-OS GlobalProtect Auth Bypass Detection PoC
  • CVE: CVE-2026-0257 (CVSS: None, CRITICAL)
  • CVSS Score: None
  • CVSS Severity: CRITICAL

Based on the analysis:

  • Complexity Score: Easy
  • Remote/Local: Remote
  • Authenticated/Unauthenticated: Unauthenticated
  • Privilege Required: None

Risk Score: 91/100

Ease of use and potential impact contribute to this score.

CVE-2026-35616: CVSS: 9.8 (VERY CRITICAL) - Active exploitation of a pre-authentication API bypass in FortiClient EMS delivers EKZ Infostealer and allows unauthenticated administrative actions.

Available Exploits:

  • CVE-2026-35616 Exploit (5 listings)

Analysis: CVE Analysis Report: CVE-2026-35616

GitHub Link:

  • Title: FortiClient EMS Safe Detector (CVE-2026-35616)
  • CVE: CVE-2026-35616 (CVSS: 9.8, VERY CRITICAL)
  • CVSS Score: 9.8
  • CVSS Severity: VERY CRITICAL

Based on the analysis:

  • Complexity Score: Easy
  • Remote/Local: Remote
  • Authenticated/Unauthenticated: Unauthenticated
  • Privilege Required: None

Risk Score: 100/100

Ease of use and potential impact contribute to this score.

A critical Gogs (0.14.2 and 0.15.0+dev) remote code execution zero-day (CVSS 9.4) stems from an argument injection flaw and is exploitable by unauthenticated internet users because registration is open by default.

CVE-2026-48172: CVSS: None (VERY CRITICAL) - Active exploitation of the LiteSpeed cPanel user-end plugin Redis RCE, which allows unauthenticated escalation to root on shared hosting servers and prompted a CISA BOD.

Available Exploits:

  • CVE-2026-48172 Exploit (3 listings)

Analysis: CVE Analysis Report: CVE-2026-48172

GitHub Link:

  • Title: CVE-2026-48172 PoC Template
  • CVE: CVE-2026-48172 (CVSS: None, VERY CRITICAL)
  • CVSS Score: None
  • CVSS Severity: VERY CRITICAL

Based on the analysis:

  • Complexity Score: NA
  • Remote/Local: Remote
  • Authenticated/Unauthenticated: Unauthenticated
  • Privilege Required: None

Risk Score: 75/100

Ease of use, potential impact, and widespread availability contribute to this score.

A critical Windows DNS Client remote code execution flaw (CVSS 9.8) has three observed active exploits, alongside public zero-days (BlueHammer, RedSun, UnDefend) in Windows Defender/BitLocker.

CVE-2026-41089: Active exploitation of Netlogon RCE on Windows domain controllers.

CVE-2026-0257: CVSS: None (CRITICAL) - Publicly available exploit code and reported exploitation for a FreeBSD kernel stack buffer overflow that leads to local privilege escalation.

Widespread campaigns target the npm ecosystem through dependency confusion and deployment of RAT packages, like the forge-jsxy family, for credential theft and persistent access.

CVE-2026-39987: CVSS: None (CRITICAL) - Pre-authenticated RCE in the Marimo notebook service has been observed in targeted intrusions for credential harvesting from cloud environments.

Available Exploits:

  • CVE-2026-39987 Exploit (5 listings)

Analysis: CVE Analysis Report: CVE-2026-39987

GitHub Link:

  • Title: CVE-2026-39987 version detector (Marimo)
  • CVE: CVE-2026-39987 (CVSS: None, CRITICAL)
  • CVSS Score: None
  • CVSS Severity: CRITICAL

Based on the analysis:

  • Complexity Score: Easy
  • Remote/Local: Remote
  • Authenticated/Unauthenticated: Unauthenticated
  • Privilege Required: None

Risk Score: 91/100

Ease of use, potential impact, and widespread availability contribute to this score.

Major breaches exposed identity, genetic, and messaging data on a large scale, affecting entities such as Charter Communications (4.9M accounts), 23andMe (6.9M customers), and massive Telegram user datasets (claimed 1.2B records).

DDoS attacks, such as the one claimed by "Infrastructure Destruction Squad" against Ukrainian OPW Fuel Management Systems, disrupted remote visibility and control of fuel infrastructure.

Ransomware Activity Overview

Ransomware groups like Krybit, CMD, Lapsus, Bravox, Gunra, and Stormous are actively targeting healthcare, education, insurance, AI startups, entertainment, and smaller tech/service providers across multiple continents. These operations commonly employ double extortion tactics, use leak sites, and gain initial access through RDP/VPS resale, initial access broker offerings, and web application exploitation.

Data breach activity includes a claimed 1TB exfiltration from the Israeli Holocaust victims welfare center by the Handala group, an unverified claim of 10+ petabytes from China NSCC Supercomputing Center, and widespread sales of AT&T Mobile, Salesforce, HCA Healthcare, and various government/telecom datasets.

Geopolitical cyber activity features Infrastructure Destruction Squad claiming a network takedown at Noi Bai International Airport via old MikroTik RouterOS exploitation and performing DDoS actions against Ukrainian industrial control systems. The TRK25 group promotes an advanced SCADA industrial exploitation framework. Hacktivist actions are observed from pro-Palestinian, pro-Russian, and Indonesian groups, among others.

The broader cybercrime ecosystem shows extensive advertising of offensive services, tools, and training bundles. Concerns exist about malicious npm packages and residential-proxy botnet takedowns. Underground markets also display a supply of government, financial, and telecom databases from regions like Asia, the Middle East, Europe, and the Americas. They also trade forged court orders and services for domain suspension to assist fraud and takedown operations.

During the reporting period, 170 total victims were identified across 36 active ransomware groups. The top 5 most active groups accounted for 74 victims.

Top 5 Ransomware Groups

DragonForce - 37 victim(s)

  • Notable victims: Allianceadjustment.com, Arsenalscaffold.com, Businessrecord.com, Delbrook capital advisors, Dentonfirm.com (and 32 more)

LockBit - 10 victim(s)

  • Notable victims: columbiaorthogroup.com, groupe-mbm.com, grupodetoni.com.br, gu, hgs-wt.at (and 5 more)

Akira - 9 victim(s)

  • Notable victims: Alpine aerotech, General doors, Gone fishin' marine, Gs yuasa lithium power, Interstate roofing (and 4 more)

Everest - 9 victim(s)

  • Notable victims: Advanced psychiatry associates, Akm, Asopagos s.a., L&p aesthetics, Sidra kuwait hospital (and 4 more)

Medusa Locker - 9 victim(s)

  • Notable victims: Baeaoai, Baeaxai, Bakaxah, Dadolighting demo, Dolrad (and 4 more)


Deep Web

Deep Web Observations

This week's deep web activity revealed extensive data exposures across multiple sectors and geographies, with a concentration on governmental, military, and critical financial institutions. Threat actors posted or offered for sale vast datasets containing sensitive national defense information, full financial and personal records of citizens, and internal law enforcement intelligence. The trend shows a continued pursuit of high-value targets for strategic and financial exploitation.

What major data leaks appeared on deep web forums this week?

Several large-scale data leaks emerged this week. The compromise of a Chinese supercomputing network and the National Credit Information Center of Vietnam stood out for their scale and sensitivity. Other incidents involved national law enforcement agencies, a major telecommunications provider, and a customer support platform for a widely used communication service.

  • China National Supercomputing Center (NSCC) Breach: A 10+ petabyte dataset, described as direct exfiltration from China's supercomputing network, was advertised. This collection includes years of raw simulation data, design files, satellite telemetry, and classified research from national defense contractors (AVIC Aviation Industry and COMAC). The leak also contains employee personal data, including Chinese ID card scans with names and addresses.
  • National Credit Information Center of Vietnam (CIC) Exposure: Over 160 million records from Vietnam's national credit information center were put up for sale. This extensive database contains detailed personal identifying information (PII) like full names, dates of birth, national ID cards (CCCD, CMND), passport numbers, driving license numbers, military IDs, student IDs, addresses, phone numbers, and email addresses. Financial details are present, like loan data, various balance types (e.g., loan, bad debt, credit card), outstanding debt figures, and credit card numbers. Company information and audit logs complete this financial dataset.
  • Charter Communications, Inc. Customer Data: A dataset comprising over 42 million records of PII from Charter Communications, a major US telecommunications company, was released. The actor claimed this release happened after unsuccessful negotiations.
  • DIRANDRO: Peruvian National Police Data: A database containing approximately 300,000 folders, totaling 7.8 GB, from DIRANDRO (the Drug Enforcement Directorate of the Peruvian National Police) was offered. This compromise includes personal identification data (full names, national ID, police identification codes) for police/military personnel, demographic information, family details, precise residential addresses, and civil registry data. Police intervention data is present, including narratives of incidents, exact geographic coordinates of events, descriptions of seized illicit substances, and images of national ID documents (DNI).
  • Argentine Government Institutions Compilation: A 650 GB compilation of databases from multiple Argentine government institutions was made available. Entities affected include GDEBA, IOMA, Buenos Aires City Police, AFIP (tax authority), BCRA (central bank), and the Federal Police. The data includes emails, passwords, phone numbers, document numbers, biometric photos, ranks, credit scores, and confidential PDF documents. The actor mentioned targeting numerous other Latin American government institutions.
  • Philippines Land Transportation Office (LTO) Data: Over 14 million records from the Philippines' Land Transportation Office were listed, including PII like full names, addresses, dates of birth, sex, civil status, nationality, weight, height, and blood type. The breach includes over 14 million user images, with the actor claiming to possess proof of concept (0day) for the LTO system.
  • Discord Data through Zendesk: A 1.6 TB dataset pertaining to Discord users, allegedly sourced from Zendesk (a customer support platform), was advertised. This data includes user email addresses, Discord usernames, phone numbers, support ticket/chat logs, IP addresses, the last four digits of credit cards, and images of ID cards or passports for age verification for approximately 70,000 users.
  • Russian GRU Advanced Weapons Report Leak: A document titled "Top Secret GRU Advanced Weapons Report 2025" was freely distributed on a forum, purportedly originating from Russia's Main Intelligence Directorate.

What is the nature and scope of these breaches?

The nature of these breaches ranges from direct exfiltration of highly classified state secrets and critical infrastructure data to widespread compromises of sensitive personal and financial information affecting millions of individuals. The scope often involves full datasets, including identity documents, financial records, and operational intelligence. This enables various downstream malicious activities.

The NSCC breach compromises state-sponsored research and development. It provides adversaries with access to advanced military and aerospace designs that could accelerate their own programs or reveal strategic vulnerabilities. The scale of 10+ petabytes signifies a deep, sustained infiltration.

The National Credit Information Center of Vietnam and Charter Communications breaches show the monetization of large-scale PII and financial data. These datasets offer a foundation for identity theft, financial fraud, targeted social engineering campaigns, and account takeovers due to the individual and corporate financial attributes present.

The breaches of DIRANDRO (Peruvian National Police) and multiple Argentine government institutions carry substantial risks for public administration and law enforcement personnel. Exposure of police and military personnel data, including identity documents and operational details, could lead to targeted harassment, blackmail, physical threats, or compromise of ongoing investigations. This undermines trust in government security, impeding critical functions.

The Land Transportation Office (LTO) Philippines data, particularly with 14 million user images alongside full PII, creates an avenue for high-fidelity identity impersonation and fraudulent document creation. This level of biometric-linked data raises the risk beyond standard identity theft.

The Discord data from Zendesk, though from a customer service platform, is particularly sensitive due to the inclusion of actual ID card/passport photos for age verification. This enables high-confidence identity fabrication. The associated support ticket logs can also reveal sensitive personal issues or specific vulnerabilities for targeted social engineering.

Beyond data leaks, one item offered initial access broker (IAB) services to an APAC Telecom target and an Eastern Europe B2B platform. This included verified network configurations, dynamic application behaviors, and pre-authentication session bypass payloads, alongside internal metadata. This kind of offering provides a foothold for subsequent, more damaging attacks, rather than a direct data leak.

A recurring pattern in this week's data involves targeting national critical infrastructure and government entities, particularly those holding vast amounts of citizen data or sensitive state intelligence. There is a persistent market for full PII and financial records, often affecting entire populations within a given country.

  • Government and Critical Infrastructure as Prime Targets: Many observed incidents pertain to government agencies (Argentina, Peru, Philippines) or entities integral to national operations (China's supercomputing, Vietnam's credit bureau). These targets are attractive for espionage, strategic advantage, large-scale data harvesting, or disruption.
  • Large-Scale PII and Financial Data Exploitation: Multiple breaches involved millions of individual records, including detailed PII, financial histories, and identity document images. This indicates an enduring demand for datasets suitable for identity theft, fraud, account takeovers, and other illicit activities on a massive scale.
  • Geographic Diversity of Victims: The affected organizations span multiple continents, including Asia (China, Vietnam, Philippines), North America (USA), and South America (Argentina, Peru). This global distribution shows the ubiquitous nature of deep web activities.
  • Mixed Actor Sophistication: While established, high-reputation actors like ShinyHunters continue to conduct large-volume breaches, several new or low-reputation users are also surfacing with access to sensitive government and classified data, suggesting a broad base of actors or the fragmentation of capabilities.
  • Initial Access as a Commodity: The sale of pre-authenticated access to corporate networks suggests a sub-economy where initial entry points are prepared and sold, enabling other threat actors to execute various follow-on attacks without needing to establish their own initial foothold.
  • Broad Data Spectrum: The compromised data is diverse, ranging from advanced military research and blueprints to individual credit scores, criminal intervention records, and customer support interactions, reflecting varied motivations among threat actors, from state-sponsored espionage to common cybercrime.

What is the potential impact of these deep web breaches?

The potential impact of this week's deep web breaches is broad, extending from national security repercussions to widespread individual financial and personal harms, and a general erosion of trust in institutions.

The exposure of 10+ petabytes of classified military and aerospace research from China's NSCC could compromise national security. Such detailed data, including schematics for advanced satellites and defense simulations, provides foreign adversaries with intelligence that could accelerate their own technological advancements, expose vulnerabilities in existing systems, or inform counter-intelligence strategies. This intellectual property loss has long-term strategic implications. Similarly, the Russian GRU Advanced Weapons Report could reveal classified defense strategies and capabilities, offering tactical advantages to opposing forces.

For individuals, the 160 million records from the National Credit Information Center of Vietnam and the 42 million PII records from Charter Communications create an expansive surface for identity theft, sophisticated financial fraud, and targeted scams. Detailed financial histories combined with personal identifiers empower malicious actors to open fraudulent accounts, obtain loans, or impersonate victims with high success rates. Including credit card numbers, even partial, reduces the effort for carding schemes.

The initial access broker (IAB) services serve as precursors to future destructive events. By providing verified entry points into critical infrastructure, these sales allow other actors to deploy ransomware, conduct long-term espionage, or orchestrate sabotage. This escalates the scope and severity of potential future incidents.

In summary, this week's deep web activity shows a persistent and evolving threat where sensitive national and personal data is continuously sought, acquired, and traded. This has far-reaching consequences for state security, economic stability, individual privacy, and public trust.


Sources

  1. Dutch Authorities Dismantle Botnet Linked to 17 Million Infected Devices
  2. PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation
  3. TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and CratesIO
  4. Ransomware Actors Show Up In Person to Steal Law Firm Data
  5. Critical Langroid Vulnerability Allows RCE via Prompt Injection