#0632 | CISA | 4 days ago | LLM report | critical
ABB B&R Automation Runtime contains a critical improper resource locking vulnerability (CVE-2025-3450) in its System Diagnostics Manager (SDM) component. An unauthenticated, remote attacker can send a specially crafted message over the network that deletes data and halts the affected system node, a denial-of-service condition.
#0631 | CISA | 4 days ago | LLM report | critical
Eppendorf BioFlo 320 bioreactors are affected by a critical hard-coded password in the VNC server (CVE-2026-7251, CVSS 9.8). Wherever VNC is enabled, a remote attacker who can reach the service can use the fixed credential to take full control of the bioreactor's user interface and data. Eppendorf has released a software update (Version 5.0) that removes VNC functionality entirely to eliminate the exposure.
#0630 | Trend Micro | 4 days ago | LLM report | high
Threat actors behind the ClearFake campaign are using EtherHiding to host malicious JavaScript payloads inside BNB Smart Chain testnet smart contracts; because the loader fetches the payload through blockchain RPC rather than from an attacker-controlled URL, conventional URL-based blocking does not apply. The attack chain begins on a compromised watering-hole site and uses a ClickFix social-engineering overlay to trick Windows and macOS users into executing malicious commands. This leads to the deployment of SectopRAT and ACRStealer via WebDAV DLL loading and DLL sideloading, enabling extensive credential and browser-session theft.
#0629 | ReversingLabs | 4 days ago | LLM report | critical
A supply chain attack dubbed 'megalodon' compromises GitHub Actions workflow YAML by injecting base64-encoded malicious scripts that exfiltrate repository data. Analysis of the C2 infrastructure, identified as the NEXUS Listener framework, links this activity to a prior campaign that exploited CVE-2026-41940 in cPanel servers to deploy cryptominers and steal high-value cloud credentials.
The Canadian Centre for Cyber Security issued two control-system advisories: Moxa addressed multiple Linux kernel vulnerabilities (Copy Fail and Dirty Frag) across several product series, and ABB fixed a concurrent-connection handling issue in its PPT30 OPC UA Server.
#0627 | CISA | 4 days ago | LLM report | critical
ABB Ability Camera Connect versions 1.5.0.14 and earlier contain multiple critical and high-severity vulnerabilities inherited from an outdated bundled VLC media player component. These flaws, including buffer overflows and integer underflows, could allow arbitrary code execution or denial of service when a crafted media file is opened. The practical risk is lower because the application is typically deployed in isolated, air-gapped ICS environments, though exploitation requires only that a crafted file reach the host.
#0626 | CISA | 4 days ago | LLM report | high
ABB LVS MConfig versions 1.4.9.21 and prior contain a high-severity vulnerability (CVE-2025-9970) in which user credentials are held in cleartext in application memory. An attacker with local or physical access to the host can take a memory dump of the running process to extract these passwords, potentially allowing unauthorized modification of low-voltage switchgear components.
#0625 | CISA | 4 days ago | LLM report | medium
ABB Terra AC wallbox EV chargers have a heap-based buffer overflow (CVE-2025-5517, CVSS 6.8) caused by missing length validation on OCPP message fields. An attacker who hijacks the OCPP backend, or who can intercept the connection when it runs over unencrypted HTTP, can send crafted messages to execute arbitrary code, alter firmware, or cause a denial of service. Running OCPP over TLS closes the interception path but not the malicious-backend one.
#0624 | Check Point | 4 days ago | LLM report | high
During March and April 2026, threat actors increasingly used commercial AI models for real-time offensive operations, including automated intelligence analysis, BEC drafting, and vulnerability exploitation. Key developments include the weaponization of agentic configuration files for persistent jailbreaks, the rise of AI-integrated PhaaS platforms such as EvilTokens, and the mass harvesting of AI provider credentials. AI capabilities are also compressing the patch window, allowing attackers to weaponize newly disclosed CVEs within hours.
#0623 | ANY.RUN | 4 days ago | LLM report | high
In May 2026, ANY.RUN observed a surge in phishing and malware campaigns built on fileless execution, browser-based credential theft, and abuse of legitimate workflows. Key threats included Agent Tesla credential harvesting, ClickFix fileless malware, BlobPhish in-memory page generation, and phishing-to-RMM chains that bypass conventional MFA through real-time OTP interception.
The Canadian Centre for Cyber Security released a daily advisory digest summarizing security updates from IBM, Roundcube, Dell, Ubuntu, CISA (ICS), Red Hat, and cPanel. Organizations are strongly encouraged to review the respective vendor advisories and apply available patches across enterprise, cloud, and industrial control systems.
#0621 | Check Point | 5 days ago | LLM report | high
This threat intelligence report covers multiple high-profile breaches, including 7-Eleven and GitHub, alongside active exploitation of vulnerabilities in Windows Defender, Trend Micro, and Drupal. It also details emerging threats such as the Kali365 phishing kit, AI-driven prompt injection attacks, the IRGC-linked Nimbus Manticore campaign deploying the MiniFast backdoor, and a supply chain attack on Laravel Lang packages.
#0620 | Mandiant | 5 days ago | LLM report | critical
A critical ViewState deserialization vulnerability (CVE-2026-5426) in the KnowledgeDeliver LMS allows unauthenticated remote code execution because the same ASP.NET machine keys are shared across deployments: anyone who knows the key can sign a ViewState carrying a deserialization payload that the server then trusts. Threat actors are actively exploiting the flaw to deploy the BLUEBEAM in-memory web shell and modify application JavaScript, ultimately serving targeted Cobalt Strike BEACON payloads to end-users visiting the compromised sites.
#0619 | Mandiant | 5 days ago | LLM report | high
Chinese-language Phishing-as-a-Service (PhaaS) platforms are evolving to use real-time interception and AI-driven automation to bypass MFA and tokenize stolen payment data into digital wallets. Threat actors deliver lures over encrypted messaging channels such as RCS and iMessage, while platforms like YY Lai Yu provide highly localized, dynamic phishing infrastructure to target consumers worldwide.
#0618 | Volexity | 5 days ago | LLM report | low
Volexity has released updates to its Golang reverse engineering tooling to keep pace with Go-based malware and obfuscation techniques such as Garble. The release introduces GoStringExtractor, a plugin for IDA Pro and Ghidra that organizes unterminated Go string tables, and updates GoResolver to recover runtime type information (RTTI), significantly improving static analysis.
#0617 | Volexity | 5 days ago | LLM report | high
The China-aligned threat actor UTA0388 is using Large Language Models (LLMs) to run highly tailored, rapport-building spear-phishing campaigns against organizations in North America, Asia, and Europe. The campaigns deliver GOVERSHELL, a custom backdoor deployed via DLL search order hijacking, which has gone through rapid, non-iterative development across five variants to evade detection and establish persistent C2.
#0616 | Volexity | 5 days ago | LLM report | high
Russian threat actor UTA0355 is running targeted phishing campaigns against foreign policy and government professionals by spoofing European security conferences. The attackers build rapport and move to out-of-band messaging to talk victims into authorizing malicious Microsoft 365 OAuth applications and completing device code authorization flows on the attacker's behalf, which grants the attacker access to the victim's account.
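A first detection for the device-code abuse above, written as an added example for this digest rather than Volexity's own tooling. It assumes Entra sign-in records with the Microsoft Graph `signIn` field names (`authenticationProtocol` is `deviceCode` for that flow, `status.errorCode` is 0 on success) and flags a completed device-code sign-in when either the source IP has never appeared on the user's successful interactive sign-ins or the requesting application is not on an allowlist. The OAuth consent side of the campaign is a separate audit-log check not shown here. The records, addresses, names and allowlist are constructed.

```python
"""Flag device-code sign-ins that break a user's interactive-login baseline."""
from collections import defaultdict

# Constructed records shaped like Microsoft Graph `signIn` objects (assumed fields:
# userPrincipalName, authenticationProtocol, appDisplayName, ipAddress,
# createdDateTime, status.errorCode). Every value below is invented.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "a.reyes@example.invalid", "authenticationProtocol": "none",
     "appDisplayName": "Office 365 Exchange Online", "ipAddress": "203.0.113.10",
     "createdDateTime": "2026-05-11T08:02:00Z", "status": {"errorCode": 0}},
    # Expected: an engineer using the CLI from the same address as their mail client.
    {"userPrincipalName": "a.reyes@example.invalid", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Azure CLI", "ipAddress": "203.0.113.10",
     "createdDateTime": "2026-05-11T09:30:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "b.lind@example.invalid", "authenticationProtocol": "none",
     "appDisplayName": "Office 365 Exchange Online", "ipAddress": "203.0.113.22",
     "createdDateTime": "2026-05-12T07:45:00Z", "status": {"errorCode": 0}},
    # Suspicious: device code completed for an app and address the user has never used.
    {"userPrincipalName": "b.lind@example.invalid", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.77",
     "createdDateTime": "2026-05-12T11:14:00Z", "status": {"errorCode": 0}},
    # Failed attempt (non-zero errorCode, constructed value): no session was issued.
    {"userPrincipalName": "b.lind@example.invalid", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.77",
     "createdDateTime": "2026-05-12T11:20:00Z", "status": {"errorCode": 70016}},
]

# Applications expected to use the device-code flow in this tenant (assumed allowlist).
DEVICE_CODE_ALLOWLIST = {"Microsoft Azure CLI"}


def build_baseline(signins):
    """Map each user to the IPs seen on their successful non-device-code sign-ins."""
    baseline = defaultdict(set)
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode" and s["status"]["errorCode"] == 0:
            baseline[s["userPrincipalName"]].add(s["ipAddress"])
    return baseline


def flag_device_code(signins, allowlist=DEVICE_CODE_ALLOWLIST):
    """Return alerts for successful device-code sign-ins from an unseen IP or a non-allowlisted app."""
    baseline = build_baseline(signins)
    alerts = []
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode" or s["status"]["errorCode"] != 0:
            continue
        reasons = []
        if s["ipAddress"] not in baseline[s["userPrincipalName"]]:
            reasons.append("ip_not_in_interactive_baseline")
        if s["appDisplayName"] not in allowlist:
            reasons.append("app_not_allowlisted_for_device_code")
        if reasons:
            alerts.append({"user": s["userPrincipalName"], "time": s["createdDateTime"],
                           "ip": s["ipAddress"], "app": s["appDisplayName"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in flag_device_code(SAMPLE_SIGNINS):
        print(f"{a['time']} {a['user']} app={a['app']!r} ip={a['ip']} reasons={a['reasons']}")
```

A user with no interactive history gets an empty baseline and is therefore always flagged, which is the conservative choice for new accounts. Where the tenant can afford it, blocking the device-code flow outright with a Conditional Access policy on the authentication-flows condition is the stronger control; this detection is for tenants that still need the flow for some applications.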
#0615 | ReversingLabs | 5 days ago | LLM report | critical
CVE-2026-31431, dubbed Copy Fail, is a critical local privilege escalation vulnerability in the Linux kernel affecting distributions released since 2017. By abusing the AF_ALG socket interface and the authencesn cryptographic template, an attacker can perform a controlled write into the in-memory page cache of setuid binaries, gaining root without altering any on-disk file.
#0614 | ReversingLabs | 5 days ago | LLM report | critical
CVE-2026-31431, also known as Dirty Frag or Copy Fail, is a Linux kernel local privilege escalation vulnerability that lets attackers write to read-only memory regions through page-cache abuse. Active exploitation was observed before the public embargo break, with threat actors deploying ELF binaries, Python scripts, and malicious PyPI packages to obtain root, notably including adoption by the Multiverze trojan family.
#0613 | ReversingLabs | 5 days ago | LLM report | high
Threat actors are running account takeover campaigns by distributing malware disguised as video games through compromised Discord accounts. After gaining initial access to a victim's Google account, the attackers abuse the Family Link parental-control feature by changing the victim's age to under 13 and assigning a malicious parent account. This lets them reset the password, bypass 2-Step Verification, lock the legitimate user out completely, and demand a ransom for account recovery.