DFIR, deception, detection. Posts I wrote, intel my pipeline summarized, and redacted writeups from the fleet.
Recent research highlights severe security flaws in commercially available embodied AI systems, specifically Unitree humanoid and quadruped robots. Vulnerabilities including undocumented backdoors, hard-coded cryptographic keys, and unauthenticated APIs enable remote attackers to hijack devices, exfiltrate sensitive multimodal telemetry, and pivot across physical fleets via wireless interfaces.
The Canadian Centre for Cyber Security released a daily digest highlighting May 2026 security rollups for Qualcomm and Android, alongside a specific advisory for Apache HTTP Server versions 2.4.66 and prior. Organizations utilizing these technologies are advised to review the respective vendor bulletins and apply available patches to mitigate potential vulnerabilities.
The article details two C/C++ security vulnerabilities based on code challenges. The first is a Linux command injection flaw caused by the inetntoa function's global buffer reuse and inetaton accepting trailing garbage. The second is a Windows driver Local Privilege Escalation (LPE) vulnerability stemming from missing RTLQUERYREGISTRYTYPECHECK flags during RtlQueryRegistryValues API calls. This omission allows attackers to leverage registry type confusion (e.g., using REGBINARY or REGSZ instead of REGDWORD) to overwrite kernel stack memory via writable keys in trusted system hives.
North Korea-aligned APT ScarCruft executed a multi-platform supply-chain attack compromising the sqgame platform to target ethnic Koreans in China's Yanbian region. The campaign distributed the BirdCall backdoor via trojanized Android applications and malicious Windows updates (which initially dropped RokRAT), enabling extensive espionage capabilities including data exfiltration, audio recording, and screen capture.
Delegated Managed Service Accounts (dMSAs) introduce a Kerberos-based authentication model to replace LDAP password retrieval, enhancing Active Directory security. However, the Ouroboros technique demonstrates that attackers controlling dMSA permissions can exploit the successor logic to inherit the privileges of superseded legacy accounts. This turns the dMSA into a persistence and account takeover primitive, requiring defenders to monitor internal authorization paths rather than just password retrieval events.
Quasar Linux (QLNX) is an advanced, previously undocumented Linux Remote Access Trojan (RAT) designed to compromise developer workstations and facilitate supply chain attacks. It employs sophisticated evasion techniques, including fileless execution, process name spoofing, and dynamically compiled LD_PRELOAD and eBPF rootkits, alongside a PAM backdoor to harvest critical cloud and repository credentials.
Attackers are weaponizing Amazon Simple Email Service (SES) using compromised AWS IAM keys to launch highly convincing phishing and Business Email Compromise (BEC) campaigns. Because the emails originate from legitimate Amazon infrastructure, they successfully pass standard authentication protocols like SPF, DKIM, and DMARC, making detection difficult without disrupting legitimate business workflows.
The Canadian Centre for Cyber Security released a daily digest of five security advisories covering critical vulnerabilities across IBM, Dell, FreeBSD, Ubuntu, and various ICS products. Notable flaws include a Remote Code Execution vulnerability in FreeBSD via malicious DHCP options (CVE-2026-42511) and a Local Privilege Escalation via execve() (CVE-2026-7270).
A large-scale Adversary-in-the-Middle (AiTM) phishing campaign targeted over 35,000 users using sophisticated 'code of conduct' lures. The attack chain leveraged legitimate email services, PDF attachments, and multiple CAPTCHA gates to evade detection, ultimately proxying Microsoft 365 authentication sessions to steal tokens and bypass standard MFA.
The article discusses the impending 'vuln-pocalypse' driven by AI-accelerated vulnerability discovery and fuzzing. Threat actors, including FANCY BEAR and FAMOUS CHOLLIMA, are increasingly leveraging AI to enhance phishing campaigns and exploit zero-days faster, necessitating a shift toward threat-informed patch prioritization and robust post-exploitation behavioral detection.
A software supply chain campaign attributed to the GitHub account 'BufferZoneCorp' published malicious Ruby gems and Go modules designed to steal developer secrets and compromise CI/CD environments. The packages impersonate legitimate developer tools to execute install-time and runtime payloads that harvest credentials, tamper with GitHub Actions workflows, manipulate Go dependency resolution, and establish SSH persistence.
A nuance in the Entra ID Resource Owner Password Credentials (ROPC) protocol allows attackers with compromised credentials to authenticate against a permissive external tenant, generating a 'Sign-in: Success' log in the victim's home tenant. While this cross-tenant authentication does not grant access to the victim's data, it effectively poisons UEBA models and floods the SOC with false positive alerts, creating significant operational disruption and compromising log integrity.
A credential phishing campaign identified by the Cofense Phishing Defense Center targets Meta (Facebook/Instagram) account holders, particularly page administrators, by impersonating Meta's verification badge program. The multi-stage attack chain routes victims through a spoofed Gmail sender to a Google Form, then to a Vercel-hosted phishing page that collects PII, passwords, and 2FA tokens in real time — enabling near-instant account takeover before TOTP codes expire. The abuse of legitimate hosting infrastructure (Google Forms, Vercel) allows the campaign to bypass conventional URL-reputation and email security controls.
Unit 42 identified 18 high-risk browser extensions masquerading as GenAI productivity tools that function as remote access Trojans, infostealers, and spyware. These extensions exploit browser permissions to intercept API keys, exfiltrate DOM content, establish persistent WebSocket C2 channels, and dynamically route traffic via malicious proxy configurations.
The article highlights the evolution of social engineering tactics, emphasizing how attackers abuse trusted workflows, AI platforms, and legitimate infrastructure like OAuth to bypass traditional security controls. Key threats include device code phishing campaigns like EvilTokens that bypass MFA for persistent access, and AI chatbot lures tricking macOS users into executing AMOS infostealer payloads via malicious terminal commands.
CVE-2026-31431, dubbed 'Copy Fail', is a high-severity (CVSS 7.8) local privilege escalation vulnerability in the Linux kernel affecting distributions released since 2017. A reliable public PoC is available, allowing unprivileged local users to achieve root access by corrupting the kernel's in-memory page cache of privileged binaries. Immediate patching is recommended, particularly for multi-tenant and containerized environments.
The Mini Shai-Hulud supply chain attack campaign has expanded into the PHP ecosystem by compromising the widely used intercom/intercom-php package on Packagist. The malicious artifact abuses Composer plugin execution to download the Bun runtime and execute an obfuscated JavaScript payload designed to harvest and exfiltrate sensitive credentials from developer environments and CI/CD pipelines.
A threat actor utilized compromised VPN credentials to access a partner network, pivoting via a customized Impacket smbexec.py to enable RDP and establish an interactive session. The attacker then installed the open-source monitoring tool Komari directly from GitHub, leveraging its native WebSocket capabilities as a persistent, SYSTEM-level command-and-control (C2) backdoor disguised as the Windows Update Service.
The official intercom-client npm package (version 7.0.4) was compromised in a supply chain attack attributed to the Mini Shai-Hulud campaign and linked to the TeamPCP threat actor. The malicious package executes during installation via a preinstall hook to harvest cloud, Kubernetes, and Vault credentials from developer and CI/CD environments, exfiltrating them via the GitHub API.
CORDIAL SPIDER and SNARKY SPIDER are executing rapid, SaaS-centric data theft and extortion campaigns by leveraging vishing and AiTM phishing pages. By capturing session tokens and authentication data, these actors bypass traditional endpoint defenses and pivot directly into SSO-integrated SaaS environments via the organization's Identity Provider (IdP).
