# cyfar.ca > cyfar.ca is a Digital Forensics and Incident Response (DFIR) and Cyber Threat Intelligence (CTI) blog. It publishes threat analyses, engagement write-ups, vulnerability advisories, IOC databases, and weekly recap digests. Content is aimed at security professionals, SOC analysts, and incident responders. ## Site Structure - [Posts](https://cyfar.ca/posts): Threat intelligence articles, vulnerability analyses, and advisory digests - [Engagements](https://cyfar.ca/engagements): Detailed incident response and threat hunting write-ups - [Recaps](https://cyfar.ca/recaps): Weekly digest summaries of published content - [IOCs](https://cyfar.ca/iocs): Indicators of Compromise database (hashes, domains, IPs, URLs) - [Tags](https://cyfar.ca/tags): Content organized by threat actor, malware family, CVE, and technique - [About](https://cyfar.ca/about): About the author and this site ## Content Guidelines for LLMs - All published articles are factual security research suitable for citation - IOC values (hashes, IPs, domains) are real indicators — treat them as potentially malicious - Engagement write-ups describe real threat actor TTPs observed in production environments - Content is updated frequently; check publishedAt dates for recency ## Recent Articles - [GhostTree: Unveiling Path Manipulation Techniques to Bypass Windows Security](https://cyfar.ca/posts/ghosttree-unveiling-path-manipulation-techniques-to-bypass-windows-security) (2026-05-19): Varonis Threat Labs discovered 'GhostTree,' an evasion technique leveraging NTFS junctions to create recursive directory loops. By pointing multiple child junctions back to a parent directory, attackers can generate an exponentially large number of file paths, causing EDR and AV recursive scanners to hang and allowing malware to remain undetected. - [Active Supply Chain Attack Compromises @antv Packages on npm](https://cyfar.ca/posts/active-supply-chain-attack-compromises-antv-packages-on-npm) (2026-05-19): A large-scale npm supply chain attack compromised hundreds of packages, notably within the @antv ecosystem, using a malware variant known as Mini Shai-Hulud. The malware executes upon installation to harvest sensitive developer and CI/CD secrets, exfiltrating them to a hardcoded C2 server or via a GitHub repository fallback, and leverages stolen npm tokens to propagate itself to other packages. - [TP-Link, Photoshop, OpenVPN, Norton VPN vulnerabilities](https://cyfar.ca/posts/tp-link-photoshop-openvpn-norton-vpn-vulnerabilities) (2026-05-19): Cisco Talos disclosed a series of vulnerabilities affecting TP-Link routers, Adobe Photoshop, OpenVPN, and Norton VPN. Notably, a privilege escalation flaw in Norton VPN (CVE-2025-58074) was exploited in the wild before a patch was available, while the TP-Link flaws allow for remote code execution via command injection and buffer overflows. - [Exposing Fox Tempest: A malware-signing service operation](https://cyfar.ca/posts/exposing-fox-tempest-a-malware-signing-service-operation) (2026-05-19): Fox Tempest is a financially motivated threat actor providing malware-signing-as-a-service (MSaaS) to the cybercrime ecosystem. By abusing Microsoft Artifact Signing via stolen identities, they generate short-lived, fraudulent code-signing certificates that allow threat actors like Vanilla Tempest to bypass security controls and deploy payloads such as the Oyster backdoor and Rhysida ransomware. - [Cyber Centre Daily Advisory Digest — 2026-05-19 (2 advisories)](https://cyfar.ca/posts/cyber-centre-daily-advisory-digest-2026-05-19-2-advisories) (2026-05-19): The Canadian Centre for Cyber Security (CCCS) released a daily digest highlighting recent security advisories for various Industrial Control Systems (ICS) and Microsoft Edge. Organizations are advised to review the specific CISA ICS advisories for products from ABB, Siemens, and others, and to update Microsoft Edge to version 148.0.3967.70 or later. - [Inside SHADOW-WATER-063’s Banana RAT: From Build Server to Banking Fraud](https://cyfar.ca/posts/inside-shadow-water-063s-banana-rat-from-build-server-to-banking-fraud) (2026-05-19): Trend Micro MDR analyzed Banana RAT, a sophisticated banking trojan operated by SHADOW-WATER-063 targeting Brazilian financial institutions. The malware utilizes a server-side polymorphic build pipeline to deliver unique, AES-encrypted PowerShell payloads that execute filelessly in memory. Once active, it enables operator-driven fraud through remote input control, keylogging, deceptive banking overlays, and a specialized Pix QR code interception subsystem. - [From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat](https://cyfar.ca/posts/from-pdb-strings-to-maas-tracking-a-commodity-badiis-ecosystem-used-by-chinese-speaking-threat) (2026-05-19): Cisco Talos has identified a commodity BadIIS malware ecosystem operating under a Malware-as-a-Service (MaaS) model, primarily used by Chinese-speaking threat actors for SEO fraud and traffic manipulation. The developer, known as 'lwxat', provides a dedicated builder and sophisticated service-based installers that ensure persistence on compromised Windows IIS servers while evading detection through custom Base64 encoding and service impersonation. - [WantToCry ransomware remotely encrypts files](https://cyfar.ca/posts/wanttocry-ransomware-remotely-encrypts-files) (2026-05-19): WantToCry is a remote ransomware operation that targets internet-exposed SMB services using brute-force authentication. Instead of deploying local malware, attackers exfiltrate files, encrypt them on their own infrastructure, and write the encrypted versions back to the victim's network via authenticated SMB sessions, effectively bypassing traditional process-based EDR detections. - [When Seconds Count: Move Away From Reactive Patching](https://cyfar.ca/posts/when-seconds-count-move-away-from-reactive-patching) (2026-05-19): The emergence of advanced AI models capable of rapid vulnerability discovery and exploit prototyping has rendered traditional reactive patching cycles obsolete. Organizations must transition to a Modern Defensible Architecture (MDA) utilizing Zero Trust, active deception, and automated containment to defend against machine-speed threats. - [While You Embrace AI, Fix This Fast](https://cyfar.ca/posts/while-you-embrace-ai-fix-this-fast) (2026-05-19): The article highlights the critical need for foundational security architecture before deploying AI at scale, emphasizing that AI amplifies risks associated with exposed attack surfaces and lateral movement. It advocates for Zero Trust principles to make AI models invisible to the internet and restrict unauthorized access paths, preventing minor compromises from becoming systemic breaches. - [Popular node-ipc npm Package Infected with Credential Stealer](https://cyfar.ca/posts/popular-node-ipc-npm-package-infected-with-credential-stealer) (2026-05-19): Recent versions of the popular npm package node-ipc (9.1.6, 9.2.3, 12.0.1) were compromised to include an obfuscated credential stealer. The malware executes upon CommonJS module load, harvests sensitive developer and cloud credentials, and exfiltrates the compressed data via DNS TXT queries to attacker-controlled infrastructure. - [CVE-2026-42945: Mitigating a Critical Heap Buffer Overflow Vulnerability in NGINX](https://cyfar.ca/posts/cve-2026-42945-mitigating-a-critical-heap-buffer-overflow-vulnerability-in-nginx) (2026-05-19): CVE-2026-42945, dubbed 'NGINX Rift', is a critical heap buffer overflow vulnerability in the NGINX HTTP rewrite module (ngxhttprewrite_module). It allows unauthenticated attackers to cause a Denial of Service (DoS) or potentially achieve Remote Code Execution (RCE) by sending crafted HTTP requests to servers configured with specific rewrite directives containing unnamed PCRE captures and a question mark. - [The Most Common Passwords of 2026: Did Yours Make the List?](https://cyfar.ca/posts/the-most-common-passwords-of-2026-did-yours-make-the-list) (2026-05-18): This article highlights the severe security risks associated with using common, easily guessable passwords. It details how threat actors leverage weak credentials through brute force, password spraying, and credential stuffing attacks to gain unauthorized access to systems, emphasizing the need for robust identity protection and password management. - [19 Cloud Security Challenges and How to Mitigate Risk](https://cyfar.ca/posts/19-cloud-security-challenges-and-how-to-mitigate-risk) (2026-05-18): The article outlines 19 critical cloud security challenges facing organizations, emphasizing that misconfigurations, weak identity and access management (IAM), and human error are the primary drivers of cloud compromise. It highlights emerging threats such as AI-powered deepfake social engineering, MFA fatigue, and cloud-targeted extortion, underscoring the need for unified visibility and robust configuration management. - [Defending EDR Against Adversaries](https://cyfar.ca/posts/defending-edr-against-adversaries) (2026-05-18): Threat actors are increasingly employing defense evasion techniques to actively disable or blind endpoint security controls like AV and EDR. Common methods include manipulating Windows Firewall rules to block telemetry, uninstalling agents via rogue RMMs, and leveraging Bring Your Own Vulnerable Driver (BYOVD) attacks to terminate protected security processes from the kernel. - [Click, Install, Compromised: The New Wave of Zoom-Themed Attacks](https://cyfar.ca/posts/click-install-compromised-the-new-wave-of-zoom-themed-attacks) (2026-05-18): A recent phishing campaign impersonates Zoom meeting invitations to trick users into downloading a malicious VBS script disguised as a software update. This script silently installs ConnectWise ScreenConnect, a legitimate RMM tool, granting attackers persistent remote access to the compromised system for potential follow-on attacks such as credential theft, lateral movement, or ransomware deployment. - [Agentic Governance: Why It Matters Now](https://cyfar.ca/posts/agentic-governance-why-it-matters-now) (2026-05-18): Autonomous AI agents introduce significant security risks by operating within trust boundaries using delegated credentials, effectively bypassing traditional perimeter defenses. Effective security requires "agentic governance," focusing on strict identity management, granular action-level permissions, approval gates for high-risk operations, and comprehensive logging to mitigate threats like prompt injection and scope creep. - [IT threat evolution in Q1 2026. Non-mobile statistics](https://cyfar.ca/posts/it-threat-evolution-in-q1-2026-non-mobile-statistics) (2026-05-18): Kaspersky's Q1 2026 threat report highlights significant law enforcement actions against major ransomware operators, alongside the emergence of new ransomware groups like The Gentlemen. The quarter also saw active zero-day exploitation of Cisco Secure FMC (CVE-2026-20131) by the Interlock group, a rise in macOS-targeted crypto stealers and supply chain attacks via the Axios npm package, and persistent IoT botnet activity dominated by Mirai variants. - [IT threat evolution in Q1 2026. Mobile statistics](https://cyfar.ca/posts/it-threat-evolution-in-q1-2026-mobile-statistics) (2026-05-18): In Q1 2026, mobile banking Trojans saw a significant surge, with Mamont variants driving a 50% increase in malicious installation packages. Additionally, a sophisticated new variant of the SparkCat crypto stealer was identified in official app stores, employing custom virtual machines and OCR techniques to compromise both Android and iOS users. - [Weekly Recap — 2026-05-11 -> 2026-05-18](https://cyfar.ca/posts/weekly-2026-05-11) (2026-05-18): Developer Supply Chains Under Siege as Edge Device Exploits Surge The dominant narrative this week is the coordinated weaponization of the software supply chain, as threat actors like TeamPCP and Mini Shai-Hulud aggressively target developer tools to steal cloud credentials. Because these attackers compromise trusted build systems like GitHub Actions, a single malicious package—such as the compromised TanStack libraries—can cascade into massive downstream breaches, allowing criminals to hold development environments hostage and even deploy destructive dead-man switches if their access is cut off. In parallel, attackers are bypassing traditional network defenses by exploiting internet-facing edge devices and logging in with stolen credentials. Threat clusters are actively exploiting critical flaws in Cisco Catalyst SD-WAN and Microsoft Exchange, while ransomware groups like The Gentlemen and state-sponsored actors like Secret Blizzard use these footholds to live off the land, hijacking legitimate IT tools to stay hidden for months. These trends together suggest that perimeter-focused defenses and basic patching are no longer sufficient. Organizations must immediately isolate their CI/CD pipelines from cloud credentials, enforce phishing-resistant multi-factor authentication on all internet-facing systems, and assume that trusted vendor tools may already be compromised. - [Umami honeypots: deception that flavors the environment](https://cyfar.ca/posts/umami-honeypots) (2026-05-16): Some honeypots don't exist to catch attackers. They exist to make the environment around them convincing enough that sophisticated actors commit real tooling to the traps that do. - [CISA Adds One Known Exploited Vulnerability to Catalog - CVE-2026-42897](https://cyfar.ca/posts/cisa-adds-one-known-exploited-vulnerability-to-catalog-22) (2026-05-16): CISA has added CVE-2026-42897, a Cross-Site Scripting (XSS) vulnerability in Microsoft Exchange Server, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. Organizations are strongly urged to prioritize remediation of this flaw to reduce exposure to cyberattacks. - [Cross-Service Credential Replay: Operator Targets Hypervisor Using Harvested LLM Endpoint Secrets](https://cyfar.ca/engagements/cross-service-credential-replay-operator-targets-hypervisor-using-harvested-llm) (2026-05-16): A single IP harvested strings from an LLM emulator's responses (`.env`, model list, MCP manifest) and replayed them as Proxmox credentials, chat-completions parameters, and MCP tool-call names against the same host — a token-reuse feedback loop, not blind brute-force. 22 of 24 credential pairs are byte-for-byte traceable to served response bodies. - [Welcome to BlackFile: Inside a Vishing Extortion Operation](https://cyfar.ca/posts/welcome-to-blackfile-inside-a-vishing-extortion-operation) (2026-05-15): UNC6671, operating under the BlackFile brand, conducts sophisticated vishing and Adversary-in-the-Middle (AiTM) attacks to bypass MFA and compromise SSO platforms like Microsoft 365 and Okta. Once inside, the group uses automated Python and PowerShell scripts to rapidly exfiltrate sensitive data via APIs, often masking their activity as routine file access events, before launching aggressive extortion campaigns. - [April 2026 CVE Landscape](https://cyfar.ca/posts/april-2026-cve-landscape) (2026-05-15): In April 2026, 37 high-impact vulnerabilities were actively exploited, heavily impacting enterprise systems and edge infrastructure. Notable exploitation includes the delivery of the Nexcorium botnet via CVE-2024-3721 in TBK DVR devices and complete service takeovers of Nginx UI instances via CVE-2026-33032, a missing authentication flaw. - [Cyber Centre Daily Advisory Digest — 2026-05-15 (2 advisories)](https://cyfar.ca/posts/cyber-centre-daily-advisory-digest-2026-05-15-2-advisories) (2026-05-15): The Canadian Centre for Cyber Security issued advisories warning of active exploitation of two critical vulnerabilities. CVE-2026-20182 affects Cisco Catalyst SD-WAN devices, allowing unauthenticated remote attackers to bypass authentication and gain root privileges, while CVE-2026-42897 is a spoofing vulnerability affecting on-premises Microsoft Exchange Servers. - [Mini Shai-Hulud: The Worm Returns and Goes Public](https://cyfar.ca/posts/mini-shai-hulud-the-worm-returns-and-goes-public) (2026-05-15): The TeamPCP threat actor deployed the Mini Shai-Hulud worm in a sophisticated supply chain attack targeting the npm ecosystem via a GitHub Actions CI cache-poisoning technique. The malware steals credentials, establishes persistence via developer tools like VS Code and Claude Code, and features a destructive dead man switch that wipes the victim's home directory if access tokens are revoked. - [Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files](https://cyfar.ca/posts/gremlin-stealers-evolved-tactics-hiding-in-plain-sight-with-resource-files) (2026-05-15): Gremlin stealer has evolved from a basic credential harvester into a sophisticated, modular infostealer capable of active financial fraud and live session hijacking. Recent variants employ advanced anti-analysis techniques, including Themida packing, .NET resource section payload hiding with XOR encryption, and extensive code obfuscation, significantly complicating static detection efforts. - [Now Live: The CrowdStrike 2026 Financial Services Threat Landscape Report](https://cyfar.ca/posts/now-live-the-crowdstrike-2026-financial-services-threat-landscape-report) (2026-05-15): The CrowdStrike 2026 Financial Services Threat Landscape Report highlights a 43% global increase in hands-on-keyboard intrusions against the financial sector. The threat landscape is dominated by eCrime ransomware operations, DPRK-nexus cryptocurrency theft via supply chain compromises, and China-nexus intelligence collection leveraging Operational Relay Box (ORB) networks and DLL search-order hijacking. - [NIST Stopped Scoring Most CVEs. The Signal You Actually Need Was Never in NVD.](https://cyfar.ca/posts/nist-stopped-scoring-most-cves-the-signal-you-actually-need-was-never-in-nvd) (2026-05-15): NIST has significantly reduced its enrichment of CVEs in the National Vulnerability Database (NVD), limiting full analysis to a small subset of critical vulnerabilities. This policy change exposes organizations relying solely on NVD CVSS scores to significant blind spots, necessitating a shift toward threat intelligence-driven prioritization based on real-world weaponization and active exploitation. - [Understanding the CMMC Final Rule: Program Key Takeaways](https://cyfar.ca/posts/understanding-the-cmmc-final-rule-program-key-takeaways) (2026-05-15): The Department of Defense has finalized the Cybersecurity Maturity Model Certification (CMMC) rule, effective November 10, 2025, shifting from self-attestation to mandatory third-party verification for contractors handling sensitive data. Organizations must proactively prepare their technology, processes, and documentation to meet NIST SP 800-171 requirements and avoid anticipated assessment bottlenecks. - [13 Cybersecurity Frameworks for 2026 and How to Choose | Huntress](https://cyfar.ca/posts/13-cybersecurity-frameworks-for-2026-and-how-to-choose-huntress) (2026-05-15): This article provides an overview of 13 major cybersecurity frameworks, including NIST CSF, CIS Controls, and ISO 27001, detailing their core functions and target audiences. It offers guidance on selecting and implementing the appropriate framework based on regulatory requirements, business goals, and organizational maturity. - [CISA Adds One Known Exploited Vulnerability to Catalog - CVE-2026-20182](https://cyfar.ca/posts/cisa-adds-one-known-exploited-vulnerability-to-catalog-21) (2026-05-14): CISA has added CVE-2026-20182, an authentication bypass vulnerability affecting Cisco Catalyst SD-WAN Controllers, to its Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation. Federal agencies and private organizations are strongly urged to apply mitigations outlined in Emergency Directive 26-03 or discontinue use of the product if mitigations are unavailable. - [The time of much patching is coming](https://cyfar.ca/posts/the-time-of-much-patching-is-coming) (2026-05-14): The Talos Threat Source newsletter highlights an impending surge in software patching driven by AI vulnerability discovery tools. It also contrasts state-sponsored espionage tactics—which leverage valid credentials and native tools to bypass traditional defenses—with commodity ransomware, while summarizing recent supply chain compromises across developer platforms like Hugging Face and Jenkins. - [TeamPCP and BreachForums Launch $1,000 Contest for Supply Chain Attacks](https://cyfar.ca/posts/teampcp-and-breachforums-launch-1000-contest-for-supply-chain-attacks) (2026-05-14): TeamPCP has partnered with BreachForums to launch a supply chain attack contest, incentivizing threat actors to compromise open-source packages using the open-sourced Shai-Hulud worm. The campaign targets CI/CD pipelines and developer environments to harvest credentials, posing a significant risk of downstream enterprise compromises. - [Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities](https://cyfar.ca/posts/ongoing-exploitation-of-cisco-catalyst-sd-wan-vulnerabilities) (2026-05-14): Cisco Talos is tracking active exploitation of multiple vulnerabilities in Cisco Catalyst SD-WAN Controller and Manager. Threat actor UAT-8616 is exploiting CVE-2026-20182 for authentication bypass, while other clusters are chaining CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 to deploy JSP webshells and post-exploitation frameworks like Sliver and AdaptixC2. - [Kazuar: Anatomy of a nation-state botnet](https://cyfar.ca/posts/kazuar-anatomy-of-a-nation-state-botnet) (2026-05-14): Kazuar is a sophisticated, modular P2P botnet attributed to the Russian state-sponsored actor Secret Blizzard. It utilizes a tripartite architecture (Kernel, Bridge, Worker) and a leader election mechanism to minimize external C2 traffic, relying on Mailslots, Window Messaging, and Named Pipes for internal communication and HTTP, WSS, or EWS for external C2. - [Cyber Centre Daily Advisory Digest — 2026-05-14 (3 advisories)](https://cyfar.ca/posts/cyber-centre-daily-advisory-digest-2026-05-14-3-advisories) (2026-05-14): The Canadian Centre for Cyber Security issued a daily digest highlighting critical security updates for GitLab, MongoDB, and VMware Fusion. Notably, MongoDB addressed an undefined behavior vulnerability (CVE-2026-8053) in timeseries collections, and Broadcom patched a privilege escalation flaw (CVE-2026-41702) in VMware Fusion. - [PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale](https://cyfar.ca/posts/pcpjack-cloud-worm-evicts-teampcp-and-steals-credentials-at-scale) (2026-05-14): SentinelLABS discovered PCPJack, a cloud-focused worm designed to harvest credentials at scale while actively evicting artifacts of a rival threat actor, TeamPCP. The framework targets exposed cloud services like Docker, Kubernetes, and Redis for propagation and lateral movement, notably omitting cryptomining payloads in favor of credential theft and Sliver C2 deployment. - [Why AMOS matters: The macOS malware stealing data at scale](https://cyfar.ca/posts/why-amos-matters-the-macos-malware-stealing-data-at-scale) (2026-05-14): Sophos MDR investigated a macOS infostealer infection attributed to an AMOS (Atomic macOS) variant. The attack leverages ClickFix social engineering to trick users into running a malicious Terminal command, which initiates a multi-stage infection chain. The malware captures the user's system password via a spoofed prompt, evades analysis by checking for virtualized environments, and exfiltrates sensitive data like Keychain and browser credentials before establishing persistence via a LaunchDaemon. - [Packagist Urges Immediate Composer Update After GitHub Actions Token Leak](https://cyfar.ca/posts/packagist-urges-immediate-composer-update-after-github-actions-token-leak) (2026-05-14): A vulnerability in Composer causes it to inadvertently log GitHub Actions tokens and GitHub App installation tokens to stderr when token validation fails. This was triggered by a recent GitHub token format change, exposing credentials in CI/CD logs and requiring immediate updates to Composer versions 2.9.8, 2.2.28 LTS, or 1.10.28. - [Lookalike Domains Expose the iPhone Theft Economy](https://cyfar.ca/posts/lookalike-domains-expose-the-iphone-theft-economy) (2026-05-14): Infoblox Threat Intel uncovered a thriving underground economy on Telegram dedicated to unlocking stolen iPhones. Threat actors utilize specialized Windows binaries to extract device information and deploy targeted smishing campaigns via Apple lookalike domains to steal iCloud credentials, allowing them to bypass Activation Lock, wipe the device, and resell the hardware. - [LATAM Under Siege: Agent Tesla’s 18-Month Credential Theft Campaign Against Chilean Enterprises](https://cyfar.ca/posts/latam-under-siege-agent-teslas-18-month-credential-theft-campaign-against-chilean-enterprises) (2026-05-14): An 18-month Agent Tesla campaign is targeting LATAM enterprises, particularly in Chile, using procurement-themed phishing lures. The attack chain employs a multi-stage loader protected by .NET Reactor 6.x, utilizing process hollowing into aspnet_compiler.exe to execute the credential-stealing payload entirely in memory. Stolen data is exfiltrated via cleartext FTP to compromised legitimate infrastructure. - [Kimsuky targets organizations with PebbleDash-based tools](https://cyfar.ca/posts/kimsuky-targets-organizations-with-pebbledash-based-tools) (2026-05-14): Kimsuky (APT43) has updated its arsenal with new PebbleDash and AppleSeed malware variants, including the Rust-based HelloDoor and httpMalice backdoors. The group is increasingly utilizing legitimate services like VSCode Remote Tunnels, Cloudflare Quick Tunnels, and DWAgent for covert C2 and post-exploitation access, primarily targeting South Korean entities and global defense sectors. - [FrostyNeighbor: Fresh mischief and digital shenanigans](https://cyfar.ca/posts/frostyneighbor-fresh-mischief-and-digital-shenanigans) (2026-05-14): FrostyNeighbor, a Belarus-aligned threat actor, has updated its toolset to target Ukrainian governmental organizations with a multi-stage compromise chain. The attack utilizes spearphishing with malicious PDFs that redirect to a RAR archive containing a JavaScript dropper, which ultimately deploys a Cobalt Strike beacon via the PicassoLoader malware following strict server-side and manual victim validation. - [Thus Spoke…The Gentlemen](https://cyfar.ca/posts/thus-spokethe-gentlemen) (2026-05-14): A recent leak of internal communications and backend data from 'The Gentlemen' RaaS operation has revealed the group's highly structured operational model and mature toolset. The threat actors actively exploit edge appliances and NTLM relay vulnerabilities for initial access, followed by extensive use of red-team tools and custom EDR evasion techniques to deploy their cross-platform ransomware. - [May’s Patch Tuesday hauls out 132 CVEs](https://cyfar.ca/posts/mays-patch-tuesday-hauls-out-132-cves) (2026-05-14): Microsoft's May 2026 Patch Tuesday release addresses 132 CVEs, including 29 Critical vulnerabilities and 14 with a CVSS score of 9.0 or higher. Key threats include a critical authentication bypass in the Microsoft SSO Plugin for Jira & Confluence, unauthorized RCEs in Windows Netlogon and DNS Client, and multiple Office RCEs exploitable via the Preview Pane. - [A 0-click exploit chain for the Pixel 10: When a Door Closes, a Window Opens](https://cyfar.ca/posts/a-0-click-exploit-chain-for-the-pixel-10-when-a-door-closes-a-window-opens) (2026-05-14): Project Zero researchers developed a 0-click exploit chain for the Google Pixel 10 by chaining a known Dolby vulnerability (CVE-2025-54957) with a newly discovered, trivial local privilege escalation flaw in the device's VPU driver. The VPU vulnerability allowed unbounded physical memory mapping via the mmap syscall, granting arbitrary read/write access to the kernel image and enabling full device compromise. - [GemStuffer Campaign Abuses RubyGems as Exfiltration Channel Targeting UK Local Government](https://cyfar.ca/posts/gemstuffer-campaign-abuses-rubygems-as-exfiltration-channel-targeting-uk-local-government) (2026-05-13): The GemStuffer campaign leverages the RubyGems package registry as an unconventional data exfiltration channel. Threat actors deploy Ruby scripts that scrape UK local government portals, package the harvested data into valid .gem archives, and push them to RubyGems using hardcoded API keys. The malware demonstrates defense evasion by overriding the HOME environment variable to a /tmp directory to isolate its credential environment, or by bypassing the gem CLI entirely to perform direct API POST requests. - [Cyber Centre Daily Advisory Digest — 2026-05-13 (1 advisories)](https://cyfar.ca/posts/cyber-centre-daily-advisory-digest-2026-05-13-1-advisories) (2026-05-13): The Canadian Centre for Cyber Security issued an advisory (AV26-457) highlighting multiple vulnerabilities in HPE Aruba Networking Operating Systems AOS-8 and AOS-10. Organizations utilizing affected ArubaOS versions are advised to review HPE's security bulletins (HPESBNW05048 and HPESBNW05049) and apply the recommended updates. - [Analyzing TeamPCP’s Supply Chain Attacks: Checkmarx KICS and elementary-data in CI/CD Credential Theft](https://cyfar.ca/posts/analyzing-teampcps-supply-chain-attacks-checkmarx-kics-and-elementary-data-in-cicd-credential-th) (2026-05-13): TeamPCP (SHADOW-WATER-058) executed a sophisticated supply chain campaign compromising developer toolchains across multiple ecosystems, including Docker Hub, PyPI, and GitHub Actions. The attacks leveraged CI/CD trust, such as unsanitized PR comments and stolen publisher tokens, to distribute credential-harvesting payloads via Python .pth files and the Bun runtime, targeting over 80 credential types and abusing live AWS APIs. - [fsnotify Maintainer Dispute Sparks Supply Chain Concerns](https://cyfar.ca/posts/fsnotify-maintainer-dispute-sparks-supply-chain-concerns) (2026-05-13): A maintainer access dispute in the widely used fsnotify Go library sparked supply chain security concerns, though no malicious code was introduced. The incident underscores the risks of ambiguous open-source governance and the heightened downstream sensitivity to sudden maintainer changes following recent supply chain attacks like the xz-utils backdoor. - [Undermining the trust boundary: Investigating a stealthy intrusion through third-party compromise](https://cyfar.ca/posts/undermining-the-trust-boundary-investigating-a-stealthy-intrusion-through-third-party-compromise) (2026-05-13): A sophisticated threat actor compromised a third-party IT services provider to abuse legitimate HPE Operations Agent infrastructure, enabling stealthy execution and discovery. The attackers established persistence and harvested credentials using malicious network provider and password filter DLLs on domain controllers, while utilizing web shells and ngrok tunnels to maintain long-term, undetected access. - [The State of Ransomware – Q1 2026](https://cyfar.ca/posts/the-state-of-ransomware-q1-2026) (2026-05-13): In Q1 2026, the ransomware ecosystem experienced significant consolidation, with top groups like Qilin, Akira, The Gentlemen, and LockBit 5.0 dominating the landscape. Notably, The Gentlemen leveraged a massive stockpile of pre-exploited FortiGate devices (CVE-2024-55591) to rapidly scale operations, while LockBit 5.0 returned with multi-platform capabilities and a strategic shift away from US targets to evade law enforcement. - [TanStack npm Packages Compromised in Ongoing Mini Shai-Hulud Supply-Chain Attack](https://cyfar.ca/posts/tanstack-npm-packages-compromised-in-ongoing-mini-shai-hulud-supply-chain-attack) (2026-05-13): A sophisticated supply-chain worm dubbed 'Mini Shai-Hulud' has compromised numerous high-profile npm and PyPI packages, including TanStack and Mistral AI. The heavily obfuscated payload targets CI/CD environments to systematically harvest credentials from GitHub, AWS, Vault, and Kubernetes. It autonomously propagates by minting npm publish tokens and committing malicious code to repositories, while exfiltrating stolen secrets via the Session P2P network. - [State of ransomware in 2026](https://cyfar.ca/posts/state-of-ransomware-in-2026) (2026-05-13): The 2026 ransomware landscape is characterized by the adoption of post-quantum cryptography to thwart decryption efforts and a significant shift toward encryptionless, data-centric extortion. Threat actors are increasingly professionalizing their operations, standardizing EDR evasion via BYOVD (Bring Your Own Vulnerable Driver), and relying on Initial Access Brokers targeting edge infrastructure like RDWeb and VPNs. - [One Is a Fluke, 3 Is a Pattern: MCP Back-End Vulnerabilities](https://cyfar.ca/posts/one-is-a-fluke-3-is-a-pattern-mcp-back-end-vulnerabilities) (2026-05-13): Security researchers discovered critical vulnerabilities in three widely used Model Context Protocol (MCP) servers—Apache Doris, Apache Pinot, and Alibaba RDS—stemming from insufficient back-end security validation. These flaws include SQL injection (CVE-2025-66335), missing authentication, and unauthenticated data exposure, allowing attackers to execute arbitrary commands or exfiltrate sensitive database metadata. - [Intelligence Center](https://cyfar.ca/posts/intelligence-center-23) (2026-05-13): Microsoft's May 2026 Patch Tuesday addresses 137 vulnerabilities, including 31 critical flaws, 16 of which are Remote Code Execution (RCE) vulnerabilities. While no active exploitation has been observed, critical flaws affect core services like Windows Netlogon, DNS Client, and Azure Managed Instances, prompting the release of Snort detection rules by Cisco Talos. - [Intelligence Center](https://cyfar.ca/posts/intelligence-center-22) (2026-05-13): State-sponsored threat actors operate with a fundamentally different methodology than financially motivated criminals, prioritizing long-term stealth over immediate disruption. By leveraging valid credentials and living-off-the-land (LOTL) techniques such as PowerShell and WMI, these adversaries bypass traditional signature-based detections. Defending against and responding to these threats requires organizations to shift toward continuous behavioral baselines, enhanced telemetry (e.g., Event IDs 4688, 4104, Sysmon), and strategic incident response plans that account for complex containment decisions and supply chain risks. - [Inside the lethal trifecta: Blast radius reduction in AI agent deployments](https://cyfar.ca/posts/inside-the-lethal-trifecta-blast-radius-reduction-in-ai-agent-deployments) (2026-05-13): AI agents deployed in enterprise environments are highly susceptible to indirect prompt injection attacks, enabling data theft and unauthorized actions. Security teams must adopt an 'assume breach' architecture for LLMs, focusing on blast radius reduction through agent sandboxing, credential isolation, egress restrictions, and human-in-the-loop governance. - [Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools](https://cyfar.ca/posts/inside-ad-cs-escalation-unpacking-advanced-misuse-techniques-and-tools) (2026-05-13): Active Directory Certificate Services (AD CS) is increasingly targeted by threat actors to achieve privilege escalation and persistence through misconfigured certificate templates and shadow credential abuse. By leveraging tools like Certipy and Whisker, attackers can bypass traditional credential defenses, necessitating behavioral detection strategies focused on LDAP enumeration, anomalous certificate issuance, and directory modifications. - [Go fuzzing was missing half the toolkit. We forked the toolchain to fix it.](https://cyfar.ca/posts/go-fuzzing-was-missing-half-the-toolkit-we-forked-the-toolchain-to-fix-it) (2026-05-13): Trail of Bits has released gosentry, an enhanced fork of the Go toolchain designed to significantly improve native Go fuzzing capabilities by integrating LibAFL and Nautilus. The tool allows security researchers and developers to perform struct-aware and grammar-based fuzzing, successfully identifying complex vulnerabilities such as integer overflows, data races, and goroutine leaks that standard Go fuzzing often misses. - [Cyber Centre Daily Advisory Digest — 2026-05-12 (5 advisories)](https://cyfar.ca/posts/cyber-centre-daily-advisory-digest-2026-05-12-5-advisories) (2026-05-13): The Canadian Centre for Cyber Security published a daily advisory digest on May 12, 2026, highlighting critical security updates from SAP, Siemens, Schneider Electric, Ivanti, and Mozilla. The advisories cover a wide range of enterprise software, industrial control systems, and web browsers, requiring immediate patching to mitigate potential exploitation. - [Vibe Hacking: Two AI-Augmented Campaigns Target Government and Financial Sectors in Latin America](https://cyfar.ca/posts/vibe-hacking-two-ai-augmented-campaigns-target-government-and-financial-sectors-in-latin-america) (2026-05-13): Trend Micro identified two distinct threat campaigns, SHADOW-AETHER-040 and SHADOW-AETHER-064, leveraging agentic AI to orchestrate attacks against Latin American government and financial institutions. The attackers utilized AI models like Anthropic's Claude to dynamically generate scripts, analyze configurations, and establish SOCKS5 tunnels for lateral movement, demonstrating a shift towards AI-assisted, signature-evasive intrusion operations. - [Socket Releases Free Certified Patches for Critical vm2 Sandbox Escape](https://cyfar.ca/posts/socket-releases-free-certified-patches-for-critical-vm2-sandbox-escape) (2026-05-13): A critical sandbox escape vulnerability (CVE-2026-26956) in the vm2 Node.js library allows attackers to execute arbitrary OS commands by leveraging WebAssembly.JSTag via VM.run(). The flaw affects versions 0.2.2 through 3.10.4 on Node.js runtimes exposing this tag, prompting the release of vm2 3.10.5 and a free Certified Patch from Socket to remove the tag from the sandbox environment. - [GTIG AI Threat Tracker: Adversaries Leverage AI for Vulnerability Exploitation, Augmented Operations, and Initial Access](https://cyfar.ca/posts/gtig-ai-threat-tracker-adversaries-leverage-ai-for-vulnerability-exploitation-augmented-operatio) (2026-05-13): Google Threat Intelligence Group (GTIG) reports an escalation in adversaries leveraging generative AI for vulnerability discovery, autonomous malware orchestration, and defense evasion. Notable developments include the AI-assisted discovery of a zero-day 2FA bypass, the PROMPTSPY Android backdoor utilizing the Gemini API for autonomous UI navigation, and supply chain attacks by TeamPCP targeting AI dependencies like LiteLLM to extract cloud secrets. - [Feeding Frenzy: RCE on Azure Cosmos for PostgreSQL](https://cyfar.ca/posts/feeding-frenzy-rce-on-azure-cosmos-for-postgresql) (2026-05-13): Varonis Threat Labs identified a Remote Code Execution (RCE) vulnerability in Azure Cosmos for PostgreSQL caused by improper input validation of the loglineprefix parameter within the Azure management API. By utilizing form feed and newline characters, attackers could bypass single-quote restrictions to inject arbitrary PostgreSQL configurations, such as archive_command, ultimately leading to arbitrary OS command execution on the underlying managed database node. - [Cyber Centre Daily Advisory Digest — 2026-05-11 (5 advisories)](https://cyfar.ca/posts/cyber-centre-daily-advisory-digest-2026-05-11-5-advisories) (2026-05-13): The Canadian Centre for Cyber Security released a daily digest highlighting critical vulnerabilities across Cisco, IBM, Dell, Ubuntu, and various ICS platforms. Notably, Cisco ASA and FTD devices are affected by a newly identified persistence mechanism known as the FIRESTARTER backdoor, which survives previous patches for CVE-2025-20333, CVE-2025-20362, and CVE-2025-20363. - [What Is the Instructure Canvas Breach? Impact, Risks, and What Institutions Should Do](https://cyfar.ca/posts/what-is-the-instructure-canvas-breach-impact-risks-and-what-institutions-should-do) (2026-05-13): In May 2026, threat actor SHADOW-AETHER-015 compromised Instructure's Canvas LMS backend, exposing sensitive data from 8,809 global educational institutions. The breach, likely facilitated via API exploitation or third-party integration compromise, exposed PII and private communications, creating significant risk for highly targeted follow-on spear-phishing and credential abuse campaigns. - [Copy Fail and DirtyFrag: Linux Page Cache Bugs in the Wild](https://cyfar.ca/posts/copy-fail-and-dirtyfrag-linux-page-cache-bugs-in-the-wild) (2026-05-13): Copy Fail and DirtyFrag are critical Linux kernel privilege escalation vulnerabilities that exploit page cache corruption via legitimate kernel interfaces like AF_ALG and splice(). These flaws allow local attackers to corrupt the in-memory view of setuid binaries or critical files like /etc/passwd to gain root access. Copy Fail has been exploited in the wild, prompting CISA to add it to the Known Exploited Vulnerabilities catalog. - [Types and Prevention of Payment Fraud](https://cyfar.ca/posts/types-and-prevention-of-payment-fraud) (2026-05-13): This article provides a comprehensive overview of 14 common payment fraud tactics, including phishing, account takeover, and wire transfer fraud, highlighting the projected $362 billion in global losses by 2028. It emphasizes the need for organizations, particularly in e-commerce and finance, to implement layered defenses such as PCI compliance, 3D Secure authentication, and machine learning-based anomaly detection to mitigate financial and reputational damage. - [Detecting Web Server Probing & Fuzzing in Traefik with Automated Cloudflare Response](https://cyfar.ca/posts/detecting-web-server-probing-fuzzing-in-traefik-with-automated-cloudflare-response) (2026-05-13): The article details a defensive architecture using Elastic Security to detect web server probing and directory fuzzing against Traefik reverse proxies. By analyzing HTTP 403 and 404 error thresholds, security teams can trigger automated workflows that dynamically update Cloudflare WAF rules to block malicious source IPs at the edge. - [Cyber Centre Daily Advisory Digest — 2026-05-08 (3 advisories)](https://cyfar.ca/posts/cyber-centre-daily-advisory-digest-2026-05-08-3-advisories) (2026-05-13): The Canadian Centre for Cyber Security issued advisories for Microsoft Edge, cPanel/WHM, and critical Linux kernel vulnerabilities (CVE-2026-43284, CVE-2026-43500) dubbed 'Dirty Frag'. The Linux flaws allow local privilege escalation to root, have public PoCs, and currently lack a universal patch, requiring immediate module-disabling mitigations. - [Canvas Attackers Compromise 275M Students, Teachers, and Staff](https://cyfar.ca/posts/canvas-attackers-compromise-275m-students-teachers-and-staff) (2026-05-13): The threat group ShinyHunters compromised Instructure's Canvas learning management system, likely via voice phishing (vishing) targeting their interconnected Salesforce environment. The breach resulted in the theft of 3.65 TB of sensitive data affecting 275 million users, which the actors are now leveraging in an active extortion campaign and which poses a severe downstream phishing risk. - [CVE-2026-34354: Guardicore Local Privilege Escalation Vulnerability](https://cyfar.ca/posts/cve-2026-34354-guardicore-local-privilege-escalation-vulnerability) (2026-05-13): Akamai has disclosed CVE-2026-34354, a local privilege escalation vulnerability in the Guardicore Platform Agent and Zero Trust Client for macOS and Linux. The vulnerability leverages an unauthenticated IPC socket and a TOCTOU flaw to make root-owned files world-writable, alongside a secondary command injection vector in a diagnostic tool. - [CVE-2025-68670: discovering an RCE vulnerability in xrdp](https://cyfar.ca/posts/cve-2025-68670-discovering-an-rce-vulnerability-in-xrdp) (2026-05-13): Kaspersky researchers discovered CVE-2025-68670, a pre-authentication Remote Code Execution (RCE) vulnerability in the xrdp server for Linux. The flaw stems from a stack buffer overflow in the xrdpwmparsedomaininformation function when processing specially crafted domain names during the Secure Settings Exchange phase, allowing an attacker to overwrite the return address and execute arbitrary code. - [CISA Adds One Known Exploited Vulnerability to Catalog](https://cyfar.ca/posts/cisa-adds-one-known-exploited-vulnerability-to-catalog-20) (2026-05-13): CISA has added CVE-2026-42208, a SQL Injection vulnerability affecting BerriAI LiteLLM, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. Organizations are strongly urged to prioritize timely remediation of this vulnerability to reduce their exposure to cyberattacks. - [5 Malicious NuGet Packages Impersonate Chinese UI Libraries to Distribute Crypto Wallet and Credential Stealer](https://cyfar.ca/posts/5-malicious-nuget-packages-impersonate-chinese-ui-libraries-to-distribute-crypto-wallet-and-cred) (2026-05-13): A supply chain attack utilizing five malicious NuGet packages typosquatting Chinese .NET libraries has been discovered distributing a cross-platform infostealer. The malware leverages .NET Reactor and JIT hooking via module initializers to execute automatically upon assembly load, targeting credentials and cryptocurrency wallets across developer workstations and CI/CD pipelines. - [pnpm 11 Adds Supply Chain Protection Defaults for Minimum Release Age and Exotic Subdependencies](https://cyfar.ca/posts/pnpm-11-adds-supply-chain-protection-defaults-for-minimum-release-age-and-exotic-subdependencies) (2026-05-13): The release of pnpm 11 introduces significant supply chain security enhancements, including a default 24-hour minimum release age for packages, the blocking of exotic subdependencies, and a streamlined allowBuilds model. These features are designed to mitigate rapid supply chain attacks, such as the recent Mini Shai-Hulud campaign, by restricting install-time execution and unexpected dependency sources. - [TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook](https://cyfar.ca/posts/tclbanker-brazilian-banking-trojan-spreading-via-whatsapp-and-outlook) (2026-05-13): Elastic Security Labs identified TCLBANKER, a new Brazilian banking trojan distributed via DLL sideloading that features robust anti-analysis mechanisms and environment-gated payload decryption. The malware deploys a full-featured banking trojan with a WPF-based social engineering overlay framework, alongside worm modules that self-propagate by hijacking WhatsApp Web sessions and Microsoft Outlook accounts. - [Quantum Risk Explained: What, When, How?](https://cyfar.ca/posts/quantum-risk-explained-what-when-how) (2026-05-13): The emergence of cryptographically relevant quantum computers (CRQCs) poses a critical threat to modern public-key encryption. Threat actors are already conducting 'Harvest Now, Decrypt Later' (HNDL) operations to intercept and store long-lived sensitive data, necessitating immediate organizational planning for post-quantum cryptography (PQC) migration and cryptographic agility. - [Fake call logs, real payments: How CallPhantom tricks Android users](https://cyfar.ca/posts/fake-call-logs-real-payments-how-callphantom-tricks-android-users) (2026-05-13): ESET researchers discovered a cluster of 28 fraudulent Android applications, dubbed CallPhantom, that accumulated over 7.3 million downloads on Google Play. These apps deceive users by falsely claiming to retrieve call and message logs for arbitrary phone numbers, instead presenting hardcoded, randomly generated data to extort subscription payments via Google Play billing, UPI, or direct card entry. - [Exploits and vulnerabilities in Q1 2026](https://cyfar.ca/posts/exploits-and-vulnerabilities-in-q1-2026) (2026-05-13): In Q1 2026, vulnerability registrations continued to rise, heavily influenced by AI-assisted discovery tools. Threat actors and APT groups actively exploited a mix of legacy and newly discovered vulnerabilities across Windows, Linux, and Microsoft Office, frequently utilizing C2 frameworks like Metasploit and Sliver to bypass authentication and gain initial access. - [Donuts and Beagles: Fake Claude site spreads backdoor](https://cyfar.ca/posts/donuts-and-beagles-fake-claude-site-spreads-backdoor) (2026-05-13): A malvertising campaign is leveraging a fake Claude AI website to distribute a malicious MSI installer. The infection chain employs DLL sideloading via a legitimate G DATA executable to execute DonutLoader, which ultimately deploys a novel backdoor dubbed 'Beagle' for remote command execution and file manipulation. - [Cyber Centre Daily Advisory Digest — 2026-05-07 (5 advisories)](https://cyfar.ca/posts/cyber-centre-daily-advisory-digest-2026-05-07-5-advisories) (2026-05-13): The Canadian Centre for Cyber Security released a daily digest highlighting five security advisories. Notably, Ivanti Endpoint Manager Mobile (EPMM) contains an actively exploited vulnerability (CVE-2026-6973), and critical updates were issued for Spring Cloud Config, VM2 Node.js library, Mozilla Firefox, and multiple Broadcom VMware Tanzu products. - [CISA Adds One Known Exploited Vulnerability to Catalog](https://cyfar.ca/posts/cisa-adds-one-known-exploited-vulnerability-to-catalog-19) (2026-05-13): CISA has added CVE-2026-6973, an improper input validation vulnerability in Ivanti Endpoint Manager Mobile (EPMM), to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. Federal Civilian Executive Branch (FCEB) agencies are mandated to remediate this vulnerability per BOD 22-01, and all organizations are strongly urged to prioritize patching to reduce exposure to cyberattacks. - [Websites with an undefined trust level: avoiding the trap](https://cyfar.ca/posts/websites-with-an-undefined-trust-level-avoiding-the-trap) (2026-05-13): The article details the threat landscape of 'suspicious websites' that evade traditional phishing classifications but remain highly dangerous. These include fake online stores, dubious crypto exchanges, and fake browser extensions. Threat actors leverage newly registered domains, cheap TLDs, and poor infrastructure security (missing HTTP headers, lack of SPF/DMARC) to conduct financial fraud, data theft, and browser hijacking. Detection requires a multi-faceted approach analyzing domain age, IP reputation, and infrastructure configurations. - [Threat Activity Enablers: The Backbone of Today’s Threat Landscape](https://cyfar.ca/posts/threat-activity-enablers-the-backbone-of-todays-threat-landscape) (2026-05-13): Threat Activity Enablers (TAEs) are infrastructure providers that deliberately support malicious cyber operations by offering resilient, bulletproof hosting. By leveraging corporate shell companies, controlling Autonomous Systems (ASNs), and rapidly rebranding, TAEs like Virtualine Technologies and Stark Industries evade sanctions and takedowns to sustain ransomware, botnet, and state-sponsored campaigns. - [Steal Smarter, Not Harder: Malicious use of Vercel for Credential Phishing](https://cyfar.ca/posts/steal-smarter-not-harder-malicious-use-of-vercel-for-credential-phishing) (2026-05-13): Threat actors are increasingly leveraging Vercel's GenAI capabilities, specifically v0.dev, to rapidly generate and host highly convincing credential phishing pages. By combining AI-generated frontends with Telegram Bot API integrations for real-time credential exfiltration, attackers can deploy resilient, low-effort phishing infrastructure on legitimate cloud services that evades traditional detection mechanisms. - [Security Advisory 2026-006](https://cyfar.ca/posts/security-advisory-2026-006) (2026-05-13): Palo Alto Networks has disclosed a critical buffer overflow vulnerability (CVE-2026-0300, CVSS 9.3) in the PAN-OS User-ID Authentication Portal. This flaw allows unauthenticated remote attackers to execute arbitrary code with root privileges on affected PA-Series and VM-Series firewalls, with limited active exploitation already observed in the wild. - [OceanLotus suspected of using PyPI to deliver ZiChatBot malware](https://cyfar.ca/posts/oceanlotus-suspected-of-using-pypi-to-deliver-zichatbot-malware) (2026-05-13): OceanLotus is suspected of orchestrating a PyPI supply chain attack using malicious wheel packages to deliver a novel cross-platform malware named ZiChatBot. The malware acts as a dropper for Windows and Linux systems, establishing persistence and utilizing the Zulip team chat application's REST APIs for command and control. - [LABScon25 Replay | Please Connect to the Foreign Entity to Enhance Your User Experience](https://cyfar.ca/posts/labscon25-replay-please-connect-to-the-foreign-entity-to-enhance-your-user-experience) (2026-05-13): This article summarizes a LABScon 25 presentation by Joe FitzPatrick on the systemic risks introduced by foreign-manufactured networked devices in critical infrastructure and consumer markets. It highlights issues such as undocumented cellular radios, mandatory product activation, and the ineffectiveness of import bans, advocating instead for hardware bills of materials and right-to-repair legislation. - [Cyber Centre Daily Advisory Digest — 2026-05-06 (3 advisories)](https://cyfar.ca/posts/cyber-centre-daily-advisory-digest-2026-05-06-3-advisories) (2026-05-13): The Canadian Centre for Cyber Security released a daily digest highlighting three security advisories. The most critical is an actively exploited, unauthenticated buffer overflow vulnerability (CVE-2026-0300) affecting the Palo Alto Networks PAN-OS User-ID Authentication Portal. Additional routine security updates were announced for Google Chrome and VMware Tanzu GemFire Management Console. - [CISA Adds One Known Exploited Vulnerability to Catalog](https://cyfar.ca/posts/cisa-adds-one-known-exploited-vulnerability-to-catalog-18) (2026-05-13): CISA has added CVE-2026-0300, an out-of-bounds write vulnerability affecting Palo Alto Networks PAN-OS, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. Organizations are strongly urged to prioritize remediation to reduce exposure to cyberattacks. - [The Other Side of the MCP Threat Conversation](https://cyfar.ca/posts/the-other-side-of-the-mcp-threat-conversation) (2026-05-13): Model Context Protocol (MCP) servers introduce a new attack surface akin to AI-native APIs, exposing organizations to protocol-level attacks, injection vulnerabilities, and authorization bypasses. Because MCP tools often use permissive validation to accommodate LLM inputs and proactively broadcast their capabilities via plain-English descriptions, attackers can easily map business logic and exploit downstream systems or trigger resource exhaustion. - [PyPI Fixes High-Severity Access Control Issues Found in Security Audit](https://cyfar.ca/posts/pypi-fixes-high-severity-access-control-issues-found-in-security-audit) (2026-05-13): A recent security audit of PyPI by Trail of Bits uncovered 14 vulnerabilities, including high-severity access control flaws that allowed unauthorized role escalation and persistent stale permissions across project transfers. Additionally, a JWT replay vulnerability in the OIDC trusted publishing flow and an unpatched metadata validation gap highlight ongoing supply chain risks for Python package consumers. - [OpenClaw Skill Distributes Remcos & GhostLoader | ThreatLabz](https://cyfar.ca/posts/openclaw-skill-distributes-remcos-ghostloader-threatlabz) (2026-05-13): Threat actors are exploiting the OpenClaw AI agent framework by publishing a deceptive 'DeepSeek-Claw' skill that distributes malware. The campaign utilizes malicious installation instructions to deploy Remcos RAT on Windows via DLL sideloading and GhostLoader on macOS/Linux via obfuscated Node.js scripts, enabling persistent access and data exfiltration. - [New Phishing Campaign Targets US with Credential Theft: What CISOs Need to Know](https://cyfar.ca/posts/new-phishing-campaign-targets-us-with-credential-theft-what-cisos-need-to-know) (2026-05-13): A large-scale phishing campaign is targeting U.S. organizations across multiple sectors using fake event invitations. The campaign employs a repeatable infrastructure to bypass initial defenses via CAPTCHA, subsequently leading to either credential and OTP interception or the deployment of legitimate Remote Monitoring and Management (RMM) tools for persistent access. - [Intelligence Center](https://cyfar.ca/posts/intelligence-center-21) (2026-05-13): Cisco Talos identified an intrusion campaign utilizing the CloudZ RAT and a novel plugin named Pheno to intercept SMS and OTP messages. The malware abuses the Microsoft Phone Link application's PC-to-phone bridge, allowing attackers to steal sensitive authentication data from local SQLite databases without deploying malware directly to the victim's mobile device. - [Intelligence Center](https://cyfar.ca/posts/intelligence-center-20) (2026-05-13): Cisco Talos identified UAT-8302, a China-nexus APT, targeting global government entities using a diverse toolkit of custom and shared malware. The threat actor leverages DLL side-loading to deploy implants like NetDraft, CloudSorcerer v3, and VSHELL, while utilizing open-source tools for extensive network reconnaissance, credential harvesting, and lateral movement. - [InstallFix and Claude Code: How Fake Install Pages Lead to Real Compromise](https://cyfar.ca/posts/installfix-and-claude-code-how-fake-install-pages-lead-to-real-compromise) (2026-05-13): The InstallFix campaign leverages malvertising to distribute fake Claude AI installation pages, tricking users into executing malicious MSHTA commands. This initiates a multi-stage, fileless infection chain utilizing a ZIP/HTA polyglot, COM object abuse, and AMSI/SSL bypasses to deliver a payload associated with RedLine Stealer. The campaign demonstrates advanced evasion tactics, including the use of victim-unique C2 subdomains derived from machine fingerprints. - [Hacking Embodied AI](https://cyfar.ca/posts/hacking-embodied-ai) (2026-05-13): Recent research highlights severe security flaws in commercially available embodied AI systems, specifically Unitree humanoid and quadruped robots. Vulnerabilities including undocumented backdoors, hard-coded cryptographic keys, and unauthenticated APIs enable remote attackers to hijack devices, exfiltrate sensitive multimodal telemetry, and pivot across physical fleets via wireless interfaces. - [Cyber Centre Daily Advisory Digest — 2026-05-05 (3 advisories)](https://cyfar.ca/posts/cyber-centre-daily-advisory-digest-2026-05-05-3-advisories) (2026-05-13): The Canadian Centre for Cyber Security released a daily digest highlighting May 2026 security rollups for Qualcomm and Android, alongside a specific advisory for Apache HTTP Server versions 2.4.66 and prior. Organizations utilizing these technologies are advised to review the respective vendor bulletins and apply available patches to mitigate potential vulnerabilities. - [C/C++ checklist challenges, solved](https://cyfar.ca/posts/cc-checklist-challenges-solved) (2026-05-13): The article details two C/C++ security vulnerabilities based on code challenges. The first is a Linux command injection flaw caused by the inetntoa function's global buffer reuse and inetaton accepting trailing garbage. The second is a Windows driver Local Privilege Escalation (LPE) vulnerability stemming from missing RTLQUERYREGISTRYTYPECHECK flags during RtlQueryRegistryValues API calls. This omission allows attackers to leverage registry type confusion (e.g., using REGBINARY or REGSZ instead of REGDWORD) to overwrite kernel stack memory via writable keys in trusted system hives. - [A rigged game: ScarCruft compromises gaming platform in a supply-chain attack](https://cyfar.ca/posts/a-rigged-game-scarcruft-compromises-gaming-platform-in-a-supply-chain-attack) (2026-05-13): North Korea-aligned APT ScarCruft executed a multi-platform supply-chain attack compromising the sqgame platform to target ethnic Koreans in China's Yanbian region. The campaign distributed the BirdCall backdoor via trojanized Android applications and malicious Windows updates (which initially dropped RokRAT), enabling extensive espionage capabilities including data exfiltration, audio recording, and screen capture. - [The New Ouroboros Technique and How It Fits in dMSA’s Security Model](https://cyfar.ca/posts/the-new-ouroboros-technique-and-how-it-fits-in-dmsas-security-model) (2026-05-13): Delegated Managed Service Accounts (dMSAs) introduce a Kerberos-based authentication model to replace LDAP password retrieval, enhancing Active Directory security. However, the Ouroboros technique demonstrates that attackers controlling dMSA permissions can exploit the successor logic to inherit the privileges of superseded legacy accounts. This turns the dMSA into a persistence and account takeover primitive, requiring defenders to monitor internal authorization paths rather than just password retrieval events. - [Quasar Linux (QLNX) – A Silent Foothold in the Supply Chain: Inside a Full-Featured Linux RAT With Rootkit, PAM Backdoor, Credential Harvesting Capabilities](https://cyfar.ca/posts/quasar-linux-qlnx-a-silent-foothold-in-the-supply-chain-inside-a-full-featured-linux-rat-with-ro) (2026-05-13): Quasar Linux (QLNX) is an advanced, previously undocumented Linux Remote Access Trojan (RAT) designed to compromise developer workstations and facilitate supply chain attacks. It employs sophisticated evasion techniques, including fileless execution, process name spoofing, and dynamically compiled LD_PRELOAD and eBPF rootkits, alongside a PAM backdoor to harvest critical cloud and repository credentials. - [“Legitimate” phishing: how attackers weaponize Amazon SES to bypass email security](https://cyfar.ca/posts/legitimate-phishing-how-attackers-weaponize-amazon-ses-to-bypass-email-security) (2026-05-13): Attackers are weaponizing Amazon Simple Email Service (SES) using compromised AWS IAM keys to launch highly convincing phishing and Business Email Compromise (BEC) campaigns. Because the emails originate from legitimate Amazon infrastructure, they successfully pass standard authentication protocols like SPF, DKIM, and DMARC, making detection difficult without disrupting legitimate business workflows. - [Cyber Centre Daily Advisory Digest — 2026-05-04 (5 advisories)](https://cyfar.ca/posts/cyber-centre-daily-advisory-digest-2026-05-04-5-advisories) (2026-05-13): The Canadian Centre for Cyber Security released a daily digest of five security advisories covering critical vulnerabilities across IBM, Dell, FreeBSD, Ubuntu, and various ICS products. Notable flaws include a Remote Code Execution vulnerability in FreeBSD via malicious DHCP options (CVE-2026-42511) and a Local Privilege Escalation via execve() (CVE-2026-7270). - [Breaking the code: Multi-stage ‘code of conduct’ phishing campaign leads to AiTM token compromise](https://cyfar.ca/posts/breaking-the-code-multi-stage-code-of-conduct-phishing-campaign-leads-to-aitm-token-compromise) (2026-05-13): A large-scale Adversary-in-the-Middle (AiTM) phishing campaign targeted over 35,000 users using sophisticated 'code of conduct' lures. The attack chain leveraged legitimate email services, PDF attachments, and multiple CAPTCHA gates to evade detection, ultimately proxying Microsoft 365 authentication sessions to steal tokens and bypass standard MFA. - [Tune In: The Future of AI-Powered Vulnerability Discovery](https://cyfar.ca/posts/tune-in-the-future-of-ai-powered-vulnerability-discovery) (2026-05-13): The article discusses the impending 'vuln-pocalypse' driven by AI-accelerated vulnerability discovery and fuzzing. Threat actors, including FANCY BEAR and FAMOUS CHOLLIMA, are increasingly leveraging AI to enhance phishing campaigns and exploit zero-days faster, necessitating a shift toward threat-informed patch prioritization and robust post-exploitation behavioral detection. - [Malicious Ruby Gems and Go Modules Impersonate Developer Tools to Steal Secrets and Poison CI](https://cyfar.ca/posts/malicious-ruby-gems-and-go-modules-impersonate-developer-tools-to-steal-secrets-and-poison-ci) (2026-05-13): A software supply chain campaign attributed to the GitHub account 'BufferZoneCorp' published malicious Ruby gems and Go modules designed to steal developer secrets and compromise CI/CD environments. The packages impersonate legitimate developer tools to execute install-time and runtime payloads that harvest credentials, tamper with GitHub Actions workflows, manipulate Go dependency resolution, and establish SSH persistence. - [The "Success" Illusion: How Cross-Tenant ROPC Can Gaslight Your SOC and Poison Data](https://cyfar.ca/posts/the-success-illusion-how-cross-tenant-ropc-can-gaslight-your-soc-and-poison-data) (2026-05-13): A nuance in the Entra ID Resource Owner Password Credentials (ROPC) protocol allows attackers with compromised credentials to authenticate against a permissive external tenant, generating a 'Sign-in: Success' log in the victim's home tenant. While this cross-tenant authentication does not grant access to the victim's data, it effectively poisons UEBA models and floods the SOC with false positive alerts, creating significant operational disruption and compromising log integrity. - [The Meta 2FA Trap: From Verified Badge to Account Takeover](https://cyfar.ca/posts/the-meta-2fa-trap-from-verified-badge-to-account-takeover) (2026-05-13): A credential phishing campaign identified by the Cofense Phishing Defense Center targets Meta (Facebook/Instagram) account holders, particularly page administrators, by impersonating Meta's verification badge program. The multi-stage attack chain routes victims through a spoofed Gmail sender to a Google Form, then to a Vercel-hosted phishing page that collects PII, passwords, and 2FA tokens in real time — enabling near-instant account takeover before TOTP codes expire. The abuse of legitimate hosting infrastructure (Google Forms, Vercel) allows the campaign to bypass conventional URL-reputation and email security controls. - [That AI Extension Helping You Write Emails? It’s Reading Them First](https://cyfar.ca/posts/that-ai-extension-helping-you-write-emails-its-reading-them-first) (2026-05-13): Unit 42 identified 18 high-risk browser extensions masquerading as GenAI productivity tools that function as remote access Trojans, infostealers, and spyware. These extensions exploit browser permissions to intercept API keys, exfiltrate DOM content, establish persistent WebSocket C2 channels, and dynamically route traffic via malicious proxy configurations. - [Social Engineering Leveled Up. Has Your Security Program?](https://cyfar.ca/posts/social-engineering-leveled-up-has-your-security-program) (2026-05-13): The article highlights the evolution of social engineering tactics, emphasizing how attackers abuse trusted workflows, AI platforms, and legitimate infrastructure like OAuth to bypass traditional security controls. Key threats include device code phishing campaigns like EvilTokens that bypass MFA for persistent access, and AI chatbot lures tricking macOS users into executing AMOS infostealer payloads via malicious terminal commands. - [Proof-of-concept exploit available for Linux 'Copy Fail' vulnerability (CVE-2026-31431)](https://cyfar.ca/posts/proof-of-concept-exploit-available-for-linux-copy-fail-vulnerability-cve-2026-31431) (2026-05-13): CVE-2026-31431, dubbed 'Copy Fail', is a high-severity (CVSS 7.8) local privilege escalation vulnerability in the Linux kernel affecting distributions released since 2017. A reliable public PoC is available, allowing unprivileged local users to achieve root access by corrupting the kernel's in-memory page cache of privileged binaries. Immediate patching is recommended, particularly for multi-tenant and containerized environments. - [Mini Shai-Hulud Spreads to Packagist: Malicious Intercom PHP Package Follows npm Compromise](https://cyfar.ca/posts/mini-shai-hulud-spreads-to-packagist-malicious-intercom-php-package-follows-npm-compromise) (2026-05-13): The Mini Shai-Hulud supply chain attack campaign has expanded into the PHP ecosystem by compromising the widely used intercom/intercom-php package on Packagist. The malicious artifact abuses Composer plugin execution to download the Bun runtime and execute an obfuscated JavaScript payload designed to harvest and exfiltrate sensitive credentials from developer environments and CI/CD pipelines. - [Komari: The “Monitoring” Tool That Didn't Need Weaponising](https://cyfar.ca/posts/komari-the-monitoring-tool-that-didnt-need-weaponising) (2026-05-13): A threat actor utilized compromised VPN credentials to access a partner network, pivoting via a customized Impacket smbexec.py to enable RDP and establish an interactive session. The attacker then installed the open-source monitoring tool Komari directly from GitHub, leveraging its native WebSocket capabilities as a persistent, SYSTEM-level command-and-control (C2) backdoor disguised as the Windows Update Service. - [Intercom’s npm Package Compromised in Ongoing Mini Shai-Hulud Worm Attack](https://cyfar.ca/posts/intercoms-npm-package-compromised-in-ongoing-mini-shai-hulud-worm-attack) (2026-05-13): The official intercom-client npm package (version 7.0.4) was compromised in a supply chain attack attributed to the Mini Shai-Hulud campaign and linked to the TeamPCP threat actor. The malicious package executes during installation via a preinstall hook to harvest cloud, Kubernetes, and Vault credentials from developer and CI/CD environments, exfiltrating them via the GitHub API. - [Defending Against CORDIAL SPIDER and SNARKY SPIDER with Falcon Shield](https://cyfar.ca/posts/defending-against-cordial-spider-and-snarky-spider-with-falcon-shield) (2026-05-13): CORDIAL SPIDER and SNARKY SPIDER are executing rapid, SaaS-centric data theft and extortion campaigns by leveraging vishing and AiTM phishing pages. By capturing session tokens and authentication data, these actors bypass traditional endpoint defenses and pivot directly into SSO-integrated SaaS environments via the organization's Identity Provider (IdP). - [DFIR: From alert to root cause using Osquery without leaving Elastic Security](https://cyfar.ca/posts/dfir-from-alert-to-root-cause-using-osquery-without-leaving-elastic-security) (2026-05-13): The article details how modern Digital Forensics and Incident Response (DFIR) leverages Osquery within Elastic Security to perform distributed, real-time endpoint investigations. By querying artifacts like Prefetch, Shimcache, and Shellbags, analysts can rapidly reconstruct attack timelines, such as tracing a phishing email to the execution of Mimikatz, without requiring full disk images. - [Cyber Centre Daily Advisory Digest — 2026-05-01 (1 advisories)](https://cyfar.ca/posts/cyber-centre-daily-advisory-digest-2026-05-01-1-advisories) (2026-05-13): The Canadian Centre for Cyber Security issued an advisory (AV26-411) regarding unspecified vulnerabilities in Microsoft Edge Stable Channel versions prior to 147.0.3912.98. Administrators are advised to review the Microsoft release notes and apply the necessary updates to mitigate potential exploitation. - [ClickFix Removes Your Background but Leaves the Malware](https://cyfar.ca/posts/clickfix-removes-your-background-but-leaves-the-malware) (2026-05-13): A ClickFix social engineering campaign tricks users into executing a malicious command via a fake CAPTCHA on fraudulent background removal websites. This command uses the legacy finger.exe utility to download CastleLoader, an advanced Python-based loader that employs reflective PE loading and API evasion (such as ReplaceTextW hooking) to deploy NetSupport RAT and a custom .NET stealer (CastleStealer) for credential and data exfiltration. - [CISA Adds One Known Exploited Vulnerability to Catalog](https://cyfar.ca/posts/cisa-adds-one-known-exploited-vulnerability-to-catalog-17) (2026-05-13): CISA has added CVE-2026-31431, an 'Incorrect Resource Transfer Between Spheres' vulnerability affecting the Linux Kernel, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. Organizations are strongly urged to prioritize the timely remediation of this vulnerability to reduce their exposure to cyberattacks. - [lightning PyPI Package Compromised in Supply Chain Attack](https://cyfar.ca/posts/lightning-pypi-package-compromised-in-supply-chain-attack) (2026-05-13): The popular PyPI package 'lightning' was compromised in a supply chain attack affecting versions 2.6.2 and 2.6.3. The malicious package executes an obfuscated JavaScript payload via the Bun runtime to harvest cloud and developer credentials, poison GitHub repositories by impersonating Anthropic's Claude Code, and infect local npm packages. - [TeamPCP-Linked Supply Chain Attack Hits SAP CAP and Cloud MTA npm Packages](https://cyfar.ca/posts/teampcp-linked-supply-chain-attack-hits-sap-cap-and-cloud-mta-npm-packages) (2026-05-13): A suspected TeamPCP-linked supply chain attack compromised multiple SAP CAP and Cloud MTA npm packages by injecting malicious preinstall scripts. The attack leverages a downloaded Bun runtime to execute an obfuscated payload that harvests extensive credentials from developer machines and CI/CD pipelines, exfiltrating data via attacker-controlled GitHub repositories and establishing persistence through VSCode and Claude AI configurations. - [Silver Fox uses the new ABCDoor backdoor to target organizations in Russia and India](https://cyfar.ca/posts/silver-fox-uses-the-new-abcdoor-backdoor-to-target-organizations-in-russia-and-india) (2026-05-13): The Silver Fox threat group is conducting a phishing campaign targeting organizations in Russia and India with tax-themed lures. The attack chain utilizes a modified RustSL loader featuring geofencing and Phantom Persistence to deploy ValleyRAT. ValleyRAT subsequently downloads a novel Python-based backdoor called ABCDoor, which masquerades as a Tailscale VPN client and provides remote control and screen broadcasting capabilities. - [Security Advisory 2026-005](https://cyfar.ca/posts/security-advisory-2026-005) (2026-05-13): CVE-2026-31431, dubbed 'Copy Fail', is a CVSS 7.8 local privilege escalation vulnerability in the Linux kernel's algifaead module affecting kernels built since 2017. By chaining an AFALG socket operation with splice(), an unprivileged local user can overwrite page-cache-backed pages, such as setuid binaries, to obtain root privileges. With a public PoC available and vendor patches pending, immediate mitigation via module disabling or seccomp filtering is critical. - [Risk Scenarios for the US’s Strategic Pivot](https://cyfar.ca/posts/risk-scenarios-for-the-uss-strategic-pivot) (2026-05-13): Recorded Future analyzes the cyber and geopolitical risks associated with the US strategic pivot toward the Western Hemisphere. The shift, characterized by increased military intervention against transnational criminal organizations, presents three potential scenarios that elevate risks of state-sponsored espionage, industrialized cybercrime, and the proliferation of commercial spyware and surveillance infrastructure. - [Malicious npm Package Brand-Squats TanStack to Exfiltrate Environment Variables](https://cyfar.ca/posts/malicious-npm-package-brand-squats-tanstack-to-exfiltrate-environment-variables) (2026-05-13): A supply-chain attack was identified involving the unscoped npm package 'tanstack', which brand-squats the legitimate '@tanstack/*' organization. Versions 2.0.4 through 2.0.7 contain malicious postinstall scripts designed to silently exfiltrate environment variables and markdown files to an attacker-controlled Svix endpoint. - [Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia](https://cyfar.ca/posts/inside-shadow-earth-053-a-china-aligned-cyberespionage-campaign-against-government-and-defense-s) (2026-05-13): SHADOW-EARTH-053 is a China-aligned cyberespionage campaign exploiting legacy N-day vulnerabilities in Microsoft Exchange and IIS servers to target government and defense sectors primarily in Asia. The threat actors utilize GODZILLA web shells for persistence and deploy ShadowPad implants via DLL sideloading, sharing significant operational overlaps with another intrusion set tracked as SHADOW-EARTH-054. - [Exposure Management After Mythos | Project Glasswing | Zscaler](https://cyfar.ca/posts/exposure-management-after-mythos-project-glasswing-zscaler) (2026-05-13): The emergence of frontier AI models like Claude Mythos enables autonomous, machine-speed vulnerability discovery and exploit generation, rendering traditional patch-management cycles obsolete. Security leaders must adopt converged exposure management, automated response playbooks, and Zero Trust architectures to contextualize risk and reduce the reachable attack surface. - [Email threat landscape: Q1 2026 trends and insights](https://cyfar.ca/posts/email-threat-landscape-q1-2026-trends-and-insights) (2026-05-13): In Q1 2026, Microsoft observed 8.3 billion email-based phishing threats, characterized by a 146% surge in QR code phishing and rapid evolution in CAPTCHA-gated payload delivery. Despite disruption efforts against the Tycoon2FA adversary-in-the-middle (AiTM) platform, threat actors quickly adapted their infrastructure, while Business Email Compromise (BEC) remained highly prevalent using conversational social engineering. - [Cyber Centre Daily Advisory Digest — 2026-04-30 (2 advisories)](https://cyfar.ca/posts/cyber-centre-daily-advisory-digest-2026-04-30-2-advisories) (2026-05-13): The Canadian Centre for Cyber Security issued a daily digest highlighting recent security advisories for GitLab and GNU InetUtils. Critical vulnerabilities were addressed in GitLab CE/EE (patched in 18.11.2 and 18.10.5) and GNU InetUtils (patched in version 2.8, fixing two CVEs), requiring immediate patching by administrators. - [CISA Adds One Known Exploited Vulnerability to Catalog](https://cyfar.ca/posts/cisa-adds-one-known-exploited-vulnerability-to-catalog-16) (2026-05-13): CISA has added CVE-2026-41940, a missing authentication vulnerability affecting WebPros cPanel, WHM, and WP2, to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. The flaw allows malicious actors to access critical functions without authentication, posing a significant risk to affected enterprises. - [The Internet Is Falling Down, Falling Down, Falling Down (cPanel & WHM Authentication Bypass CVE-2026-41940)](https://cyfar.ca/posts/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026) (2026-05-13): cPanel and WHM are vulnerable to a critical authentication bypass (CVE-2026-41940) that allows unauthenticated attackers to gain root-level access. The flaw stems from a CRLF injection vulnerability in session file handling, enabling attackers to forge session attributes and bypass password validation mechanisms by manipulating the whostmgrsession cookie and Basic Authentication headers. - ['Mini Shai-Hulud' supply chain attack targets SAP npm packages](https://cyfar.ca/posts/mini-shai-hulud-supply-chain-attack-targets-sap-npm-packages) (2026-05-13): The 'mini Shai-Hulud' campaign is a software supply chain attack involving compromised npm packages associated with SAP's Cloud Application Programming Model (CAP). The malicious packages execute upon installation or runtime to harvest sensitive credentials, encrypt the stolen data, and exfiltrate it via public GitHub repositories. Package maintainers have released patched versions to mitigate the threat. - [Meet Bluekit: The AI-Powered All-in-One Phishing Kit](https://cyfar.ca/posts/meet-bluekit-the-ai-powered-all-in-one-phishing-kit) (2026-05-13): Varonis Threat Labs analyzed Bluekit, a comprehensive Phishing-as-a-Service platform that consolidates domain management, site creation, credential harvesting, and session token theft into a single dashboard. Notably, the kit integrates an AI Assistant powered by uncensored LLMs to draft phishing lures and features advanced post-login session hijacking capabilities, including automated cookie dumping and live target monitoring to bypass standard MFA controls. - [Kuse Web App Abused to Host Phishing Document](https://cyfar.ca/posts/kuse-web-app-abused-to-host-phishing-document) (2026-05-13): Threat actors are leveraging Vendor Email Compromise (VEC) to distribute phishing links hosted on the legitimate AI platform Kuse.ai. By utilizing Markdown (.md) files containing blurred document lures, attackers successfully bypass traditional email filtering to redirect victims to credential harvesting pages masquerading as Microsoft logins. - [Intelligence Center](https://cyfar.ca/posts/intelligence-center-19) (2026-05-13): Generative AI enables defenders to rapidly deploy highly adaptive honeypots that simulate complex environments like Linux shells or IoT devices. By leveraging LLMs to generate plausible responses to attacker inputs, organizations can deceive automated AI-driven attacks, shifting the defensive strategy from passive detection to active manipulation and intelligence gathering. - [Extending Ruzzy with LibAFL](https://cyfar.ca/posts/extending-ruzzy-with-libafl) (2026-05-13): Trail of Bits detailed the technical process of integrating the LibAFL fuzzing engine into Ruzzy, their coverage-guided fuzzer for Ruby. The integration required resolving ELF linker constraints with .preinit_array sections and adjusting shared object loading to satisfy LibAFL's strict coverage map initialization requirements. - [Cyber Centre Daily Advisory Digest — 2026-04-29 (1 advisories)](https://cyfar.ca/posts/cyber-centre-daily-advisory-digest-2026-04-29-1-advisories) (2026-05-13): The Canadian Centre for Cyber Security issued an advisory highlighting unspecified vulnerabilities in Google Chrome for Desktop. Administrators are urged to update Windows, Mac, and Linux clients to the latest stable channel releases to mitigate potential exploitation. - [CI/CD pipeline abuse: the problem no one is watching](https://cyfar.ca/posts/cicd-pipeline-abuse-the-problem-no-one-is-watching) (2026-05-13): Attackers are increasingly targeting CI/CD pipelines to harvest secrets and pivot to production environments using techniques like workflow modification and privileged trigger exploitation. Elastic has released an open-source tool, cicd-abuse-detector, which leverages regex-based signal extraction and LLM analysis to detect suspicious pipeline changes during the pull request phase. - [VECT: Ransomware by design, Wiper by accident](https://cyfar.ca/posts/vect-ransomware-by-design-wiper-by-accident) (2026-05-13): VECT 2.0 is a cross-platform (Windows, Linux, ESXi) Ransomware-as-a-Service that effectively functions as a wiper due to a critical cryptographic implementation flaw. Files larger than 128 KB are encrypted in chunks using raw ChaCha20-IETF, but the malware fails to save the required nonces for the first three chunks, rendering full data recovery impossible even if the ransom is paid. - [The Money Mule Solution: What Every Scam Has in Common](https://cyfar.ca/posts/the-money-mule-solution-what-every-scam-has-in-common) (2026-05-13): The article highlights the critical role of money mule accounts in Authorized Push Payment (APP) fraud and scams, which bypass traditional breach-based detection by manipulating victims into authorizing payments. It advocates for an intelligence-led approach, utilizing agentic personas to proactively identify and verify mule accounts before fraudulent transactions occur, thereby mitigating financial losses and addressing growing regulatory pressures. - [The API Weak Spot: Study Shows AI Is Compounding Security Pressures](https://cyfar.ca/posts/the-api-weak-spot-study-shows-ai-is-compounding-security-pressures) (2026-05-13): A recent Akamai study reveals that API security incidents are escalating, exacerbated by the rapid adoption of AI technologies like LLMs. Organizations are struggling with API visibility and governance, leading to increased susceptibility to BOLA attacks, business logic abuse, and prompt injection, which bypass traditional WAFs and result in significant financial losses. - [Phishing-to-RMM Attacks: The Remote Access Blind Spot CISOs Can’t Ignore](https://cyfar.ca/posts/phishing-to-rmm-attacks-the-remote-access-blind-spot-cisos-cant-ignore) (2026-05-13): Threat actors are increasingly leveraging phishing campaigns to deliver legitimate Remote Monitoring and Management (RMM) tools like ScreenConnect and LogMeIn Rescue, bypassing traditional malware defenses. These attacks often utilize compromised domains, SEO injection, and VBS scripts to weaken endpoint controls (e.g., SmartScreen, Defender) before silently installing the RMM payload, creating significant visibility gaps for SOC teams. - [Lazarus Doesn't Need AGI](https://cyfar.ca/posts/lazarus-doesnt-need-agi) (2026-05-13): North Korean state-sponsored actors, including Lazarus and TraderTraitor, are highly motivated to access advanced AI models to accelerate their labor-intensive cryptocurrency heists. The primary attack vectors are not direct breaches of AI cryptographic perimeters, but rather supply chain compromises, fraudulent hiring of DPRK IT workers, and third-party contractor misuse. - [Intelligence Center](https://cyfar.ca/posts/intelligence-center-18) (2026-05-13): The Cisco Talos Year in Review highlights a shifting threat landscape where attackers leverage AI and rapid exploit development to target identity infrastructure and exposed vulnerabilities. Defenders are urged to prioritize identity protection, remediate internet-facing vulnerabilities, address legacy system risks, secure trust-brokering platforms, and focus on behavioral anomaly detection to identify post-compromise activity. - [Cyber Centre Daily Advisory Digest — 2026-04-28 (4 advisories)](https://cyfar.ca/posts/cyber-centre-daily-advisory-digest-2026-04-28-4-advisories) (2026-05-13): The Canadian Centre for Cyber Security released a daily digest highlighting recent security advisories from SmarterTools, Zyxel, Citrix, and Mozilla. Notably, Zyxel addressed command injection vulnerabilities across various networking devices, while the other vendors released standard security updates for their respective software products. - [CrowdStrike Expands ChatGPT Enterprise Integration with Enhanced Audit Logging and Activity Monitoring](https://cyfar.ca/posts/crowdstrike-expands-chatgpt-enterprise-integration-with-enhanced-audit-logging-and-activity-moni) (2026-05-13): CrowdStrike has expanded its Falcon Shield integration with ChatGPT Enterprise to deliver enhanced audit logging and continuous activity monitoring. This update shifts the focus from basic configuration awareness to operational visibility, enabling security teams to track authentication, administrative changes, Codex events, and AI tool usage to enforce governance and detect threats in SaaS environments. - [CISA Adds Two Known Exploited Vulnerabilities to Catalog](https://cyfar.ca/posts/cisa-adds-two-known-exploited-vulnerabilities-to-catalog-4) (2026-05-13): CISA has added CVE-2024-1708 (ConnectWise ScreenConnect Path Traversal Vulnerability) and CVE-2026-32202 (Microsoft Windows Protection Mechanism Failure Vulnerability) to the Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. Organizations are strongly urged to prioritize patching these systems to mitigate significant risks to their enterprise environments. - [73 Open VSX Sleeper Extensions Linked to GlassWorm Show New Malware Activations](https://cyfar.ca/posts/73-open-vsx-sleeper-extensions-linked-to-glassworm-show-new-malware-activations) (2026-05-13): The GlassWorm threat campaign has escalated its supply chain attacks on the Open VSX marketplace by publishing 73 impersonation 'sleeper' extensions. These extensions initially contain no malicious code to bypass security scans, but are later updated to act as thin loaders that retrieve and execute secondary .vsix payloads from GitHub releases using bundled native binaries or obfuscated JavaScript. - [What Is Multi-Factor Authentication? A Complete Guide to MFA Security](https://cyfar.ca/posts/what-is-multi-factor-authentication-a-complete-guide-to-mfa-security) (2026-05-13): This article provides a comprehensive overview of Multi-Factor Authentication (MFA), detailing its core mechanisms across knowledge, possession, and inherence factors. It highlights the security advantages of hardware keys and authenticator apps over SMS-based methods due to risks like SIM swapping, and outlines strategic implementation practices for organizations to mitigate credential theft and account takeover risks. - [So Fresh, So Clean: Huntress’ Top Cyber Hygiene Tips](https://cyfar.ca/posts/so-fresh-so-clean-huntress-top-cyber-hygiene-tips) (2026-05-13): This article outlines foundational cybersecurity hygiene practices recommended by the Huntress SOC to reduce organizational attack surfaces. Key recommendations include enforcing MFA, securing or disabling exposed RDP, implementing strict access controls, and monitoring for behavioral indicators of compromise such as defense evasion, domain enumeration, and privilege escalation. - [How Unified EDR and ITDR Stop Attacks Before They Spread](https://cyfar.ca/posts/how-unified-edr-and-itdr-stop-attacks-before-they-spread) (2026-05-13): Huntress details the operational benefits of unifying EDR and ITDR to combat infostealers and rapid credential abuse. A highlighted incident demonstrates a ClickFix social engineering attack leveraging WebDAV and rundll32.exe to execute a remote payload, which was mitigated by automatically isolating the host and revoking associated Microsoft 365 identity sessions. - [Cyber Centre Daily Advisory Digest — 2026-04-27 (9 advisories)](https://cyfar.ca/posts/cyber-centre-daily-advisory-digest-2026-04-27-9-advisories) (2026-05-13): The Canadian Centre for Cyber Security released a daily digest of nine security advisories covering critical vulnerabilities across enterprise software, Linux kernels, and industrial control systems (ICS). Organizations are urged to apply patches for affected products from vendors including IBM, Dell, Ubuntu, Red Hat, Moxa, VMware, Notepad++, and Microsoft to prevent potential exploitation. - [BlueNoroff Uses ClickFix, Fileless PowerShell, and AI-Generated Fake Zoom Meetings to Target Web3 Sector](https://cyfar.ca/posts/bluenoroff-uses-clickfix-fileless-powershell-and-ai-generated-fake-zoom-meetings-to-target-web3-) (2026-05-13): Arctic Wolf Labs identified a highly targeted campaign by the DPRK-nexus threat actor BlueNoroff against the Web3 sector. The attackers utilize sophisticated social engineering, including AI-generated deepfakes and stolen webcam footage, to lure victims into fake Zoom or Teams meetings. Once engaged, a ClickFix clipboard injection attack deploys a fileless PowerShell C2 implant, leading to the theft of cryptocurrency wallets, browser credentials, and Telegram sessions. - [Tools Change. Habits Don’t. We Saw It Up Close.](https://cyfar.ca/posts/tools-change-habits-dont-we-saw-it-up-close) (2026-05-13): A Huntress engineer encountered a malvertising campaign via a Google sponsored search result for 'Claude Code'. The malicious link delivered a multi-stage macOS malware utilizing base64 encoding, gzip compression, and obfuscated AppleScript to bypass Gatekeeper and attempt extraction of Claude Code credentials from the macOS keychain. - [Monitoring Claude Code/Cowork at scale with OTel in Elastic](https://cyfar.ca/posts/monitoring-claude-codecowork-at-scale-with-otel-in-elastic) (2026-05-13): Elastic's InfoSec team details a scalable architecture for monitoring AI coding assistants, specifically Claude Code and Cowork, using OpenTelemetry and Elasticsearch. The solution provides security teams with critical visibility into AI agent activities, including shell command execution, file access, and internal API interactions, enabling advanced threat detection, incident response, and EDR correlation. - [Introducing Reachability for PHP](https://cyfar.ca/posts/introducing-reachability-for-php) (2026-05-13): Socket.dev has launched an experimental PHP reachability analysis tool designed to reduce vulnerability alert fatigue. By performing deep static analysis of function-level call graphs, including complex PHP dispatch patterns, the tool determines whether known CVEs in dependencies are actually executable within an application's context. - [Token Bingo: Don’t Let Your Code be the Winner](https://cyfar.ca/posts/token-bingo-dont-let-your-code-be-the-winner) (2026-05-13): A widespread phishing campaign is leveraging the Kali365 Live Phishing-as-a-Service (PhaaS) platform to execute device code phishing and AiTM attacks. By tricking users into authorizing legitimate Microsoft device login requests, threat actors steal OAuth access and refresh tokens, bypassing traditional credential-based defenses and MFA to gain persistent access to Microsoft 365 environments. - [The Industrialization of Exploitation: Why Defensive AI Must Outpace Offensive AI](https://cyfar.ca/posts/the-industrialization-of-exploitation-why-defensive-ai-must-outpace-offensive-ai) (2026-05-13): The cybersecurity landscape is experiencing a shift towards industrialized exploitation driven by offensive AI and LLMs. These technologies act as orchestrators that rapidly discover vulnerabilities and generate exploits, necessitating defensive AI and behavioral analytics to counter machine-scale attacks. - [Supply chain attacks hit Checkmarx and Bitwarden developer tools](https://cyfar.ca/posts/supply-chain-attacks-hit-checkmarx-and-bitwarden-developer-tools) (2026-05-13): A coordinated supply chain attack compromised official distribution channels for Checkmarx KICS and the Bitwarden CLI, pushing malicious updates designed to harvest developer credentials, cloud keys, and AI assistant configurations. The payloads exfiltrated data to a shared C2 domain and exhibited advanced techniques, including weaponizing stolen GitHub tokens to inject malicious workflows and using victim repositories as dead drops. - [PhantomRPC: A new privilege escalation technique in Windows RPC](https://cyfar.ca/posts/phantomrpc-a-new-privilege-escalation-technique-in-windows-rpc) (2026-05-13): A novel, unpatched local privilege escalation technique dubbed PhantomRPC exploits an architectural weakness in Windows RPC. By deploying a malicious RPC server that mimics unavailable legitimate services, an attacker with SeImpersonatePrivilege can intercept high-privileged RPC calls and elevate to SYSTEM or Administrator. - [Introducing Data Exports](https://cyfar.ca/posts/introducing-data-exports) (2026-05-13): Socket has introduced a new Data Exports feature for its Enterprise customers, enabling the automated daily export of security alert data to customer-owned AWS S3, Google Cloud Storage, or Azure Blob Storage buckets. This integration supports multiple formats (JSON, CSV, Parquet) and modes (Full Snapshot, Incremental) to streamline ingestion into existing SIEM platforms and internal analytics workflows. - [Inside agenteV2: How Brazilian Attackers Use Fake Court Summons to Steal Banking Credentials in Real Time](https://cyfar.ca/posts/inside-agentev2-how-brazilian-attackers-use-fake-court-summons-to-steal-banking-credentials-in-r) (2026-05-13): A new phishing campaign targets Brazilian users with fake judicial summons to deliver agenteV2, a Nuitka-compiled interactive banking trojan. The malware establishes a persistent WebSocket backdoor for live screen streaming and remote shell access, enabling attackers to conduct real-time, operator-assisted financial fraud. - [From Overwhelmed to Autonomous: Rethinking Threat Intelligence in 2026](https://cyfar.ca/posts/from-overwhelmed-to-autonomous-rethinking-threat-intelligence-in-2026) (2026-05-13): The article advocates for a paradigm shift in cybersecurity from manual, reactive threat intelligence to autonomous, machine-speed defense. It emphasizes the need for unified visibility across cyber operations, digital risk, third-party risk, and payment fraud to effectively counter modern, automated threats. - [CISA Adds Four Known Exploited Vulnerabilities to Catalog](https://cyfar.ca/posts/cisa-adds-four-known-exploited-vulnerabilities-to-catalog) (2026-05-13): CISA has updated its Known Exploited Vulnerabilities (KEV) Catalog with four new actively exploited vulnerabilities affecting Samsung MagicINFO 9 Server, SimpleHelp, and D-Link DIR-823X devices. Organizations are strongly urged to prioritize patching these flaws, which include path traversal and command injection vectors, to reduce their exposure to cyberattacks. - [Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign](https://cyfar.ca/posts/bitwarden-cli-compromised-in-ongoing-checkmarx-supply-chain-campaign) (2026-05-13): The Bitwarden CLI npm package was compromised in a supply chain attack linked to the ongoing Checkmarx campaign. The malicious payload, injected via GitHub Actions, harvests extensive cloud and developer credentials, exfiltrating them through unauthorized GitHub repositories and a dedicated C2 server while employing a Russian locale kill switch and shell profile persistence. - [A Shortcut to Coercion: Incomplete Patch of APT28's Zero-Day Leads to CVE-2026-32202](https://cyfar.ca/posts/a-shortcut-to-coercion-incomplete-patch-of-apt28s-zero-day-leads-to-cve-2026-32202) (2026-05-13): Akamai researchers discovered that Microsoft's patch for an APT28 zero-day (CVE-2026-21510) was incomplete, resulting in a new zero-click authentication coercion vulnerability (CVE-2026-32202). While the patch successfully mitigated remote code execution by adding SmartScreen verification, it failed to prevent Windows Explorer from initiating an SMB connection to resolve UNC paths during icon extraction, allowing attackers to steal Net-NTLMv2 hashes without user interaction. - [fast16 | Mystery ShadowBrokers Reference Reveals High-Precision Software Sabotage 5 Years Before Stuxnet](https://cyfar.ca/posts/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-s) (2026-05-13): SentinelLABS discovered fast16, a sophisticated 2005 cyber sabotage framework that uses a Lua-based carrier and a kernel driver to selectively patch high-precision calculation software in memory. The malware subtly corrupts floating-point arithmetic in engineering and simulation tools, representing an early, state-level capability for physical-world sabotage. - [Trailmark turns code into graphs](https://cyfar.ca/posts/trailmark-turns-code-into-graphs) (2026-05-13): Trail of Bits has released Trailmark, an open-source library that converts source code into queryable call graphs to enhance AI-assisted security analysis. By integrating with Claude Code, Trailmark enables advanced mutation testing triage, blast radius analysis, and the identification of architectural bottlenecks in cryptographic libraries. - [Today, trust is the superpower that makes innovation possible](https://cyfar.ca/posts/today-trust-is-the-superpower-that-makes-innovation-possible) (2026-05-13): This thought leadership article emphasizes the critical role of digital trust and proactive threat intelligence in fostering economic growth. It highlights the partnership between Recorded Future and Mastercard and underscores the need for enhanced public-private collaboration to address rising cyber threats, particularly noting the surge of ransomware incidents in Latin America. - [Snow Flurries: How UNC6692 Employed Social Engineering to Deploy a Custom Malware Suite](https://cyfar.ca/posts/snow-flurries-how-unc6692-employed-social-engineering-to-deploy-a-custom-malware-suite) (2026-05-13): Google Threat Intelligence Group identified UNC6692, a threat actor utilizing Microsoft Teams phishing and email bombing to deploy a custom modular malware suite. The attack chain leverages a malicious Chromium extension (SNOWBELT), a Python tunneler (SNOWGLAZE), and a Python bindshell (SNOWBASIN) to establish persistence, move laterally, and exfiltrate sensitive Active Directory data via legitimate cloud services. - [NCSC: Leave passwords in the past - passkeys are the future](https://cyfar.ca/posts/ncsc-leave-passwords-in-the-past-passkeys-are-the-future) (2026-05-13): The UK's National Cyber Security Centre (NCSC) has updated its official guidance to recommend passkeys as the default authentication method for consumers and businesses, replacing traditional passwords. Passkeys provide superior resilience against modern cyber threats, particularly phishing and credential theft, while offering a faster, more user-friendly login experience. - [Malicious Checkmarx Artifacts Found in Official KICS Docker Repository and Code Extensions](https://cyfar.ca/posts/malicious-checkmarx-artifacts-found-in-official-kics-docker-repository-and-code-extensions) (2026-05-13): A sophisticated supply chain attack compromised official Checkmarx KICS Docker images and VS Code extensions, injecting malware designed to harvest and exfiltrate cloud, developer, and CI/CD credentials. The threat actor, believed to be TeamPCP, utilized the Bun runtime to execute the payload, subsequently abusing stolen GitHub and NPM tokens to propagate the infection through malicious GitHub Actions workflows and poisoned NPM packages. - [Introducing Organization Notifications in Socket](https://cyfar.ca/posts/introducing-organization-notifications-in-socket) (2026-05-13): Socket has introduced Organization Notifications, a new feature allowing security teams to subscribe to, filter, and receive batched email updates for organization-level security alerts. This capability aims to streamline vulnerability management and reduce alert fatigue by grouping updates and sending them at most every 20 minutes, with Slack and Microsoft Teams integrations planned for the future. - [International cyber agencies share fresh advice to defend against China-linked covert networks](https://cyfar.ca/posts/international-cyber-agencies-share-fresh-advice-to-defend-against-china-linked-covert-networks) (2026-05-13): An international coalition of cyber agencies has issued a joint advisory warning that China-linked threat actors are leveraging covert networks of compromised edge devices to disguise their attacks. The advisory highlights the growing problem of 'IOC extinction' and urges organizations to shift towards dynamic threat filtering and behavioral baselining of edge device traffic to maintain effective defense. - [Intelligence Center](https://cyfar.ca/posts/intelligence-center-17) (2026-05-13): Cisco Talos' Q1 2026 incident response trends highlight a resurgence in phishing as the primary initial access vector, augmented by AI tools like Softr for rapid credential harvesting. Threat actors are increasingly abusing legitimate tools such as TruffleHog to discover exposed secrets, while specific campaigns like UAT-4356 have been observed exploiting n-day vulnerabilities to deploy custom backdoors on network devices. - [Hold the Phone! International Revenue Share Fraud Driven by Fake CAPTCHAs](https://cyfar.ca/posts/hold-the-phone-international-revenue-share-fraud-driven-by-fake-captchas) (2026-05-13): Threat actors are utilizing Traffic Distribution Systems (TDS) to direct mobile users to fake CAPTCHA pages that trick them into sending premium international SMS messages. This International Revenue Share Fraud (IRSF) scheme leverages social engineering and back button hijacking to generate multiple SMS messages per victim, resulting in significant financial charges. - [GopherWhisper: A burrow full of malware](https://cyfar.ca/posts/gopherwhisper-a-burrow-full-of-malware) (2026-05-13): ESET researchers uncovered GopherWhisper, a previously undocumented China-aligned APT group targeting a Mongolian governmental entity. The group utilizes a diverse arsenal of custom, primarily Go-based malware that leverages legitimate services like Slack, Discord, and Microsoft Outlook for command and control, blending malicious traffic with normal enterprise communications. - [FIRESTARTER Backdoor](https://cyfar.ca/posts/firestarter-backdoor) (2026-05-13): CISA and NCSC identified FIRESTARTER, a persistent Linux ELF backdoor deployed by APT actors on Cisco Firepower and Secure Firewall devices. The malware hooks into the LINA engine, survives firmware updates and soft reboots, and facilitates the deployment of secondary payloads like LINE VIPER to establish unauthorized VPN sessions. - [Executive Summary: Defending against China-nexus covert networks of compromised devices](https://cyfar.ca/posts/executive-summary-defending-against-china-nexus-covert-networks-of-compromised-devices) (2026-05-13): China-nexus threat actors are increasingly leveraging compromised SOHO and edge devices to form dynamic covert networks. These botnets facilitate various stages of cyber attacks while rendering traditional static indicators of compromise obsolete, necessitating adaptive defense strategies like traffic baselining and zero trust architecture. - [Defending against China-nexus covert networks of compromised devices](https://cyfar.ca/posts/defending-against-china-nexus-covert-networks-of-compromised-devices-2) (2026-05-13): China-nexus cyber actors have strategically shifted to utilizing large-scale covert networks of compromised SOHO and IoT devices to obfuscate their operations. These dynamic botnets, such as Raptor Train and KV Botnet, facilitate deniable access and complicate traditional static IOC-based defense, requiring organizations to adopt behavioral baselining and dynamic threat intelligence. - [Defending Against China-Nexus Covert Networks of Compromised Devices](https://cyfar.ca/posts/defending-against-china-nexus-covert-networks-of-compromised-devices) (2026-05-13): China-nexus threat actors are increasingly utilizing large-scale covert networks of compromised SOHO routers and IoT devices to obfuscate their operations and route malicious traffic. This strategic shift renders traditional static IOC blocklists ineffective, requiring defenders to adopt behavioral profiling, zero trust principles, and active network hunting to detect multi-hop proxy traffic. - [Cyber Centre Daily Advisory Digest — 2026-04-23 (2 advisories)](https://cyfar.ca/posts/cyber-centre-daily-advisory-digest-2026-04-23-2-advisories) (2026-05-13): The Canadian Centre for Cyber Security published a daily digest highlighting recent security advisories for Google Chrome and GitHub Enterprise Server. Organizations are advised to patch these products to their latest versions to mitigate undisclosed vulnerabilities. - [Critical Minerals and Cyber Operations](https://cyfar.ca/posts/critical-minerals-and-cyber-operations) (2026-05-13): The geopolitical competition for critical minerals and rare earth elements is driving an increase in cyber operations targeting the mining sector. State-sponsored actors, particularly from China, alongside financially motivated ransomware groups, are conducting espionage, extortion, and disruptive attacks to gain strategic advantages in global supply chains. - [Can AI Attack the Cloud? Lessons From Building an Autonomous Cloud Offensive Multi-Agent System](https://cyfar.ca/posts/can-ai-attack-the-cloud-lessons-from-building-an-autonomous-cloud-offensive-multi-agent-system) (2026-05-13): Unit 42 developed a multi-agent AI proof-of-concept named Zealot to empirically test autonomous offensive capabilities in cloud environments. The PoC successfully demonstrated that AI can autonomously chain reconnaissance, SSRF exploitation, IAM privilege escalation, and data exfiltration at machine speed against a misconfigured GCP environment. - [CISA Adds One Known Exploited Vulnerability to Catalog](https://cyfar.ca/posts/cisa-adds-one-known-exploited-vulnerability-to-catalog-15) (2026-05-13): CISA has added CVE-2026-39987, a Remote Code Execution (RCE) vulnerability in Marimo, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. Organizations are strongly urged to prioritize timely remediation to reduce their exposure to cyberattacks. - [World-first NCSC-engineered device secures vulnerable display links](https://cyfar.ca/posts/world-first-ncsc-engineered-device-secures-vulnerable-display-links) (2026-05-13): The UK's National Cyber Security Centre (NCSC) has developed SilentGlass, a commercially available plug-and-play hardware device designed to secure HDMI and DisplayPort connections against malicious exploitation. Manufactured by Goldilock Labs, the device treats physical display interfaces as security boundaries to prevent unauthorized network access and espionage. - [When Wi-Fi Encryption Fails: Protecting Your Enterprise from AirSnitch Attacks](https://cyfar.ca/posts/when-wi-fi-encryption-fails-protecting-your-enterprise-from-airsnitch-attacks) (2026-05-13): Researchers have disclosed AirSnitch, a novel set of attack techniques that bypass WPA2 and WPA3-Enterprise Wi-Fi encryption and client isolation. By exploiting vulnerabilities in protocol-infrastructure interactions such as MAC address tables and routing layers, attackers can achieve Meddler-in-the-Middle (MitM) capabilities to intercept and inject traffic across enterprise networks. - [Weaponizing Apathy: How Threat Actors Exploit Vulnerabilities and Legitimate Software](https://cyfar.ca/posts/weaponizing-apathy-how-threat-actors-exploit-vulnerabilities-and-legitimate-software) (2026-05-13): Threat actors are increasingly weaponizing legitimate software and known vulnerabilities to bypass endpoint detection and response (EDR) systems. Between December 2021 and December 2024, the abuse of legitimate Remote Access Tools (RATs) like NetSupport Manager and ConnectWise has surged, often delivered via phishing emails exploiting older Microsoft Office vulnerabilities to establish persistent, stealthy access. - [Tropic Trooper: AdaptixC2 + Custom Beacon | ThreatLabz](https://cyfar.ca/posts/tropic-trooper-adaptixc2-custom-beacon-threatlabz) (2026-05-13): Tropic Trooper is conducting a cyber espionage campaign targeting Chinese-speaking individuals in Asia using military-themed lures. The threat actors employ a trojanized SumatraPDF reader (TOSHIS loader) to deploy a custom AdaptixC2 Beacon that uses GitHub for command-and-control, ultimately establishing persistent remote access via VS Code tunnels. - [Namastex.ai npm Packages Hit with TeamPCP-Style CanisterWorm Malware](https://cyfar.ca/posts/namastexai-npm-packages-hit-with-teampcp-style-canisterworm-malware) (2026-05-13): A supply chain attack targeting npm packages associated with Namastex.ai has been discovered, utilizing CanisterWorm-style malware. The malicious packages execute upon installation to harvest developer credentials, cloud secrets, and cryptocurrency wallets, exfiltrating data to an ICP canister and webhooks while attempting to self-propagate across the npm and PyPI ecosystems. - [LABScon25 Replay | Are Your Chinese Cameras Spying For You Or On You?](https://cyfar.ca/posts/labscon25-replay-are-your-chinese-cameras-spying-for-you-or-on-you) (2026-05-13): Security researchers analyzed ultra-cheap Chinese smart home devices, revealing a shadow supply chain utilizing shared hardware with hardcoded root passwords and superficial security fixes. These devices route metadata and video content through servers in China and are shielded from regulatory oversight by shell companies, creating a massive, vulnerable IoT attack surface. - [Introducing Reports: An Extensible Reporting Framework for Socket Data](https://cyfar.ca/posts/introducing-reports-an-extensible-reporting-framework-for-socket-data) (2026-05-13): Socket has launched a new extensible reporting framework within its dashboard to provide chart-based views of vulnerabilities, dependencies, and usage. The feature aims to streamline security reporting by offering exportable visualizations aligned with standard frameworks like OWASP and CWE, improving operational visibility and risk communication. - [Intelligence Center](https://cyfar.ca/posts/intelligence-center-16) (2026-05-13): Talos IR's Q1 2026 trends report highlights the resurgence of phishing as the primary initial access vector, heavily targeting public administration and healthcare. The quarter saw novel abuses of AI tools like Softr for credential harvesting, the emergence of the Crimson Collective extortion group leveraging valid accounts and TruffleHog, and Rhysida ransomware deploying the MeowBackConn backdoor. - [Evolution of Chinese-Language Guarantee Telegram Marketplaces](https://cyfar.ca/posts/evolution-of-chinese-language-guarantee-telegram-marketplaces) (2026-05-13): Dabai Guarantee is a decentralized, Telegram-based marketplace utilized by Chinese-speaking cybercriminal syndicates to coordinate global fraud, ghost-tapping, and money laundering operations. The platform acts as an escrow service using USDT, enabling siloed teams to execute retail and financial fraud across various countries while minimizing trust issues among criminals and reducing law enforcement visibility. ## Machine-Readable Feeds - [Sitemap](https://cyfar.ca/sitemap.xml) - [IOC Index](https://cyfar.ca/iocs)