
25th May – Threat Intelligence Report

This threat intelligence report highlights multiple high-profile breaches, including 7-Eleven and GitHub, alongside the active exploitation of vulnerabilities in Windows Defender, Trend Micro, and Drupal. It also details emerging threats such as the Kali365 phishing kit, AI-driven prompt injection attacks, the Nimbus Manticore IRGC-linked campaign deploying the MiniFast backdoor, and a supply chain attack on Laravel Lang packages.

Sensitivity: Immediate | Confidence: high | Analyzed: 2026-05-25

Authors: urias

Actors: ShinyHunters, Kali365, Nimbus Manticore, Operation Epic Fury, MiniFast, Akira, Qilin, Safepay, Showboat, Phorpiex, Eagle Werewolf, RondoDox

Source: Check Point

Detection / Hunter

What Happened

Several major organizations, including 7-Eleven, GitHub, and Grafana Labs, recently suffered data breaches. Cybercriminals are actively exploiting vulnerabilities in widely deployed software such as Windows Defender, Trend Micro Apex One, and Drupal, and are using new tooling such as the Kali365 phishing kit to get past MFA through device-code phishing. These attacks can lead to stolen personal data, compromised corporate networks, and unauthorized access to sensitive systems. Organizations should apply the latest security patches now, monitor for suspicious activity, and make sure phishing-resistant multi-factor authentication is in place.

Key Takeaways

  • ShinyHunters claimed responsibility for a breach at 7-Eleven, stealing over 600,000 Salesforce records.
  • The Kali365 phishing-as-a-service kit is actively targeting Microsoft 365 users to bypass MFA via device-code phishing.
  • Multiple actively exploited vulnerabilities were patched, including flaws in Windows Defender, Trend Micro Apex One, and Drupal.
  • The IRGC-linked Nimbus Manticore deployed a new MiniFast backdoor via SEO poisoning and career-themed phishing.
  • A supply chain attack compromised Laravel Lang localization packages via Composer to deploy a cross-platform credential stealer.

Affected Systems

  • Microsoft 365
  • Windows Defender
  • Trend Micro Apex One
  • Drupal (PostgreSQL)
  • Linux
  • Laravel Lang (Composer)
  • GitHub
  • Grafana Labs
  • 7-Eleven Salesforce

Vulnerabilities (CVEs)

  • CVE-2026-41091
  • CVE-2026-45498
  • CVE-2026-34926
  • CVE-2026-9082

Attack Chain

Threat actors are using a variety of initial access vectors, including weaponized VS Code extensions, compromised GitHub tokens, SEO poisoning, and device-code phishing with the Kali365 kit to bypass MFA. Once access is gained, they deploy the MiniFast backdoor for persistence. Post-exploitation activity involves credential theft, data exfiltration, and the use of modular frameworks like Showboat to hide processes and establish SOCKS5 proxies.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: Check Point IPS, Check Point Threat Emulation, Harmony Endpoint

Check Point provides protection against the Drupal SQL injection (CVE-2026-9082) via IPS, and against the Nimbus Manticore campaigns via Threat Emulation and Harmony Endpoint.

Detection Engineering Assessment

  • EDR Visibility: Medium. EDR can detect post-exploitation activity such as Showboat's process hiding or MiniFast backdoor execution, but may miss cloud-based token theft or supply chain package poisoning.
  • Network Visibility: Medium. Network monitoring can identify SOCKS5 proxy traffic or SQL injection attempts, but encrypted Telegram C2 and OAuth token abuse are difficult to inspect.
  • Detection Difficulty: Moderate. The diversity of attacks, from cloud token theft to Linux rootkits and supply chain compromises, requires a mature, multi-layered detection strategy.

Required Log Sources

  • Cloud Audit Logs (Microsoft 365, GitHub)
  • Web Application Firewall (WAF) logs
  • Endpoint process execution logs
  • Network traffic logs

Hunting Hypotheses

Hypothesis 1: Hunt for unusual device-code authentication flows in Microsoft 365 sign-in logs, which may indicate Kali365 phishing activity.
  • Telemetry: Azure AD / Entra ID sign-in logs
  • ATT&CK stage: Credential Access
  • FP risk: Low to Medium (legitimate device-code flows exist but are typically rare for standard user accounts)

Hypothesis 2: Evaluate whether unexpected modifications to Composer packages, or unusual outbound connections from development environments, indicate a supply chain compromise.
  • Telemetry: Process execution logs, network flow logs
  • ATT&CK stage: Execution / Credential Access
  • FP risk: Medium (developers frequently download new packages, so a baseline comparison is required)
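The device-code hypothesis above can be run over an exported sign-in log without a SIEM. The script below is an added example for this report, not part of it or of Check Point's tooling. It assumes a newline-delimited JSON export using the Entra ID sign-in log field names (userPrincipalName, appDisplayName, ipAddress, createdDateTime, authenticationProtocol, status.errorCode) and the value "deviceCode" for the protocol field; the records, account names and IPs are constructed for illustration. It keeps false positives down the way the table suggests: accounts that legitimately use the flow are allowlisted, and a successful device-code sign-in by a user with no device-code history is ranked above everything else.

```python
"""Hunt for device-code sign-ins in an Entra ID (Azure AD) sign-in log export.

Added example; not from the report or Check Point. Field names follow the
Entra ID sign-in log schema and "deviceCode" as the protocol value is an
assumption for illustration, as are all records below.
"""
import json

# Constructed sample export (not real telemetry): two ordinary interactive
# sign-ins, three device-code sign-ins by ordinary users, and one
# device-code sign-in by a headless kiosk account that is allowlisted later.
SAMPLE_SIGNINS = """
{"createdDateTime":"2026-05-24T08:01:12Z","userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Teams","ipAddress":"203.0.113.10","authenticationProtocol":"authorizationCodeFlow","status":{"errorCode":0}}
{"createdDateTime":"2026-05-24T08:03:40Z","userPrincipalName":"bob@example.com","appDisplayName":"Outlook","ipAddress":"203.0.113.11","authenticationProtocol":"authorizationCodeFlow","status":{"errorCode":0}}
{"createdDateTime":"2026-05-24T09:17:05Z","userPrincipalName":"carol@example.com","appDisplayName":"Microsoft Office","ipAddress":"198.51.100.7","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2026-05-24T09:22:51Z","userPrincipalName":"dave@example.com","appDisplayName":"Microsoft Authentication Broker","ipAddress":"198.51.100.7","authenticationProtocol":"deviceCode","status":{"errorCode":50126}}
{"createdDateTime":"2026-05-24T10:00:00Z","userPrincipalName":"kiosk-svc@example.com","appDisplayName":"Kiosk Player","ipAddress":"203.0.113.50","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2026-05-24T10:41:19Z","userPrincipalName":"erin@example.com","appDisplayName":"Azure CLI","ipAddress":"203.0.113.12","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
"""

def parse_signins(text):
    """Parse a newline-delimited JSON export, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_device_code_signins(records, allowlist=frozenset()):
    """Return every device-code sign-in whose account is not allowlisted.

    allowlist holds lower-cased UPNs that legitimately use the device-code
    flow (headless kiosks, build agents).
    """
    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        user = rec.get("userPrincipalName", "").lower()
        if user in allowlist:
            continue
        findings.append({
            "time": rec.get("createdDateTime"),
            "user": user,
            "app": rec.get("appDisplayName"),
            "ip": rec.get("ipAddress"),
            # errorCode 0 means the sign-in completed and a token was issued
            "succeeded": rec.get("status", {}).get("errorCode") == 0,
        })
    return findings

def triage(findings, baseline_users=frozenset()):
    """Split findings into 'high' and 'review' buckets.

    A successful device-code sign-in by a user with no device-code history
    (not in baseline_users) is the case to chase first: in a device-code
    phishing scenario the victim has just approved a code the attacker
    requested. Failed attempts and known device-code users go to 'review'.
    """
    buckets = {"high": [], "review": []}
    for f in findings:
        level = "high" if f["succeeded"] and f["user"] not in baseline_users else "review"
        buckets[level].append(f)
    return buckets

def cluster_by_ip(findings):
    """Group device-code sign-ins by source IP: several users approving
    codes from one address is a useful second signal."""
    clusters = {}
    for f in findings:
        clusters.setdefault(f["ip"], []).append(f["user"])
    return clusters

if __name__ == "__main__":
    recs = parse_signins(SAMPLE_SIGNINS)
    found = find_device_code_signins(recs, allowlist={"kiosk-svc@example.com"})
    buckets = triage(found, baseline_users={"erin@example.com"})
    for level in ("high", "review"):
        for f in buckets[level]:
            print(f"[{level}] {f['time']} {f['user']} via {f['app']} "
                  f"from {f['ip']} success={f['succeeded']}")
    print("by source IP:", cluster_by_ip(found))
```

The baseline set would normally be built from a trailing window of the same logs (users seen using device-code sign-in before the hunt period), and the allowlist from asset inventory rather than guesswork; both are passed in here so the logic stays testable offline.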

Control Gaps

  • Lack of strict OAuth application consent policies
  • Insufficient monitoring of third-party developer dependencies (Composer)

Key Behavioral Indicators

  • Unusual OAuth token generation
  • Invisible text or zero-size fonts in emails
  • SOCKS5 proxy traffic from telecom infrastructure

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Consider applying patches for CVE-2026-41091, CVE-2026-45498, CVE-2026-34926, and CVE-2026-9082 immediately.
  • Evaluate whether to revoke and rotate potentially compromised GitHub tokens and OAuth access tokens.

Infrastructure Hardening

  • If applicable, consider restricting device-code authentication in Microsoft 365 to prevent Kali365 abuse.
  • Evaluate whether to implement strict dependency pinning and integrity checks for Composer and other package managers.
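For the Composer hunting hypothesis and the dependency pinning recommendation above, the practical control is a review gate on composer.lock: diff the candidate lock file against the last reviewed one before anything is installed or committed. The script below is an added example; it is not part of the report or of any Laravel Lang project. It assumes the standard composer.lock layout (a "packages" and optional "packages-dev" list whose entries carry "name", "version" and a "dist" object with "url" and "reference"). Package names, versions, commit references and URLs are constructed placeholders, and the allowlist of archive hosts is an assumption to adjust for private mirrors.

```python
"""Diff a candidate composer.lock against a reviewed baseline.

Added example; not from the report or any Laravel Lang project. Lock file
contents below are constructed placeholders, not real Packagist packages.
"""
import json
from urllib.parse import urlparse

# Constructed baseline: what the last reviewed build installed.
BASELINE_LOCK = json.dumps({
    "packages": [
        {"name": "example/localization", "version": "v1.4.0",
         "dist": {"type": "zip", "reference": "a1b2c3d4e5f60718293a4b5c6d7e8f9012345678",
                  "url": "https://api.github.com/repos/example/localization/zipball/a1b2c3d4e5f60718293a4b5c6d7e8f9012345678"}},
        {"name": "example/http-client", "version": "v2.0.1",
         "dist": {"type": "zip", "reference": "d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3",
                  "url": "https://api.github.com/repos/example/http-client/zipball/d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3"}},
    ],
    "packages-dev": [
        {"name": "example/logger", "version": "v3.1.0",
         "dist": {"type": "zip", "reference": "0a0b0c0d0e0f1a1b1c1d1e1f2a2b2c2d2e2f3a3b",
                  "url": "https://api.github.com/repos/example/logger/zipball/0a0b0c0d0e0f1a1b1c1d1e1f2a2b2c2d2e2f3a3b"}},
    ],
})

# Constructed candidate: the result of `composer update` a developer wants to commit.
CANDIDATE_LOCK = json.dumps({
    "packages": [
        # same version tag, different commit: the tag was re-pointed upstream
        {"name": "example/localization", "version": "v1.4.0",
         "dist": {"type": "zip", "reference": "ffff9999eeee8888dddd7777cccc6666bbbb5555",
                  "url": "https://api.github.com/repos/example/localization/zipball/ffff9999eeee8888dddd7777cccc6666bbbb5555"}},
        # ordinary patch bump
        {"name": "example/http-client", "version": "v2.0.2",
         "dist": {"type": "zip", "reference": "e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4",
                  "url": "https://api.github.com/repos/example/http-client/zipball/e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4"}},
        # brand-new transitive dependency served from a host outside the allowlist
        {"name": "example/telemetry-helper", "version": "0.1.0",
         "dist": {"type": "zip", "reference": None,
                  "url": "https://cdn.example.net/telemetry-helper-0.1.0.zip"}},
    ],
    "packages-dev": [
        {"name": "example/logger", "version": "v3.1.0",
         "dist": {"type": "zip", "reference": "0a0b0c0d0e0f1a1b1c1d1e1f2a2b2c2d2e2f3a3b",
                  "url": "https://api.github.com/repos/example/logger/zipball/0a0b0c0d0e0f1a1b1c1d1e1f2a2b2c2d2e2f3a3b"}},
    ],
})

def index_packages(lock_text):
    """Map package name -> (version, dist reference, dist url) for one lock file."""
    lock = json.loads(lock_text)
    out = {}
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        dist = pkg.get("dist") or {}
        out[pkg["name"]] = (pkg.get("version"), dist.get("reference"), dist.get("url"))
    return out

def diff_locks(baseline_text, candidate_text, trusted_hosts=("api.github.com",)):
    """Return sorted (package, finding) pairs that need a human look.

    new-package / removed-package    present in only one of the two files
    version-changed                  version string differs
    reference-changed-same-version   same version, different commit (re-pointed tag)
    untrusted-dist-host              archive not served from an allowlisted host
    trusted_hosts is an assumption; extend it for private mirrors.
    """
    base = index_packages(baseline_text)
    cand = index_packages(candidate_text)
    findings = []
    for name, (version, ref, url) in cand.items():
        if name not in base:
            findings.append((name, "new-package"))
        else:
            b_version, b_ref, _ = base[name]
            if version != b_version:
                findings.append((name, "version-changed"))
            elif ref != b_ref:
                findings.append((name, "reference-changed-same-version"))
        host = urlparse(url).hostname if url else None
        if host not in trusted_hosts:
            findings.append((name, "untrusted-dist-host"))
    for name in base:
        if name not in cand:
            findings.append((name, "removed-package"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in diff_locks(BASELINE_LOCK, CANDIDATE_LOCK):
        print(f"{finding:32} {name}")
```

Wired into CI as a required check, a non-empty result blocks the merge until someone reviews the listed packages. The "same version, different reference" case deserves the most attention: a version constraint in composer.json would still be satisfied, so only the lock file diff reveals that the content behind the tag changed.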

User Protection

  • Consider deploying advanced email filtering capable of detecting indirect prompt injections and invisible text.
  • If supported, enforce phishing-resistant MFA (e.g., FIDO2) to mitigate token theft.

Security Awareness

  • Consider training developers on the risks of weaponized IDE extensions and supply chain attacks.
  • Evaluate whether to update phishing awareness programs to include device-code phishing techniques.

MITRE ATT&CK Mapping

  • T1566.002 - Phishing: Spearphishing Link
  • T1189 - Drive-by Compromise
  • T1199 - Trusted Relationship
  • T1078.004 - Valid Accounts: Cloud Accounts
  • T1550.001 - Use Alternate Authentication Material: Application Access Token
  • T1068 - Exploitation for Privilege Escalation
  • T1090.003 - Proxy: Multi-hop Proxy
  • T1564 - Hide Artifacts