{"id":5241,"date":"2026-05-17T17:45:28","date_gmt":"2026-05-17T22:45:28","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/?p=5241"},"modified":"2026-05-25T17:47:01","modified_gmt":"2026-05-25T22:47:01","slug":"malware-analysis-brief-may-17-2026","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/?p=5241","title":{"rendered":"Malware Analysis Brief \u2014 May 17, 2026"},"content":{"rendered":"<style>\n.single .entry-title,\n.single .entry-header .entry-title,\n.single .post-title,\n.single header.entry-header h1,\n.single h1.entry-title,\n.single .page-title,\n.post-template-default h1.entry-title,\n.post-template-default .entry-header,\narticle .entry-header,\narticle .entry-title { display: none !important; }\n.single .entry-header { margin: 0 !important; padding: 0 !important; }\n.single .entry-content { margin-top: 0 !important; padding-top: 0 !important; }\n<\/style>\n<table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"background-color:#f4f5f7;\">\n<tr>\n<td align=\"center\" style=\"padding:24px 12px;\">\n<table role=\"presentation\" width=\"680\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"max-width:680px;width:100%;background-color:#ffffff;border-radius:8px;overflow:hidden;box-shadow:0 1px 3px rgba(0,0,0,0.08);\">\n<tr>\n<td style=\"background-color:#7f1d1d;background:linear-gradient(135deg,#7f1d1d 0%,#dc2626 100%);padding:32px 28px 24px;color:#ffffff;\">\n<div style=\"font-size:12px;letter-spacing:2px;text-transform:uppercase;opacity:0.75;margin-bottom:8px;color:#ffffff;\">Malware Analysis Bulletin \u00b7 Issue May 17, 2026<\/div>\n<div style=\"margin:0;font-size:28px;line-height:1.2;font-weight:700;color:#ffffff !important;mso-line-height-rule:exactly;\">The Malware Analysis Brief<\/div>\n<p style=\"margin:8px 0 0;font-size:14px;opacity:0.85;color:#ffffff;\">APT campaigns, malware families, active exploits, deep detection and 
response<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:28px 28px 4px;\">\n<h2 style=\"margin:0 0 12px;font-size:18px;color:#0f172a;border-bottom:2px solid #dc2626;padding-bottom:6px;\">This week at a glance<\/h2>\n<p style=\"margin:0 0 12px;font-size:15px;color:#374151;\">An exceptionally heavy week. Microsoft published a deep teardown of <strong>Turla&rsquo;s evolved Kazuar backdoor<\/strong> \u2014 now a modular P2P botnet attributed to Russia&rsquo;s FSB Center 16. Two Linux kernel LPE chains shipped public PoCs: <strong>Dirty Frag<\/strong> (CVE-2026-43284 \/ 43500) and the spawned-from-its-patch <strong>Fragnesia<\/strong> (CVE-2026-46300). Microsoft disclosed an actively exploited <strong>Exchange Server zero-day<\/strong> (CVE-2026-42897), and Cisco patched a maximum-severity <strong>Catalyst SD-WAN bypass<\/strong> (CVE-2026-20182, CVSS 10.0) under active exploitation by China-linked <strong>UAT-8616<\/strong> \u2014 added to CISA&rsquo;s KEV catalog with a federal May 17 remediation deadline. New APT activity from <strong>FamousSparrow<\/strong> (China, Azerbaijani oil &amp; gas), <strong>Ghostwriter<\/strong> (Belarus, Ukrainian government), and the espionage cluster <strong>UAT-8302<\/strong>. Supply chain hits: malicious <strong>node-ipc<\/strong> npm packages, a tampered <strong>Jenkins AST<\/strong> Marketplace plugin, and the RubyGems-abusing <strong>GemStuffer<\/strong> campaign. PoC for the open-source <strong>PraisonAI<\/strong> framework was exploited within <em>four hours<\/em> of disclosure. German + Spanish police took down the <strong>Crimenetwork<\/strong> dark-web marketplace and arrested its 35-year-old operator in Mallorca, and a key member of <strong>Scattered Spider<\/strong> was arrested. 
Coverage window: May 10 \u2013 May 17, 2026.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:18px 28px 4px;\">\n<h2 style=\"margin:0 0 4px;font-size:20px;color:#0f172a;\">Entity graph &mdash; people, organizations, threats, and how they cross-correlate<\/h2>\n<div style=\"height:3px;width:48px;background-color:#dc2626;margin-bottom:14px;\"><\/div>\n<p style=\"margin:0 0 8px;font-size:11px;color:#64748b;\">Every named entity extracted from this week&#8217;s 25 articles, with edges showing direct relationships.<\/p>\n<div style=\"background-color:#ffffff;border:1px solid #e2e8f0;border-radius:8px;padding:14px;\">\n<img decoding=\"async\" src=\"https:\/\/www.cybersecurityinstitute.com\/blog\/wp-content\/uploads\/2026\/05\/topic-map-malware-analysis-2026-05-17-2.png\" alt=\"Topic map for malware analysis\" style=\"width:100%;max-width:880px;height:auto;display:block;margin:0 auto;\" \/>\n<\/div>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:24px 28px 4px;\">\n<h2 style=\"margin:0 0 4px;font-size:20px;color:#0f172a;\">Article index<\/h2>\n<div style=\"height:3px;width:48px;background-color:#dc2626;margin-bottom:14px;\"><\/div>\n<h3 style=\"margin:14px 0 8px;font-size:15px;color:#dc2626;text-transform:uppercase;letter-spacing:1px;\">APT campaigns and nation-state activity<\/h3>\n<table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"font-size:13px;border-collapse:collapse;\">\n<tr style=\"background-color:#f8fafc;\">\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:55%;\">Article<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:30%;\">Source<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:15%;\">Published<\/th>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a 
href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/05\/14\/kazuar-anatomy-of-a-nation-state-botnet\/\" style=\"color:#1d4ed8;text-decoration:none;\">Kazuar: Anatomy of a nation-state botnet (Turla \/ Secret Blizzard \/ Russia FSB)<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Microsoft Security Blog<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 14, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/05\/turla-turns-kazuar-backdoor-into.html\" style=\"color:#1d4ed8;text-decoration:none;\">Turla Turns Kazuar Backdoor Into Modular P2P Botnet for Persistent Access<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 14, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/russian-hackers-turn-kazuar-backdoor-into-modular-p2p-botnet\/\" style=\"color:#1d4ed8;text-decoration:none;\">Russian hackers turn Kazuar backdoor into modular P2P botnet<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">BleepingComputer<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 14, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.darkreading.com\/cyberattacks-data-breaches\/china-famoussparrow-apt-south-caucasus-energy-firm\" style=\"color:#1d4ed8;text-decoration:none;\">China&#8217;s &#8216;FamousSparrow&#8217; APT Nests in South Caucasus Energy Firm (Azerbaijan)<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Dark Reading<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid 
#f1f5f9;color:#475569;\">May 13, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/securityaffairs.com\/192196\/apt\/ghostwriter-group-resumes-attacks-on-ukrainian-government-targets.html\" style=\"color:#1d4ed8;text-decoration:none;\">Ghostwriter group resumes attacks on Ukrainian government targets<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Security Affairs<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 14, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/research.checkpoint.com\/2026\/11th-may-threat-intelligence-report\/\" style=\"color:#1d4ed8;text-decoration:none;\">11th May Threat Intelligence Report (UAT-8302 espionage, Ivanti, PAN-OS)<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Check Point Research<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 11, 2026<\/td>\n<\/tr>\n<\/table>\n<h3 style=\"margin:22px 0 8px;font-size:15px;color:#0891b2;text-transform:uppercase;letter-spacing:1px;\">Active-exploit vulnerabilities and Patch Tuesday<\/h3>\n<table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"font-size:13px;border-collapse:collapse;\">\n<tr style=\"background-color:#f8fafc;\">\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:55%;\">Article<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:30%;\">Source<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:15%;\">Published<\/th>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a 
href=\"https:\/\/www.securityweek.com\/microsoft-warns-of-exchange-server-zero-day-exploited-in-the-wild\/\" style=\"color:#1d4ed8;text-decoration:none;\">Microsoft Warns of Exchange Server Zero-Day Exploited in the Wild (CVE-2026-42897)<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">SecurityWeek<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 14, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/hackers-are-exploiting-a-critical-cisco-sd-wan-flaw\/\" style=\"color:#1d4ed8;text-decoration:none;\">Hackers exploiting critical Cisco SD-WAN flaw (CVE-2026-20182, CVSS 10.0, UAT-8616)<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">BleepingComputer<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 14, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/05\/linux-kernel-dirty-frag-lpe-exploit.html\" style=\"color:#1d4ed8;text-decoration:none;\">Linux Kernel Dirty Frag LPE Exploit Enables Root Access Across Major Distributions<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Week of May 11, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/05\/new-fragnesia-linux-kernel-lpe-grants.html\" style=\"color:#1d4ed8;text-decoration:none;\">New Fragnesia Linux Kernel LPE Grants Root Access via Page Cache Corruption<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 13&ndash;14, 
2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.helpnetsecurity.com\/2026\/05\/14\/fragnesia-cve-2026-46300-linux-lpe-vulnerability\/\" style=\"color:#1d4ed8;text-decoration:none;\">Fragnesia (CVE-2026-46300): new Linux LPE bug spawned by Dirty Frag patch<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Help Net Security<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 14, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/05\/praisonai-cve-2026-44338-auth-bypass.html\" style=\"color:#1d4ed8;text-decoration:none;\">PraisonAI CVE-2026-44338 auth bypass targeted within hours of disclosure<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 11, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.csoonline.com\/article\/4171215\/praisonai-vulnerability-gets-scanned-within-4-hours-of-disclosure.html\" style=\"color:#1d4ed8;text-decoration:none;\">PraisonAI vulnerability gets scanned within 4 hours of disclosure<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">CSO Online<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.crowdstrike.com\/en-us\/blog\/patch-tuesday-analysis-may-2026\/\" style=\"color:#1d4ed8;text-decoration:none;\">May 2026 Patch Tuesday: 30 Critical Vulnerabilities Among 130 CVEs<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">CrowdStrike<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid 
#f1f5f9;color:#475569;\">May 12, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.thezdi.com\/blog\/2026\/5\/12\/the-may-2026-security-update-review\" style=\"color:#1d4ed8;text-decoration:none;\">The May 2026 Security Update Review (ZDI)<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Zero Day Initiative<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 12, 2026<\/td>\n<\/tr>\n<\/table>\n<h3 style=\"margin:22px 0 8px;font-size:15px;color:#d97706;text-transform:uppercase;letter-spacing:1px;\">Supply-chain attacks<\/h3>\n<table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"font-size:13px;border-collapse:collapse;\">\n<tr style=\"background-color:#f8fafc;\">\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:55%;\">Article<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:30%;\">Source<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:15%;\">Published<\/th>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/05\/malicious-node-ipc-package.html\" style=\"color:#1d4ed8;text-decoration:none;\">Malicious node-ipc npm packages confirmed (9.1.6 \/ 9.2.3 \/ 12.0.1)<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 14, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/cisoseries.com\/the-department-of-know-gemstuffer-attack-ai-sboms-and-ai-created-zero-days\/\" style=\"color:#1d4ed8;text-decoration:none;\">GemStuffer attack on 
RubyGems (Socket research)<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">CISO Series \/ Socket<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 13, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/checkmarx.com\/blog\/modified-jenkins-ast-plugin-marketplace\/\" style=\"color:#1d4ed8;text-decoration:none;\">Checkmarx: modified Jenkins AST plugin pushed to Jenkins Marketplace<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Checkmarx \/ SecurityWeek<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 11, 2026<\/td>\n<\/tr>\n<\/table>\n<h3 style=\"margin:22px 0 8px;font-size:15px;color:#16a34a;text-transform:uppercase;letter-spacing:1px;\">Law enforcement and criminal-infrastructure takedowns<\/h3>\n<table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"font-size:13px;border-collapse:collapse;\">\n<tr style=\"background-color:#f8fafc;\">\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:55%;\">Article<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:30%;\">Source<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:15%;\">Published<\/th>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.securityweek.com\/resurrected-crimenetwork-marketplace-taken-down-administrator-arrested\/\" style=\"color:#1d4ed8;text-decoration:none;\">Resurrected &#8216;Crimenetwork&#8217; Marketplace Taken Down, Administrator Arrested in Mallorca<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">SecurityWeek<\/td>\n<td style=\"padding:8px 
6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 15, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.securityweek.com\/in-other-news-scattered-spider-hacker-arrested-soc-effectiveness-metrics-nsa-tool-vulnerability\/\" style=\"color:#1d4ed8;text-decoration:none;\">In Other News: Scattered Spider Hacker Arrested, SOC Effectiveness Metrics, NSA Tool Vulnerability<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">SecurityWeek<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Week of May 11\u201317, 2026<\/td>\n<\/tr>\n<\/table>\n<h3 style=\"margin:22px 0 8px;font-size:15px;color:#475569;text-transform:uppercase;letter-spacing:1px;\">Foundational reading <span style=\"font-weight:400;text-transform:none;letter-spacing:0;color:#9ca3af;font-size:11px;\">(refreshed weekly)<\/span><\/h3>\n<table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"font-size:13px;border-collapse:collapse;\">\n<tr style=\"background-color:#f8fafc;\">\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:55%;\">Article<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:30%;\">Source<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:15%;\">Published<\/th>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.wiz.io\/blog\/fragnesia-linux-kernel-local-privilege-escalation-via-esp-in-tcp\" style=\"color:#1d4ed8;text-decoration:none;\">Fragnesia: Linux Kernel LPE via ESP-in-TCP \u2014 technical deep dive<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Wiz Blog<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid 
#f1f5f9;color:#475569;\">May 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.tenable.com\/blog\/dirty-frag-cve-2026-43284-cve-2026-43500-frequently-asked-questions-linux-kernel-lpe\" style=\"color:#1d4ed8;text-decoration:none;\">Dirty Frag FAQ: technical, exploitation, and mitigation<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Tenable<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/m-trends-2026\" style=\"color:#1d4ed8;text-decoration:none;\">M-Trends 2026: 224 malware families and 22-second intervention windows<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Google Cloud \/ Mandiant<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">March 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.recordedfuture.com\/blog\/ransomware-tactics-2026\" style=\"color:#1d4ed8;text-decoration:none;\">New ransomware tactics to watch out for in 2026<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Recorded Future<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/securelist.com\/state-of-ransomware-in-2026\/119761\/\" style=\"color:#1d4ed8;text-decoration:none;\">Reviewing the trends in ransomware attacks in 2026<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Securelist<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">2026<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<tr>\n<td 
style=\"padding:24px 28px 4px;\">\n<h2 style=\"margin:0 0 4px;font-size:20px;color:#0f172a;\">Detailed write-ups<\/h2>\n<div style=\"height:3px;width:48px;background-color:#dc2626;margin-bottom:14px;\"><\/div>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">Turla turns Kazuar into a modular P2P botnet (May 14)<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">Microsoft attributes Kazuar&#8217;s new modular architecture (Kernel, Bridge, Worker components) to <strong>Turla \/ Secret Blizzard<\/strong>, affiliated with <strong>Russia&#8217;s FSB Center 16<\/strong>. The malware supports HTTP, WebSockets, and Exchange Web Services (EWS) for C2, has 150+ config parameters, and includes AMSI\/ETW bypasses. Government, diplomatic, and defense targets in Europe and Central Asia. Read alongside the BleepingComputer and Hacker News reporting for full context.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/05\/14\/kazuar-anatomy-of-a-nation-state-botnet\/\" style=\"color:#1d4ed8;text-decoration:none;\">Microsoft Security Blog<\/a> &middot; <a href=\"https:\/\/thehackernews.com\/2026\/05\/turla-turns-kazuar-backdoor-into.html\" style=\"color:#1d4ed8;text-decoration:none;\">The Hacker News<\/a> &middot; <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/russian-hackers-turn-kazuar-backdoor-into-modular-p2p-botnet\/\" style=\"color:#1d4ed8;text-decoration:none;\">BleepingComputer<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">Dirty Frag (May 7&ndash;13) and Fragnesia (May 13)<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">A chained pair of bugs in the Linux kernel&#8217;s ESP\/IPsec and RxRPC paths \u2014 <strong>CVE-2026-43284 and CVE-2026-43500 (Dirty Frag)<\/strong> \u2014 allows reliable LPE to root across Ubuntu, RHEL, Fedora, AlmaLinux, and CentOS Stream. Public PoC pre-dated patches. 
Then the patch for one of the Dirty Frag bugs <em>accidentally activated<\/em> a related bug in XFRM ESP-in-TCP, disclosed May 13 by <strong>William Bowling (Zellic) and the V12 security team<\/strong> as <strong>Fragnesia (CVE-2026-46300)<\/strong>. PoC released. Mitigation for both: unload\/denylist esp4, esp6, rxrpc modules.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/thehackernews.com\/2026\/05\/linux-kernel-dirty-frag-lpe-exploit.html\" style=\"color:#1d4ed8;text-decoration:none;\">Hacker News (Dirty Frag)<\/a> &middot; <a href=\"https:\/\/thehackernews.com\/2026\/05\/new-fragnesia-linux-kernel-lpe-grants.html\" style=\"color:#1d4ed8;text-decoration:none;\">Hacker News (Fragnesia)<\/a> &middot; <a href=\"https:\/\/www.helpnetsecurity.com\/2026\/05\/14\/fragnesia-cve-2026-46300-linux-lpe-vulnerability\/\" style=\"color:#1d4ed8;text-decoration:none;\">Help Net Security<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">Microsoft Exchange Server zero-day CVE-2026-42897 (May 14)<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">CVSS 8.1 cross-site scripting flaw in on-prem Exchange enables unauthorized spoofing. Active exploitation observed; Microsoft published mitigations on May 16 while a permanent fix is prepared. Immediate response for any hybrid or on-prem Exchange estate.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/www.securityweek.com\/microsoft-warns-of-exchange-server-zero-day-exploited-in-the-wild\/\" style=\"color:#1d4ed8;text-decoration:none;\">SecurityWeek<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">Cisco Catalyst SD-WAN authentication bypass CVE-2026-20182 (May 14&ndash;15)<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">CVSS 10.0 \u2014 maximum severity. Cisco attributes active exploitation to <strong>UAT-8616<\/strong>, the same cluster that weaponized CVE-2026-20127. 
CISA added the bug to its Known Exploited Vulnerabilities catalog on May 15 with a federal remediation deadline of <strong>May 17<\/strong>.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/hackers-are-exploiting-a-critical-cisco-sd-wan-flaw\/\" style=\"color:#1d4ed8;text-decoration:none;\">BleepingComputer<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">PraisonAI exploited four hours after disclosure (May 11)<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\"><strong>CVE-2026-44338<\/strong> (CVSS 7.3): missing authentication in the open-source multi-agent orchestration framework PraisonAI exposes sensitive endpoints. The advisory was published at 13:56 UTC; the first exploit attempt landed at 17:40 UTC the same day. A stark data point for AI infrastructure exposure-to-exploit timelines.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/thehackernews.com\/2026\/05\/praisonai-cve-2026-44338-auth-bypass.html\" style=\"color:#1d4ed8;text-decoration:none;\">The Hacker News<\/a> &middot; <a href=\"https:\/\/www.csoonline.com\/article\/4171215\/praisonai-vulnerability-gets-scanned-within-4-hours-of-disclosure.html\" style=\"color:#1d4ed8;text-decoration:none;\">CSO Online<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">FamousSparrow targets Azerbaijani oil and gas (May 13)<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">China-linked <strong>FamousSparrow<\/strong> ran a multi-wave intrusion against an Azerbaijani oil &amp; gas company from late December 2025 through late February 2026, attributed with moderate-to-high confidence. 
South Caucasus energy-sector targeting fits broader Chinese strategic-resource collection priorities.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/www.darkreading.com\/cyberattacks-data-breaches\/china-famoussparrow-apt-south-caucasus-energy-firm\" style=\"color:#1d4ed8;text-decoration:none;\">Dark Reading<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">Ghostwriter resumes Ukraine government attacks (May 14)<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">Belarus-aligned <strong>Ghostwriter<\/strong> has been linked to a fresh set of attacks against Ukrainian governmental organizations. Coverage continues the established pattern of regional state-aligned cyber operations.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/securityaffairs.com\/192196\/apt\/ghostwriter-group-resumes-attacks-on-ukrainian-government-targets.html\" style=\"color:#1d4ed8;text-decoration:none;\">Security Affairs<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">Crimenetwork takedown and Mallorca arrest (May 15)<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">German authorities, with Spanish National Police, dismantled the relaunched <strong>Crimenetwork<\/strong> dark-web marketplace and arrested its 35-year-old suspected operator at his residence in Mallorca under a European Arrest Warrant. The site had 22,000+ users, 100+ vendors, \u20ac3.6M commissions, and used BTC\/LTC\/XMR. 
Server infrastructure, user database, communications, and transaction logs were preserved \u2014 expect downstream prosecutions.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/www.securityweek.com\/resurrected-crimenetwork-marketplace-taken-down-administrator-arrested\/\" style=\"color:#1d4ed8;text-decoration:none;\">SecurityWeek<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">Supply chain: node-ipc, Jenkins AST, GemStuffer<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">Three malicious <strong>node-ipc<\/strong> npm versions (9.1.6, 9.2.3, 12.0.1) published with obfuscated stealer\/backdoor behavior. <strong>Checkmarx<\/strong> confirmed a modified <strong>Jenkins AST plugin<\/strong> published to the Jenkins Marketplace on May 11. <strong>Socket<\/strong> researchers dubbed a new RubyGems campaign <strong>GemStuffer<\/strong>: 150+ gems using the registry as a data-exfil channel rather than malware delivery.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/thehackernews.com\/2026\/05\/malicious-node-ipc-package.html\" style=\"color:#1d4ed8;text-decoration:none;\">The Hacker News (node-ipc)<\/a> &middot; <a href=\"https:\/\/cisoseries.com\/the-department-of-know-gemstuffer-attack-ai-sboms-and-ai-created-zero-days\/\" style=\"color:#1d4ed8;text-decoration:none;\">CISO Series \/ Socket (GemStuffer)<\/a> &middot; <a href=\"https:\/\/checkmarx.com\/blog\/modified-jenkins-ast-plugin-marketplace\/\" style=\"color:#1d4ed8;text-decoration:none;\">Checkmarx (Jenkins AST)<\/a><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:24px 28px 4px;\">\n<h2 style=\"margin:0 0 4px;font-size:20px;color:#0f172a;\">Calls to action for the next 7 days<\/h2>\n<div style=\"height:3px;width:48px;background-color:#dc2626;margin-bottom:14px;\"><\/div>\n<ol style=\"margin:0 0 12px 18px;padding:0;font-size:14px;color:#374151;\">\n<li 
style=\"margin-bottom:8px;\"><strong>Patch immediately:<\/strong> Exchange (CVE-2026-42897), Cisco SD-WAN (CVE-2026-20182, federal deadline May 17), Linux Dirty Frag + Fragnesia (CVE-2026-43284 \/ 43500 \/ 46300).<\/li>\n<li style=\"margin-bottom:8px;\"><strong>Hunt for Kazuar artifacts<\/strong> in any government, diplomatic, or defense-sector environment \u2014 Microsoft has published indicators and module-level structure.<\/li>\n<li style=\"margin-bottom:8px;\"><strong>Audit your software supply chain<\/strong> for node-ipc, the modified Jenkins AST plugin, and any RubyGems pulled in the GemStuffer window.<\/li>\n<li style=\"margin-bottom:8px;\"><strong>Inventory PraisonAI<\/strong> and any other agentic AI frameworks in your environment. Treat the disclosure-to-exploit window as 4 hours.<\/li>\n<li style=\"margin-bottom:8px;\"><strong>Re-baseline detection content<\/strong> for UAT-8616 (Cisco SD-WAN), FamousSparrow (oil &amp; gas TTPs), and Ghostwriter (Ukrainian-targeted phishing infrastructure).<\/li>\n<\/ol>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:28px 28px 32px;border-top:1px solid #e5e7eb;color:#6b7280;font-size:12px;text-align:center;\">\n<p style=\"margin:0 0 6px;color:#6b7280;\">The Malware Analysis Brief &middot; a Newshunter publication<\/p>\n<p style=\"margin:0 0 6px;color:#6b7280;\">Weekly news items are from the previous seven days. Foundational reading is refreshed each week.<\/p>\n<p style=\"margin:0 0 10px;color:#6b7280;\"><a href=\"*|UNSUB|*\" style=\"color:#1d4ed8;text-decoration:none;\">Unsubscribe<\/a> &middot; <a href=\"*|ARCHIVE|*\" style=\"color:#1d4ed8;text-decoration:none;\">View in browser<\/a><\/p>\n<p style=\"margin:14px 0 4px;font-size:11px;color:#9ca3af;\">Newsletter design, layout, and editorial curation &copy; 2026 Security Radar LLC. 
All rights reserved.<\/p>\n<p style=\"margin:0;font-size:11px;color:#9ca3af;\">Article titles and summaries are excerpted for review and commentary; all linked articles remain the copyright of their respective publishers and authors.<\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Malware Analysis Bulletin \u00b7 Issue May 17, 2026 The Malware Analysis Brief APT campaigns, malware families, active exploits, deep detection and response This week at a glance An exceptionally heavy week. Microsoft published a deep teardown of Turla&rsquo;s evolved Kazuar backdoor \u2014 now a modular P2P botnet attributed to Russia&rsquo;s&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,47],"tags":[],"class_list":["post-5241","post","type-post","status-publish","format-standard","hentry","category-malware","category-threat_intel"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/5241","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5241"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/5241\/revisions"}],"predecessor-version":[{"id":5250,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/5241\/revisions\/5250"}],"wp:attachment":[{"hre
f":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5241"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5241"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5241"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}