{"id":5243,"date":"2026-05-24T14:09:49","date_gmt":"2026-05-24T19:09:49","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/?p=5243"},"modified":"2026-05-25T17:49:10","modified_gmt":"2026-05-25T22:49:10","slug":"malware-analysis-brief-may-24-2026","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/?p=5243","title":{"rendered":"Malware Analysis Brief \u2014 May 24, 2026"},"content":{"rendered":"<style>\n.single .entry-title,\n.single .entry-header .entry-title,\n.single .post-title,\n.single header.entry-header h1,\n.single h1.entry-title,\n.single .page-title,\n.post-template-default h1.entry-title,\n.post-template-default .entry-header,\narticle .entry-header,\narticle .entry-title { display: none !important; }\n.single .entry-header { margin: 0 !important; padding: 0 !important; }\n.single .entry-content { margin-top: 0 !important; padding-top: 0 !important; }\n<\/style>\n<table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"background-color:#f4f5f7;\">\n<tr>\n<td align=\"center\" style=\"padding:24px 12px;\">\n<table role=\"presentation\" width=\"680\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"max-width:680px;width:100%;background-color:#ffffff;border-radius:8px;overflow:hidden;box-shadow:0 1px 3px rgba(0,0,0,0.08);\">\n<tr>\n<td style=\"background-color:#7f1d1d;background:linear-gradient(135deg,#7f1d1d 0%,#dc2626 100%);padding:32px 28px 24px;color:#ffffff;\">\n<div style=\"font-size:12px;letter-spacing:2px;text-transform:uppercase;opacity:0.75;margin-bottom:8px;color:#ffffff;\">Malware Analysis Bulletin &middot; Issue May 24, 2026<\/div>\n<div style=\"margin:0;font-size:28px;line-height:1.2;font-weight:700;color:#ffffff !important;mso-line-height-rule:exactly;\">The Malware Analysis Brief<\/div>\n<p style=\"margin:8px 0 0;font-size:14px;opacity:0.85;color:#ffffff;\">APT campaigns, malware families, active exploits, deep detection and 
response<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:28px 28px 4px;\">\n<h2 style=\"margin:0 0 12px;font-size:18px;color:#0f172a;border-bottom:2px solid #dc2626;padding-bottom:6px;\">This week at a glance<\/h2>\n<p style=\"margin:0 0 12px;font-size:15px;color:#374151;\">The deepest week of the quarter. A multi-front <strong>supply-chain wave<\/strong> hit nearly every package ecosystem at once: the <strong>Megalodon<\/strong> campaign pushed 5,718 malicious commits across 5,561 GitHub repos in six hours; the cross-ecosystem <strong>TrapDoor<\/strong> campaign poisoned npm, PyPI, and crates.io with AI-prompt-injection payloads; and <strong>Laravel-Lang<\/strong> Composer packages were retagged to ship a cross-platform credential stealer. Europol&#8217;s <strong>Operation Saffron<\/strong> dismantled <strong>First VPN<\/strong> \u2014 used by 25 ransomware groups \u2014 and Microsoft disrupted <strong>Fox Tempest<\/strong>, a malware-signing-as-a-service operator abusing Microsoft Artifact Signing. ESET published a deep look at <strong>Webworm<\/strong>&#8216;s EchoCreep \/ GraphWorm backdoors, and ReliaQuest showed how attackers <strong>bypass SonicWall MFA<\/strong> by alternating UPN and SAM login formats. The <strong>Nightmare-Eclipse<\/strong> Windows 0-day cluster grew again with the <strong>YellowKey<\/strong> BitLocker bypass mitigation, <strong>GreenPlasma<\/strong> + <strong>MiniPlasma<\/strong> LPE PoCs, and Barracuda&#8217;s six-exploit retrospective. Two <strong>Microsoft Defender<\/strong> CVEs landed on CISA KEV; <strong>Cisco SD-WAN UAT-8616<\/strong> kept exploiting CVE-2026-20182; on-prem <strong>Exchange OWA<\/strong> CVE-2026-42897 saw new email-triggered exploitation; <strong>Trend Micro Apex One<\/strong> CVE-2026-34926 turned EDR into a malware-distribution channel. Krebs documented a <strong>CISA contractor&#8217;s leaked AWS GovCloud admin keys<\/strong> on public GitHub. 
Law-enforcement wins: <strong>Ukraine<\/strong> identified an 18-year-old infostealer operator behind 28,000 stolen accounts, <strong>Canada<\/strong> arrested the <strong>Kimwolf<\/strong> DDoS-for-hire operator, and <strong>INTERPOL Operation Ramz<\/strong> made 201 arrests across 13 MENA countries. The <strong>Verizon DBIR 2026<\/strong> recorded a 19-year inversion: vulnerability exploitation has overtaken credential theft as the #1 initial-access vector. Coverage window: May 17 &ndash; May 24, 2026.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:18px 28px 4px;\">\n<h2 style=\"margin:0 0 4px;font-size:20px;color:#0f172a;\">Entity graph &mdash; people, organizations, threats, and how they cross-correlate<\/h2>\n<div style=\"height:3px;width:48px;background-color:#dc2626;margin-bottom:14px;\"><\/div>\n<p style=\"margin:0 0 8px;font-size:11px;color:#64748b;\">Every named entity extracted from this week&#8217;s 26 articles, with edges showing direct relationships.<\/p>\n<div style=\"background-color:#ffffff;border:1px solid #e2e8f0;border-radius:8px;padding:14px;\">\n<img decoding=\"async\" src=\"https:\/\/www.cybersecurityinstitute.com\/blog\/wp-content\/uploads\/2026\/05\/topic-map-malware-analysis-2026-05-24-1.png\" alt=\"Topic map for malware analysis\" style=\"width:100%;max-width:880px;height:auto;display:block;margin:0 auto;\" \/>\n<\/div>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:24px 28px 4px;\">\n<h2 style=\"margin:0 0 4px;font-size:20px;color:#0f172a;\">Article index<\/h2>\n<div style=\"height:3px;width:48px;background-color:#dc2626;margin-bottom:14px;\"><\/div>\n<h3 style=\"margin:14px 0 8px;font-size:15px;color:#d97706;text-transform:uppercase;letter-spacing:1px;\">Supply-chain attacks<\/h3>\n<table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"font-size:13px;border-collapse:collapse;\">\n<tr style=\"background-color:#f8fafc;\">\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid 
#e2e8f0;color:#475569;font-weight:600;width:55%;\">Article<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:30%;\">Source<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:15%;\">Published<\/th>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/05\/megalodon-github-attack-targets-5561.html\" style=\"color:#1d4ed8;text-decoration:none;\">Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI\/CD Workflows<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 22, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/05\/trapdoor-supply-chain-attack-spreads.html\" style=\"color:#1d4ed8;text-decoration:none;\">TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and CratesIO<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 23&ndash;24, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/05\/laravel-lang-php-packages-compromised.html\" style=\"color:#1d4ed8;text-decoration:none;\">Laravel-Lang PHP Packages Compromised to Deliver Cross-Platform Credential Stealer<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 23, 2026<\/td>\n<\/tr>\n<\/table>\n<h3 style=\"margin:22px 0 8px;font-size:15px;color:#dc2626;text-transform:uppercase;letter-spacing:1px;\">APT 
campaigns and nation-state activity<\/h3>\n<table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"font-size:13px;border-collapse:collapse;\">\n<tr style=\"background-color:#f8fafc;\">\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:55%;\">Article<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:30%;\">Source<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:15%;\">Published<\/th>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/05\/webworm-echocreep-graphworm-discord-msgraph.html\" style=\"color:#1d4ed8;text-decoration:none;\">Webworm Deploys EchoCreep and GraphWorm Backdoors Using Discord and MS Graph API<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 20, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.welivesecurity.com\/en\/eset-research\/webworm-new-burrowing-techniques\/\" style=\"color:#1d4ed8;text-decoration:none;\">Webworm: New burrowing techniques (full ESET research write-up)<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">ESET WeLiveSecurity<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 20, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/05\/cisco-catalyst-sd-wan-auth-bypass-uat-8616.html\" style=\"color:#1d4ed8;text-decoration:none;\">Cisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited to Gain Admin Access<\/a><\/td>\n<td style=\"padding:8px 
6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 18, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/blog.talosintelligence.com\/uat-8616-cisco-sd-wan\/\" style=\"color:#1d4ed8;text-decoration:none;\">Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities (UAT-8616)<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Cisco Talos<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Week of May 14, 2026<\/td>\n<\/tr>\n<\/table>\n<h3 style=\"margin:22px 0 8px;font-size:15px;color:#0891b2;text-transform:uppercase;letter-spacing:1px;\">Windows 0-day cluster (Nightmare-Eclipse) and Defender CVEs<\/h3>\n<table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"font-size:13px;border-collapse:collapse;\">\n<tr style=\"background-color:#f8fafc;\">\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:55%;\">Article<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:30%;\">Source<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:15%;\">Published<\/th>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/05\/microsoft-yellowkey-bitlocker-bypass-mitigation.html\" style=\"color:#1d4ed8;text-decoration:none;\">Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 20, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 
6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.helpnetsecurity.com\/2026\/05\/20\/yellowkey-bitlocker-bypass-cve-2026-45585-mitigation\/\" style=\"color:#1d4ed8;text-decoration:none;\">Microsoft provides mitigation for &#8220;YellowKey&#8221; BitLocker bypass flaw (CVE-2026-45585)<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Help Net Security<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 20, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/05\/windows-zero-days-bitlocker-ctfmon-greenplasma-miniplasma.html\" style=\"color:#1d4ed8;text-decoration:none;\">Windows Zero-Days Expose BitLocker Bypasses And CTFMON Privilege Escalation<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 18, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/blog.barracuda.com\/2026\/05\/19\/nightmare-eclipse-six-zero-days-six-weeks\" style=\"color:#1d4ed8;text-decoration:none;\">Nightmare-Eclipse: six zero-days, six weeks and one big grudge<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Barracuda Labs<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 19, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.helpnetsecurity.com\/2026\/05\/21\/defender-cve-2026-41091-cve-2026-45498-exploited\/\" style=\"color:#1d4ed8;text-decoration:none;\">Microsoft Defender vulnerabilities exploited in the wild (CVE-2026-41091, CVE-2026-45498)<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Help Net Security<\/td>\n<td style=\"padding:8px 
6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 21, 2026<\/td>\n<\/tr>\n<\/table>\n<h3 style=\"margin:22px 0 8px;font-size:15px;color:#7c3aed;text-transform:uppercase;letter-spacing:1px;\">EDR weaponized and active-exploit CVEs<\/h3>\n<table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"font-size:13px;border-collapse:collapse;\">\n<tr style=\"background-color:#f8fafc;\">\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:55%;\">Article<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:30%;\">Source<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:15%;\">Published<\/th>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/trend-micro-warns-of-apex-one-zero-day-cve-2026-34926\/\" style=\"color:#1d4ed8;text-decoration:none;\">Trend Micro warns of Apex One zero-day exploited in attacks (CVE-2026-34926)<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">BleepingComputer<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 20, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/05\/exchange-owa-cve-2026-42897-crafted-email.html\" style=\"color:#1d4ed8;text-decoration:none;\">On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 18, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a 
href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/sonicwall-vpn-mfa-bypass-incomplete-patching\/\" style=\"color:#1d4ed8;text-decoration:none;\">Hackers bypass SonicWall VPN MFA due to incomplete patching<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">BleepingComputer<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 20, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/05\/cisa-adds-drupal-sqli-cve-2026-9082-to-kev.html\" style=\"color:#1d4ed8;text-decoration:none;\">CISA Adds Drupal SQLi CVE-2026-9082 to KEV<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News \/ CISA<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 21&ndash;22, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/ghost-cms-sqli-cve-2026-26980-clickfix-campaign\/\" style=\"color:#1d4ed8;text-decoration:none;\">Ghost CMS SQL injection flaw exploited in large-scale ClickFix campaign (CVE-2026-26980)<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">BleepingComputer<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 22&ndash;25, 2026<\/td>\n<\/tr>\n<\/table>\n<h3 style=\"margin:22px 0 8px;font-size:15px;color:#ea580c;text-transform:uppercase;letter-spacing:1px;\">Malware families, ad-fraud schemes, and signing abuse<\/h3>\n<table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"font-size:13px;border-collapse:collapse;\">\n<tr style=\"background-color:#f8fafc;\">\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:55%;\">Article<\/th>\n<th align=\"left\" 
style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:30%;\">Source<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:15%;\">Published<\/th>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/05\/19\/disrupting-fox-tempest-malware-signing-service\/\" style=\"color:#1d4ed8;text-decoration:none;\">Microsoft Takes Down Malware-Signing Service Behind Ransomware Attacks (Fox Tempest)<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Microsoft Security Blog<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 19, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/cybercrime-service-disrupted-microsoft-artifact-signing\/\" style=\"color:#1d4ed8;text-decoration:none;\">Cybercrime service disrupted for abusing Microsoft platform to sign malware<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">BleepingComputer<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 20, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/05\/trapdoor-android-ad-fraud-455-apps.html\" style=\"color:#1d4ed8;text-decoration:none;\">Trapdoor Android Ad Fraud Scheme Hit 659 Million Daily Bid Requests Using 455 Apps<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 19, 2026<\/td>\n<\/tr>\n<\/table>\n<h3 style=\"margin:22px 0 8px;font-size:15px;color:#16a34a;text-transform:uppercase;letter-spacing:1px;\">Law enforcement and 
criminal-infrastructure takedowns<\/h3>\n<table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"font-size:13px;border-collapse:collapse;\">\n<tr style=\"background-color:#f8fafc;\">\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:55%;\">Article<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:30%;\">Source<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:15%;\">Published<\/th>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/05\/first-vpn-dismantled-operation-saffron.html\" style=\"color:#1d4ed8;text-decoration:none;\">First VPN Dismantled in Global Takedown Over Use by 25 Ransomware Groups<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 21, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/first-vpn-bulletproof-hosting-takedown\/\" style=\"color:#1d4ed8;text-decoration:none;\">Europol seizes 33 servers across 27 countries in &#8216;First VPN&#8217; takedown<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">BleepingComputer<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 21, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/ukraine-identifies-infostealer-operator-28000-accounts\/\" style=\"color:#1d4ed8;text-decoration:none;\">Ukraine identifies infostealer operator tied to 28,000 stolen accounts<\/a><\/td>\n<td style=\"padding:8px 
6px;border-bottom:1px solid #f1f5f9;color:#475569;\">BleepingComputer<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 21, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/05\/kimwolf-ddos-botnet-arrest-canada.html\" style=\"color:#1d4ed8;text-decoration:none;\">Kimwolf DDoS Botnet Operator Arrested in Canada Over DDoS-for-Hire Attacks<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 22, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/05\/interpol-operation-ramz-mena-201-arrests.html\" style=\"color:#1d4ed8;text-decoration:none;\">INTERPOL Operation Ramz Disrupts MENA Cybercrime Networks with 201 Arrests<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 19, 2026<\/td>\n<\/tr>\n<\/table>\n<h3 style=\"margin:22px 0 8px;font-size:15px;color:#475569;text-transform:uppercase;letter-spacing:1px;\">Reports, leaks, and benchmarks<\/h3>\n<table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"font-size:13px;border-collapse:collapse;\">\n<tr style=\"background-color:#f8fafc;\">\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:55%;\">Article<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:30%;\">Source<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:15%;\">Published<\/th>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid 
#f1f5f9;\"><a href=\"https:\/\/krebsonsecurity.com\/2026\/05\/cisa-admin-leaked-aws-govcloud-keys-on-github\/\" style=\"color:#1d4ed8;text-decoration:none;\">CISA Admin Leaked AWS GovCloud Keys on GitHub<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">KrebsOnSecurity<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 19, 2026<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.securityweek.com\/verizon-dbir-2026-vulnerability-exploitation-overtakes-credential-theft\/\" style=\"color:#1d4ed8;text-decoration:none;\">Verizon DBIR 2026: Vulnerability Exploitation Overtakes Credential Theft as Top Breach Vector<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">SecurityWeek<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 20&ndash;21, 2026<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:24px 28px 4px;\">\n<h2 style=\"margin:0 0 4px;font-size:20px;color:#0f172a;\">Detailed write-ups<\/h2>\n<div style=\"height:3px;width:48px;background-color:#dc2626;margin-bottom:14px;\"><\/div>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">Megalodon, TrapDoor, and Laravel-Lang: the supply-chain wave (May 18&ndash;23)<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">Three distinct campaigns hit nearly every package ecosystem in the same week. <strong>Megalodon<\/strong> automated 5,718 malicious commits across 5,561 GitHub repos in six hours on May 18 via forged bot identities (build-bot, auto-ci, ci-bot, pipeline-bot); the injected GitHub Actions workflows run base64-encoded bash that exfiltrates CI secrets, cloud credentials, SSH keys, and OIDC tokens to <code style=\"font-family:Consolas,monospace;background:#f3f4f6;padding:1px 4px;border-radius:3px;\">216.126.225.129:8443<\/code>. 
<strong>TrapDoor<\/strong> \u2014 distinct from the Android ad-fraud Trapdoor below \u2014 published 34 cross-ecosystem packages (384 versions total) on npm, PyPI, and crates.io targeting crypto, DeFi, Solana, and AI developers; payload includes a hidden prompt-injection layer designed to manipulate AI coding assistants when victims push PRs through GitHub. <strong>Laravel-Lang<\/strong> attackers obtained push access to the Composer org and rewrote git tags on May 22&ndash;23, repointing 233+ versions to malicious commits that load on every <code style=\"font-family:Consolas,monospace;background:#f3f4f6;padding:1px 4px;border-radius:3px;\">composer install<\/code> via autoload, exfiltrating <code style=\"font-family:Consolas,monospace;background:#f3f4f6;padding:1px 4px;border-radius:3px;\">.env<\/code>, SSH keys, Docker\/Kubernetes configs, and AES-256-encrypted browser passwords from 17 Chromium variants to <code style=\"font-family:Consolas,monospace;background:#f3f4f6;padding:1px 4px;border-radius:3px;\">flipboxstudio[.]info\/exfil<\/code>.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/thehackernews.com\/2026\/05\/megalodon-github-attack-targets-5561.html\" style=\"color:#1d4ed8;text-decoration:none;\">The Hacker News (Megalodon)<\/a> &middot; <a href=\"https:\/\/thehackernews.com\/2026\/05\/trapdoor-supply-chain-attack-spreads.html\" style=\"color:#1d4ed8;text-decoration:none;\">The Hacker News (TrapDoor)<\/a> &middot; <a href=\"https:\/\/thehackernews.com\/2026\/05\/laravel-lang-php-packages-compromised.html\" style=\"color:#1d4ed8;text-decoration:none;\">The Hacker News (Laravel-Lang)<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">Operation Saffron: First VPN dismantled (May 21)<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">Europol&#8217;s coordinated <strong>Operation Saffron<\/strong> seized 33 bulletproof servers across 27 countries and arrested a Ukrainian admin 
of <strong>First VPN<\/strong> \u2014 the bulletproof anonymization service that 25 ransomware operations (including Avaddon) used for recon, intrusion staging, and C2 obfuscation. The full user database \u2014 roughly 5,000 criminal accounts \u2014 was preserved for downstream attribution. Cross-referencing this subscriber list against past incident IOCs should be a priority hunt for any IR team that has touched ransomware response in the last 24 months: persistent egress IPs from First VPN ranges will now de-anonymize a long tail of unattributed intrusions.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/thehackernews.com\/2026\/05\/first-vpn-dismantled-operation-saffron.html\" style=\"color:#1d4ed8;text-decoration:none;\">The Hacker News<\/a> &middot; <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/first-vpn-bulletproof-hosting-takedown\/\" style=\"color:#1d4ed8;text-decoration:none;\">BleepingComputer<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">Microsoft disrupts Fox Tempest&#8217;s malware-signing service (May 19&ndash;20)<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">Under <strong>Operation FauxSign<\/strong>, Microsoft seized infrastructure operated by <strong>Fox Tempest<\/strong>, a financially motivated MSaaS operator that abused <strong>Microsoft Artifact Signing<\/strong> to mint more than 1,000 short-lived (72-hour) code-signing certificates disguising ransomware payloads as legitimate apps \u2014 AnyDesk, Microsoft Teams, PuTTY, Webex. BleepingComputer&#8217;s reporting adds the business model: $5,000&ndash;$9,000 per customer, with Fox Tempest using stolen U.S. and Canadian identities to pass Artifact Signing&#8217;s identity verification. Downstream impact: healthcare, education, government, and financial-services intrusions whose initial-access binaries carried a legitimate Microsoft signature. 
Hunt teams should pivot on Artifact Signing certificate metadata in the May 1&ndash;May 20 window.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/05\/19\/disrupting-fox-tempest-malware-signing-service\/\" style=\"color:#1d4ed8;text-decoration:none;\">Microsoft Security Blog<\/a> &middot; <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/cybercrime-service-disrupted-microsoft-artifact-signing\/\" style=\"color:#1d4ed8;text-decoration:none;\">BleepingComputer<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">Webworm: EchoCreep, GraphWorm, and chained proxies (May 20)<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">ESET published a deep look at the China-aligned <strong>Webworm<\/strong> cluster (overlapping with Space Pirates and UAT-8302). Two new custom backdoors take center stage: <strong>EchoCreep<\/strong> uses Discord channels for C2, and <strong>GraphWorm<\/strong> abuses Microsoft Graph and OneDrive for tasking and data staging. Supporting tooling includes WormFrp, ChainWorm, SmuxProxy, and WormSocket. Targets: government and diplomatic organizations in Belgium, Italy, Poland, Serbia, and Spain. ESET decrypted 400+ Discord operator messages plus bash-history fragments documenting recon commands across 50+ unique victims, and published indicators for iox \/ frp tunneling and the chained-proxy infrastructure. 
For European government CSIRTs, the Graph-API C2 detection is the highest-leverage hunt: tenant audit logs, OneDrive item names, and outbound Graph traffic baselines.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/thehackernews.com\/2026\/05\/webworm-echocreep-graphworm-discord-msgraph.html\" style=\"color:#1d4ed8;text-decoration:none;\">The Hacker News<\/a> &middot; <a href=\"https:\/\/www.welivesecurity.com\/en\/eset-research\/webworm-new-burrowing-techniques\/\" style=\"color:#1d4ed8;text-decoration:none;\">ESET WeLiveSecurity<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">Nightmare-Eclipse: YellowKey, GreenPlasma, MiniPlasma (May 18&ndash;20)<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">The Windows 0-day cluster published by <strong>Chaotic Eclipse \/ Nightmare-Eclipse<\/strong> grew to six exploits across six weeks. Microsoft this week issued mitigation guidance for <strong>YellowKey (CVE-2026-45585)<\/strong> \u2014 a BitLocker bypass on Windows 11 and Server 2022\/2025 \u2014 instructing admins to remove <code style=\"font-family:Consolas,monospace;background:#f3f4f6;padding:1px 4px;border-radius:3px;\">autofstx.exe<\/code> from the WinRE BootExecute list; the attack uses crafted FsTx files on USB or EFI media to cause WinRE to spawn <code style=\"font-family:Consolas,monospace;background:#f3f4f6;padding:1px 4px;border-radius:3px;\">cmd.exe<\/code> after a Ctrl-keypress, sidestepping TPM-only BitLocker. On May 13&ndash;17 the group released <strong>GreenPlasma<\/strong> (a ctfmon.exe LPE-to-SYSTEM chain via a registry trick) and <strong>MiniPlasma<\/strong> (a weaponized PoC for the 2020-patched CVE-2020-17103 Cloud Files Mini Filter, still yielding SYSTEM on fully patched Windows 11). 
Barracuda&#8217;s retrospective ties together the six-exploit campaign \u2014 BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, MiniPlasma \u2014 including in-the-wild weaponization and the emergency Microsoft \/ CISA KEV response cycle.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/thehackernews.com\/2026\/05\/microsoft-yellowkey-bitlocker-bypass-mitigation.html\" style=\"color:#1d4ed8;text-decoration:none;\">The Hacker News (YellowKey)<\/a> &middot; <a href=\"https:\/\/www.helpnetsecurity.com\/2026\/05\/20\/yellowkey-bitlocker-bypass-cve-2026-45585-mitigation\/\" style=\"color:#1d4ed8;text-decoration:none;\">Help Net Security (YellowKey)<\/a> &middot; <a href=\"https:\/\/thehackernews.com\/2026\/05\/windows-zero-days-bitlocker-ctfmon-greenplasma-miniplasma.html\" style=\"color:#1d4ed8;text-decoration:none;\">The Hacker News (GreenPlasma\/MiniPlasma)<\/a> &middot; <a href=\"https:\/\/blog.barracuda.com\/2026\/05\/19\/nightmare-eclipse-six-zero-days-six-weeks\" style=\"color:#1d4ed8;text-decoration:none;\">Barracuda Labs<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">Microsoft Defender CVEs in the wild (May 19&ndash;21)<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">Two Defender flaws disclosed May 19 are being actively exploited. <strong>CVE-2026-41091<\/strong> is a link-following local privilege escalation in Defender scanning, granting SYSTEM. <strong>CVE-2026-45498<\/strong> is a denial-of-service in the Antimalware Platform. Both landed on the CISA Known Exploited Vulnerabilities catalog with a June 3 federal remediation deadline. The combination is especially nasty: -45498 silences Defender, -41091 then escalates inside the same host. 
Validate that Defender platform components are on the May patch level, and watch for unusual <code style=\"font-family:Consolas,monospace;background:#f3f4f6;padding:1px 4px;border-radius:3px;\">MsMpEng<\/code> child processes and Antimalware Platform service restarts.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/www.helpnetsecurity.com\/2026\/05\/21\/defender-cve-2026-41091-cve-2026-45498-exploited\/\" style=\"color:#1d4ed8;text-decoration:none;\">Help Net Security<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">Cisco SD-WAN UAT-8616: ongoing exploitation (May 14&ndash;18)<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">Cisco and Talos continue to attribute the active exploitation of <strong>CVE-2026-20182<\/strong> (CVSS 10.0 authentication bypass) and the earlier CVE-2026-20127 to <strong>UAT-8616<\/strong>, a sophisticated actor active since 2023 with overlap into a known ORB network. Post-compromise behavior: appending SSH keys to <code style=\"font-family:Consolas,monospace;background:#f3f4f6;padding:1px 4px;border-radius:3px;\">\/home\/vmanage-admin\/.ssh\/authorized_keys<\/code>, NETCONF configuration tampering, and root escalation. CISA Emergency Directive 26-03 mandated federal-civilian remediation by May 17; Talos publishes IOCs and YARA, plus authorized_keys persistence detection guidance. 
Critical-infrastructure operators with vManage exposure should run integrity checks on authorized_keys and recent NETCONF changes regardless of patch status.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/thehackernews.com\/2026\/05\/cisco-catalyst-sd-wan-auth-bypass-uat-8616.html\" style=\"color:#1d4ed8;text-decoration:none;\">The Hacker News<\/a> &middot; <a href=\"https:\/\/blog.talosintelligence.com\/uat-8616-cisco-sd-wan\/\" style=\"color:#1d4ed8;text-decoration:none;\">Cisco Talos<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">Trend Micro Apex One zero-day turns EDR into a delivery channel (May 20)<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\"><strong>CVE-2026-34926<\/strong> in on-prem <strong>Trend Micro Apex One<\/strong> is a directory-traversal that lets an admin-authenticated local attacker modify a key database table on the management server. Injected code then propagates to every connected endpoint agent through normal policy push, turning the EDR fleet into a malware-distribution channel. Added to CISA KEV May 20 with a June 4 federal deadline. The supply-chain framing matters: an attacker who reaches Apex One admin no longer needs to drop binaries on each host \u2014 they ride the trusted EDR update path.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/trend-micro-warns-of-apex-one-zero-day-cve-2026-34926\/\" style=\"color:#1d4ed8;text-decoration:none;\">BleepingComputer<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">SonicWall MFA bypass via login-format alternation (May 20)<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">ReliaQuest documented active exploitation of <strong>CVE-2024-12802<\/strong> on SonicWall Gen6 SSL-VPN. 
Attackers brute-force credentials, then exploit the fact that MFA enrollment is applied <em>per login-format<\/em> (UPN vs SAM) rather than per-user: where the victim account's MFA enrollment exists only for the SAM form, an attacker holding the password can re-authenticate via UPN and bypass MFA entirely. Crucially, the rogue logins appear in logs as normal MFA flows. The original patch was incomplete; SonicWall released supplemental guidance. Detection: alert on the same identity authenticating across both UPN and SAM forms within short windows, and on first-time UPN authentications from never-seen-before geos.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/sonicwall-vpn-mfa-bypass-incomplete-patching\/\" style=\"color:#1d4ed8;text-decoration:none;\">BleepingComputer<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">Exchange OWA CVE-2026-42897 and Ghost CMS ClickFix (May 18&ndash;25)<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">Two browser-layer exploitation stories book-ended the week. <strong>CVE-2026-42897<\/strong> (CVSS 8.1) is an OWA cross-site-scripting \/ spoofing bug in <strong>on-prem Exchange Server<\/strong> (Subscription Edition, 2019, 2016) \u2014 crafted emails trigger arbitrary JavaScript in the OWA browser context. No patch initially; Microsoft shipped an Emergency Mitigation Service rule (M2.1.x URL rewrite) while a fix is prepared. Meanwhile, <strong>Ghost CMS<\/strong> SQL injection <strong>CVE-2026-26980<\/strong> (Ghost 3.24.0&ndash;6.19.0) lets unauthenticated attackers read DB rows including admin API keys; XLab\/Qianxin reports 700+ compromised sites \u2014 Harvard, Oxford, Auburn, DuckDuckGo among them \u2014 where attackers used the keys to inject malicious JS into published articles, loading a cloaking script that fingerprints visitors and serves a fake Cloudflare prompt via iframe (the now-familiar <strong>ClickFix<\/strong> lure). 
Observed payloads: DLL loaders, JS droppers, and Electron-based <code style=\"font-family:Consolas,monospace;background:#f3f4f6;padding:1px 4px;border-radius:3px;\">UtilifySetup.exe<\/code>.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/thehackernews.com\/2026\/05\/exchange-owa-cve-2026-42897-crafted-email.html\" style=\"color:#1d4ed8;text-decoration:none;\">The Hacker News (Exchange)<\/a> &middot; <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/ghost-cms-sqli-cve-2026-26980-clickfix-campaign\/\" style=\"color:#1d4ed8;text-decoration:none;\">BleepingComputer (Ghost CMS)<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">Law-enforcement wins: Ukraine infostealer, Kimwolf DDoS, INTERPOL Ramz (May 19&ndash;22)<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">Three substantial criminal-infrastructure outcomes. <strong>Ukraine&#8217;s cyberpolice<\/strong> (with U.S. partners) identified an 18-year-old Odesa man running infrastructure that processed and resold browser-session and credential data from an infostealer campaign hitting 28,000 customer accounts of a California online retailer; 5,800 accounts were used for $721K in fraudulent purchases. <strong>Jacob Butler (&#8220;Dort&#8221;), 23, of Ottawa<\/strong>, was charged in U.S.\/Canada for operating <strong>Kimwolf<\/strong> \u2014 an AISURU-variant IoT botnet that enslaved millions of digital photo frames, IP cameras, and other niche edge devices; tied to ~30 Tbps DDoS and 25,000+ attack commands sold as a service. The Central District of California simultaneously unsealed seizure warrants against 45 DDoS-for-hire platforms. 
<strong>INTERPOL Operation Ramz<\/strong> \u2014 the first MENA-focused Interpol cybercrime operation, running Oct 2025&ndash;Feb 2026 across 13 countries \u2014 delivered 201 arrests, identified 382 additional suspects, recovered 3,867 victims, and seized 53 servers, including disruption of a phishing-as-a-service operation seized by Algerian authorities. For threat-intel teams: expect IOCs from these takedowns to start retiring infrastructure that&#8217;s been quietly reused across unrelated campaigns.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/ukraine-identifies-infostealer-operator-28000-accounts\/\" style=\"color:#1d4ed8;text-decoration:none;\">BleepingComputer (Ukraine)<\/a> &middot; <a href=\"https:\/\/thehackernews.com\/2026\/05\/kimwolf-ddos-botnet-arrest-canada.html\" style=\"color:#1d4ed8;text-decoration:none;\">The Hacker News (Kimwolf)<\/a> &middot; <a href=\"https:\/\/thehackernews.com\/2026\/05\/interpol-operation-ramz-mena-201-arrests.html\" style=\"color:#1d4ed8;text-decoration:none;\">The Hacker News (INTERPOL Ramz)<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">CISA contractor leaks GovCloud admin keys; DBIR documents the inversion (May 19&ndash;21)<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">Brian Krebs broke a story with major operational consequences: a contractor named &#8220;Private-CISA&#8221; (associated with <strong>Nightwing<\/strong>) maintained a public GitHub repo since November 2025 containing AWS GovCloud admin tokens, plaintext credentials for dozens of internal CISA systems, and a total of 844 MB in git history \u2014 with secret-scanning <em>disabled<\/em>. AWS keys remained valid 48 hours after takedown. Treat this as a credential-leak precedent for any partner with privileged federal access. 
In parallel, the <strong>Verizon DBIR 2026<\/strong> recorded the first time in 19 years that vulnerability exploitation (31%) overtook credential abuse (13%) as the initial-access vector, citing AI&#8217;s collapse of time-to-exploit from months to hours and noting orgs patched only 26% of CISA KEV entries (down from 38% in 2024). Read together: high-value credentials still leak out, but the attacker preference has rotated toward the patch-gap.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/krebsonsecurity.com\/2026\/05\/cisa-admin-leaked-aws-govcloud-keys-on-github\/\" style=\"color:#1d4ed8;text-decoration:none;\">KrebsOnSecurity<\/a> &middot; <a href=\"https:\/\/www.securityweek.com\/verizon-dbir-2026-vulnerability-exploitation-overtakes-credential-theft\/\" style=\"color:#1d4ed8;text-decoration:none;\">SecurityWeek (DBIR)<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">Trapdoor Android ad-fraud, Drupal SQLi, and the rest<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">HUMAN Security exposed <strong>Trapdoor<\/strong> \u2014 a different beast from the npm\/PyPI TrapDoor above \u2014 a 455-app Android ad-fraud operation (24M+ installs) abusing install-attribution to activate hidden WebView ad fraud only for users coming through threat-actor campaigns; peak 659M fake bid requests per day across 183 attacker C2 domains. 
CISA also added Drupal core SQL injection <strong>CVE-2026-9082<\/strong> (PostgreSQL backends with JSON:API, Views exposed filters, or entity-autocomplete exposed) to KEV; exploitation began within 48 hours of the patch release.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/thehackernews.com\/2026\/05\/trapdoor-android-ad-fraud-455-apps.html\" style=\"color:#1d4ed8;text-decoration:none;\">The Hacker News (Trapdoor Android)<\/a> &middot; <a href=\"https:\/\/thehackernews.com\/2026\/05\/cisa-adds-drupal-sqli-cve-2026-9082-to-kev.html\" style=\"color:#1d4ed8;text-decoration:none;\">The Hacker News \/ CISA (Drupal)<\/a><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:24px 28px 4px;\">\n<h2 style=\"margin:0 0 4px;font-size:20px;color:#0f172a;\">Calls to action \/ watch list for the next 7 days<\/h2>\n<div style=\"height:3px;width:48px;background-color:#dc2626;margin-bottom:14px;\"><\/div>\n<ol style=\"margin:0 0 12px 18px;padding:0;font-size:14px;color:#374151;\">\n<li style=\"margin-bottom:8px;\"><strong>Patch and mitigate the active-exploit cluster.<\/strong> Trend Micro Apex One (CVE-2026-34926, KEV June 4), Microsoft Defender (CVE-2026-41091, CVE-2026-45498, KEV June 3), Drupal core SQLi (CVE-2026-9082), Cisco SD-WAN (CVE-2026-20182, ED 26-03 deadline May 17), Exchange OWA (CVE-2026-42897 \u2014 EMS rule M2.1.x if no fix yet), Ghost CMS (CVE-2026-26980), SonicWall Gen6 SSL-VPN (CVE-2024-12802 supplemental patch). 
Apply the YellowKey (CVE-2026-45585) WinRE BootExecute mitigation across the BitLocker fleet.<\/li>\n<li style=\"margin-bottom:8px;\"><strong>Audit the package-ecosystem blast radius.<\/strong> Search every dev environment, CI, and registry mirror for: Megalodon-injected GitHub Actions workflows (forged bot identities + base64-encoded bash + C2 <code style=\"font-family:Consolas,monospace;background:#f3f4f6;padding:1px 4px;border-radius:3px;\">216.126.225.129:8443<\/code>); TrapDoor packages across npm\/PyPI\/crates.io targeting crypto\/DeFi\/Solana\/AI projects; Laravel-Lang Composer versions installed since May 22; and any AI-coding-assistant PRs that look prompt-injected.<\/li>\n<li style=\"margin-bottom:8px;\"><strong>Hunt Webworm and UAT-8616 across the European-government and critical-infrastructure verticals.<\/strong> Webworm&#8217;s Microsoft Graph \/ OneDrive C2 is the highest-leverage detection \u2014 baseline Graph traffic and audit OneDrive item names for the ESET-published indicators. For UAT-8616, integrity-check <code style=\"font-family:Consolas,monospace;background:#f3f4f6;padding:1px 4px;border-radius:3px;\">\/home\/vmanage-admin\/.ssh\/authorized_keys<\/code> and recent NETCONF changes on every vManage.<\/li>\n<li style=\"margin-bottom:8px;\"><strong>Sweep for Fox Tempest Microsoft Artifact Signing certs (May 1&ndash;20).<\/strong> Any binary signed by a freshly minted, short-lived certificate in this window \u2014 even when &#8220;Microsoft&#8221; appears in the signer chain \u2014 should be triaged. Healthcare, education, government, and finance: prioritize.<\/li>\n<li style=\"margin-bottom:8px;\"><strong>Cross-reference First VPN egress IPs against historical IR caseload.<\/strong> Europol preserved the 5,000-account user database. 
Once published, run the egress IP ranges against unattributed ransomware incidents 2024&ndash;2026 \u2014 there is a strong chance of new attribution links and victim notifications.<\/li>\n<li style=\"margin-bottom:8px;\"><strong>Reset detection priors against the DBIR inversion.<\/strong> If your detection content is still credential-abuse-first, refactor. Vulnerability exploitation is now the dominant initial-access vector; weight your investment in scanner-to-detection telemetry, KEV remediation SLAs, and exposed-service inventories accordingly.<\/li>\n<\/ol>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:28px 28px 32px;border-top:1px solid #e5e7eb;color:#6b7280;font-size:12px;text-align:center;\">\n<p style=\"margin:0 0 6px;color:#6b7280;\">The Malware Analysis Brief &middot; a Newshunter publication<\/p>\n<p style=\"margin:0 0 6px;color:#6b7280;\">Weekly news items are from the previous seven days. Foundational reading is refreshed each week.<\/p>\n<p style=\"margin:14px 0 4px;font-size:11px;color:#9ca3af;\">Newsletter design, layout, and editorial curation &copy; 2026 Security Radar LLC. All rights reserved.<\/p>\n<p style=\"margin:0;font-size:11px;color:#9ca3af;\">Article titles and summaries are excerpted for review and commentary; all linked articles remain the copyright of their respective publishers and authors.<\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Malware Analysis Bulletin &middot; Issue May 24, 2026 The Malware Analysis Brief APT campaigns, malware families, active exploits, deep detection and response This week at a glance The deepest week of the quarter. 
A multi-front supply-chain wave hit nearly every package ecosystem at once: the Megalodon campaign pushed 5,718 malicious&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,47],"tags":[],"class_list":["post-5243","post","type-post","status-publish","format-standard","hentry","category-malware","category-threat_intel"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/5243","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5243"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/5243\/revisions"}],"predecessor-version":[{"id":5254,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/5243\/revisions\/5254"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5243"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5243"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5243"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}