{"id":5291,"date":"2026-06-03T18:33:53","date_gmt":"2026-06-03T23:33:53","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/?p=5291"},"modified":"2026-06-03T18:33:53","modified_gmt":"2026-06-03T23:33:53","slug":"malware-analysis-weekly-june-7-2026","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/?p=5291","title":{"rendered":"Malware Analysis Weekly &mdash; June 7, 2026"},"content":{"rendered":"<style>\n.single .entry-title,\n.single .entry-header .entry-title,\n.single .post-title,\n.single header.entry-header h1,\n.single h1.entry-title,\n.single .page-title,\n.post-template-default h1.entry-title,\n.post-template-default .entry-header,\narticle .entry-header,\narticle .entry-title { display: none !important; }\n.single .entry-header { margin: 0 !important; padding: 0 !important; }\n.single .entry-content { margin-top: 0 !important; padding-top: 0 !important; }\n<\/style>\n<table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"background-color:#f4f5f7;\">\n<tr>\n<td align=\"center\" style=\"padding:24px 12px;\">\n<table role=\"presentation\" width=\"680\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"max-width:680px;width:100%;background-color:#ffffff;border-radius:8px;overflow:hidden;box-shadow:0 1px 3px rgba(0,0,0,0.08);\">\n<tr>\n<td style=\"background-color:#7f1d1d;background:linear-gradient(135deg,#7f1d1d 0%,#b91c1c 100%);padding:32px 28px 24px;color:#ffffff;\">\n<div style=\"font-size:12px;letter-spacing:2px;text-transform:uppercase;opacity:0.75;margin-bottom:8px;color:#ffffff;\">Malware Analysis Weekly &middot; Issue June 7, 2026<\/div>\n<h1 style=\"margin:0;font-size:28px;line-height:1.2;font-weight:700;color:#ffffff;\">Malware Analysis Weekly<\/h1>\n<p style=\"margin:8px 0 0;font-size:14px;opacity:0.85;color:#ffffff;\">Families, campaigns, TTPs, and IOCs from the field &middot; for malware analysts and IR teams<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td 
style=\"padding:28px 28px 4px;\">\n<h2 style=\"margin:0 0 12px;font-size:18px;color:#0f172a;border-bottom:2px solid #b91c1c;padding-bottom:6px;\">At a glance<\/h2>\n<p style=\"margin:0 0 12px;font-size:15px;color:#374151;\">Two threads dominated the past ten days. First, <strong>AI-assisted malware development<\/strong> stepped out of the proof-of-concept phase: Sophos uncovered a Claude-Opus-4.5-orchestrated lab generating ~80 Rust\/Go modules tested against three EDRs in a Ludus virtualization range, and CSO + Security Affairs profiled <strong>Greyvibe<\/strong>, a Russia-aligned crew using AI extensively across phishing and credential theft while still leaking traceable OPSEC signatures.<\/p>\n<p style=\"margin:0 0 12px;font-size:15px;color:#374151;\">Second, the <strong>supply-chain wave<\/strong> stayed loud. The <strong>Miasma<\/strong> Mini Shai-Hulud variant compromised 32+ @redhat-cloud-services npm versions on June 1 via a hijacked GitHub account abusing OIDC. Kaspersky confirmed <strong>DAEMON Tools<\/strong> installers signed and distributed from the legitimate site have carried a CRT-init backdoor since April 8. Grandoreiro and BTMOB RAT ran parallel Windows\/Android campaigns across Iberia and LATAM.<\/p>\n<p style=\"margin:0 0 18px;font-size:15px;color:#374151;\">Active-exploitation IOCs piled up too &mdash; <strong>PAN-OS GlobalProtect (CVE-2026-0257)<\/strong> auth-bypass exploitation in the wild, <strong>Ivanti EPMM (CVE-2026-6973)<\/strong> in KEV with a 3-day remediation, <strong>Drupal Core (CVE-2026-9082)<\/strong> SQLi hit 15,000+ times in 65 countries, and a fresh PAN-OS hunting checklist from Rapid7. 
Novel C2 patterns kept showing up: TON-network endpoints in TrickMo&rsquo;s Android variant, Steam Community profile comments as dead-drops for ~1,980 WordPress sites, and GlassWorm&rsquo;s multi-channel (Solana, BitTorrent, Calendar) resilience model now postmortemed after takedown.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:18px 28px 4px;\">\n<h2 style=\"margin:0 0 4px;font-size:20px;color:#0f172a;\">Topic map &mdash; families, actors, CVEs, and how they intersect<\/h2>\n<div style=\"height:3px;width:48px;background-color:#b91c1c;margin-bottom:14px;\"><\/div>\n<p style=\"margin:0 0 8px;font-size:11px;color:#64748b;\">Named entities extracted from this week&rsquo;s 20 malware-analysis articles &mdash; threat actors, malware families, CVEs, vendors, researchers, and the campaigns or themes connecting them.<\/p>\n<div style=\"background-color:#ffffff;border:1px solid #e2e8f0;border-radius:8px;padding:14px;\">\n<img decoding=\"async\" src=\"https:\/\/www.cybersecurityinstitute.com\/blog\/wp-content\/uploads\/2026\/06\/topic-map-malware-analysis-2026-06-07.png\" alt=\"Topic map for malware analysis\" style=\"width:100%;max-width:880px;height:auto;display:block;margin:0 auto;\" \/>\n<\/div>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:24px 28px 4px;\">\n<h2 style=\"margin:0 0 4px;font-size:20px;color:#0f172a;\">Article index<\/h2>\n<div style=\"height:3px;width:48px;background-color:#b91c1c;margin-bottom:14px;\"><\/div>\n<h3 style=\"margin:14px 0 8px;font-size:15px;color:#b91c1c;text-transform:uppercase;letter-spacing:1px;\">Supply-chain &amp; signed-package compromises<\/h3>\n<p style=\"margin:0 0 8px;font-size:13px;color:#475569;\">Self-propagating npm worms, signed-installer backdoors, and a banking-trojan re-tooling campaign hitting trusted distribution channels.<\/p>\n<table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"font-size:13px;border-collapse:collapse;\">\n<tr style=\"background-color:#f8fafc;\">\n<th 
align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:8%;\">#<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:62%;\">Article<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:20%;\">Source<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:10%;\">Date<\/th>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">1<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/06\/miasma-supply-chain-attack-compromises.html\" style=\"color:#1d4ed8;text-decoration:none;\">Miasma Supply Chain Attack Compromises Red Hat npm Packages<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jun 2<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">7<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/daemon-tools-trojanized-in-supply-chain-attack-to-deploy-backdoor\/\" style=\"color:#1d4ed8;text-decoration:none;\">DAEMON Tools trojanized in supply-chain attack<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">BleepingComputer<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 26<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">5<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/05\/grandoreiro-malware-and-btmob-rat.html\" style=\"color:#1d4ed8;text-decoration:none;\">Grandoreiro and BTMOB RAT 
Campaigns Target Windows and Android<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 27<\/td>\n<\/tr>\n<\/table>\n<h3 style=\"margin:22px 0 8px;font-size:15px;color:#7c3aed;text-transform:uppercase;letter-spacing:1px;\">AI-assisted malware development<\/h3>\n<p style=\"margin:0 0 8px;font-size:13px;color:#475569;\">Frontier-model orchestration of evasion, automated AD discovery, and actor-level adoption &mdash; with the inevitable counter-current (deliberately AI-free analyst tooling).<\/p>\n<table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"font-size:13px;border-collapse:collapse;\">\n<tr style=\"background-color:#f8fafc;\">\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:8%;\">#<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:62%;\">Article<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:20%;\">Source<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:10%;\">Date<\/th>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">2<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/ai-built-ransomware-toolkit-automates-edr-evasion-ad-discovery\/\" style=\"color:#1d4ed8;text-decoration:none;\">AI-built ransomware toolkit automates EDR evasion, AD discovery<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">BleepingComputer<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jun 2<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 
6px;border-bottom:1px solid #f1f5f9;color:#475569;\">3<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.helpnetsecurity.com\/2026\/06\/02\/ai-agents-edr-evasion-techniques\/\" style=\"color:#1d4ed8;text-decoration:none;\">Sophos uncovers AI-powered malware lab built for EDR evasion<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Help Net Security<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jun 2<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">17<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.csoonline.com\/article\/4176701\/as-ai-speeds-coding-cve-lite-cli-keeps-security-deliberately-ai-free.html\" style=\"color:#1d4ed8;text-decoration:none;\">CVE Lite CLI keeps security deliberately AI-free<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">CSO Online<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Recent<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">18<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.csoonline.com\/article\/4178879\/russia-aligned-crime-group-greyvibe-extensively-uses-ai-in-attacks.html\" style=\"color:#1d4ed8;text-decoration:none;\">Russia-aligned crime group Greyvibe extensively uses AI in attacks<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">CSO Online<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Recent<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">20<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a 
href=\"https:\/\/securityaffairs.com\/192877\/apt\/meet-greyvibe-the-russian-linked-hacking-group-using-ai-to-target-ukraine-and-still-making-rookie-mistakes.html\" style=\"color:#1d4ed8;text-decoration:none;\">Meet Greyvibe: Russia-linked AI-using group targeting Ukraine<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Security Affairs<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">2026<\/td>\n<\/tr>\n<\/table>\n<h3 style=\"margin:22px 0 8px;font-size:15px;color:#ea580c;text-transform:uppercase;letter-spacing:1px;\">Active-exploitation campaigns &amp; IOCs<\/h3>\n<p style=\"margin:0 0 8px;font-size:13px;color:#475569;\">Edge-VPN auth bypass, KEV-listed MDM RCE, identity-only cloud breach, mass CMS SQLi, and live ClickFix-to-RAT infection chains analysts can hunt today.<\/p>\n<table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"font-size:13px;border-collapse:collapse;\">\n<tr style=\"background-color:#f8fafc;\">\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:8%;\">#<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:62%;\">Article<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:20%;\">Source<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:10%;\">Date<\/th>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">11<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/05\/pan-os-globalprotect-authentication.html\" style=\"color:#1d4ed8;text-decoration:none;\">PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation<\/a><\/td>\n<td style=\"padding:8px 
6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 31<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">12<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.helpnetsecurity.com\/2026\/05\/08\/ivanti-epmm-zero-day-cve-2026-6973\/\" style=\"color:#1d4ed8;text-decoration:none;\">Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Help Net Security<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 8<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">13<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/05\/18\/storm-2949-turned-compromised-identity-into-cloud-wide-breach\/\" style=\"color:#1d4ed8;text-decoration:none;\">How Storm-2949 turned a compromised identity into a cloud-wide breach<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Microsoft Security<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 18<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">14<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/05\/drupal-core-sql-injection-bug-actively.html\" style=\"color:#1d4ed8;text-decoration:none;\">Drupal Core SQL Injection (CVE-2026-9082) Actively Exploited, Added to KEV<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 28<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 
6px;border-bottom:1px solid #f1f5f9;color:#475569;\">15<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/isc.sans.edu\/diary\/33034\" style=\"color:#1d4ed8;text-decoration:none;\">Unidentified RAT pushes NetSupport RAT (SmartApeSG ClickFix)<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">SANS ISC Diary<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jun 1<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">16<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.helpnetsecurity.com\/2026\/06\/01\/hackers-are-exploiting-palo-alto-globalprotect-vpn-authentication-bypass-cve-2026-0257\/\" style=\"color:#1d4ed8;text-decoration:none;\">Hackers exploiting PAN-OS GlobalProtect VPN auth bypass &mdash; log-line examples<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Help Net Security<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jun 1<\/td>\n<\/tr>\n<\/table>\n<h3 style=\"margin:22px 0 8px;font-size:15px;color:#0891b2;text-transform:uppercase;letter-spacing:1px;\">Stealers, RATs &amp; ransomware families<\/h3>\n<p style=\"margin:0 0 8px;font-size:13px;color:#475569;\">MaaS at scale, novel dead-drop C2 channels, multi-channel botnet takedowns, blockchain-routed Android trojans, and a fresh double-extortion crew.<\/p>\n<table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"font-size:13px;border-collapse:collapse;\">\n<tr style=\"background-color:#f8fafc;\">\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:8%;\">#<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:62%;\">Article<\/th>\n<th align=\"left\" style=\"padding:8px 
6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:20%;\">Source<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:10%;\">Date<\/th>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">4<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/over-116-000-minecraft-systems-infected-in-weedhack-malware-campaign\/\" style=\"color:#1d4ed8;text-decoration:none;\">Over 116,000 Minecraft systems infected in WeedHack malware campaign<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">BleepingComputer<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jun 3<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">6<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/wordpress-malware-campaign-hides-payloads-in-steam-profiles\/\" style=\"color:#1d4ed8;text-decoration:none;\">WordPress malware campaign hides payloads in Steam profiles<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">BleepingComputer<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jun 1<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">8<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.crowdstrike.com\/en-us\/blog\/inside-crowdstrike-takedown-of-a-developer-targeting-botnet\/\" style=\"color:#1d4ed8;text-decoration:none;\">CrowdStrike, Google, and Shadowserver dismantle GlassWorm botnet<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">CrowdStrike Blog<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid 
#f1f5f9;color:#475569;\">May 27<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">9<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/securityaffairs.com\/192003\/malware\/android-banking-trojan-trickmo-evolves-using-ton-network-for-c2.html\" style=\"color:#1d4ed8;text-decoration:none;\">New TrickMo Variant Uses TON C2 and SOCKS5 to Create Android Network Pivots<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Security Affairs<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 12<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">10<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.godaddy.com\/resources\/news\/malware-targeting-wordpress-abuses-steam-community-profiles\" style=\"color:#1d4ed8;text-decoration:none;\">WordPress Malware Abuses Steam Community Profiles for C2 (technical writeup)<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">GoDaddy Security Blog<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 29<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">19<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.csoonline.com\/article\/4178580\/the-gentlemen-are-coming-for-your-files-and-then-your-network.html\" style=\"color:#1d4ed8;text-decoration:none;\">The Gentlemen are coming for your files &mdash; and then your network<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">CSO Online<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Recent<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:24px 28px 4px;\">\n<h2 style=\"margin:0 0 
4px;font-size:20px;color:#0f172a;\">Detailed write-ups<\/h2>\n<div style=\"height:3px;width:48px;background-color:#b91c1c;margin-bottom:14px;\"><\/div>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">1. Miasma Supply Chain Attack Compromises Red Hat npm Packages<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">A new Mini Shai-Hulud variant dubbed <strong>Miasma<\/strong> compromised 32+ <code>@redhat-cloud-services<\/code> npm versions on June 1 after a hijacked GitHub account pushed orphan commits that triggered OIDC-backed GitHub Actions publishing. Once installed, the worm sweeps <code>GITHUB_TOKEN<\/code>, AWS\/GCP\/Azure credentials, Vault and Kubernetes service-account tokens, then republishes backdoored versions across every package the compromised identity has rights to. Concrete TTPs: orphan-commit triggering of trusted-publishing workflows, OIDC token theft from runner memory, recursive republish to multiply the blast radius. IR teams should rotate any token issued from impacted publishing workflows, audit recent <code>@redhat-cloud-services<\/code> installs, and block downstream egress.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/thehackernews.com\/2026\/06\/miasma-supply-chain-attack-compromises.html\" style=\"color:#1d4ed8;text-decoration:none;\">The Hacker News<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">2. AI-built ransomware toolkit automates EDR evasion, AD discovery<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">Sophos uncovered an AI-orchestrated malware lab built around a <strong>Claude Opus 4.5<\/strong> coordinator agent driving Cursor IDE to generate roughly <strong>80 Rust and Go modules<\/strong>, then test each against Sophos, CrowdStrike, and Microsoft Defender EDRs. Operational infra: Sliver C2, Cobalt Strike beacons disguised as web traffic, Telegram-based C2, and Cloudflare Worker proxies. 
The orchestration loop iterated until samples evaded the target stack, with a human-in-the-loop hardening pass at the end. Defenders should treat the toolkit as a template &mdash; expect rapid module turnover, Rust\/Go-leaning binaries, and Telegram or Cloudflare Worker C2 fronts.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/ai-built-ransomware-toolkit-automates-edr-evasion-ad-discovery\/\" style=\"color:#1d4ed8;text-decoration:none;\">BleepingComputer<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">3. Sophos uncovers AI-powered malware lab built for EDR evasion<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">Companion coverage filling in the operational detail: a <strong>Ludus virtualization lab<\/strong> mirrors target estates, Russian-language Python orchestration scripts drive Cursor sessions, and an automated <strong>Active Directory discovery panel<\/strong> enumerates trusts and high-value identities before payload selection. Each generated module is funneled through a human-in-the-loop hardening workflow so the operator can promote, reject, or re-prompt. The pipeline turns frontier-model output into ready-to-deploy tooling at a pace that strains signature- and behavior-rule cadences. Hunt for Cursor or Ludus artifacts in suspected staging hosts, and look for Russian-language Python in dev-environment forensics.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/www.helpnetsecurity.com\/2026\/06\/02\/ai-agents-edr-evasion-techniques\/\" style=\"color:#1d4ed8;text-decoration:none;\">Help Net Security<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">4. 
Over 116,000 Minecraft systems infected in WeedHack malware campaign<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">McAfee exposed <strong>WeedHack<\/strong>, a malware-as-a-service infostealer distributed via YouTube videos and SEO-poisoned Minecraft mods. The campaign spans 240+ URLs and 3,820 malicious JARs. The free tier steals session IDs and cookies across <strong>36 browsers, 56 crypto add-ons, and 12 wallets<\/strong>; the premium tier layers a RAT with keylogger, webcam capture, and remote shell. JAR delivery, gaming-mod lure, and tiered MaaS pricing mark this as both a credential-harvest engine and a foothold for downstream operators. IR teams: hunt for unsigned Java processes spawned from user-mod directories and outbound to recently registered mod-hosting infrastructure.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/over-116-000-minecraft-systems-infected-in-weedhack-malware-campaign\/\" style=\"color:#1d4ed8;text-decoration:none;\">BleepingComputer<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">5. Grandoreiro Malware and BTMOB RAT Campaigns Target Windows and Android<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">WatchGuard and ESET document parallel campaigns. <strong>Grandoreiro<\/strong> (Windows banking trojan) uses <strong>DLL side-loading via four legitimate apps<\/strong> to target Portuguese banks; victims sit across Spain, Portugal, Mexico, and Brazil. <strong>BTMOB v4.5.5<\/strong> &mdash; an Android RAT pitched as the successor to CraxsRAT\/CypherRAT\/SpySolr at <strong>$700\/month<\/strong> &mdash; rides the same regions and overlaps in some lure infrastructure. 
Two named families, current pricing, side-loading TTPs &mdash; everything an IR or malware-analysis team needs to build yara, EDR detection content, and customer-comms templates for LATAM\/Iberia exposure.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/thehackernews.com\/2026\/05\/grandoreiro-malware-and-btmob-rat.html\" style=\"color:#1d4ed8;text-decoration:none;\">The Hacker News<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">6. WordPress malware campaign hides payloads in Steam profiles<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">GoDaddy found ~<strong>1,980 WordPress sites<\/strong> running malware that encodes next-stage URLs into Steam Community profile comments using <strong>invisible Unicode characters<\/strong>. The chain is two-stage: front-end JavaScript injection retrieves the encoded URL from a chosen Steam profile, then a server-side PHP backdoor renders payloads on demand. Steam Community is a perfect dead drop &mdash; high reputation, never blocked, and trivially mutable by the actor. Detection content: outbound requests from PHP processes to <code>steamcommunity.com<\/code> profile pages, and Unicode-rich strings in WordPress option tables. Pair with #10 below for the encoding scheme and primary IOCs.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/wordpress-malware-campaign-hides-payloads-in-steam-profiles\/\" style=\"color:#1d4ed8;text-decoration:none;\">BleepingComputer<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">7. DAEMON Tools trojanized in supply-chain attack<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">Kaspersky disclosed that <strong>DAEMON Tools installers (versions 12.5.0.2421&ndash;12.5.0.2434)<\/strong> distributed from the legitimate signed website since April 8 carry a <strong>CRT-init backdoor<\/strong>. 
Thousands of infections span <strong>100+ countries<\/strong>; forensic artifacts point to a Chinese-speaking actor. CRT-init persistence runs the backdoor inside the C runtime initialization path before <code>main()<\/code>, evading import-table and entry-point-based static checks. IR: pull installer hashes and check against the affected version band, dust off process-creation telemetry for legitimate DAEMON Tools binaries spawning unusual child processes, and treat any signed software installed in that window as suspect until validated.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/daemon-tools-trojanized-in-supply-chain-attack-to-deploy-backdoor\/\" style=\"color:#1d4ed8;text-decoration:none;\">BleepingComputer<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">8. CrowdStrike, Google, and Shadowserver dismantle GlassWorm botnet<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">May 26 takedown of <strong>GlassWorm<\/strong>, a developer-targeting botnet running <strong>four parallel C2 channels<\/strong>: Solana memo transactions, BitTorrent DHT lookups, Google Calendar dead-drops, and conventional VPS infrastructure. Propagation rode trojanized OpenVSX extensions, poisoned npm and Python packages, and <strong>300+ compromised GitHub repos<\/strong>. The CrowdStrike postmortem documents both the joint operation and the resilience design &mdash; multiple, fundamentally different lookup paths so seizing any one doesn&rsquo;t kill the botnet. 
Useful as a reference architecture for the next campaign: expect Calendar, blockchain, and DHT dead-drops to keep showing up.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/www.crowdstrike.com\/en-us\/blog\/inside-crowdstrike-takedown-of-a-developer-targeting-botnet\/\" style=\"color:#1d4ed8;text-decoration:none;\">CrowdStrike Blog<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">9. New TrickMo Variant Uses TON C2 and SOCKS5 to Create Android Network Pivots<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">ThreatFabric documents a <strong>TrickMo variant<\/strong> that routes C2 over <strong>TON (The Open Network)<\/strong>, resolving <code>.adnl<\/code> endpoints through an embedded proxy. A new <strong>SOCKS5 module<\/strong> turns infected Android devices into fraud-traffic exit nodes, monetizing the foothold even when banking-overlay theft fails. The blockchain-network C2 path is the headline: classic DNS\/IP takedowns don&rsquo;t reach it, and TON addresses are cheap to rotate. Detection focus: outbound traffic to TON proxies, anomalous Android SOCKS5 listeners, and unusual mobile-device patterns in fraud-network exit logs. Expect the TON C2 pattern to spread beyond TrickMo.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/securityaffairs.com\/192003\/malware\/android-banking-trojan-trickmo-evolves-using-ton-network-for-c2.html\" style=\"color:#1d4ed8;text-decoration:none;\">Security Affairs<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">10. 
WordPress Malware Abuses Steam Community Profiles for C2 (technical writeup)<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">GoDaddy&rsquo;s primary-source analysis on the Steam-profile dead-drop campaign &mdash; full IOCs, the <strong>invisible-Unicode encoding scheme<\/strong> mapping zero-width characters to URL bytes, the <code>hello-mywordl[.]info<\/code> delivery domain, and the PHP backdoor artifacts. The encoding makes manual triage hard (the comments look empty) but it&rsquo;s deterministic: a small regex on zero-width spaces, joiners, and direction marks decodes the C2 URL. Pair with #6 above; use this writeup to build the parser, then sweep WordPress fleets for the backdoor artifacts.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/www.godaddy.com\/resources\/news\/malware-targeting-wordpress-abuses-steam-community-profiles\" style=\"color:#1d4ed8;text-decoration:none;\">GoDaddy Security Blog<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">11. PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">A critical authentication bypass in <strong>Palo Alto PAN-OS GlobalProtect<\/strong> lets unauthenticated attackers forge auth cookies to obtain VPN access. <strong>Rapid7 MDR<\/strong> reports in-the-wild exploitation from May 17 onward. Hunt for &ldquo;Cookie&rdquo; auth-method logins from previously unseen IPs, anomalous geos for known users, and rapid session creation followed by lateral RDP\/SSH. See item 16 for log-line examples (spoofed MAC, GP-CLIENT user agent) and concrete SIEM search strings. 
Patch and rotate any sessions established during the exposure window.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/thehackernews.com\/2026\/05\/pan-os-globalprotect-authentication.html\" style=\"color:#1d4ed8;text-decoration:none;\">The Hacker News<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">12. Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\"><strong>CISA added CVE-2026-6973<\/strong> (Ivanti Endpoint Manager Mobile authenticated RCE) to the KEV catalog with a <strong>3-day remediation deadline<\/strong>. Harvested admin credentials link this campaign to the earlier CVE-2026-1340 activity, suggesting the same actor cluster is pivoting through stale EPMM admin sessions. No reliable atomic IOCs &mdash; build behavioral analytics around EPMM admin actions: bulk policy edits, unexpected MDM-payload pushes, and command shells spawned from EPMM service accounts. Treat EPMM admin credentials issued during the exposure window as compromised.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/www.helpnetsecurity.com\/2026\/05\/08\/ivanti-epmm-zero-day-cve-2026-6973\/\" style=\"color:#1d4ed8;text-decoration:none;\">Help Net Security<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">13. How Storm-2949 turned a compromised identity into a cloud-wide breach<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">Microsoft Threat Intelligence details a <strong>no-malware<\/strong> identity-driven campaign by <strong>Storm-2949<\/strong>. The chain abuses <strong>Entra ID Self-Service Password Reset<\/strong> and MFA fatigue to take over identities, then pivots across M365, OneDrive, SharePoint, and Azure resources. There is no implant to find &mdash; only behavior. 
KQL content priorities: SSPR events from unusual networks, MFA prompt bursts, post-authentication enumeration of OneDrive\/SharePoint, and Azure Portal sessions from non-standard ASNs. Conditional Access policies covering SSPR risk and impossible-travel are the structural fixes.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/05\/18\/storm-2949-turned-compromised-identity-into-cloud-wide-breach\/\" style=\"color:#1d4ed8;text-decoration:none;\">Microsoft Security<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">14. Drupal Core SQL Injection (CVE-2026-9082) Actively Exploited, Added to KEV<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">A critical PostgreSQL-specific SQLi in <strong>Drupal Core<\/strong> was added to KEV in under two days. <strong>Imperva<\/strong> observed <strong>15,000+ attack attempts against ~6,000 sites in 65 countries<\/strong>. Mass exploitation against a public-facing CMS implies many low-effort foothold opportunities for opportunistic actors and follow-on web-shell drops. Defenders: confirm patch level on every Drupal property, audit recent database errors and unusual queries against PostgreSQL backends, and watch for newly created admin accounts or modified <code>node<\/code>\/<code>users_field_data<\/code> rows.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/thehackernews.com\/2026\/05\/drupal-core-sql-injection-bug-actively.html\" style=\"color:#1d4ed8;text-decoration:none;\">The Hacker News<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">15. 
Unidentified RAT pushes NetSupport RAT (SmartApeSG ClickFix)<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">SANS ISC reports a May 27 infection where an <strong>unidentified RAT (C2 at 89.110.110.119:443)<\/strong> delivered a <strong>NetSupport Manager RAT<\/strong> package via a <strong>SmartApeSG ClickFix<\/strong> fake-CAPTCHA chain. The TTP analysts should pull out: <code>mshta<\/code> invoked from clipboard contents the user pasted after a ClickFix prompt. Detection content: <code>mshta.exe<\/code> with non-file arguments, suspicious clipboard-write events followed by mshta or wscript launches, and outbound to the listed IP. The ClickFix lure remains one of the most productive initial-access patterns going into Q3.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/isc.sans.edu\/diary\/33034\" style=\"color:#1d4ed8;text-decoration:none;\">SANS ISC Diary<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">16. Hackers exploiting Palo Alto GlobalProtect VPN authentication bypass (CVE-2026-0257)<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">Companion to #11 with the operational SIEM\/EDR content: Rapid7 MDR observations and concrete <strong>log-line examples<\/strong> showing the <strong>Cookie auth method<\/strong>, a <strong>spoofed MAC address<\/strong>, and the <strong>GP-CLIENT user agent<\/strong> on forged sessions. Plug these into your hunt queries directly &mdash; particularly anything that pairs <code>auth-method=&quot;Cookie&quot;<\/code> with first-time-seen client IPs or unusual GP-CLIENT versions. 
Detection should also alert on Cookie-auth sessions arriving from countries or ASNs outside the user&rsquo;s baseline.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/www.helpnetsecurity.com\/2026\/06\/01\/hackers-are-exploiting-palo-alto-globalprotect-vpn-authentication-bypass-cve-2026-0257\/\" style=\"color:#1d4ed8;text-decoration:none;\">Help Net Security<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">17. As AI speeds coding, CVE Lite CLI keeps security deliberately AI-free<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">CSO profiles <strong>CVE Lite CLI<\/strong>, a new analyst tool that adopts a deliberately <strong>AI-free<\/strong> stance, citing reliability and trust concerns &mdash; specifically the cost of hallucinated CVE detail in a workflow where ground-truth matters. The piece is useful as a counter-current reference point for malware analysts whose toolchain is otherwise going agentic: signal-stable, deterministic CVE handling at the CLI is still a viable choice and worth surfacing when asked to justify model-free links in the analysis pipeline.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/www.csoonline.com\/article\/4176701\/as-ai-speeds-coding-cve-lite-cli-keeps-security-deliberately-ai-free.html\" style=\"color:#1d4ed8;text-decoration:none;\">CSO Online<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">18. Russia-aligned crime group Greyvibe extensively uses AI in attacks<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">CSO covers <strong>Greyvibe<\/strong>, a Russia-aligned crime crew making <strong>extensive use of AI<\/strong> across attack tradecraft &mdash; phishing generation, credential-theft staging, and translation\/localization. 
The piece highlights <strong>operational shortcuts<\/strong> that produce <strong>traceable telltale signatures<\/strong> &mdash; reused prompt-shaped phrasing, consistent translation artifacts, and timestamp\/locale slips that betray the toolchain. Threat-hunters can build clustering on the language artifacts even before binary IOCs land. Useful actor profile to pair with the Sophos lab finding: AI-assisted offensive operations leave fingerprints when the operator skips OPSEC.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/www.csoonline.com\/article\/4178879\/russia-aligned-crime-group-greyvibe-extensively-uses-ai-in-attacks.html\" style=\"color:#1d4ed8;text-decoration:none;\">CSO Online<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">19. The Gentlemen are coming for your files &mdash; and then your network<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">CSO profiles <strong>The Gentlemen<\/strong>, a ransomware group running a textbook <strong>double-extortion playbook<\/strong> &mdash; data theft first, then lateral movement to network-wide encryption. Victim profile and TTPs are conventional but well-executed: phishing or stolen creds for initial access, off-the-shelf RMM for persistence, AD enumeration, archive-and-exfil before locker detonation. IR teams should treat the group as a likely client of broker traffic; once The Gentlemen surface in the environment, the original initial-access compromise is likely several weeks old. 
Hunt for archive utilities running on unexpected hosts, unusual outbound to cloud-storage, and the RMM tools commonly chosen by the cluster.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/www.csoonline.com\/article\/4178580\/the-gentlemen-are-coming-for-your-files-and-then-your-network.html\" style=\"color:#1d4ed8;text-decoration:none;\">CSO Online<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">20. Meet Greyvibe, the Russia-linked group using AI to target Ukraine<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">Security Affairs companion to #18 with Ukraine-focused detail: AI-assisted <strong>phishing and credential theft<\/strong>, but also explicit <strong>rookie OPSEC mistakes<\/strong> &mdash; reused infrastructure, leaked development artifacts, and language slips that ease attribution. The piece is particularly useful for hunters building &ldquo;cheap and dirty&rdquo; clustering rules: when AI accelerates an operator who lacks discipline, telltale infrastructure reuse is the soft spot. 
Combine with the CSO write-up (#18) and the Sophos lab finding (#2\/#3) for a full picture of AI-in-the-loop crime tradecraft going into Q3.<\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/securityaffairs.com\/192877\/apt\/meet-greyvibe-the-russian-linked-hacking-group-using-ai-to-target-ukraine-and-still-making-rookie-mistakes.html\" style=\"color:#1d4ed8;text-decoration:none;\">Security Affairs<\/a><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:24px 28px 4px;\">\n<h2 style=\"margin:0 0 4px;font-size:20px;color:#0f172a;\">On our watch list<\/h2>\n<div style=\"height:3px;width:48px;background-color:#b91c1c;margin-bottom:14px;\"><\/div>\n<ol style=\"margin:0 0 12px 18px;padding:0;font-size:14px;color:#374151;\">\n<li style=\"margin-bottom:8px;\"><strong>The next Mini Shai-Hulud variants.<\/strong> Miasma is the second worm in this family within a month; we expect at least one more variant targeting a different high-trust npm scope, likely through OIDC-publishing abuse again. Watch for orphan-commit triggers, recursive republishing, and any pattern matching the @redhat-cloud-services chain on other org-owned scopes.<\/li>\n<li style=\"margin-bottom:8px;\"><strong>EDR vendors&rsquo; response to AI-assisted evasion.<\/strong> Sophos, CrowdStrike, and Microsoft were the named targets in the AI-orchestrated lab. Expect formal vendor responses, marketing pivots toward &ldquo;adversarial AI-resilient&rdquo; positioning, and concrete model-side counters &mdash; including behavioral-cluster detection of toolchain-generated binaries (Rust\/Go bursts, Cursor\/Ludus artifacts).<\/li>\n<li style=\"margin-bottom:8px;\"><strong>TON-network C2 beyond TrickMo.<\/strong> Blockchain-routed C2 sidesteps DNS\/IP takedowns and is cheap to rotate. We expect at least one Windows-side malware family to adopt TON or a comparable chain over the next 30 days. 
Detection focus: outbound to known TON proxies and anomalous <code>.adnl<\/code> lookups.<\/li>\n<li style=\"margin-bottom:8px;\"><strong>Greyvibe IOCs and OPSEC patterns.<\/strong> The current writeups emphasize traceable signatures (reused infra, language slips) but stop short of formal indicators. We expect Mandiant, CrowdStrike, or Microsoft Threat Intel to publish a fuller technical readout with binary IOCs and infrastructure pivots that hunters can plug straight into Sigma\/KQL.<\/li>\n<\/ol>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:28px 28px 32px;border-top:1px solid #e5e7eb;color:#6b7280;font-size:12px;text-align:center;\">\n<p style=\"margin:0 0 6px;color:#6b7280;\">Malware Analysis Weekly &middot; a Newshunter publication<\/p>\n<p style=\"margin:0 0 6px;color:#6b7280;\">Weekly news items are from the previous seven to ten days. Foundational reading is refreshed each week.<\/p>\n<p style=\"margin:0 0 10px;color:#6b7280;\"><a href=\"*|UNSUB|*\" style=\"color:#1d4ed8;text-decoration:none;\">Unsubscribe<\/a> &middot; <a href=\"*|ARCHIVE|*\" style=\"color:#1d4ed8;text-decoration:none;\">View in browser<\/a><\/p>\n<p style=\"margin:14px 0 4px;font-size:11px;color:#9ca3af;\">Newsletter design, layout, and editorial curation &copy; 2026 Security Radar. All rights reserved.<\/p>\n<p style=\"margin:0;font-size:11px;color:#9ca3af;\">Article titles and summaries are excerpted for review and commentary; all linked articles remain the copyright of their respective publishers and authors.<\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Malware Analysis Weekly &middot; Issue June 7, 2026 Malware Analysis Weekly Families, campaigns, TTPs, and IOCs from the field &middot; for malware analysts and IR teams At a glance Two threads dominated the past ten days. 
First, AI-assisted malware development stepped out of the proof-of-concept phase: Sophos uncovered a Claude-Opus-4.5-orchestrated&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,47],"tags":[],"class_list":["post-5291","post","type-post","status-publish","format-standard","hentry","category-malware","category-threat_intel"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/5291","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5291"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/5291\/revisions"}],"predecessor-version":[{"id":5310,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/5291\/revisions\/5310"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5291"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5291"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5291"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}