The Indicator

Threat Intelligence Blog

Weekly and monthly analysis of cyber threat trends, IOC patterns, and adversary tradecraft — powered by iocget data.

Weekly Report May 29, 2026

Weekly Threat Intel: May 25–29, 2026

ShinyHunters' extortion spree hits Charter (40M records), Carnival (6M), and Canvas (275M education records), using the same vishing-to-SaaS-export technique all three times. Scattered Spider pivots to the US with the Victoria’s Secret attack as UK police arrest four members (three of them teenagers). PAN-OS GlobalProtect CVE-2026-0257 is under active exploitation and now sits in CISA KEV with a June 19 remediation deadline; an 18-year-old NGINX heap overflow ships with a public ASLR-bypass chain. Dutch police seize the Asocks botnet (17M devices). Sysdig documents the first in-the-wild LLM-driven intrusion. ESET’s APT report: Lazarus poisons axios (100M weekly downloads), and GREYVIBE uses AI across the full kill chain.

32 reports analyzed · 6 critical CISA KEV additions · 17M-device botnet seized

Weekly Report May 24, 2026

Weekly Threat Intel: May 18–24, 2026

The global LummaC2 takedown seizes 2,300 C2 domains and disrupts 394,000+ active infections. A joint 21-agency advisory confirms sustained APT28 espionage against Western logistics firms supplying Ukraine. The Ivanti EPMM chained RCE (CVE-2025-4427 + CVE-2025-4428) is actively exploited by China-nexus UNC5221, with public PoCs available. DanaBot is disrupted and 16 people charged, revealing parallel criminal and espionage tracks. Interlock ransomware exposes 1.7M Kettering Health patients after a 41-day dwell time. Scattered Spider expands its UK campaign to cold-chain logistics, disrupting nine supermarket chains simultaneously.

28 reports analyzed · 1,800+ IOCs extracted · 4 critical CISA KEV additions

Weekly Report May 17, 2026

Weekly Threat Intel: May 11–17, 2026

Google GTIG documents the first AI-generated zero-day exploit used in a real attack — a 2FA bypass written by a criminal actor with the help of an AI model, caught before mass exploitation began. Cisco SD-WAN Manager is hit by a CVSS 10.0 authentication bypass (CVE-2026-20182) already under active exploitation by UAT-8616. May Patch Tuesday fixes 120+ CVEs, including an unauthenticated SYSTEM-level RCE against domain controllers. ShinyHunters’ Canvas breach reaches a “ransom resolution” covering 275 million students and staff, and “Dirty Frag” delivers root on all major Linux distributions with a public PoC and one of its CVEs still unpatched.

25 reports analyzed · 1,600+ IOCs extracted · 3 critical CISA KEV additions

Weekly Report May 10, 2026

Weekly Threat Intel: May 4–10, 2026

A Palo Alto PAN-OS zero-day (CVE-2026-0300, CVSS 9.3) is confirmed under active exploitation since April 9, yielding root RCE — with no patch until May 13. DOJ sentencing reveals that the Karakurt ransomware group co-opted Russian government databases as operational infrastructure. ShinyHunters claims 9 million Medtronic medical records, the PCPJack cloud worm that targets AI API keys is fully documented, and IBM discloses a Chinese-backed group using Claude for 80–90% of its attack operations end-to-end.

22 reports analyzed · 1,400+ IOCs extracted · 2 critical CISA KEV additions

Weekly Report May 3, 2026

Weekly Threat Intel: April 27–May 3, 2026

The DragonForce cartel simultaneously takes down M&S, Co-op, and Harrods through social engineering of an outsourced helpdesk; M&S projects £300M in losses. APT28 deploys LAMEHUG and PROMPTSTEAL, the first confirmed state-sponsored malware that queries Alibaba Cloud’s Qwen LLM at runtime. DPRK closes April at $577M in crypto theft. TeamPCP poisons four official SAP npm packages, and the PCPJack worm spreads through cloud infrastructure harvesting AI API keys.

28 reports analyzed · 2,100+ IOCs extracted · 4 supply-chain incidents

Weekly Report April 26, 2026

Weekly Threat Intel: April 19–26, 2026

The SaaS supply chain cracks open — Vercel is breached via a 22-month OAuth chain that began with a Lumma infection at Context.ai, the Bitwarden CLI npm package ships a credential stealer for 90 minutes, and Scattered LAPSUS$ Hunters launches the first “Extortion-as-a-Service” platform. APT28’s Operation Neusploit produces the week’s largest IOC dataset (347 indicators), DPRK industrializes fake-meeting lures, and Huntress publishes the first IR report in which an AI coding agent actively complicated triage.

24 reports analyzed · 1,650+ IOCs extracted · 5 supply-chain incidents

Weekly Report April 18, 2026

Weekly Threat Intel: April 11–18, 2026

The Iran picture sharpens — DomainTools maps the MOIS-linked ecosystem tying Handala, Homeland Justice, and Karma together, while APT28 opens two new fronts with TP-Link DNS hijacking and a PRISMEX zero-day chain. Also this week: four actively exploited zero-days, GlassWorm’s 433-package second wave, and threat actors treating n8n, Heroku, and Solana as purpose-built C2 infrastructure.

23 reports analyzed · 980+ IOCs extracted · 4 active zero-days