The Indicator — Weekly Threat Intelligence

Weekly Threat Intel
May 25–29, 2026

Published May 29, 2026 | Based on 32 IOC reports | TLP: CLEAR
32 Reports analyzed
275M Canvas education records exposed
17M Devices in Asocks botnet seized
40M Charter Communications records leaked
6 Critical vulns added to CISA KEV
Key Takeaways for Security Professionals
  • Patch PAN-OS GlobalProtect immediately for CVE-2026-0257 — Rapid7 documented two exploitation waves in May and CISA added it to KEV on May 29 with a June 19 federal deadline. The flaw is an authentication bypass via forged authentication override cookies: an attacker who can reach the GlobalProtect portal over HTTPS can establish a VPN connection without any valid credentials. Fixed in PAN-OS 12.1.4-h6/12.1.7, 11.2.12, 11.1.15, and 10.2.18-h6 and later. If immediate patching is not possible, disable authentication override cookies on the portal/gateway configuration as a temporary mitigation.
  • If your organization runs NGINX and has ASLR disabled, treat CVE-2026-42945 as an emergency — a public PoC with an ASLR bypass chain is available for an 18-year-old heap buffer overflow present in NGINX since version 0.6.27 (2008). Unauthenticated attackers can crash worker processes or achieve RCE via a single crafted HTTP request to ngx_http_rewrite_module. VulnCheck honeypots detected active exploitation. NGINX's dominance as a web server (~40% of internet-facing servers) makes the blast radius enormous. Prioritize patching any NGINX instance accessible from untrusted networks. Confirm ASLR is enabled (cat /proc/sys/kernel/randomize_va_space should return 2) as a compensating control.
  • Security teams at law firms should treat the Silent Ransom Group FBI FLASH (May 26) as requiring immediate physical security review — the group has escalated to physically walking operatives into offices posing as IT support and inserting USB exfiltration devices. Over 100 law firms attacked, with 38+ having data posted publicly. The physical intrusion TTP bypasses all network-layer defenses. Require picture ID and escort for any unannounced IT support visits, implement USB port blocking on attorney workstations handling sensitive client data, and review physical access logs for tailgating or unauthorized badge use during the past 90 days.
  • If your organization uses FortiClient EMS and cannot immediately patch CVE-2026-35616, audit all on_connect VPN script configurations for unauthorized entries — attackers are abusing the legitimate script execution feature to deliver the EKZ infostealer disguised as a Fortinet patch update. The vulnerability enables unauthenticated API access, after which the script execution feature is weaponized for credential theft targeting Chrome, Firefox, cookies, MFA bypass data, and credit cards. Over 2,000 internet-exposed EMS instances were visible at disclosure. Arctic Wolf documented active exploitation clusters; check FortiClient EMS event logs for unexpected on_connect script execution events from external IP addresses.
  • Canvas/Instructure users across 8,809 institutions should treat student, staff, and faculty data as compromised and notify affected populations — ShinyHunters claims 275 million records, the largest education breach on record, and the FBI has warned of follow-on targeting of students and staff. Exposed data includes names, email addresses, student IDs, enrollment data, and institutional credentials. Affected individuals are high-value targets for credential stuffing (many reuse institutional passwords), financial aid fraud, and spearphishing exploiting academic context. Institutions should force password resets for all affected accounts, alert users to phishing risk, and review for unauthorized access to financial aid and administrative systems.
  • Disable or restrict Gogs self-hosted Git immediately — CVE-2026-25921 is an unpatched RCE zero-day (argument injection) with a public Metasploit module available, and Gogs ships with open registration enabled by default, making the vulnerability effectively unauthenticated in default configurations. The vulnerability was reported to maintainers on March 17 and publicly disclosed after maintainers went silent. Any Gogs instance accessible from the internet should be taken offline or placed behind strict IP allowlisting until a patch is available. Consider migrating to Gitea (a maintained Gogs fork) as a longer-term remediation.
  • Treat AI share links and fake AI app installers as an active delivery vector requiring user education — attackers are abusing legitimate chatgpt.com/s/ share links to serve malware via fake OpenAI outage pages, and trojanized ChatGPT and Claude desktop installers on GitHub and SourceForge are distributing DinDoor RAT with crypto wallet exfiltration. The ChatGPT share link abuse is particularly dangerous because the links are on a trusted domain and bypass URL scanners. Detection: DinDoor creates SOCKS5 proxy tunnels and queries 50+ known crypto wallet extension paths; monitor for browser processes spawning unusual child processes and for exfiltration patterns to non-business destinations from developer workstations.
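The FortiClient EMS takeaway above asks teams to check event logs for on_connect script executions from external addresses. The following is an added example (not code from this newsletter, Fortinet, or Arctic Wolf) that runs that check over a constructed log sample. The key=value line layout, the RFC 1918 definition of "internal", and the approved-script baseline are all assumptions; the regex and the baseline should be adapted to the real export format and change-control records.

```python
import ipaddress
import re

# Constructed sample export. The key=value layout is an assumption for this
# example; the real FortiClient EMS event log format may differ, so adapt LINE_RE
# to the fields your export actually contains. 203.0.113.x / 198.51.100.x are
# documentation ranges standing in for public attacker addresses.
SAMPLE_LOG = """\
2026-05-27T08:01:12Z event=on_connect_script_exec src=10.20.4.17 user=jsmith script=map_drives.ps1
2026-05-27T08:03:40Z event=on_connect_script_exec src=203.0.113.45 user=svc_ems script=FortinetPatchUpdate.ps1
2026-05-27T08:05:02Z event=client_register src=198.51.100.9 user=akumar
2026-05-27T08:09:55Z event=on_connect_script_exec src=198.51.100.9 user=akumar script=FortinetPatchUpdate.ps1
2026-05-27T08:11:10Z event=on_connect_script_exec src=192.168.1.50 user=bwong script=map_drives.ps1
2026-05-27T08:14:03Z event=on_connect_script_exec src=10.20.4.30 user=tlee script=FortinetPatchUpdate.ps1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+event=(?P<event>\S+)\s+src=(?P<src>\S+)\s+user=(?P<user>\S+)"
    r"(?:\s+script=(?P<script>\S+))?"
)

# RFC 1918 ranges only. ipaddress.is_private is deliberately not used because it
# also treats documentation ranges such as 203.0.113.0/24 as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed baseline: scripts that change control has approved for on_connect use.
APPROVED_SCRIPTS = frozenset({"map_drives.ps1"})


def is_internal(src, internal_nets=INTERNAL_NETS):
    """True when src parses as an address inside one of the internal networks."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source field: do not treat as trusted
    return any(ip in net for net in internal_nets)


def find_suspicious_script_events(log_text, approved_scripts=APPROVED_SCRIPTS,
                                  internal_nets=INTERNAL_NETS):
    """Return on_connect script executions that came from outside the internal
    ranges or ran a script that is not in the approved baseline."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m or m.group("event") != "on_connect_script_exec":
            continue
        reasons = []
        if not is_internal(m.group("src"), internal_nets):
            reasons.append("external_source")
        if m.group("script") not in approved_scripts:
            reasons.append("unapproved_script")
        if reasons:
            findings.append({"ts": m.group("ts"), "user": m.group("user"),
                             "src": m.group("src"), "script": m.group("script"),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_script_events(SAMPLE_LOG):
        print(f["ts"], f["user"], f["src"], f["script"], ",".join(f["reasons"]))
```

Two conditions are checked independently so that an internal host running an unapproved script (the last sample line) is still surfaced; the script-name check is what catches the fake "patch update" regardless of where the connection came from.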
The week of May 25–29 brought a data breach volume that strains comprehension: ShinyHunters leveraged a single vishing-enabled insider access technique to extract records covering tens of millions of Charter customers, nearly six million Carnival passengers, and up to 275 million people across the education sector via Canvas — a single week in which one threat actor may have compromised more PII than most years. Meanwhile, Scattered Spider completed its pivot from UK retail to US retail with the Victoria’s Secret attack, even as UK law enforcement arrested four individuals (three of them teenagers) in connection with the M&S, Co-op, and Harrods campaign. On the vulnerability front, CISA added six entries to the Known Exploited Vulnerabilities catalog in five days, including an 18-year-old NGINX heap overflow with a public ASLR bypass chain and a PAN-OS GlobalProtect authentication bypass already under active exploitation. Dutch police disrupted the Asocks residential proxy botnet (17 million compromised consumer devices). And Sysdig documented the first observed in-the-wild LLM-agent-driven intrusion — an attacker automating the full post-exploitation chain from CVE to database dump in under an hour.
01 — TOP STORY

ShinyHunters Extortion Spree: Charter, Carnival, Canvas — The Insider Access Playbook

ShinyHunters was responsible for the three largest breach disclosures of the week, each leveraging a structurally identical initial access technique: voice phishing (vishing) against employees or contractors to compromise cloud-platform credentials, followed by bulk data extraction from Salesforce, Workday, or equivalent SaaS data stores. The result was a simultaneous extortion wave that, by victim count, represents one of the highest-impact single-week disclosure clusters on record.

ShinyHunters — Charter Communications — Vishing / Microsoft Entra

Charter Communications: 40–42 Million Customer Records, Salesforce Exfiltration via Vished Entra Account

ShinyHunters set and then executed on a May 27 deadline, leaking data allegedly covering 40–42 million Charter Communications residential and business customer records. BleepingComputer analysis confirmed approximately 4.9 million accounts in the sample reviewed. The group claims initial access was obtained on April 1 via a vishing call that convinced a Charter employee to provide credentials and approve an MFA push, granting access to their Microsoft Entra (Azure AD) account. The attacker then exported customer PII from Charter’s Salesforce instance using the compromised identity. The Salesforce data model meant that once the attacker had a valid Entra credential with appropriate entitlements, bulk export required no further exploitation — just API calls that blended with legitimate CRM usage. Data fields reported: names, addresses, phone numbers, email addresses, account numbers, and service details.

40–42M records claimed — 4.9M confirmed in sample · Initial access: April 1 vishing → Entra credential · Exfiltration target: Salesforce CRM
ShinyHunters — Carnival Cruise Line

Carnival Cruise Line: 6 Million Passengers, April Breach Confirmed This Week

Carnival Corporation confirmed on May 28 that approximately 6 million people were affected by a breach that occurred in April 2026. ShinyHunters claims responsibility. The breach encompasses guests from Carnival’s portfolio of cruise lines, including Carnival, Princess, Holland America, Cunard, and others. Exposed data includes names, addresses, dates of birth, passport numbers, and customer loyalty program identifiers. The passenger profile for major cruise lines — demographic skewing toward retirees with disposable income — makes this population particularly valuable for financial fraud and elder scam targeting. The DOJ this week also sentenced a North Carolina man to more than ten years for selling elderly Americans’ personal data to Jamaican scammers; the convergence is not coincidental: breach data exposing demographics, travel patterns, and loyalty program membership creates ready-made targeting lists for exactly this type of operation.

6M passengers affected · Breach occurred: April 2026 · Confirmed: May 28 · Multiple Carnival brands affected
ShinyHunters — Canvas / Instructure — Education Sector

Canvas LMS: 275 Million Records Across 8,809 Educational Institutions — Largest Education Breach on Record

ShinyHunters claims to have exfiltrated 275 million records from Canvas (Instructure), the dominant learning management system across higher education and K-12, covering 8,809 institutions including universities, K-12 school districts, and national ministries of education. If accurate, this is the largest breach of educational data on record by a substantial margin. Instructure stated it has entered a data destruction agreement with the threat actor, suggesting a ransom or settlement was reached; however, destruction agreements with ShinyHunters have historically not prevented data from surfacing on underground markets after the payment period lapses. The FBI issued a warning to students and staff of targeted follow-on attacks using the stolen data. Exposed data includes names, email addresses, student IDs, enrollment records, course data, and institutional credentials. The population of university students and faculty represents a high-value credential target: academic email addresses are used as single sign-on for research databases, grant management systems, and cloud platforms, and students frequently reuse passwords across platforms.

275M records claimed — 8,809 institutions across K-12, higher ed, and government · Instructure entered data destruction agreement · FBI warning issued

ShinyHunters’ Charter breach demonstrates why Salesforce (and equivalent SaaS CRM) data access controls are a critical security surface that most organizations underinvest in. Once the attacker had a valid credential with legitimate Salesforce entitlements, the exfiltration required no exploitation — only API calls that would appear in logs as normal CRM usage unless specific data export monitoring was in place. Three defensive improvements would have materially changed this outcome: (1) Phishing-resistant MFA (hardware tokens or passkeys) rather than push-approval MFA, which can be defeated by real-time vishing; (2) Salesforce field-level security policies restricting bulk export entitlements to a minimal set of users with documented business justification; (3) CASB or DLP tooling alerting on bulk record export volume from Salesforce, independent of whether the exporting credential is valid. The vishing technique itself is not new — but its consistent success against enterprise Entra accounts with cloud-platform entitlements is a pattern that now warrants mandatory review of which identities have CRM data export rights and what MFA type they use.
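Point (3) above, alerting on bulk export volume independently of whether the credential is valid, can be implemented as a sliding-window count over export events. The following is an added example, not code from the newsletter or from Salesforce. The CSV layout is a constructed simplification loosely modelled on Salesforce event log files (the real column names differ and must be mapped), and the approved-exporter list, the 500,000-row threshold and the one-hour window are assumptions to be tuned per organization.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample. Columns are a simplified stand-in for Salesforce event
# log fields; map the real TIMESTAMP / EVENT_TYPE / USER_ID / ROWS_PROCESSED
# equivalents here. 203.0.113.77 is a documentation address used as "external".
SAMPLE_EVENTS = """\
TIMESTAMP,EVENT_TYPE,USER_ID,SOURCE_IP,ROWS_PROCESSED,CLIENT
2026-04-01T09:02:11Z,ReportExport,005A1,10.8.0.12,1200,Browser
2026-04-01T09:15:40Z,BulkApiRequest,005B2,203.0.113.77,250000,DataLoader
2026-04-01T09:31:05Z,BulkApiRequest,005B2,203.0.113.77,250000,DataLoader
2026-04-01T09:47:22Z,BulkApiRequest,005B2,203.0.113.77,250000,DataLoader
2026-04-01T10:10:00Z,ReportExport,005C3,10.8.0.44,800,Browser
2026-04-01T11:00:00Z,Login,005B2,203.0.113.77,0,Browser
2026-04-02T14:00:00Z,BulkApiRequest,005D4,10.8.0.90,50000,DataLoader
"""

EXPORT_EVENTS = {"ReportExport", "BulkApiRequest"}
# Assumed: the small set of users with a documented business need for bulk export.
APPROVED_BULK_USERS = frozenset({"005D4"})


def parse_events(csv_text):
    """Parse the CSV into dicts and return them ordered by timestamp."""
    rows = []
    for rec in csv.DictReader(StringIO(csv_text)):
        rows.append({
            "ts": datetime.strptime(rec["TIMESTAMP"], "%Y-%m-%dT%H:%M:%SZ"),
            "event": rec["EVENT_TYPE"],
            "user": rec["USER_ID"],
            "src": rec["SOURCE_IP"],
            "rows": int(rec["ROWS_PROCESSED"]),
        })
    return sorted(rows, key=lambda r: r["ts"])


def detect_bulk_export(csv_text, approved_bulk_users=APPROVED_BULK_USERS,
                       row_threshold=500_000, window=timedelta(hours=1)):
    """Two alert kinds, each raised at most once per user:
    - unapproved_bulk: a Bulk API export by a user outside the approved set
    - volume: rows exported by one user inside the window reach row_threshold
    The volume check fires even for approved users, so a valid but misused
    credential still trips it."""
    alerts = []
    recent = defaultdict(deque)      # user -> (ts, rows) pairs inside the window
    volume_alerted, unapproved_alerted = set(), set()
    for ev in parse_events(csv_text):
        if ev["event"] not in EXPORT_EVENTS:
            continue
        user = ev["user"]
        if (ev["event"] == "BulkApiRequest" and user not in approved_bulk_users
                and user not in unapproved_alerted):
            unapproved_alerted.add(user)
            alerts.append({"kind": "unapproved_bulk", "user": user, "src": ev["src"],
                           "at": ev["ts"].isoformat()})
        q = recent[user]
        q.append((ev["ts"], ev["rows"]))
        while q and ev["ts"] - q[0][0] > window:   # drop events older than the window
            q.popleft()
        total = sum(rows for _, rows in q)
        if total >= row_threshold and user not in volume_alerted:
            volume_alerted.add(user)
            alerts.append({"kind": "volume", "user": user, "src": ev["src"],
                           "rows_in_window": total, "at": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_export(SAMPLE_EVENTS):
        print(a)
```

In the sample, user 005B2 trips the entitlement check on the first Bulk API call and the volume check on the second, when the rolling one-hour total reaches 500,000 rows; the approved user's 50,000-row export raises nothing.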

02 — THREAT ACTOR UPDATE

Scattered Spider Pivots to the US: Victoria’s Secret and the UK Arrests

The week brought simultaneous news from both ends of Scattered Spider’s campaign arc: UK law enforcement arrested four individuals (three teenagers) in connection with the M&S, Co-op, and Harrods attacks, while the group completed its assessed pivot to US targets with the Victoria’s Secret attack beginning May 24.

Scattered Spider — US Pivot — DragonForce

Victoria’s Secret: Retail Operations Disrupted, ~$10M Income Impact, Systems Restored by May 29

Victoria’s Secret was attacked on May 24 and spent the week restoring systems, successfully bringing its website back online by May 29 while continuing to repair corporate infrastructure. The attack disrupted retail store operations and forced a delay in Q1 earnings reporting. Estimated income impact: approximately $10 million. Security researchers assess Scattered Spider as the likely perpetrator based on alignment with the group’s documented TTP signature: initial access via help desk vishing impersonating employees to manipulate agents into credential resets or MFA bypass, followed by DragonForce encryptor deployment targeting VMware ESXi hosts for mass VM encryption and double extortion. The Victoria’s Secret attack is significant for two reasons: it confirms the group’s capability to pivot from the UK market to US major retail targets using the same technique without adaptation, and it demonstrates that the UK law enforcement arrests (see below) have not disrupted operational capability, at least not immediately. The combined UK financial impact from the M&S (£300M profit impact), Co-op (£206M revenue loss, 6.5M customer records), and Harrods (430,000+ customer records) campaign has now reached approximately £506M ($677M).

~$10M income impact — Website restored May 29 · Initial access: help desk vishing · Encryptor: DragonForce (ESXi targeting) · UK total: ~£506M ($677M)
Scattered Spider — UK Arrests

Four Arrested in UK, Three of Them Teenagers, in Connection with Retail Campaign

UK law enforcement — the National Crime Agency (NCA) and regional police — arrested four individuals this week in connection with the M&S, Co-op, and Harrods attacks. Three of the four are teenagers. The arrests reflect the demographic reality of Scattered Spider: the group operates as a loosely affiliated English-speaking community (“The Com”) where recruitment skews young and members are distributed across the US, UK, and other English-speaking countries. The arrests are operationally significant but almost certainly represent peripheral members rather than core operators; Scattered Spider’s attack on Victoria’s Secret — assessed to have begun the day before or the same day as the UK arrests — suggests the arrests did not disrupt the group’s primary operational capability. Law enforcement disruption of groups with diffuse, online-recruited membership structures requires sustained pressure across multiple jurisdictions; single-sweep arrests typically remove execution-layer participants while leaving the social engineering operators and infrastructure managers active.

Four arrested · Three teenagers · NCA + regional UK police · US arrest activity expected to follow
03 — VULNERABILITIES & ACTIVE EXPLOITATION

Critical Vulnerabilities: PAN-OS GlobalProtect, NGINX 18-Year RCE, FortiClient EMS, Cisco SD-WAN

CISA added six new entries to the Known Exploited Vulnerabilities catalog between May 25 and May 29, spanning network security appliances, web servers, and enterprise management platforms. The NGINX vulnerability is particularly notable for its age: 18 years in production before a public exploit chain arrived.

CVE | Product | Impact | Status
CVE-2026-0257 | Palo Alto PAN-OS GlobalProtect | Authentication bypass via forged authentication override cookies; unauthorized VPN connections without credentials. | Actively exploited — CISA KEV — June 19 deadline
CVE-2026-42945 | NGINX (ngx_http_rewrite_module) | 18-year-old heap buffer overflow (since v0.6.27, 2008). Unauthenticated crash or RCE (with ASLR disabled). Public PoC with ASLR bypass available. | Active exploitation (VulnCheck honeypots) — CISA KEV
CVE-2026-35616 | Fortinet FortiClient EMS | Unauthenticated API access; on_connect VPN script feature abused to deliver EKZ Infostealer disguised as Fortinet patch. 2,000+ exposed instances. | Actively exploited — CISA KEV
CVE-2026-20182 | Cisco Catalyst SD-WAN Controller | CVSS 10.0 authentication bypass via vdaemon DTLS service (UDP 12346). Exploited by UAT-8616 for SSH key injection, NETCONF modification, root escalation. | Actively exploited — CISA KEV
CVE-2026-9082 | Drupal Core (PostgreSQL backend) | Critical unauthenticated SQL injection in PostgreSQL EntityQuery handler. 15,000+ exploit attempts against 6,000 sites in 65 countries within 48 hours of disclosure. | Active exploitation — CISA KEV — Federal deadline May 27
CVE-2026-25921 | Gogs (self-hosted Git) | Argument injection RCE. Maintainers unresponsive since March 17. Open registration default = effectively unauthenticated. | Unpatched zero-day — public Metasploit module
CVE-2026-42945 — NGINX — 18-Year-Old RCE — CISA KEV

NGINX Heap Overflow Since 2008: Public ASLR Bypass Chain, ~40% of Internet-Facing Servers at Risk

CVE-2026-42945 is a heap buffer overflow in NGINX’s ngx_http_rewrite_module that has been present in every version since 0.6.27 (2008). The vulnerability is triggered by a crafted HTTP request and, on systems where ASLR is disabled, enables unauthenticated remote code execution. A public proof-of-concept with a working ASLR bypass chain has been published. VulnCheck honeypots detected active exploitation. NGINX serves approximately 40% of internet-facing web servers globally, making this the broadest potential attack surface in this week’s vulnerability set. The practical risk varies: ASLR is enabled by default on most modern Linux distributions (verify with cat /proc/sys/kernel/randomize_va_space, which should return 2). Systems at highest risk include embedded devices running NGINX where ASLR is disabled or absent, legacy containerized environments with non-standard kernel configurations, and systems where the ASLR bypass chain has been adapted to succeed despite randomization. Patch immediately; for instances where patching cannot happen immediately, ASLR enforcement should be verified and confirmed as a compensating control, with the understanding that the public ASLR bypass chain reduces the protection ASLR provides.

Present since NGINX 0.6.27 (2008) — 18 years in production · Active exploitation confirmed · ASLR bypass PoC public · ~40% of internet web servers affected
CVE-2026-0257 — Palo Alto PAN-OS GlobalProtect — KEV

GlobalProtect Auth Bypass: Two Exploitation Waves in May, CISA KEV June 19 Deadline

Rapid7 documented two distinct exploitation waves against CVE-2026-0257 — May 17 and May 21 — both attributed with high confidence to the same threat actor across numerous enterprise customers. The vulnerability is an authentication bypass in PAN-OS GlobalProtect triggered when authentication override cookies are configured using a certificate shared with the HTTPS portal/gateway service. Forged cookies constructed with the shared certificate bypass authentication entirely, granting unauthorized VPN access without valid user credentials. This is consistent with how organizations deploy GlobalProtect in practice: the shared-certificate configuration is common in large deployments. CISA added CVE-2026-0257 to the KEV catalog on May 29 with a June 19 remediation deadline for federal agencies. Fixed in PAN-OS 12.1.4-h6/12.1.7, 11.2.12, 11.1.15, 10.2.18-h6 and later. If immediate patching is not possible: disable authentication override cookies on the GlobalProtect portal and gateway configuration as a temporary mitigation.

Two exploitation waves: May 17 and May 21 · CISA KEV June 19 federal deadline · Fixed: PAN-OS 12.1.4-h6, 11.2.12, 11.1.15, 10.2.18-h6+
CVE-2026-20182 — Cisco Catalyst SD-WAN — CVSS 10.0

Maximum-Severity Cisco SD-WAN Auth Bypass: UAT-8616 Exploiting for Root Escalation

Cisco confirmed limited targeted exploitation of CVE-2026-20182, a CVSS 10.0 authentication bypass in Cisco Catalyst SD-WAN Controller’s vdaemon DTLS service on UDP port 12346. The threat actor — tracked as UAT-8616, a sophisticated actor assessed as nation-state-adjacent — achieved post-exploitation SSH key injection, NETCONF configuration modification, and root privilege escalation on compromised SD-WAN controllers. SD-WAN controllers occupy a privileged position in network architecture: a compromised controller can manipulate routing policy, intercept traffic, and propagate configuration to all managed WAN edge devices. Organizations running Cisco Catalyst SD-WAN should treat this as critical-priority patching. If patching is delayed, restrict access to UDP port 12346 to management network segments with IP allowlisting and audit recent NETCONF configuration changes and SSH authorized_keys files on SD-WAN controller hosts.
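The interim advice above includes auditing SSH authorized_keys files on controller hosts. The following added example (not code from the newsletter or from Cisco) compares every key in such a file against a set of approved SHA256 fingerprints, the same form `ssh-keygen -lf` prints, and flags anything unknown or malformed. The sample file and its keys are constructed (fixed bytes, not real key material); how the file is retrieved from the controller, and the approved-fingerprint list itself, are assumed to come from your own administrative process. Option prefixes such as `from="..."` are handled only when they contain no embedded whitespace.

```python
import base64
import hashlib
import struct


def _ssh_string(data):
    """SSH wire encoding of a string: 4-byte big-endian length, then bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(raw32):
    """Base64 wire blob of an ssh-ed25519 public key from 32 raw bytes.
    Used only to construct sample keys for this example."""
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(raw32)).decode()


def fingerprint(blob_b64):
    """SHA256 fingerprint in ssh-keygen form: 'SHA256:' + base64 without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def parse_authorized_keys(text):
    """One dict per non-comment line: fingerprint, type, options, comment,
    or malformed=True when no key type / decodable blob is found."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # Options (if any) precede the key type token; locate the type to find the blob.
        idx = next((i for i, p in enumerate(parts) if p.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(parts):
            entries.append({"line": lineno, "malformed": True, "raw": line})
            continue
        try:
            fp = fingerprint(parts[idx + 1])
        except ValueError:  # binascii.Error is a ValueError subclass
            entries.append({"line": lineno, "malformed": True, "raw": line})
            continue
        entries.append({"line": lineno, "malformed": False, "type": parts[idx],
                        "fingerprint": fp, "options": " ".join(parts[:idx]),
                        "comment": " ".join(parts[idx + 2:])})
    return entries


def audit_authorized_keys(text, approved_fingerprints):
    """Return entries that are malformed or whose fingerprint is not approved."""
    findings = []
    for e in parse_authorized_keys(text):
        if e["malformed"]:
            findings.append({**e, "reason": "malformed"})
        elif e["fingerprint"] not in approved_fingerprints:
            findings.append({**e, "reason": "unknown_key"})
    return findings


# Constructed sample: one approved key, one injected key, one garbage line.
APPROVED_KEY = make_ed25519_blob(bytes(range(32)))
ROGUE_KEY = make_ed25519_blob(b"\x42" * 32)
SAMPLE_AUTHORIZED_KEYS = f"""\
# baseline: netops jump host
ssh-ed25519 {APPROVED_KEY} netops-admin@jumphost
from="198.51.100.0/24" ssh-ed25519 {ROGUE_KEY} backup
ssh-rsa not-base64!! stray
"""
APPROVED_FINGERPRINTS = frozenset({fingerprint(APPROVED_KEY)})


if __name__ == "__main__":
    for f in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED_FINGERPRINTS):
        print(f"line {f['line']}: {f['reason']} {f.get('fingerprint', f['raw'])} {f.get('comment', '')}")
```

Comparing fingerprints rather than comments matters here: an injected key can carry any comment it likes, and a harmless-looking `backup` label or a familiar `from=` restriction proves nothing about who holds the private half.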

CVSS 10.0 — Targeted exploitation by UAT-8616 · Attack surface: UDP 12346 (vdaemon DTLS) · Post-exploitation: SSH key injection, NETCONF modification, root escalation

The Verizon 2026 DBIR finding that vulnerability exploitation has overtaken stolen credentials as the primary initial access vector — 31% vs. roughly 25% for credentials — is reinforced by this week’s KEV additions. The DBIR also found that only 26% of CISA KEV vulnerabilities were fully remediated in 2025 and that median time to patch has increased to 43 days. The six KEV additions this week represent patches that a median organization won’t fully deploy until mid-July. For the two vulnerabilities currently under active exploitation with public PoCs (PAN-OS GlobalProtect and NGINX), waiting until mid-July means operating under active exploitation conditions for six weeks. The DBIR data suggests this is not unusual — it is the organizational norm. Closing this gap requires operationalizing vulnerability prioritization by exploitation status rather than CVSS score alone: the NGINX vulnerability has been exploitable for 18 years; what changed is the public PoC, not the CVSS score.

04 — NATION-STATE ACTIVITY

Nation-State: ESET APT Report, GREYVIBE, Kimsuky, Nimbus Manticore

ESET’s Q4 2025–Q1 2026 APT Activity Report, published May 28, provided the week’s most comprehensive view of nation-state activity. Alongside it, WithSecure disclosed GREYVIBE, a newly profiled Russian-nexus cluster using AI across every stage of the attack lifecycle, and Iran’s Nimbus Manticore continued aviation and defense targeting via SEO poisoning and fake software installers.

North Korea — Lazarus / BlueNoroff — Supply Chain

Lazarus Poisons axios npm Package (100M Weekly Downloads) via Fake Founder Impersonation

ESET’s APT report documented a Lazarus/BlueNoroff supply chain attack against the axios npm package, which records 100 million weekly downloads and is used by a significant fraction of the global JavaScript ecosystem. The attack vector was sophisticated social engineering rather than infrastructure compromise: North Korean operators impersonated the axios company founder, created a fake Slack workspace mimicking the legitimate team’s communications, and used this persona over weeks to build sufficient maintainer trust to receive the target’s npm publish token. The malicious package remained live for approximately three hours before detection and removal. The trojanized update harvested the victim maintainer’s npm token, credentials, and development environment secrets. This attack represents the highest-volume single package poisoned in a DPRK supply chain operation, though three hours of availability substantially limited actual installation reach. The technique — long-horizon persona building to gain developer trust — requires no technical exploitation and is not preventable by code scanning or dependency monitoring alone. npm package maintainers of high-download packages should be treated as high-value social engineering targets requiring the same identity verification rigor applied to privileged employees.

axios: 100M weekly downloads — 3 hours live before removal · Vector: fake Slack workspace, founder impersonation · Attribution: Lazarus/BlueNoroff (DPRK)
Russia — GREYVIBE (New Cluster) — Ukraine Targeting

GREYVIBE: New Russian-Nexus Group Runs Five Parallel Attack Chains with AI Throughout the Kill Chain

WithSecure Labs published the full profile of GREYVIBE, a previously undocumented Russian-speaking threat cluster active since at least August 2025, targeting Ukrainian military, government, civilian, and business entities. The group’s defining characteristic is systematic use of AI tools throughout the attack lifecycle: GREYVIBE uses OpenAI ChatGPT, Google Gemini, and Ideogram AI to generate phishing lures, obfuscation code, loader scripts, infrastructure configuration, decoy images, and post-compromise commands. The group runs five parallel attack chains simultaneously across different victim categories. Delivery vectors include spearphishing, fake CAPTCHA pages mimicking legitimate services, and fraudulent Ukrainian adult club websites. The custom malware family “LegionRelay” was developed with AI assistance and features modular architecture for persistence, lateral movement, and data exfiltration. WithSecure’s attribution assessment: Russian-aligned actors with nation-state tasking, possibly incorporating former TrickBot (UAC-0098) members. The significance of GREYVIBE is not any individual novel TTP but the operational throughput AI enables: five simultaneous campaign tracks with AI-generated variation of lures, obfuscation, and infrastructure would previously have required a substantially larger team.

Active since August 2025 · 5 parallel attack chains · AI used: ChatGPT, Gemini, Ideogram · Custom malware: LegionRelay · Attribution: Russian-aligned, possible UAC-0098 overlap
North Korea — Kimsuky — South Korea

Kimsuky: AI-Generated Military ID Lures, GPKI Certificate Exfiltration, New Malware Family Cluster

Kimsuky (Velvet Chollima) deployed a cluster of new malware families against South Korean defense, government, and healthcare targets in the March–April 2026 period covered by ESET’s report: HTTPSpy (disguised as legitimate Korean security software), HelloDoor, HttpMalice, HappyDoor (specialized for GPKI government certificate exfiltration), and enhanced PebbleDash variants. Social engineering lures used AI-generated fake military IDs and fake Webex meeting pages targeting defense ministry and government procurement employees. The GPKI certificate exfiltration focus is notable: South Korea’s Government Public Key Infrastructure certificates are used to authenticate to numerous sensitive government and defense portals; exfiltrating them provides access to systems that require hardware-token-equivalent authentication without the hardware token.

New malware: HTTPSpy, HelloDoor, HttpMalice, HappyDoor, PebbleDash enhanced · GPKI cert exfiltration target · Lures: AI-generated military IDs, fake Webex · Sectors: defense, government, healthcare
Iran — Nimbus Manticore (IRGC-linked) — Aviation / Defense

Nimbus Manticore: Three-Phase SEO Poisoning Campaign, MiniFast Backdoor, AI-Assisted Development

Iran’s Nimbus Manticore (IRGC-linked) continued a three-phase targeting campaign against US, European, and Middle East aviation, defense, aerospace, and telecommunications organizations spanning February–April 2026. Phase 1: fake job offer documents delivered via OnlyOffice macros. Phase 2: fake Zoom meeting invitations with trojanized meeting applications. Phase 3 (dominant during this week): SEO poisoning of legitimate software installer search terms (“SQL Developer download”, “Zoom security update”) to place malicious downloads in top search results. All three phases deliver the MiniFast backdoor, a lightweight persistent access tool whose code shows clear signs of AI-assisted development (standardized function comments, consistent variable naming, rapid feature iteration). MiniFast capabilities: command execution, screenshot capture, file exfiltration, and secondary payload delivery for heavier tooling in high-value targets.

Three phases: fake job offers → fake Zoom → SEO poisoning · Payload: MiniFast backdoor (AI-assisted) · Sectors: aviation, defense, aerospace, telecom · Attribution: IRGC-linked Nimbus Manticore

The proliferation of AI-assisted malware development — GREYVIBE’s LegionRelay, Kimsuky’s new family cluster, Nimbus Manticore’s MiniFast — documented in a single ESET reporting period represents a qualitative shift in the threat landscape. AI-assisted development compresses the time from concept to operational malware, enables teams with lower technical depth to produce functional tooling, and generates variant diversity that challenges signature-based detection. GREYVIBE’s five-parallel-chain operational tempo would have required a meaningfully larger development and operations team before LLMs were available as a force multiplier. The defensive implication is not panic but recalibration: behavioral detection, execution monitoring, and anomaly detection become relatively more important as signature detection erodes against AI-generated variation. The ESET report also documents a recurring pattern worth noting: nation-state groups are using legitimate AI platforms (ChatGPT, Gemini) with no apparent platform-level detection or blocking of these use cases.

05 — ALSO THIS WEEK

Also Worth Tracking

AI Security — First In-the-Wild LLM-Driven Intrusion

Sysdig Documents First Observed In-the-Wild LLM Agent Driving Post-Exploitation Automation

Sysdig published documentation of the first observed in-the-wild attack where a threat actor deployed an LLM agent to automate post-exploitation after gaining initial access via CVE-2026-39987 (critical RCE in Marimo Python notebooks). The LLM agent autonomously executed the following chain in under one hour: extracted cloud credentials from the compromised environment → made 12 AWS API calls across 11 source IPs in 22 seconds (routing through Cloudflare Workers egress to evade per-source-IP detection) → retrieved an SSH private key from AWS Secrets Manager → dumped a complete internal PostgreSQL database. The automation achieved in 22 seconds what manual post-exploitation would require minutes to hours to accomplish, and the Cloudflare Workers IP rotation specifically defeated a common detection control. This is a meaningful milestone: LLM-driven automation is no longer hypothetical or confined to red-team research. Detection focus for this pattern: bursts of AWS API calls from Cloudflare egress IP ranges in rapid succession, particularly calls to Secrets Manager followed immediately by database connection establishment.
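The detection focus above (a burst of AWS API calls from many source addresses in a few seconds, with Secrets Manager reads inside it) is the kind of pattern a sliding-window rule over CloudTrail can catch. The following is an added example, not code from Sysdig or from the newsletter. The events are constructed CloudTrail-shaped records reproducing the reported shape (12 calls, 11 source IPs, 22 seconds); the egress list is a stand-in (a documentation range) for the Cloudflare IP ranges you would load from Cloudflare's published list, and the window and thresholds are assumptions to tune against your own baseline.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed stand-in for the proxy/Workers egress list. In practice load the
# published Cloudflare ranges; 203.0.113.0/24 is a documentation range used
# here only so the sample is self-contained.
EGRESS_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def _in_nets(ip, nets):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in n for n in nets)


def build_sample_events():
    """Constructed CloudTrail-shaped records: one principal making 12 calls from
    11 source IPs over 22 seconds (one IP reused), plus a benign principal."""
    t0 = datetime(2026, 5, 20, 3, 14, 0)
    burst = ["GetCallerIdentity", "ListBuckets", "DescribeInstances", "ListSecrets",
             "GetSecretValue", "DescribeDBInstances", "ListRoles", "GetUser",
             "ListFunctions", "DescribeSecurityGroups", "ListAccessKeys", "GetSecretValue"]
    events = []
    for i, name in enumerate(burst):
        events.append({
            "eventTime": t0 + timedelta(seconds=2 * i),
            "eventSource": "secretsmanager.amazonaws.com" if "Secret" in name else "ec2.amazonaws.com",
            "eventName": name,
            "sourceIPAddress": f"203.0.113.{10 + i % 11}",
            "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/marimo-task-role/i-0abc"},
        })
    for j in range(3):   # benign: few calls, one internal address
        events.append({
            "eventTime": t0 + timedelta(minutes=j),
            "eventSource": "ec2.amazonaws.com",
            "eventName": "DescribeInstances",
            "sourceIPAddress": "10.0.0.5",
            "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops-automation"},
        })
    return events


def detect_api_bursts(events, egress_nets=EGRESS_NETS, window=timedelta(seconds=60),
                      min_calls=10, min_ips=5):
    """Flag a principal whose calls inside `window` come from >= min_ips distinct
    source addresses. The alert is extended while the burst continues, so the
    final record describes the whole burst, not just the moment it crossed."""
    recent = defaultdict(deque)   # principal -> events inside the window
    active = {}                   # principal -> alert currently being extended
    alerts = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        principal = ev["userIdentity"]["arn"]
        q = recent[principal]
        q.append(ev)
        while q and ev["eventTime"] - q[0]["eventTime"] > window:
            q.popleft()
        ips = {e["sourceIPAddress"] for e in q}
        if len(q) >= min_calls and len(ips) >= min_ips:
            alert = active.get(principal)
            if alert is None:
                alert = {"principal": principal, "first_seen": q[0]["eventTime"].isoformat()}
                active[principal] = alert
                alerts.append(alert)
            alert.update({
                "calls": len(q),
                "distinct_ips": len(ips),
                "span_seconds": int((ev["eventTime"] - q[0]["eventTime"]).total_seconds()),
                "egress_ip_share": round(sum(_in_nets(ip, egress_nets) for ip in ips) / len(ips), 2),
                "secrets_manager_read": any(e["eventName"] == "GetSecretValue" for e in q),
            })
        else:
            active.pop(principal, None)   # burst ended; a new one gets a new alert
    return alerts


if __name__ == "__main__":
    for a in detect_api_bursts(build_sample_events()):
        print(a)
```

The rule keys on the principal rather than the source IP precisely because per-source-IP thresholds are what the rotation defeated; `egress_ip_share` and `secrets_manager_read` are carried as enrichment for triage rather than as hard conditions, so a burst that does not touch Secrets Manager still surfaces.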

First in-the-wild LLM-agent intrusion · Initial access: CVE-2026-39987 (Marimo RCE) · 12 AWS calls / 11 IPs / 22 seconds · Detection: Cloudflare egress + Secrets Manager access pattern
Law Enforcement — Infrastructure Takedown

Dutch Police Seize Asocks Residential Proxy Botnet: 200 Servers, 17 Million Compromised Devices

The Hague cybercrime unit and Dutch NCSC seized 200 servers in the Netherlands controlling the Asocks residential proxy service, which operated a botnet of approximately 17 million compromised consumer devices — PCs, home routers, smartphones, and IoT cameras — worldwide. Asocks sold access to this infrastructure to cybercriminals for phishing campaigns, DDoS attacks, ad fraud, and anonymization of malicious traffic. The investigation was initiated following a report from an independent security researcher to the Dutch NCSC. No arrests have been announced. Residential proxy services occupy a specific defensive gap: traffic routed through compromised home devices appears to originate from legitimate residential IP ranges, evading geo-blocking, IP reputation filtering, and datacenter IP blocking commonly used in fraud prevention and abuse detection. The Asocks takedown, following the Operation Saffron dismantlement of First VPN the previous week, represents back-to-back disruptions of the anonymization-infrastructure layer that underlies much cybercriminal operation.

200 servers seized — 17M compromised devices · Device types: PCs, routers, smartphones, IoT · Use cases: phishing, DDoS, fraud, traffic anonymization · Dutch NCSC / Hague cybercrime unit
Malware Ecosystem — Post-LummaC2

Acreed Infostealer Consolidates Post-LummaC2 Market Share, Uses Steam Profiles for C2 Evasion

Following the May 2025 LummaC2 infrastructure seizure, Acreed infostealer has rapidly become the dominant credential-theft MaaS platform on Russian underground markets (Russian Market), surpassing Raccoon, RedLine, Vidar, and StealC in market share within months. Acreed’s key differentiators from prior MaaS stealers: C2 infrastructure routed through Steam community profile pages (leveraging a trusted gaming platform to evade network-layer detection), advanced OPSEC with JSON-structured log output, and a modular subscription pricing model. LummaC2 operators have attempted to rebuild infrastructure but remain fragmented; the operational vacuum created by the 2025 takedown has been effectively filled. Security teams should add Acreed indicators to their hunt lists alongside LummaC2 IOCs; behavioral detection focus: browser credential access patterns, crypto wallet extension file access, and outbound connections to Steam community profile endpoints from non-gaming workstations.

Dominant MaaS post-LummaC2 · C2 via Steam community profiles · Detection: browser credential access + Steam endpoint connections from non-gaming hosts
FBI FLASH — Physical Security

Silent Ransom Group: Physical USB Exfiltration at Law Firms, 100+ Attacks, Russia-Linked

The FBI issued a FLASH alert on May 26 warning law firms about Silent Ransom Group (also tracked as Luna Moth / Chatty Spider / UNC3753), a Russia-linked extortion gang that has escalated to physically walking operatives into law firm offices posing as IT support personnel. The operative obtains unsupervised access to a workstation, inserts a USB storage device to exfiltrate sensitive files, and departs. 38+ firms have had data posted on Silent Ransom Group’s leak site; total confirmed attack count exceeds 100, with activity surging in early 2026. The physical intrusion TTP is explicitly chosen to bypass network-layer defenses: no phishing email, no C2 traffic, no EDR trigger, just a USB drive. Law firms are targeted specifically for client data (M&A deal information, litigation strategy, privileged communications) with high extortion leverage. Defensive measures: require photo ID and escort for all unannounced IT support visits; implement USB port blocking via group policy on attorney workstations; review physical access control logs for tailgating events; conduct a test of reception staff procedures for verifying IT support identities.

FBI FLASH May 26 · 100+ law firm attacks · 38+ data leak postings · TTP: physical USB exfiltration posing as IT support · Attribution: Russia-linked (Luna Moth / UNC3753)
Supply Chain — npm / NuGet

14 Malicious npm Packages Harvest AWS Credentials and Vault Tokens; NuGet Sicoob.Sdk Steals Brazilian Banking PFX Certificates

Two supply chain campaigns targeted developer credentials this week. 14 malicious npm packages from a single actor (handle “vpmdhaj”), published May 28, typosquatted OpenSearch, Elasticsearch, and DevOps tooling libraries to harvest AWS credentials, HashiCorp Vault tokens, npm publish tokens, and CI/CD pipeline secrets. Simultaneously, Sicoob.Sdk (versions 2.0.0–2.0.4) on NuGet exfiltrated Brazilian banking PFX certificates and client IDs to a hardcoded Sentry endpoint; the package was downloaded approximately 500 times. Both campaigns are designed to hit CI/CD infrastructure: developer credentials harvested from automated build systems provide access to cloud accounts, container registries, and internal APIs with no interactive MFA challenge. Organizations should audit recent npm and NuGet dependency additions, particularly from unknown publishers, and ensure CI/CD environment variables for cloud credentials are scoped to minimum necessary permissions with short-lived credential rotation.

14 npm packages (actor: vpmdhaj) · Sicoob.Sdk NuGet (500 downloads) · Targets: AWS creds, Vault tokens, npm tokens, CI/CD secrets, banking PFX certs
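One way to do the dependency audit recommended above, as an added example (not code from either campaign's analysis): diff two package-lock.json files, then score each newly added package for a name within two edits of a known package, a known name under a different scope, or a resolved URL outside the trusted registry. The lockfile contents, the allow-list and the lookalike names are constructed; the 14 packages and the Sicoob.Sdk versions from the report are not reproduced here. The same check applies to NuGet's packages.lock.json with a different parser for the added-packages step.

```python
"""Added example: diff two npm lockfiles and flag newly added packages whose names
resemble well-known ones or resolve outside the trusted registry. All lockfile
contents and the lookalike names below are constructed, not the packages in the report."""
from __future__ import annotations

# Assumption: an allow-list of package names the organisation already relies on;
# in practice generate it from your SBOM or internal registry inventory.
KNOWN_PACKAGES = {"@opensearch-project/opensearch", "@elastic/elasticsearch",
                  "elasticsearch", "express", "lodash"}
TRUSTED_REGISTRY = "https://registry.npmjs.org/"

# Constructed package-lock.json (lockfileVersion 3) before and after a dependency change.
OLD_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "ingest-service", "dependencies": {"express": "^4.19.2", "lodash": "^4.17.21"}},
    "node_modules/express": {"version": "4.19.2",
                             "resolved": "https://registry.npmjs.org/express/-/express-4.19.2.tgz"},
    "node_modules/lodash": {"version": "4.17.21",
                            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"},
}}
NEW_LOCK = {"lockfileVersion": 3, "packages": {
    **OLD_LOCK["packages"],
    "node_modules/dotenv": {"version": "16.4.5",
                            "resolved": "https://registry.npmjs.org/dotenv/-/dotenv-16.4.5.tgz"},
    # constructed lookalike: one edit away from the real "elasticsearch" client name
    "node_modules/elasticsearh": {"version": "1.0.0",
                                  "resolved": "https://registry.npmjs.org/elasticsearh/-/elasticsearh-1.0.0.tgz"},
    # constructed scope confusion, fetched from a non-registry URL
    "node_modules/@opensearch-projects/opensearch": {"version": "3.0.0",
                                                     "resolved": "https://example.invalid/opensearch-3.0.0.tgz"},
}}


def added_packages(old_lock: dict, new_lock: dict) -> dict[str, dict]:
    """Entries present in new_lock but absent from old_lock, keyed by bare package name."""
    old = old_lock["packages"]
    return {path.split("node_modules/")[-1]: meta
            for path, meta in new_lock["packages"].items() if path and path not in old}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_scope(name: str) -> tuple[str, str]:
    """'@scope/pkg' -> ('@scope', 'pkg'); unscoped names get an empty scope."""
    return tuple(name.split("/", 1)) if name.startswith("@") and "/" in name else ("", name)


def lookalike_flags(name: str, known=KNOWN_PACKAGES, max_dist: int = 2) -> list[str]:
    """Reasons a package name resembles a known one; exact known names are never flagged."""
    if name in known:
        return []
    scope, bare = split_scope(name)
    flags = []
    for k in sorted(known):
        k_scope, k_bare = split_scope(k)
        if len(k) >= 5 and levenshtein(name, k) <= max_dist:
            flags.append(f"within {max_dist} edits of known package {k}")
        elif bare == k_bare and scope != k_scope:
            flags.append(f"same name as {k} under a different scope")
    return flags


def audit(old_lock: dict, new_lock: dict, known=KNOWN_PACKAGES) -> list[dict]:
    """One row per newly added package; an empty flags list means nothing suspicious was seen."""
    report = []
    for name, meta in added_packages(old_lock, new_lock).items():
        flags = lookalike_flags(name, known)
        resolved = meta.get("resolved", "")
        if not resolved.startswith(TRUSTED_REGISTRY):
            flags.append(f"resolved outside trusted registry: {resolved or 'missing'}")
        report.append({"package": name, "version": meta.get("version"), "flags": flags})
    return report
```

Running audit(OLD_LOCK, NEW_LOCK) reports three additions: dotenv with no flags, the typo package flagged as two edits or fewer from elasticsearch, and the wrong-scope package flagged both for its name and for resolving outside the registry. Wire the old lockfile in from the base branch in CI so every pull request that changes dependencies gets this report, and treat any flagged row as a hold until a human has looked at the publisher.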
Phishing-as-a-Service — MFA Bypass

Kali365 PhaaS: OAuth Device Code Abuse for MFA Bypass at Scale, $250/Month on Telegram

The FBI issued a PSA on May 21 (widely reported this week) warning of Kali365, a phishing-as-a-service platform first observed in April 2026 that abuses Microsoft’s OAuth 2.0 Device Authorization Grant flow to capture access and refresh tokens without intercepting user credentials or needing real-time MFA interception. The attack delivers a device authorization code to the victim and instructs them to authenticate it at microsoft.com/devicelogin — a legitimate Microsoft URL. When the victim completes authentication, the attacker receives the resulting access and refresh tokens without ever seeing the credentials. Kali365 distributes via Telegram at $250/month with AI-generated lure templates, automated campaign management, and real-time token capture dashboards. Device-code phishing is particularly effective against organizations that have deployed push-based MFA (Authenticator app) and trained users to be suspicious of phishing pages, because the authentication occurs on legitimate Microsoft infrastructure. Conditional Access policies restricting the OAuth Device Authorization flow to managed devices are the primary defensive control.

FBI PSA May 21 · $250/month Telegram subscription · Method: OAuth 2.0 Device Code abuse · Defense: Conditional Access policy blocking device code flow for unmanaged devices
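An added example of verifying the Conditional Access control named above (not code from the FBI PSA or from Microsoft): given a list of policies as exported from Microsoft Graph, report whether any enforced policy blocks deviceCodeFlow for all users and all cloud apps, which policy does, and why the others fall short. The policy objects are constructed, and the property names (authenticationFlows.transferMethods, deviceFilter, builtInControls) are the Graph conditionalAccessPolicy fields as the author of this example understands them; treat them as an assumption to confirm against current documentation.

```python
"""Added example: audit an export of Conditional Access policies for an enforced
block on the OAuth device code flow that reaches unmanaged devices. Policy objects
are constructed; property names follow the Microsoft Graph conditionalAccessPolicy
resource as understood by the example's author (assumption: confirm against the
current Graph documentation before relying on them)."""
from __future__ import annotations

SAMPLE_POLICIES = [
    {"displayName": "Block device code flow (report-only)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Block device code flow on unmanaged devices", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["break-glass-admin-object-id"]},
                    "applications": {"includeApplications": ["All"]},
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
                    # exclude compliant or hybrid-joined devices so the block lands on unmanaged ones
                    "devices": {"deviceFilter": {"mode": "exclude",
                                "rule": 'device.isCompliant -eq True -or device.trustType -eq "ServerAD"'}}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]


def transfer_methods(policy: dict) -> set[str]:
    """The authentication flows a policy targets; Graph returns them as a comma-separated string."""
    raw = (policy.get("conditions", {}).get("authenticationFlows") or {}).get("transferMethods", "")
    return {m.strip() for m in raw.split(",") if m.strip()}


def gaps(policy: dict) -> list[str]:
    """Reasons this single policy does not enforce a block on device code flow for everyone."""
    c = policy.get("conditions", {})
    reasons = []
    if policy.get("state") != "enabled":
        reasons.append(f"state is {policy.get('state')}, not enforced")
    if "deviceCodeFlow" not in transfer_methods(policy):
        reasons.append("authenticationFlows.transferMethods does not include deviceCodeFlow")
    if c.get("users", {}).get("includeUsers") != ["All"]:
        reasons.append("includeUsers is not All")
    if c.get("applications", {}).get("includeApplications") != ["All"]:
        reasons.append("includeApplications is not All")
    if "block" not in (policy.get("grantControls") or {}).get("builtInControls", []):
        reasons.append("grant control is not block")
    return reasons


def device_scope(policy: dict) -> str:
    """Human-readable statement of which devices the policy applies to."""
    f = policy.get("conditions", {}).get("devices", {}).get("deviceFilter")
    return f"{f['mode']} devices matching: {f['rule']}" if f else "all devices"


def audit(policies: list[dict]) -> dict:
    """Whether any policy fully covers the control, which ones do, and why the rest fall short."""
    covering = [p for p in policies if not gaps(p)]
    return {"covered": bool(covering),
            "by": [{"name": p["displayName"], "devices": device_scope(p),
                    "excluded_users": p["conditions"]["users"].get("excludeUsers", [])} for p in covering],
            "gaps": {p["displayName"]: gaps(p) for p in policies if gaps(p)}}
```

On the sample, audit() reports coverage by the second policy and lists the first as a gap because it is report-only: a common state for a control that was piloted and never switched on. The output also surfaces user exclusions and the device filter, since a break-glass account excluded from the block, or a filter that excludes too much, is exactly where a device-code lure will still succeed.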

Analyst Assessment: May 25–29 in Context

ShinyHunters’ simultaneous extortion spree against Charter, Carnival, and Canvas demonstrates that the era of “the breach was a sophisticated attack” is largely over — the breach was a phone call. All three incidents trace to the same technique: a vishing call that produced a valid enterprise credential with SaaS data-platform access. No zero-day exploitation, no advanced persistent access, no months of dwell time. The sophistication is in the targeting and the social engineering script, not the technical execution. This has a specific defensive implication: the marginal return on additional vulnerability scanning and patch management investment is lower than the return on reviewing which employee identities have CRM data-export entitlements and what MFA type they use. Phishing-resistant MFA (hardware tokens, passkeys) for identities with access to large SaaS data exports is the most direct structural fix to the technique ShinyHunters used three times this week.

The first in-the-wild LLM-agent-driven intrusion documented by Sysdig is a milestone event that deserves to be treated as such. The agent achieved in 22 seconds — across 12 AWS API calls from 11 source IPs — what manual post-exploitation would require minutes to hours to accomplish. More importantly, the Cloudflare Workers IP rotation was not a coincidence; it was a deliberate architectural choice to defeat a specific detection control. LLM agents in offensive operations can encode knowledge of defensive controls and adapt execution accordingly. The detection approach that fails first is any control that relies on per-source-IP rate limiting or sequencing assumptions about post-exploitation activity. The detection approach that has more durability is behavioral: AWS Secrets Manager access immediately followed by database connection establishment, or a burst of short-interval API calls from egress IP ranges not associated with your organization’s cloud operations.

The NGINX CVE-2026-42945 disclosure illustrates the enduring value of exploitability research over CVSS score prioritization. The vulnerability is 18 years old. Its CVSS score didn’t change this week. What changed was a public ASLR bypass chain that moved it from “theoretically exploitable under restricted conditions” to “actively exploited.” The Verizon DBIR finding that only 26% of CISA KEV vulnerabilities were fully remediated in 2025 — combined with a 43-day median time to patch — means the marginal impact of any given KEV addition is limited by remediation velocity. The organizations that close the gap are those tracking exploitation status and public PoC availability as primary prioritization signals, not those sorting by CVSS.

What to do this week: (1) Patch PAN-OS GlobalProtect for CVE-2026-0257 immediately; if delayed, disable authentication override cookies as interim mitigation. (2) Patch NGINX for CVE-2026-42945; verify ASLR enforcement (cat /proc/sys/kernel/randomize_va_space = 2) on all production NGINX instances as a compensating control. (3) Audit which enterprise identities have Salesforce (or equivalent CRM) bulk-export entitlements and verify they use phishing-resistant MFA, not push-approval MFA. (4) Disable Gogs internet exposure immediately if running it — the unpatched zero-day has a public Metasploit module. (5) For law firms: test and harden physical access control procedures against IT support impersonation; implement USB port blocking on attorney workstations; review physical access logs for anomalous events in the past 90 days. (6) Review FortiClient EMS on_connect script configurations for unauthorized entries if you have not already patched CVE-2026-35616. (7) Canvas/Instructure institutions: force password resets for all accounts and issue targeted phishing warnings to affected users.

Sources

  1. SC World · ShinyHunters Extorts Charter Communications After Data Breach
  2. BleepingComputer · Victoria’s Secret Restores Critical Systems After Cyberattack
  3. Rapid7 · ETR: Rapid7 Observed Exploitation of PAN-OS GlobalProtect Auth Bypass CVE-2026-0257
  4. Akamai · NGINX Critical Heap Buffer Overflow CVE-2026-42945
  5. Arctic Wolf · FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as Fortinet Patch
  6. Rapid7 · CVE-2026-20182: Critical Authentication Bypass in Cisco Catalyst SD-WAN Controller
  7. Tenable · CVE-2026-9082: Highly Critical SQL Injection in Drupal Core
  8. The Register · No Fix Yet for Critical Gogs RCE Bug — Exploit Module Is Out
  9. Help Net Security · ESET APT Activity Report Q4 2025–Q1 2026
  10. WithSecure Labs · GREYVIBE: New Russian-Nexus Threat Cluster Using AI Throughout the Attack Lifecycle
  11. The Hacker News · Iranian Hackers Deploy MiniFast Backdoor via SEO Poisoning Campaign
  12. BleepingComputer · Dutch Govt Disrupts Malware Botnet with 17 Million Infected Devices
  13. Sysdig · AI Agent at the Wheel: How an Attacker Used LLMs to Move from a CVE to an Internal Database in 4 Pivots
  14. The Record · Acreed Infostealer Arises After LummaC2 Takedown
  15. FBI / IC3 · FBI FLASH: Silent Ransom Group Targeting Law Firms via Physical USB Intrusion
  16. FBI / IC3 · FBI PSA: Kali365 PhaaS Exploiting OAuth 2.0 Device Authorization Grant for MFA Bypass
  17. The Hacker News · Malicious Sicoob NuGet Package Steals Banking Certificates
  18. Help Net Security · DinDoor RAT Distributed via Fake ChatGPT and Claude Installers on GitHub and SourceForge
  19. BleepingComputer · ChatGPT Share Links Abused to Host Fake Outage Pages and Deliver Malware
  20. Help Net Security · Verizon 2026 DBIR: Vulnerability Exploitation Overtakes Stolen Credentials as Top Initial Access Vector
  21. The Hacker News · Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation
  22. Check Point Research · May 25 Threat Intelligence Report

This post was generated with Claude by Anthropic, based on source reporting from the publications listed above and analysis of 32 IOC submissions to iocget.com between May 25–29, 2026.