Previous Cyber Pulse

Previous weekly cybersecurity briefs from CyberMentor365, covering exploited vulnerabilities, breaches, OT/ICS risk, cyber governance, threat activity, and leadership takeaways. Each update is retained for reference, trend tracking, and ongoing cyber awareness.

Week of June 22–june 28, 2026

Cyber Pulse: Top 10 Cybersecurity Stories This Week

 Cyber Pulse: Top 10 Cybersecurity Stories This Week

1. Five Eyes Alliance Issues Urgent AI Cyber Warning: “Months, Not Years”
The US, UK, Canada, Australia, and New Zealand’s intelligence agencies issued a rare joint statement declaring that frontier AI models will “fundamentally transform both offensive and defensive cyber capabilities” within months — not years. The agencies urged global leaders and enterprises to accelerate patching, modernize legacy systems, restrict critical access, and deliberately integrate AI into their defensive posture.reuters+1

Source: Reuters — https://www.reuters.com/world/asia-pacific/five-eyes-intelligence-alliance-warns-that-new-ai-models-pose-urgent-cyber-risk-2026-06-22/


2. LastPass Confirms Customer Data Stolen via Klue Supply Chain Breach
On June 23, LastPass confirmed that the Icarus extortion group had accessed its Salesforce CRM environment by stealing OAuth tokens from Klue, a market-intelligence SaaS vendor used internally by LastPass. Customer contact data — names, phone numbers, email addresses, physical addresses, and support case records — were exposed, though encrypted password vaults and master passwords were unaffected.mashable+1

Source: Mashable — https://mashable.com/tech/lastpass-data-breach-confirmed-everything-we-know-so-far


3. Klue Breach Deepens: Second Hacker Group Extorts Affected Companies
Klue, the vendor at the centre of the LastPass supply chain attack, disclosed that a second unnamed threat actor has emerged claiming to possess data stolen from Icarus — now extorting companies including HackerOne and others directly. The breach, conducted June 11–12, exposed customer data linked to approximately a dozen enterprise clients.thenextweb+1

Source: The Next Web — https://thenextweb.com/news/klue-says-the-hackers-who-stole-its-customer-data-are-deleting-data-second-hacker-group-extortion


4. Tata Electronics Confirms Breach Exposing Apple and Tesla Secrets
Tata Electronics, a key iPhone assembler and supplier to Apple and Tesla, confirmed a cybersecurity incident on June 22 after the World Leaks ransomware group published more than 204,000 files (630+ GB) on the dark web. The leak reportedly includes Apple iPhone 18 Pro supplier mappings, internal component codenames, and Tesla engineering documents — Apple confirmed it is investigating.reuters+1

Source: TechCrunch — https://techcrunch.com/2026/06/22/tata-electronics-a-major-tech-supplier-to-apple-and-tesla-confirms-data-breach/


5. Texas Parks & Wildlife Data Breach Affects 3 Million Individuals
The Texas Parks and Wildlife Department disclosed that a third-party vendor breach exposed data belonging to 3,087,721 hunting and fishing licence customers, including driver’s licence information, passport numbers, email addresses, and home addresses. The Texas Cyber Command is investigating; affected individuals are eligible for one year of free credit monitoring.securityweek+1

Source: SecurityWeek — https://www.securityweek.com/texas-parks-wildlife-data-breach-affects-3-million-individuals/


6. FortiBleed: 75,000 Fortinet Firewall Admin Credentials Cracked
A Russian-speaking cybercriminal campaign dubbed “FortiBleed” systematically extracted and cracked administrator credential hashes from configuration files of approximately 75,000 internet-facing Fortinet FortiGate firewalls and VPN gateways across 194 countries — roughly 50% of all internet-exposed FortiGates. UAE-based deployments are confirmed in scope; organizations are advised to immediately rotate all admin and VPN credentials and enforce MFA.picussecurity+1

Source: Help Net Security — https://www.helpnetsecurity.com/2026/06/18/fortinet-fortibleed-data-leak/


7. Cisco Unified CM CVE-2026-20230 Added to CISA KEV After Active Exploitation
CISA added CVE-2026-20230, an SSRF-to-root vulnerability in Cisco Unified Communications Manager, to its Known Exploited Vulnerabilities catalog on June 25 and gave federal agencies until June 28 to patch. Public PoC code had been available prior to confirmed exploitation, and Cisco had released patches in versions 14SU6 and 15SU5.horizon3+1

Source: The Hacker News — https://thehackernews.com/2026/06/cisco-unified-cm-flaw-exploited-after.html


8. Splunk Enterprise CVE-2026-20253 Exploited Days After Disclosure; CISA Mandates Patch
Splunk confirmed active exploitation of CVE-2026-20253 — a critical CVSS 9.8 unauthenticated RCE flaw in Splunk Enterprise — just eight days after its June 10 disclosure. CISA added it to the KEV catalog on June 18 and directed federal agencies to apply fixes by June 21. WatchTowr’s published PoC demonstrated full pre-authenticated code execution via the PostgreSQL sidecar service.securityweek+1

Source: SecurityWeek — https://www.securityweek.com/splunk-enterprise-vulnerability-exploited-in-attacks-days-after-disclosure/


9. Mastra npm Supply Chain Attack Compromises 144 AI Framework Packages
A critical supply chain attack against the entire @mastra/* npm scope compromised 144 packages, deploying a cross-platform infostealer on any developer system that installed affected packages. The malware targeted npm tokens, GitHub tokens, cloud provider API keys, LLM API keys, CI/CD secrets, and cryptocurrency wallets, with active C2 infrastructure identified on Hostwinds ASN.orca

Source: Orca Security — https://orca.security/resources/blog/mastra-npm-supply-chain-attack/


10. Microsoft Records Largest-Ever Patch Tuesday with 208 CVEs Fixed in June 2026
Microsoft’s June 2026 Patch Tuesday shattered all prior records, addressing 208 vulnerabilities — including 39 Critical and six zero-days (five publicly disclosed; one actively exploited). Key areas covered: Windows kernel, Hyper-V, HTTP.sys, DHCP, Exchange Server, Remote Desktop, and BitLocker, alongside three BitLocker bypass CVEs and a new Defender zero-day (RoguePlanet) left unpatched.thezdi+1

Source: Arctic Wolf — https://arcticwolf.com/resources/blog/microsoft-patch-tuesday-security-recap-june-2026-edition/

Threat Radar: Top 10 Active Threats, APTs & Dark Web Alerts (This Week)

1. MuddyWater APT (Boggy Serpens / Seedworm) — Active META Operations (UAE Priority)
Iran’s MuddyWater, attributed to Iran’s Ministry of Intelligence and Security (MOIS), continues to operate extensively across the Middle East, Turkey, and Africa in a campaign tracked as Operation Olalampo. Active tactics include phishing with macro-laden Excel documents deploying the Phoenix v4 backdoor, abuse of legitimate RMM tools for persistence, and credential harvesting across Microsoft 365 environments. UAE government, energy, and telecom entities remain primary targets.halcyon+1

Source: Halcyon — https://www.halcyon.ai/ransomware-alerts/iranian-use-of-cybercriminal-tactics-in-destructive-cyber-attacks-2026-updates


2. ShinyHunters (UNC6240) — Multi-Track Extortion Campaigns Escalate
ShinyHunters, identified as the dominant cyber extortion actor of 2026, continues to run simultaneous parallel extortion operations: Oracle PeopleSoft compromise (100+ orgs), Eastman Kodak breach (2.2M records), Amazon One Medical data theft (8.8 TB), and Council of Europe exfiltration (429,000+ documents). The group was tied to 14 of 37 confirmed “mega-breaches” in H1 2026.swktech+1

Source: Mandiant / Google GTIG — https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit


3. World Leaks Ransomware — Targeting Global Technology Supply Chains
The World Leaks ransomware group published the 630 GB Tata Electronics dataset this week — including Apple iPhone 18 Pro pre-release supply chain documents and Tesla engineering data — demonstrating a strategic shift toward high-value IP theft over pure financial extortion. The group’s leak infrastructure and post-infection TTPs remain under active investigation.cybernews+1

Source: Reuters — https://www.reuters.com/business/media-telecom/indias-tata-electronics-hit-by-cyber-breach-claiming-expose-apple-tesla-trade-secrets-2026-06-22/


4. Icarus Extortion Group — Emerging Threat to SaaS Supply Chains
Icarus, a newly emerged extortion group tracked from April 2026, exploited legacy credentials to breach Klue’s Salesforce integration and pivot to over a dozen enterprise customers. The group’s methodology — abusing inter-tenant OAuth trust, followed by targeted phishing on stolen contact data — represents a refined SaaS supply chain attack pattern now spreading across the vendor ecosystem.gblock+1

Source: GBlock — https://www.gblock.app/articles/lastpass-klue-supply-chain-breach-june-2026


5. Handala & Iran-Aligned Hacktivists — Gulf Region Infrastructure Targeting Persists
Handala, a pro-Palestinian hacktivist group aligned with Iranian cyber objectives, continues to claim DDoS, data breaches, and destructive attacks across Gulf state targets including financial institutions, aviation systems, and law enforcement-linked platforms. Post-conflict escalation in March 2026 has sustained elevated hacktivist operations well into June, with attribution increasingly blurred across criminal and state-sponsored actors.thenationalnews+1

Source: The National News — https://www.thenationalnews.com/future/technology/2026/04/10/iranian-cyber-attacks-move-from-disruptive-to-complex-threats-in-gulf/


6. Check Point-Documented Crypto Clipboard Hijacker — GitHub/YouTube-Amplified Campaign
Check Point Research unmasked a Rust-based crypto clipboard hijacker promoted via a phishing website and amplified through GitHub, SourceForge, YouTube, and legitimate news sites. The malware targets Windows and macOS, replacing copied cryptocurrency wallet addresses with attacker-controlled wallets — a persistent low-profile financial threat active across the region.research.checkpoint

Source: Check Point Research — https://research.checkpoint.com/2026/22nd-june-threat-intelligence-report/


7. Amazon Prime Day-Themed Phishing Surge (June 23–26, 2026)
Check Point Research documented thousands of newly registered Amazon-lookalike domains and internationalized domain names deployed to coincide with Amazon Prime Day (June 23–26). Campaigns target Prime members with fake credential theft pages, payment fraud lures, and fraudulent “customer support” interactions — posing elevated risk to UAE consumers and enterprises using Amazon Web Services.research.checkpoint

Source: Check Point Research — https://research.checkpoint.com/2026/22nd-june-threat-intelligence-report/


8. Travel-Themed Cybercrime Seasonal Surge — 47,000+ Domains Registered in May 2026
Check Point Research documented a seasonal surge in travel-themed cybercrime, with 47,318 travel-related domains registered in May 2026 — impersonating Booking.com, Airbnb, and Skyscanner. Summer travel patterns in the Gulf mean UAE residents and regional businesses engaging hospitality or travel platforms face heightened credential theft and payment fraud risk through July.research.checkpoint

Source: Check Point Research — https://research.checkpoint.com/2026/22nd-june-threat-intelligence-report/


9. FortiBleed Credential Campaign — Confirmed UAE Exposure in 194-Country Sweep
Help AG’s June 23 advisory confirmed UAE organizations are among those exposed in the FortiBleed campaign, with approximately 75,000 FortiGate devices globally having their administrator and SSL VPN credentials systematically cracked. The threat actor leveraged FortiOS configuration file extraction and offline hash cracking — bypassing real-time detection mechanisms entirely.helpag+1

Source: Help AG — https://www.helpag.com/top-middle-east-cyber-threats-23-june-2026/


10. AutoJack — AI Agent Exploit Chain Enabling Host-Level RCE via Web Pages
Microsoft’s Defender Security Research Team disclosed AutoJack on June 18 — a proof-of-concept attack chain where a single malicious webpage, when loaded by a local AI browsing agent (AutoGen Studio pre-release), achieves unauthenticated host-level remote code execution. The vulnerability class extends beyond AutoGen to any AI agent that browses the web and connects to unauthenticated localhost MCP servers.thehackernews+1

Source: The Hacker News — https://thehackernews.com/2026/06/autojack-attack-lets-one-web-page.html

Patch Priority: Top 10 Critical Vulnerabilities to Watch

1. CVE-2026-35273 | CVSS 9.8 | Oracle PeopleSoft Environment Management | Patched (Mitigation Only — Full Patch Pending)
Summary: A critical SSRF vulnerability in Oracle PeopleSoft’s Environment Management component, actively exploited by ShinyHunters (UNC6240) beginning May 27 against approximately 100 organizations. The flaw allows unauthenticated remote code execution via XMLDecoder abuse; Oracle has issued a stopgap mitigation but has not released a full patch as of this reporting period.
Source: Mandiant / Google GTIG — https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploitcloud.google+1


2. CVE-2026-20253 | CVSS 9.8 | Splunk Enterprise | Patched
Summary: An unauthenticated attacker can create or truncate arbitrary files via an unauthenticated PostgreSQL sidecar service endpoint in Splunk Enterprise, which researchers chained into full pre-authenticated remote code execution within two days of disclosure. CISA added to KEV on June 18; active exploitation confirmed. Fixed in versions 10.0.7 and 10.2.4.
Source: The Hacker News — https://thehackernews.com/2026/06/critical-splunk-enterprise-flaw-lets.htmlthehackernews+1


3. CVE-2026-25089 | CVSS 9.8 | Fortinet FortiSandbox | Patched
Summary: An OS command injection vulnerability in the FortiSandbox Web UI allows unauthenticated attackers to execute arbitrary commands via crafted HTTP requests, enabling sandbox takeover that disrupts malware analysis and internal security workflows. Proof-of-concept exploit code was publicly available at the time of disclosure. Fixed in FortiSandbox 4.4.9 and 5.0.6.
Source: Singapore CSA — https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2026-073/govcert+1


4. CVE-2026-44815 | CVSS 9.8 | Windows DHCP Client Service | Patched
Summary: A stack-based buffer overflow in the Windows DHCP Client Service allows an unauthenticated attacker on the same network segment to achieve remote code execution on vulnerable Windows endpoints. Rated “Exploitation More Likely” by Microsoft, this vulnerability poses a lateral-movement risk in enterprise environments. Patched in June 2026 Patch Tuesday.
Source: CrowdStrike — https://www.crowdstrike.com/en-us/blog/patch-tuesday-analysis-june-2026/arcticwolf+1


5. CVE-2026-47291 | CVSS 9.8 | Windows HTTP.sys (RCE) | Patched
Summary: A remote code execution vulnerability in the Windows HTTP.sys kernel-mode driver — used by IIS and numerous Windows web services — allows an unauthenticated attacker to execute code at kernel level via crafted HTTP requests. Rated “Exploitation More Likely”; any internet-facing Windows web server is in scope. Patched in June 2026 Patch Tuesday.
Source: Rapid7 — https://www.rapid7.com/blog/post/em-patch-tuesday-june-2026/rapid7+1


6. CVE-2026-20230 | CVSS 8.6 (Cisco-rated Critical) | Cisco Unified CM / CM SME | Patched
Summary: An SSRF vulnerability in the Cisco Unified Communications Manager WebDialer component allows an unauthenticated attacker to write arbitrary files to the underlying OS and escalate to root. Exploited in the wild before June 25 CISA KEV addition; public PoC available. Patched in versions 14SU6 and 15SU5.
Source: Horizon3.ai — https://horizon3.ai/attack-research/vulnerabilities/cve-2026-20230/thehackernews+1


7. CVE-2026-50656 (“RoguePlanet”) | CVSS 7.8 | Microsoft Defender (Malware Protection Engine) | Unpatched
Summary: A race condition in the Microsoft Malware Protection Engine within Microsoft Defender allows an authenticated local attacker to escalate privileges to SYSTEM level on fully updated Windows 10 and Windows 11 systems. Microsoft has acknowledged the flaw and confirmed a patch is in development; no patch available as of the reporting period.
Source: Help Net Security — https://www.helpnetsecurity.com/2026/06/17/rogueplanet-zero-day-cve-2026-50656/securityaffairs+1


8. CVE-2026-48582 | CVSS Critical | Microsoft Exchange Online | Patched
Summary: A missing-authorisation vulnerability in Microsoft Exchange Online allows privilege escalation, enabling an attacker to elevate their access within the Exchange environment and potentially access or modify mail data at scale. Addressed in Microsoft’s out-of-band release covering Exchange Online, Azure Synapse, and Entra ID this week. No customer action required (cloud-side fix).
Source: Help AG — https://www.helpag.com/top-middle-east-cyber-threats-23-june-2026/helpag


9. CVE-2026-20262 | CVSS High | Cisco Catalyst SD-WAN Manager | Patched
Summary: An arbitrary file-write vulnerability in the Cisco Catalyst SD-WAN Manager web UI allows an authenticated attacker with write-level access to overwrite system files and escalate to root, compromising the SD-WAN management plane. Cisco confirmed limited targeted exploitation; patches are available across all affected release trains.
Source: SOC Prime — https://socprime.com/blog/cve-2026-20262-cisco-sd-wan-manager-zero-day/socprime


10. CVE-2026-41940 | CVSS 9.8 | cPanel & WHM / WP Squared | Patched
Summary: A CRLF injection in cPanel & WHM’s session management layer allows an unauthenticated attacker to inject arbitrary session properties — including user=root — and gain full WHM root-level administrative access without credentials. In-the-wild exploitation confirmed from approximately February 2026 onward; CISA added to KEV on May 1. Patched April 28. Approximately 1.5 million internet-exposed cPanel instances were potentially vulnerable.
Source: Rapid7 — https://www.rapid7.com/blog/post/etr-cve-2026-41940-cpanel-whm-authentication-bypass/

CVE Watch: Top 10 CVEs — Severity, Impact & Patch Status

CVE IDSeverityCVSSProductImpactPatch StatusSource
CVE-2026-35273Critical9.8Oracle PeopleSoft Env. Mgmt.Unauthenticated RCE; ShinyHunters mass exploitation (100+ orgs)Mitigation available; full patch pendingMandiant/GTIG
CVE-2026-20253Critical9.8Splunk EnterpriseUnauthenticated arbitrary file write → RCE; CISA KEV; actively exploitedPatched (10.0.7 / 10.2.4)The Hacker News
CVE-2026-25089Critical9.8Fortinet FortiSandboxOS command injection via HTTP; unauthenticated sandbox takeover; PoC publicPatched (4.4.9 / 5.0.6)Singapore CSA
CVE-2026-44815Critical9.8Windows DHCP Client ServiceStack-based buffer overflow → unauthenticated RCE; “Exploitation More Likely”Patched (June 2026 PT)CrowdStrike
CVE-2026-47291Critical9.8Windows HTTP.sysKernel-mode unauthenticated RCE on internet-facing Windows serversPatched (June 2026 PT)Rapid7
CVE-2026-20230Critical8.6Cisco Unified CM / CM SMESSRF → arbitrary file write → root privilege escalation; CISA KEV (Jun 25); exploitedPatched (14SU6 / 15SU5)Horizon3.ai
CVE-2026-48584CriticalN/AAzure SynapseExecution with unnecessary privileges → privilege escalation; cloud-side fixPatched (cloud-side)Help AG
CVE-2026-50656 (“RoguePlanet”)High7.8Microsoft Defender (MMPE)Race condition → SYSTEM-level privilege escalation on fully patched Win 10/11Unpatched (patch in dev)Help Net Security
CVE-2026-42824 (“SearchLeak”)Critical6.5–7.5Microsoft 365 Copilot EnterpriseP2P injection + SSRF → one-click mailbox/file exfiltration; no exploitation observedPatched (server-side)Varonis
CVE-2026-20262HighN/ACisco Catalyst SD-WAN ManagerAuthenticated arbitrary file write → root privilege escalation; limited exploitationPatchedSOC Prime

Attack Tracker: Top 10 Cyber Attacks (UAE, Gulf & Global)

1. UAE / Gulf Region | Persistent Iranian APT & Hacktivist Campaign | MuddyWater, Handala, 313 Team
Region/Country: UAE, Saudi Arabia, Bahrain | Attack Type: Espionage, DDoS, Data Exfiltration, Wiper Malware | Threat Actor: MuddyWater (MOIS), Handala, 313 Team
Summary: Multiple Iran-aligned groups continue a sustained hybrid campaign across Gulf states, encompassing phishing-based intrusions via the Phoenix backdoor, DDoS attacks on financial and government portals, and claimed infrastructure breaches. The UAE Cybersecurity Council has confirmed attacks on digital infrastructure tripled to 600,000 daily attempts since the onset of the US–Israel–Iran conflict, with ransomware, data leaks, and wiper malware all observed.
Source: The National News — https://www.thenationalnews.com/future/technology/2026/04/10/iranian-cyber-attacks-move-from-disruptive-to-complex-threats-in-gulf/halcyon+1


2. UAE (Confirmed Exposure) | FortiBleed Mass Credential Compromise | Unknown Russian-Speaking Actor
Region/Country: UAE (among 194 countries) | Attack Type: Credential Theft, Infrastructure Compromise | Threat Actor: Russian-speaking cybercriminal group
Summary: UAE-based organizations are confirmed within the FortiBleed dataset, in which approximately 75,000 Fortinet FortiGate administrator and SSL VPN credential hashes were extracted from internet-facing devices and cracked offline. Help AG’s June 23 advisory specifically flagged UAE exposure, warning that compromised credentials could enable unauthorized access to enterprise network perimeters across the region.
Source: Help AG — https://www.helpag.com/top-middle-east-cyber-threats-23-june-2026/picussecurity+1


3. Sharjah, UAE / Gulf Region | Handala Claims Sharjah National Oil Corporation Breach
Region/Country: Sharjah, UAE | Attack Type: Data Exfiltration | Threat Actor: Handala (Iran-aligned)
Summary: Handala, the Iran-aligned hacktivist group, claimed a breach of Sharjah National Oil Corporation (SNOC) and Israel Opportunity Energy, claiming to have exfiltrated more than 1.3 TB of sensitive data including confidential financial data, oil contracts, and project details. This claim is part of a sustained pattern of Iranian-linked targeting of GCC energy infrastructure following the February 2026 US–Israel strikes on Iran.
Source: Security.com (Symantec) — https://www.security.com/threat-intelligence/iran-cyber-threat-activity-ussecurity


4. Gulf Region (Middle East OT Infrastructure) | State-Sponsored ICS/OT Targeting | Iran-Linked APTs
Region/Country: GCC (UAE, Saudi Arabia, Qatar) | Attack Type: OT/ICS Intrusion | Threat Actor: Iran-linked APTs
Summary: The Middle East OT threat environment is assessed at CRITICAL in June 2026, with 19,000+ internet-exposed ICS devices identified in H1 scanning, and state-sponsored actors confirmed targeting GCC oil & gas, utilities, and water infrastructure. Living-off-the-land techniques were observed in 77% of OT-impacting intrusions across the region this quarter.
Source: Instagram (OT Threat Assessment Summary) — https://www.instagram.com/p/DZZp-0Zk06s/instagram


5. India (Global Supply Chain Impact) | Tata Electronics — World Leaks Ransomware | World Leaks
Region/Country: India (global impact) | Attack Type: Ransomware / IP Theft | Threat Actor: World Leaks
Summary: World Leaks ransomware group published 204,341 files (630 GB) stolen from Tata Electronics on June 22, including Apple iPhone 18 Pro pre-launch supply chain data, Tesla engineering documents, TSMC and Qualcomm confidential materials, and employee passport scans. Apple is investigating; a ransom demand was confirmed.
Source: Reuters — https://www.reuters.com/business/media-telecom/indias-tata-electronics-hit-by-cyber-breach-claiming-expose-apple-tesla-trade-secrets-2026-06-22/reuters+1


6. USA | Texas Parks & Wildlife — Third-Party Vendor Breach | Unknown
Region/Country: United States | Attack Type: Third-Party Supply Chain Breach | Threat Actor: Unknown
Summary: A third-party vendor breach exposed personal data of 3,087,721 Texas hunting and fishing licence holders, including driver’s licence details, passport numbers, email addresses, and home addresses. The Texas Cyber Command is leading the investigation; SSNs, financial data, and dates of birth were not among the exposed data types.
Source: SecurityWeek — https://www.securityweek.com/texas-parks-wildlife-data-breach-affects-3-million-individuals/securityweek


7. USA | LastPass Customer Data Stolen via Klue SaaS Supply Chain | Icarus
Region/Country: United States (global customer impact) | Attack Type: Supply Chain / OAuth Token Abuse | Threat Actor: Icarus
Summary: The Icarus extortion group abused legacy credentials to breach Klue’s Salesforce integration, stealing OAuth tokens that granted access to LastPass and approximately a dozen other enterprise clients’ CRM data. LastPass customer contact records were exfiltrated; password vaults remained intact.
Source: GBlock — https://www.gblock.app/articles/lastpass-klue-supply-chain-breach-june-2026gblock


8. Global (Multiple Orgs) | ShinyHunters Parallel Extortion Campaigns | ShinyHunters (UNC6240)
Region/Country: Global | Attack Type: Data Extortion / Ransomware | Threat Actor: ShinyHunters
Summary: ShinyHunters continued simultaneous active extortion operations this week, with confirmed claims against Amazon One Medical (8.8 TB), Eastman Kodak (2.2M records confirmed breach), the Council of Europe (429,000+ documents), and legacy Oracle PeopleSoft victims still under pressure. The group has dominated the extortion landscape as the most prolific threat actor of H1 2026.
Source: Malwarebytes — https://www.malwarebytes.com/blog/news/2026/06/kodak-confirms-breach-as-shinyhunters-leak-threat-reaches-deadlinemalwarebytes+1


9. Global (Developer Ecosystem) | Mastra npm Supply Chain Attack — 144 Packages | Unknown
Region/Country: Global | Attack Type: Supply Chain / Infostealer | Threat Actor: Unknown
Summary: All 144 packages under the @mastra/* npm scope were compromised with a cross-platform infostealer targeting developer and CI/CD secrets, including npm tokens, GitHub tokens, cloud API keys, LLM API keys, and cryptocurrency wallets. Any developer workstation or CI runner that installed affected packages after June 16 should be treated as fully compromised.
Source: Orca Security — https://orca.security/resources/blog/mastra-npm-supply-chain-attack/orca


10. Global (Enterprise/Gov Environments) | Fortinet FortiSandbox Triple Exploitation | Unknown
Region/Country: Global | Attack Type: Unauthenticated API Exploitation | Threat Actor: Unknown
Summary: Three FortiSandbox vulnerabilities — CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089 — are being actively exploited through unauthenticated API requests, enabling path traversal and root-level command execution. The risk extends to sandbox takeover, which can corrupt malware analysis pipelines and allow adversaries to evade security policies across enterprise and government environments.
Source: Check Point Research — https://research.checkpoint.com/2026/22nd-june-threat-intelligence-report/research.checkpoint

AI Watch: Top 10 AI Innovations Shaping Cyber & Tech

1. Five Eyes Joint Statement: AI Cyber Threat is “Months Away” — Urgency Call to Global Leaders
In a rare coordinated statement released June 22, the Five Eyes cybersecurity agencies (CISA, NCSC, ASD, CCCS, GCSB) declared that frontier AI models are anticipated to “exceed current industry expectations, fundamentally transforming both offensive and defensive cyber capabilities” within months. The agencies called on boards and CISOs to act immediately — accelerate patching, address legacy systems, enforce identity controls, and deliberately integrate AI into defensive operations rather than merely for efficiency.cyber+1

Source: Australian Cyber Security Centre — https://www.cyber.gov.au/about-us/view-all-content/news/five-eyes-cyber-security-agencies-statement


2. Microsoft AutoJack Disclosure: AI Agents Weaponisable via a Single Web Page
Microsoft’s Defender Security Research Team published the AutoJack proof-of-concept on June 18 — demonstrating that a single malicious webpage, rendered by a locally running AI browsing agent, can achieve unauthenticated host-level RCE by exploiting missing authentication on AutoGen Studio’s MCP WebSocket surface. The research established a critical precedent: any AI agent that browses external URLs and shares localhost with high-privilege MCP servers is an RCE vector by design.metana+1

Source: The Hacker News — https://thehackernews.com/2026/06/autojack-attack-lets-one-web-page.html


3. SearchLeak (CVE-2026-42824): Microsoft 365 Copilot Weaponised for One-Click Enterprise Data Exfiltration
Varonis Threat Labs disclosed SearchLeak on June 15 — a three-stage vulnerability chain that turned M365 Copilot Enterprise Search into a silent data exfiltration tool. By chaining a Parameter-to-Prompt injection, an HTML rendering race condition, and a Bing SSRF bypass, an attacker could steal emails, MFA codes, calendar events, and OneDrive/SharePoint files with a single click of a legitimate microsoft.com URL. Microsoft patched server-side in early June; no in-the-wild exploitation was observed.varonis+1

Source: Varonis Threat Labs — https://www.varonis.com/blog/searchleak


4. Anthropic Expands Project Glasswing to 150+ Organizations Across 15+ Countries
Anthropic expanded Project Glasswing on June 2 to approximately 150 new organizations in over 15 countries — including ENISA (the EU cybersecurity agency) and critical infrastructure operators in power, water, healthcare, and communications sectors. Claude Mythos Preview partners had already identified more than 10,000 high- or critical-severity vulnerabilities across major codebases, converting the model into a commercial cybersecurity product at scale.cybersecuritydive+1

Source: CybersecurityDive — https://www.cybersecuritydive.com/news/ai-anthropic-claude-mythos-project-glasswing-expand/821714/


5. OpenAI Releases GPT-5.5 Cyber — Dedicated Model for Offensive Vulnerability Research
OpenAI released GPT-5.5 Cyber — a model purpose-built to find and fix software vulnerabilities — to a select group of verified security organizations under the “Trusted Access for Cyber” programme. The model reportedly topped the CyberGym benchmark, outperforming Anthropic models and earlier GPT versions in end-to-end exploit identification and remediation. Access remains restricted to approved security research organizations.instagram

Source: Instagram/Security Media (OpenAI) — https://www.instagram.com/p/DaAhIS1lXPB/


6. Trump AI Executive Order Creates Mandatory AI Cybersecurity Clearinghouse (Effective July 2, 2026)
On June 2, President Trump signed Executive Order 14409 — “Promoting Advanced Artificial Intelligence Innovation and Security” — directing CISA, NSA, and the Treasury to establish an AI cybersecurity clearinghouse and a voluntary 30-day pre-release government review framework for frontier AI models. The EO also directs the Attorney General to prioritise enforcement of criminal statutes against AI-enabled cyberattacks, with key deadlines clustering around July–August 2026.hklaw+2

Source: White House — https://www.whitehouse.gov/presidential-actions/2026/06/promoting-advanced-artificial-intelligence-innovation-and-security/


7. Anthropic Blocks Foreign Access to Claude Fable 5 and Mythos 5 After US Government Directive
Following a Trump administration security directive, Anthropic disabled access to its two most advanced models — Claude Fable 5 and Mythos 5 — for all foreign nationals, including those residing in the United States, citing concerns over offensive cyber capability exposure. Anthropic determined the restriction was commercially unworkable and withdrew the models entirely pending resolution with the government — a pivotal moment for sovereign AI access policies globally.youtube

Source: Bloomberg / YouTube — https://www.youtube.com/watch?v=U98FVsjvEkM


8. Google DeepMind Introduces Computer Use in Gemini 3.5 Flash
Google DeepMind announced the introduction of computer use capabilities in Gemini 3.5 Flash during June 2026, enabling the model to interact with desktop environments and execute multi-step tasks autonomously. This development directly expands the agentic AI surface for enterprise deployment but also introduces new classes of risk — including the AutoJack-style attack vectors that become viable whenever AI agents can interact with local system resources.deepmind+1

Source: Google DeepMind — https://deepmind.google/blog/


9. Microsoft Launches MDASH: 100+ Agent AI Security Scanning Harness
Microsoft announced expanded preview availability of the Microsoft Security Multi-Model Agentic Scanning Harness (codename MDASH) at Microsoft Build 2026, integrating with Microsoft Defender and GitHub Code Security. The system orchestrates over 100 specialized AI agents to discover, validate, and prove exploitability across enterprise codebases — representing a significant advance in AI-driven continuous vulnerability management at scale.microsoft

Source: Microsoft Security Blog — https://www.microsoft.com/en-us/security/blog/2026/06/02/microsoft-build-2026-securing-code-agents-and-models-across-the-develop-lifecycle/


10. OWASP GenAI Security v2.01 Released — Enterprise AI Governance Framework for Agentic Systems
OWASP’s GenAI Security Project released version 2.01 of its State of Agentic AI Security and Governance report in June 2026, introducing an Enterprise AI Governance Framework. Gartner simultaneously identified deepfakes, prompt injection, AI application compromise, and software supply chain attacks as the four threat categories in its 2026–2027 ThreatScape where attacker capability is measurably outpacing enterprise defences — directly relevant to CISO-level AI governance decisions in the UAE and globally.linkedin

Source: LinkedIn AI Security Executive Briefing — https://www.linkedin.com/pulse/ai-security-executive-briefing-friday-12-june-2026-spencer-j-dimbe

Week of June 15–june 21, 2026

Cyber Pulse: Top 10 Cybersecurity Stories This Week

1. Microsoft June 2026 Patch Tuesday — Largest Ever: 206 Vulnerabilities, 6 Zero-Days
Microsoft released its June 2026 Patch Tuesday update, addressing 206 vulnerabilities — the largest single-cycle disclosure in the program’s 23-year history — including 39 rated Critical and six zero-days (five publicly disclosed, one actively exploited in the wild). Security teams should immediately prioritise patching Windows kernel, Hyper-V, Remote Desktop Client, Kerberos, DHCP, BitLocker, HTTP.sys, Exchange Server, and Office components.talosintelligence+1
Source: Arctic Wolf — https://arcticwolf.com/resources/blog/microsoft-patch-tuesday-security-recap-june-2026-edition/


2. FortiBleed Campaign: 74,000+ Fortinet Firewall Credentials Exposed Globally
A Russian-speaking threat actor systematically exfiltrated configuration files from internet-facing Fortinet FortiGate firewalls, cracking stored password hashes to yield verified admin credentials for approximately 73,932–86,600 devices across 194 countries. CISA issued an urgent advisory on 21 June urging immediate credential rotation, MFA enforcement, and FortiOS upgrades.arcticwolf+2
Source: Recorded Future — https://www.recordedfuture.com/blog/critical-fortibleed-campaign


3. Microsoft Defender Zero-Day RoguePlanet (CVE-2026-50656) — No Patch Available
Microsoft confirmed the “RoguePlanet” zero-day in the Microsoft Malware Protection Engine, assigned CVE-2026-50656 (CVSS 7.8), which allows a low-privilege local attacker to gain SYSTEM-level access via a race condition exploit on fully patched Windows 10 and Windows 11. No patch exists as of 21 June 2026; Microsoft stated it is “working to provide a high-quality security update.”securityaffairs+2
Source: The Hacker News — https://thehackernews.com/2026/06/microsoft-confirms-rogueplanet-defender_02022423645.html


4. ShinyHunters Leaks 45 GB of Madison Square Garden Data — Class Action Filed
The ShinyHunters extortion group published 45 GB of data stolen from Madison Square Garden Entertainment after the company missed a 15 June ransom deadline. The dump reportedly includes facial recognition surveillance records, internal threat assessments, and personal data from 26 million customer and corporate records, triggering a federal class action lawsuit.thenextweb+1
Source: 404 Media — https://www.404media.co/hackers-publish-knicks-and-madison-square-garden-data-online/


5. North Korean Sapphire Sleet Blamed for Mastra AI NPM Supply Chain Attack (145 Packages)
Microsoft attributed with “high confidence” a supply chain attack against the Mastra AI open-source npm framework to the North Korean state actor Sapphire Sleet (BlueNoroff) on 19 June 2026. Attackers hijacked a contributor npm account (“ehindero”) and published malicious updates to more than 140 packages injecting an infostealer payload called “easy-day-js” targeting developer credentials and CI/CD environment secrets.bleepingcomputer+1
Source: BleepingComputer — https://www.bleepingcomputer.com/news/security/microsoft-links-mastra-ai-supply-chain-attack-to-north-korean-hackers/


6. Trump Signs Executive Order Mandating Post-Quantum Cryptography Migration by 2030–2031
President Trump signed an executive order on 22 June 2026 directing all US federal agencies to transition high-value assets to NIST-approved post-quantum cryptography (PQC) algorithms: key establishment by 31 December 2030, and digital signatures by 31 December 2031. The order also directs a pilot PQC migration project to be completed by December 2027 and requires agencies to designate a PQC migration lead.whitehouse+1
Source: White House — https://www.whitehouse.gov/presidential-actions/2026/06/securing-the-nation-against-advanced-cryptographic-attacks/


7. Eastman Kodak Confirms ShinyHunters Breach — 2.2 Million Records at Risk
Kodak confirmed an ongoing data breach investigation after ShinyHunters threatened to publish 2.2 million records of customer PII and internal corporate data unless the company responded by 18 June 2026. Kodak stated the incident was “limited in scope and contained,” and that external cybersecurity experts and law enforcement have been engaged.malwarebytes
Source: Malwarebytes — https://www.malwarebytes.com/blog/news/2026/06/kodak-confirms-breach-as-shinyhunters-leak-threat-reaches-deadline


8. NAIC (National Association of Insurance Commissioners) Hit — 3.1 TB Stolen by ShinyHunters
ShinyHunters claimed responsibility for an attack on the National Association of Insurance Commissioners (NAIC) on approximately 18 June 2026, reportedly exfiltrating 3.1 terabytes of data. The breach is among the largest reported in US financial regulatory infrastructure this year and joins ShinyHunters’ broader wave of attacks targeting over 100 organisations via the Oracle PeopleSoft CVE-2026-35273 zero-day.research.checkpointyoutube
Source: Security Week (breach report) — https://www.securityweek.com


9. Global Law Enforcement Dismantles AudiA6 Crypto Money-Laundering Syndicate
A coordinated international operation involving the US DOJ, Secret Service, Europol, and Eurojust shut down “AudiA6,” a major cryptocurrency laundering platform that processed over €336 million in criminal proceeds from ransomware gangs between 2022 and 2025. Two suspected administrators (a Ukrainian national and a Russian national) were arrested in Georgia; authorities seized over 80 vehicles and froze €692,000 in cryptocurrency.chainalysis+1
Source: Eurojust — https://www.eurojust.europa.eu/news/cryptocurrency-money-laundering-site-shut-down-thanks-coordinated-investigation


10. 24 Billion Credential Dataset Exposed in Massive ElasticSearch Database
Security researchers discovered a massive exposed Elasticsearch database containing approximately 24 billion records and more than 8 terabytes of compiled stolen credentials and login data, primarily aggregated from infostealer malware and Telegram channels. The dataset represents one of the largest credential compilations ever identified and poses significant credential-stuffing and account-takeover risks globally, including to Gulf-region enterprises.haveibeenpwnedyoutube
Source: Have I Been Pwned / BleepingComputer — https://haveibeenpwned.com/Breach/June2026StealerLogs

Threat Radar: Top 10 Active Threats, APTs & Dark Web Alerts (This Week)

1. ShinyHunters (UNC6240) — Global Enterprise Data Extortion Wave
ShinyHunters continued its highly active 2026 campaign this week, compromising the Council of Europe (297 GB claimed, 429,000 files, 10,000 employee records including payroll and medical data), Madison Square Garden, Eastman Kodak, NAIC, and the University of Nottingham (454,600 students). The group’s primary vector remains vishing attacks against Okta and Microsoft Entra accounts, followed by SaaS data theft and a “pay-or-leak” extortion model; active exploitation of Oracle PeopleSoft CVE-2026-35273 serves as an additional initial-access vector targeting education and financial sectors.youtubehuntress+4
Source: SecurityWeek — https://www.securityweek.com/shinyhunters-claims-council-of-europe-hack/


2. Qilin Ransomware — Exploiting Check Point VPN Zero-Day (CVE-2026-50751)
Qilin ransomware affiliates have been actively exploiting CVE-2026-50751, a CVSS 9.3 authentication bypass zero-day in Check Point Remote Access VPN and Mobile Access, since at least May 7 — weeks before public disclosure on June 8. At least one confirmed post-compromise incident is attributed to a Qilin affiliate; the vulnerability was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog with a June 11 deadline for federal agencies.securityweek+1
Source: Help Net Security — https://www.helpnetsecurity.com/2026/06/08/check-point-cve-2026-50751-qilin-ransomware/


3. Iranian APT Cluster (313 Team, DieNet, Fatimion, ALTOUFAN) — UAE & Gulf Targeting
Iran-aligned hacktivist and APT groups continue to surge attacks against UAE targets, with daily attempt volumes reaching 500,000–700,000, attributed largely to state-backed Iranian actors retaliating for the US-Israel-Iran conflict. Targeted entities this period include UAE financial services, government portals, utilities (Sharjah EWGA), and the Dubai Land Department, Dubai Courts, and RTA — raising CISO-level concern across the Gulf.cxoinsightme+1
Source: UAE Cybersecurity Council / Economic Times — https://economictimes.com/news/international/world-news/cyberattacks-surge-across-uae-amid-iran-conflict-businesses-face-disrupt…


4. VerdantBamboo / UNC5221 (China-nexus) — 18-Month Undetected M365 Espionage
Volexity disclosed that UNC5221, also tracked as VerdantBamboo (Clay Typhoon/Warp Panda), maintained undetected access to a US victim network and Microsoft 365 environment for at least 18 months via a managed service provider pivot. The group deployed three malware families this period: a BSD variant of BRICKSTORM, PLENET (a .NET Core cross-platform backdoor), and AGENTPSD (a Python-based reverse shell fallback).linkedin+2
Source: The Hacker News — https://thehackernews.com/2026/06/verdantbamboo-deploys-bsd-variant-of.html


5. FortiBleed — Russian-Nexus Credential Harvesting Campaign Against 194 Countries
A Russian-speaking threat actor systematically harvested configuration files from ~73,932 FortiGate devices via automated scanning, offline GPU password cracking, and exfiltration — yielding working admin and SSL VPN credentials. Researchers from SOCRadar confirmed 86,600+ credentials in the dataset, with NATO-affiliated organisations among primary targets; the campaign has been active since at least early 2026.recordedfuture+2
Source: Arctic Wolf — https://arcticwolf.com/resources/blog/active-fortibleed-campaign-impacting-fortinet-devices-across-194-countries/


6. Luna Moth / UNC3753 (Silent Ransom Group) — IT Impersonation Targeting US Law Firms
Google Mandiant identified an active data-theft extortion campaign by UNC3753 (Luna Moth, Chatty Spider) running from January through May 2026, targeting dozens of US legal, professional, and financial services organisations through IT help-desk impersonation phone calls. The group does not deploy ransomware — instead, it steals sensitive data and extorts victims directly, making it particularly dangerous for high-value professional services sectors with regional GCC offices.youtube
Source: Emerging Threats Weekly (Mandiant) — https://www.youtube.com/watch?v=8Px4eaA3TBg


7. Sapphire Sleet / BlueNoroff (North Korea) — AI Framework Supply Chain Attack
North Korean state actor Sapphire Sleet demonstrated a significant evolution in TTPs this week by targeting the Mastra AI open-source ecosystem — a high-trust, low-verification environment ideal for bypassing traditional developer security controls. The malicious “easy-day-js” payload harvested API keys, tokens, cryptocurrency wallets, and environment variables from developer CI/CD runners globally.infosecurity-magazine+2
Source: Infosecurity Magazine — https://www.infosecurity-magazine.com/news/mastra-ai-supply-chain-attack/


8. MuddyWater / Agrius / Nimbus Manticore (Iran-nexus) — European Infrastructure via WorkTitans
Check Point Research linked a Dutch law enforcement seizure of approximately 800 servers at hosting provider WorkTitans B.V. to Iranian cyber espionage operations. MuddyWater, Agrius, and Nimbus Manticore used this infrastructure for remote access, credential theft, and scanning operations — the same cluster actively targeting UAE and GCC organisations.research.checkpoint
Source: Check Point Research — https://research.checkpoint.com/2026/15th-june-threat-intelligence-report/


9. APT28 / Fancy Bear (Russia) — WinRAR Zero-Day Exploitation Against Ukraine
Russian-linked APT28 continued active exploitation of WinRAR flaw CVE-2025-8088, targeting Ukrainian military and government organisations through spear-phishing archives that deploy stealers harvesting browser passwords, cookies, and VPN configurations. This campaign represents ongoing hybrid warfare digital operations with potential spillover into Gulf-based organisations with Ukrainian or NATO affiliations.research.checkpoint
Source: Check Point Research — https://research.checkpoint.com/2026/15th-june-threat-intelligence-report/


10. Operation FlutterBridge — macOS Malvertising Campaign Distributing FlutterShell Backdoor
Unit 42 identified Operation FlutterBridge, a macOS-focused malvertising campaign that spreads a new backdoor called FlutterShell through malicious Google ads promoting fake-but-functional desktop applications. The campaign is attributed to financially motivated cluster CL-CRI-1089 and represents an evolution of earlier JSCoreRunner activity — posing a risk to macOS users in enterprise environments across the Gulf where BYOD policies are common.youtube
Source: Palo Alto Unit 42 (via Emerging Threats Weekly) — https://www.youtube.com/watch?v=8Px4eaA3TBg

Patch Priority: Top 10 Critical Vulnerabilities to Watch

1. CVE-2026-50751 | CVSS 9.3 | Check Point Remote Access VPN / Mobile Access / Spark Firewall | Patched
Summary: A logic flow flaw in IKEv1 certificate validation allows unauthenticated remote attackers to establish VPN sessions without valid credentials. Qilin ransomware affiliates have exploited this zero-day since May 7, 2026 — a month before public disclosure on June 8.computerworks+1
Source: SecurityWeek — https://www.securityweek.com/check-point-vpn-zero-day-exploited-in-qilin-ransomware-attacks/


2. CVE-2026-35273 | CVSS 9.8 | Oracle PeopleSoft Enterprise PeopleTools 8.61/8.62 | Patched
Summary: An unauthenticated SSRF-to-RCE vulnerability in the Updates Environment Management component enables full server takeover over HTTP with no credentials required. ShinyHunters exploited this as a zero-day from May 27 before Oracle’s out-of-band patch on June 10, and CISA added it to the KEV catalog on June 12.esentire+1
Source: Rapid7 — https://www.rapid7.com/blog/post/etr-active-exploitation-of-oracle-peoplesoft-zero-day-cve-2026-35273/


3. CVE-2026-47291 | CVSS Critical | Windows HTTP Protocol Stack (http.sys) | Patched
Summary: An integer overflow in http.sys allows an unauthenticated attacker to execute arbitrary code by sending a specially crafted packet to any server using the HTTP Protocol Stack, enabling wormable network propagation. This vulnerability is classified by Microsoft as “exploitation more likely” and should be prioritised across all IIS and Windows Server environments in the Gulf.arcticwolf+1
Source: Cisco Talos — https://blog.talosintelligence.com/microsoft-patch-tuesday-for-june-2026-snort-rules-and-prominent-vulnerabilities/


4. CVE-2026-42985 | CVSS Critical | Windows Remote Desktop Client | Patched
Summary: A heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to execute code over a network — classified by Microsoft as “exploitation more likely”. With RDP being a primary remote access vector across UAE enterprise and government environments, this patch is high-priority for all Windows deployments.talosintelligence
Source: Cisco Talos — https://blog.talosintelligence.com/microsoft-patch-tuesday-for-june-2026-snort-rules-and-prominent-vulnerabilities/


5. CVE-2026-44963 | CVSS 9.4 | Veeam Backup & Replication v12 (≤12.3.2.4465) | Patched
Summary: An authenticated domain user can achieve remote code execution on domain-joined Veeam backup servers — a critical risk given that backup infrastructure is a primary ransomware target. The fix is available in Veeam Backup & Replication v12.3.2.4854; v13.x is unaffected.thehackernews+1
Source: Veeam — https://www.veeam.com/kb4869


6. CVE-2026-50656 | CVSS 7.8 | Microsoft Defender (Microsoft Malware Protection Engine) |  UNPATCHED
Summary: A TOCTOU race condition in the Malware Protection Engine allows a low-privilege local attacker to obtain a SYSTEM-level shell on fully patched Windows 10 and Windows 11 systems via NTFS path redirections (junctions/symlinks). No patch exists; the only effective interim mitigation is Windows Defender Application Control (WDAC) in enforced mode.apolocybersecurity+1
Source: Security Affairs — https://securityaffairs.com/193830/security/microsoft-confirms-rogueplanet-zero-day-in-defender-patch-under-development.html


7. CVE-2026-45648 | CVSS Critical | Windows Active Directory Domain Services | Patched
Summary: A stack-based buffer overflow in Active Directory Domain Services allows an authorized attacker to execute malicious code over a network, posing a severe risk to domain controller integrity across enterprise environments. UAE organisations relying heavily on on-premises Active Directory and Azure hybrid joins must apply the June 2026 Patch Tuesday updates immediately.arcticwolf+1
Source: Cisco Talos — https://blog.talosintelligence.com/microsoft-patch-tuesday-for-june-2026-snort-rules-and-prominent-vulnerabilities/


8. CVE-2026-44815 | CVSS Critical | Windows DHCP Client | Patched
Summary: A stack-based buffer overflow in the Windows DHCP Client enables an unauthenticated attacker to execute code over a network — impacting all Windows endpoints that rely on DHCP for IP assignment. This is particularly critical for large-scale UAE enterprise environments running Windows clients at scale in campus or data centre networks.talosintelligence+1
Source: CrowdStrike — https://www.crowdstrike.com/en-us/blog/patch-tuesday-analysis-june-2026/


9. CVE-2026-32193 | CVSS Critical | Azure Kubernetes Service (AKS) | Patched
Summary: A path traversal flaw in Azure Kubernetes Service allows an attacker who can run an untrusted container with host network privileges to break out of the container and gain control of the AKS worker node. Cloud-first UAE organisations leveraging AKS for containerised workloads must patch immediately to prevent container escape and lateral movement.talosintelligence
Source: Cisco Talos — https://blog.talosintelligence.com/microsoft-patch-tuesday-for-june-2026-snort-rules-and-prominent-vulnerabilities/


10. CVE-2026-45456 / CVE-2026-45458 / CVE-2026-47635 | CVSS Critical | Microsoft Outlook & Word | Patched
Summary: Type-confusion flaws in Microsoft Outlook and Word allow an unauthorized attacker to execute malicious code locally when a user opens a crafted file — a direct phishing delivery vector heavily abused against UAE government and enterprise targets. These should be deployed as cumulative Office updates per Microsoft’s June 2026 Security Update Guide.arcticwolf+1
Source: Arctic Wolf — https://arcticwolf.com/resources/blog/microsoft-patch-tuesday-security-recap-june-2026-edition/

CVE Watch: Top 10 CVEs — Severity, Impact & Patch Status

CVE IDSeverityCVSSProductImpactPatch StatusSource
CVE-2026-50751securityweekCritical9.3Check Point Remote Access VPN / Mobile Access / Spark FWAuth bypass — full VPN session without password; Qilin ransomware exploitation confirmed Patched (June 8 hotfix)SecurityWeek
CVE-2026-35273arcticwolfCritical9.8Oracle PeopleSoft PeopleTools 8.61/8.62Unauthenticated SSRF-to-RCE; active exploitation by ShinyHunters since May 27; CISA KEVPatched (June 10, out-of-band)Arctic Wolf
CVE-2026-44963thehackernewsCritical9.4Veeam Backup & Replication ≤12.3.2.4465RCE by authenticated domain user on backup server; backup infrastructure ransomware riskPatched (v12.3.2.4854)Veeam
CVE-2026-47291talosintelligenceCriticalTBDWindows HTTP Protocol Stack (http.sys)Unauthenticated RCE via crafted HTTP packet; potential worm propagationPatched (June Patch Tuesday)Cisco Talos
CVE-2026-42985talosintelligenceCriticalTBDWindows Remote Desktop ClientNetwork RCE via heap-based buffer overflow; “exploitation more likely” designation Patched (June Patch Tuesday)Cisco Talos
CVE-2026-50656thehackernewsHigh7.8Microsoft Defender (Malware Protection Engine)Local privilege escalation to SYSTEM via TOCTOU race condition; public PoC; “RoguePlanet”Unpatched (patch in development)The Hacker News
CVE-2026-45648talosintelligenceCriticalTBDWindows Active Directory Domain ServicesNetwork RCE via stack-based buffer overflow; domain controller takeover riskPatched (June Patch Tuesday)Cisco Talos
CVE-2026-44815talosintelligenceCriticalTBDWindows DHCP ClientNetwork RCE via stack-based buffer overflow; “exploitation more likely” designationPatched (June Patch Tuesday)Cisco Talos
CVE-2026-45658 / CVE-2026-50507arcticwolfImportantTBDWindows BitLockerSecurity feature bypass (YellowKey / Bitskrieg); undermines full-disk encryption at pre-bootPatched (June Patch Tuesday)Arctic Wolf
CVE-2026-48579talosintelligenceCriticalTBDMicrosoft Exchange OnlineImproper authorisation allows unauthenticated information disclosure over a networkPatched (June Patch Tuesday)Cisco Talos

Attack Tracker: Top 10 Cyber Attacks (UAE, Gulf & Global)

UAE & Gulf Region (Priority)

1. UAE | DDoS / Intrusion / Phishing | Iran-Aligned APT Clusters (313 Team, DieNet, ALTOUFAN)
Region/Country: UAE | Attack Type: Multi-vector (DDoS, ransomware, phishing, credential theft) | Threat Actor: Iran-aligned state/hacktivist groups
Summary: Cyberattack attempts on UAE infrastructure reached 500,000–700,000 per day during June 2026, nearly tripling from pre-conflict levels. The Dubai Land Department, Dubai Courts, RTA, Sharjah Electricity & Water, and the Ministry of Climate Change were all subjected to breach attempts during this ongoing campaign.economictimes+1
Source: UAE Cybersecurity Council / Economic Times — https://economictimes.com/news/international/world-news/cyberattacks-surge-across-uae-amid-iran-conflict-businesses-face-disruption


2. UAE (National Infrastructure) | Ransomware / Network Infiltration / Phishing | State-Backed Terrorist-Designated Actors
Region/Country: UAE | Attack Type: Ransomware + network infiltration + systematic phishing | Threat Actor: State-backed (AI-enabled)
Summary: The UAE Cybersecurity Council issued a guide during this period warning of AI-powered attacks using platforms such as ChatGPT for reconnaissance, phishing message enhancement, malware development, and deepfake-based information warfare. Dr. Al Kuwaiti stated hostile actors — including Iran — are leveraging AI to make attacks faster, more convincing, and cheaper to scale against UAE national platforms.cxoinsightme
Source: CXO Insight ME — https://www.cxoinsightme.com/business/industries/government/uae-warns-of-ai-driven-cyber-attacks-during-regional-crisis/


3. GCC / Middle East | Espionage & Credential Theft | MuddyWater / Agrius (Iran-nexus)
Region/Country: GCC/Middle East | Attack Type: Remote access, credential theft, network scanning | Threat Actor: MuddyWater, Agrius, Nimbus Manticore
Summary: Check Point Research confirmed that Iranian APT infrastructure at Dutch hosting provider WorkTitans B.V. (800 servers seized) was used to conduct ongoing espionage operations targeting Gulf and European organisations. MuddyWater, with known historical targeting of UAE and Saudi government and telecoms sectors, used this infrastructure for remote access operations throughout the period.research.checkpoint
Source: Check Point Research — https://research.checkpoint.com/2026/15th-june-threat-intelligence-report/


4. Gulf Region (Financial Sector) | Credential Harvesting / Account Takeover | ShinyHunters (Oracle PeopleSoft CVE-2026-35273)
Region/Country: Gulf / Global | Attack Type: Unauthenticated RCE → data exfiltration → extortion | Threat Actor: ShinyHunters
Summary: ShinyHunters’ exploitation of CVE-2026-35273 in Oracle PeopleSoft has impacted over 100 organisations globally, with the education, HR/payroll, and financial sectors disproportionately affected — sectors heavily represented in UAE and GCC organisations. GCC entities running exposed PeopleSoft PeopleTools 8.61/8.62 instances should assume compromise unless the out-of-band patch has been applied.arcticwolf+1
Source: eSentire — https://www.esentire.com/security-advisories/oracle-peoplesoft-zero-day-vulnerability-cve-2026-35273-exploited-by-shinyhunters


Global Attacks

5. United Kingdom | Data Breach | ShinyHunters
Region/Country: United Kingdom | Attack Type: Data exfiltration via Oracle PeopleSoft zero-day | Threat Actor: ShinyHunters
Summary: The University of Nottingham confirmed a cyberattack on its Campus Solutions student records platform via ShinyHunters, affecting approximately 454,600 current and former students — with passport numbers, enrollment data, and fee payment records exposed. The breach is part of ShinyHunters’ broader Oracle PeopleSoft exploitation campaign targeting 100+ organisations.linkedin+1
Source: Check Point Research — https://research.checkpoint.com/2026/15th-june-threat-intelligence-report/


6. USA | Data Exfiltration / Extortion | ShinyHunters
Region/Country: United States | Attack Type: Supply-chain social engineering → SaaS data theft | Threat Actor: ShinyHunters
Summary: ShinyHunters published 45 GB of stolen Madison Square Garden data on June 15 after the company missed its extortion deadline — including facial recognition records, New York Knicks player data, and 26 million customer records. A federal class action was filed the following day, and the National Association of Insurance Commissioners suffered a separate 3.1 TB data theft on approximately June 18.404mediayoutubethenextweb
Source: 404 Media — https://www.404media.co/hackers-publish-knicks-and-madison-square-garden-data-online/


7. Australia | Ransomware | Gentlemen Ransomware Group
Region/Country: Australia | Attack Type: Ransomware | Threat Actor: Gentlemen Ransomware Group
Summary: Mackay Sugar, an Australian sugar cooperative, suffered a ransomware attack that disrupted operations at its Farley and Racecourse Mills locations and halted harvesting operations. The Gentlemen ransomware group claimed responsibility on June 15–16, 2026, illustrating continued expansion of ransomware operators targeting critical agricultural and food supply sectors.youtube
Source: SecurityWeek / YouTube Breach Recap — https://www.youtube.com/watch?v=T-lkUxwjwP8


8. Canada | Data Breach — Critical Infrastructure | Unknown Threat Actor
Region/Country: Canada | Attack Type: Data breach via system vulnerability | Threat Actor: Unknown
Summary: London Hydro, an electricity distributor serving 160,000+ customers in Ontario, disclosed a data security incident on June 20 after detecting unusual activity — exposing customer names, addresses, email addresses, phone numbers, billing numbers, pricing plans, and meter data. The breach is under investigation with law enforcement; banking and payment details were confirmed unaffected.theregister+1
Source: The Register / London Hydro — https://www.londonhydro.com/data


9. Europe (International Institution) | Data Exfiltration / Extortion | ShinyHunters
Region/Country: Europe (Strasbourg) | Attack Type: Large-scale data theft + extortion | Threat Actor: ShinyHunters
Summary: ShinyHunters listed the Council of Europe on their Tor-based data leak site on June 14, claiming 297 GB and 429,000 exfiltrated files including payroll data for 10,000 employees spanning 2011–2026, CVs, bank account details, and medical records. The Council stated it was “investigating the matter” with no further comment; the June 16 negotiation deadline passed without reported payment.securityweek
Source: SecurityWeek — https://www.securityweek.com/shinyhunters-claims-council-of-europe-hack/


10. Global (Developer Ecosystem) | AI Supply Chain Attack | Sapphire Sleet / BlueNoroff (North Korea)
Region/Country: Global | Attack Type: npm supply chain compromise — infostealer deployment | Threat Actor: Sapphire Sleet (North Korea)
Summary: North Korean hackers hijacked the “ehindero” npm maintainer account on June 17 and mass-published malicious updates to 145 Mastra AI packages injecting the “easy-day-js” infostealer, exfiltrating developer API keys, tokens, cryptocurrency wallets, and CI/CD secrets globally. Security teams running AI development pipelines should immediately audit for the presence of “easy-day-js” in node_modules and verify Mastra package versions.thehackernews+1
Source: Infosecurity Magazine — https://www.infosecurity-magazine.com/news/mastra-ai-supply-chain-attack/

AI Watch: Top 10 AI Innovations Shaping Cyber & Tech

1. Trump Signs Executive Orders on Post-Quantum Cryptography & Quantum Computing Investment
President Trump signed two landmark executive orders on June 22 mandating federal PQC migration by 2030–2031 and launching a national quantum computing initiative to develop a quantum computer capable of important scientific calculations within five years. For UAE and GCC organisations, this signals the imminent need to begin PQC readiness assessments — particularly those handling cross-border data with US Federal partners or participating in NIST FIPS-aligned security frameworks.whitehouse+1
Source: White House — https://www.whitehouse.gov/presidential-actions/2026/06/securing-the-nation-against-advanced-cryptographic-attacks/


2. OWASP Releases Agentic AI Security Governance Framework v2.01 — Top 10 for AI Agents
OWASP published the State of Agentic AI Security and Governance v2.01 in early June, introducing an Enterprise Adoption Maturity Model mapping six deployment levels (AT0 shadow AI through AT5 custom in-house agent) against four governance maturity levels. The framework also introduced the OWASP Top 10 for Agentic Applications (ASI), covering threats from Agent Goal Hijack (ASI01) through Rogue Agents (ASI10) — essential reading for UAE CISOs deploying AI copilots and automation agents.cybersecuritynews+2
Source: OWASP GenAI Security Project — https://genai.owasp.org/resource/state-of-agentic-ai-security-and-governance/


3. Microsoft Announces MDASH: Multi-Model Agentic Security Scanning Harness in Expanded Preview
Microsoft launched the Microsoft Security multi-model agentic scanning harness (codename MDASH) in expanded preview, orchestrating 100+ specialised AI agents to discover and validate exploitable vulnerabilities across code repositories. The system integrates with Microsoft Defender and GitHub Code Security to bring runtime context into development workflows, and includes Defender AI model scanning to detect and block vulnerable or compromised AI models across registries and CI/CD pipelines.microsoft
Source: Microsoft Security Blog — https://www.microsoft.com/en-us/security/blog/2026/06/02/microsoft-build-2026-securing-code-agents-and-models-across-the-developer-lifecycle/


4. Anthropic Launches Claude Fable 5 and Restricted Claude Mythos 5 for Cybersecurity Partners
Anthropic released Claude Fable 5 as a general-purpose Mythos-class model, alongside the restricted Claude Mythos 5 — a cybersecurity-focused model available via Project Glasswing for select technology partners including Google Cloud customers on Vertex AI. Claude Mythos is fine-tuned for vulnerability detection, incident response, and adversarial reasoning, positioning it as a direct competitor to OpenAI’s GPT-5.4-Cyber for enterprise SOC and red-team applications.infosecurity-magazine+1
Source: LinkedIn AI Digest / Infosecurity Magazine — https://www.infosecurity-magazine.com/news/google-gemini-over-cyber-specific/


5. Google Favors General-Purpose Gemini 3.5 Flash Over Cyber-Specific Models for Security Operations
Google Cloud’s COO stated that the company does not plan to release a separate frontier cybersecurity model, asserting that Gemini (with Gemini 3.5 Flash now generally available as the default for AI Mode with 1 billion+ monthly users) is “terrific for security” across all domains. Google’s strategy is to combine high-quality generalist models with task-specific security agents and governance — a significant architectural stance for SOC teams evaluating AI tooling.linkedin+1
Source: Infosecurity Magazine — https://www.infosecurity-magazine.com/news/google-gemini-over-cyber-specific/


6. European Commission Publishes Final AI Act Code of Practice on AI-Generated Content Labelling
The European Commission published its final Code of Practice on marking and labelling AI-generated content on June 10, providing providers and deployers of generative AI a structured compliance path before the AI Act’s transparency obligations become enforceable on 2 August 2026. UAE organisations with European data operations or EU-facing digital services should evaluate how these labelling obligations intersect with their AI governance frameworks under TDRA guidance.linkedin
Source: LinkedIn AI Security Executive Briefing — https://www.linkedin.com/pulse/ai-security-executive-briefing-friday-12-june-2026-spencer-j-dimbe


7. Gartner ThreatScape 2026–2027: Deepfakes, Prompt Injection & AI Supply Chain Attacks Outpacing Defences
Gartner’s Security and Risk Management Summit identified deepfakes, prompt injection, AI application compromise, and software supply chain attacks as the four 2026–2027 ThreatScape areas where attacker capability is outpacing enterprise defences. This framework should directly inform UAE CISO risk registers and AI governance policies, particularly given the UAE Cybersecurity Council’s warnings about AI-powered deepfake campaigns from Iranian actors.linkedin+1
Source: LinkedIn AI Security Executive Briefing — https://www.linkedin.com/pulse/ai-security-executive-briefing-friday-12-june-2026-spencer-j-dimbe


8. North Korean APT Weaponises AI Developer Trust — Mastra npm Attack Signals New Supply Chain Era
The Sapphire Sleet Mastra attack this week represents a pivotal escalation: attackers targeted the AI developer ecosystem specifically because it is a “high-trust, low-verification environment”. The attack harvested not just credentials but AI API keys, model tokens, and crypto wallets — assets unique to AI-native development pipelines — signalling that state actors now view AI infrastructure as a high-value intelligence target.youtube
Source: BleepingComputer — https://www.bleepingcomputer.com/news/security/microsoft-links-mastra-ai-supply-chain-attack-to-north-korean-hackers/


9. OpenAI Expands Trusted Access for Cyber (TAC) Program — GPT-5.4-Cyber Tiered Rollout
OpenAI’s Trusted Access for Cyber program continued its expansion this period, with the company committing to extend GPT-5.4-Cyber access to government agencies at the federal, state, and local level — including for national security missions and public health emergency response. The tiered program uses identity verification to unlock progressively more powerful cyber-defensive capabilities, including vulnerability research and red-team analysis.axios+1
Source: Infosecurity Magazine — https://www.infosecurity-magazine.com/news/openai-extend-cyber-program/


10. China-Based Phishing-as-a-Service Network “Outsider” Uses Google Gemini for Fake Site Generation
Check Point Research highlighted an active China-based phishing-as-a-service network called “Outsider” that allegedly used Google’s Gemini AI to generate fake websites and power large-scale SMS phishing campaigns. Google filed a lawsuit after linking the operation to thousands of phishing sites and over 1.5 million malicious URLs — demonstrating how AI model APIs are being weaponised for industrial-scale social engineering, a threat pattern directly relevant to UAE financial and government institutions.research.checkpoint
Source: Check Point Research — https://research.checkpoint.com/2026/15th-june-threat-intelligence-report/

Week of June 08–june 14, 2026

Cyber Pulse: Top 10 Cybersecurity Stories This Week

1. Trump Signs AI Cybersecurity Executive Order, Establishing Voluntary Pre-Release Framework for Frontier Models

President Trump signed an executive order titled “Promoting Advanced Artificial Intelligence Innovation and Security” on June 2, 2026, directing federal agencies to strengthen cybersecurity across government systems and critical infrastructure. The order establishes a voluntary pre-release engagement framework requiring AI developers to submit frontier models for up to 30 days of government cybersecurity testing before broader release — without creating a mandatory licensing regime. A Treasury-led “AI Cybersecurity Clearinghouse” is also mandated to coordinate vulnerability scanning, validation, and patch distribution across industry and critical infrastructure operators.

Source: White House — Executive Order Promoting Advanced AI Innovation and Security | White House Fact Sheet — https://www.whitehouse.gov/fact-sheets/2026/06/fact-sheet-president-donald-j-trump-promotes-advanced-artificial-intelligence-inn


2. Anthropic Expands Project Glasswing to 150+ Critical Infrastructure Organizations Across 15+ Countries

Anthropic significantly expanded access to its powerful Claude Mythos Preview AI vulnerability-hunting model on June 2, extending Project Glasswing to approximately 150 new organizations across more than 15 countries — including power, water, healthcare, and telecommunications sectors not well-represented in the initial cohort. Partner countries include Australia, Canada, France, Germany, Japan, India, and others friendly to the United States. Since the program launched, Mythos has reportedly found 23,019 vulnerabilities across 1,000+ open-source projects, with a 90.6% confirmation rate on independent sampling.

Source: Cybersecurity Dive — https://www.cybersecuritydive.com/news/ai-anthropic-claude-mythos-project-glasswing-expand/821714/ | TechCrunch — https://techcrunch.com/2026/06/02/anthropic-scales-claude-mythos-to-critical-infrastructure-in-15-countries/


3. Carnival Corporation Confirms Data Breach Affecting ~6 Million Customers

Carnival Corporation, the world’s largest cruise operator, confirmed a data breach affecting nearly 5,995,277 people after the ShinyHunters extortion group claimed responsibility for stealing customer data via social engineering of a single employee account on April 14, 2026. The exposed data includes names, email addresses, dates of birth, genders, loyalty program details, and government-issued identification numbers including passport and driver’s license numbers in some cases. Affected individuals in the United States are being offered 24 months of free credit monitoring through TransUnion, while ShinyHunters also leaked approximately 7.5 million Mariner Society loyalty program records.

Source: SecurityWeek — https://www.securityweek.com/carnival-data-breach-exposed-6-million-people/ | Malwarebytes — https://www.malwarebytes.com/blog/data-breaches/2026/05/carnival-confirms-data-breach-impacting-nearly-6-million


4. Google & FBI Warn of Silent Ransom Group Escalating to Physical In-Person Office Intrusions

Google’s Mandiant and Google Threat Intelligence Group published a joint report on June 5 accusing Silent Ransom Group (SRG) — also known as Luna Moth, Chatty Spider, and UNC3753 — of escalating its attacks on US law firms by sending imposters posing as IT support staff directly to victims’ offices to steal data using USB drives or enable remote access. The FBI separately confirmed “multiple instances of individuals impersonating IT support who gained or attempted to gain physical, in-person access to victim companies’ offices and/or devices.” The group, active since 2022, focuses on data theft and extortion without deploying ransomware encryption, and has targeted dozens of victims from January through May 2026.

Source: TechCrunch — https://techcrunch.com/2026/06/05/google-and-fbi-warn-of-ransomware-group-that-sends-fake-it-workers-to-hack-victims-in-person/ | FBI Advisory — https://www.ic3.gov/CSA/2026/260526.pdf


5. EU Cyber Resilience Act: Conformity Assessment Body Notification Rules Take Effect June 11, 2026

The EU Cyber Resilience Act’s (CRA) Chapter IV provisions — governing the notification of conformity assessment bodies — became applicable on June 11, 2026, marking the first major enforcement milestone of the regulation that entered into force in December 2024. This is immediately followed by manufacturers’ vulnerability reporting obligations taking effect September 11, 2026, with full compliance for all other CRA requirements due December 11, 2027. Organizations globally that sell digital products in the EU must ensure their supply chains, SBOM practices, and vulnerability handling processes align with these deadlines to avoid fines of up to €15 million or 2.5% of global annual turnover.

Source: European Commission — https://digital-strategy.ec.europa.eu/en/policies/cra-summary | Open Regulatory Compliance Working Group — https://orcwg.org/cra/


6. CISA Adds Oracle WebLogic CVE-2024-21182 to KEV Catalog with Emergency June 4 Deadline

CISA added CVE-2024-21182 — an unauthenticated remote access vulnerability in Oracle WebLogic Server (versions 12.2.1.4.0 and 14.1.1.0.0) via T3/IIOP protocols — to its Known Exploited Vulnerabilities (KEV) catalog on June 1, 2026, with a tight federal agency remediation deadline of June 4. The two-year-old vulnerability (patched in Oracle’s July 2024 Critical Patch Update) being added to KEV now signals a significant population of unpatched WebLogic instances still in production enterprise and government environments. WebLogic’s widespread deployment in financial services, government, and large enterprise environments makes it a high-value target for both ransomware operators and nation-state espionage actors.

Source: Threat Modeling — https://threat-modeling.com/vulnerability-intelligence-report-june-2-2026/ | CISA KEV Catalog — https://www.cisa.gov/known-exploited-vulnerabilities-catalog


7. CISA Adds SolarWinds Serv-U DoS Flaw CVE-2026-28318 to KEV Catalog

CISA added CVE-2026-28318 (CVSS 7.5), a high-severity denial-of-service vulnerability in SolarWinds Serv-U multi-protocol file server software, to its Known Exploited Vulnerabilities catalog on June 5, citing evidence of active exploitation via specially crafted unauthenticated POST requests using Content-Encoding: deflate. The issue has been addressed in SolarWinds Serv-U version 15.5.4 HF1, and FCEB agencies have until June 19, 2026 to remediate. This marks another critical Serv-U flaw to be actively exploited in the wild, following a history of Cl0p ransomware gang activity against Serv-U vulnerabilities.

Source: The Hacker News — https://thehackernews.com/2026/06/cisa-adds-actively-exploited-solarwinds.html


8. ShinyHunters Leaks Charter Communications Data Affecting 4.9 Million Customers

Charter Communications (parent company of Spectrum) had its customer data published by ShinyHunters after the group’s May 27 ransom deadline passed without engagement from the company. The breach — which began with a vishing attack that compromised a Microsoft Entra account, enabling access to Charter’s Salesforce environment — exposed 4.9 million unique email addresses along with names, phone numbers, physical addresses, and an internal employee directory subset of approximately 85,000 records with job titles. Charter denied that CPNI or sensitive personal information was exfiltrated, but the data has since been confirmed in HaveIBeenPwned.

Source: eSecurity Planet — https://www.esecurityplanet.com/threats/shinyhunters-alleges-42m-records-stolen-from-charter-communications/ | HaveIBeenPwned — https://haveibeenpwned.com/Breach/Charter


9. Microsoft Confirms Exploitation of Exchange Server CVE-2026-42897 — No Patch Available Yet

Microsoft reported active exploitation of CVE-2026-42897, a critical CVSS 8.1 spoofing vulnerability affecting Microsoft Exchange Server’s Outlook Web Access component (a cross-site scripting issue). As of Patch Tuesday week, no patch is available; Microsoft’s interim mitigation relies on the Exchange Emergency Mitigation Service, which provides automatic protection and is enabled by default on most Exchange deployments. Organizations are urged to verify the service is running, and a formal patch is expected in the June 2026 Patch Tuesday cycle on June 9.

Source: Help Net Security — https://www.helpnetsecurity.com/2026/06/05/june-2026-patch-tuesday-forecast/


10. Italian Authorities Extradite Chinese Hacking Suspect to US in Connection with COVID Research Theft

Italy extradited a Chinese national to the United States this week sought by American authorities for hacking allegations that include the theft of medical research data related to COVID-19, according to Italian law enforcement. The case highlights the continued US-China cyber espionage confrontation and the ongoing role of allied law enforcement cooperation in pursuing nation-state-adjacent cybercriminals. The suspect’s identity and the specific targets of the stolen COVID research were not immediately publicly disclosed.

Source: Reuters — https://www.reuters.com/technology/cybersecurity/

Threat Radar: Top 10 Active Threats, APTs & Dark Web Alerts (This Week)

1. ShinyHunters — Mass Credential-Phishing & Vishing Extortion Campaigns (Global/UAE Exposure)

ShinyHunters continued its aggressive vishing and social engineering campaigns this week, confirmed responsible for the Carnival Corporation (6M records) and Charter Communications (4.9M records) breaches, as well as the Instructure Canvas breach exposing data on 30+ million students. The group’s modus operandi — voice phishing (vishing) to compromise Microsoft Entra accounts, then pivot into Salesforce and cloud environments — poses direct risk to UAE enterprises with Microsoft 365 and Salesforce deployments. ShinyHunters operates a “pay-or-leak” dark web portal and has demonstrated a willingness to re-attack non-paying victims (as seen in the Instructure double-breach).

Source: eSecurity Planet — https://www.esecurityplanet.com/threats/shinyhunters-alleges-42m-records-stolen-from-charter-communications/


2. Qilin — Most Active Ransomware Group in May/June 2026 (97 Claimed Attacks)

Qilin remained the most active ransomware group globally in May 2026, claiming 97 attacks (a slight 10% decline from April’s 108) with nine independently confirmed incidents. Operating under a Ransomware-as-a-Service (RaaS) model with LockBit and DragonForce cartel ties, Qilin employs BYOVD (Bring Your Own Vulnerable Driver) attacks to disable EDR tools and uses double-extortion tactics. The group targets education, government, healthcare, and critical infrastructure globally — sectors heavily represented in the UAE’s digital transformation agenda.

Source: Industrial Cyber — https://industrialcyber.co/ransomware/global-ransomware-activity-rises-modestly-in-may-as-qilin-the-gentlemen-and-dragonforce-lead-attacks/


3. DragonForce — 20.8 TB of Stolen Data in May, Active UAE Targeting

DragonForce claimed the largest data haul of any ransomware group in May 2026, reporting more than 20.8 TB of stolen data across 51 claimed attacks — a 3x data advantage over competitors. The group has directly targeted UAE entities, most notably its March 2026 attack on Ahmed Mubarak Debt Collection in the UAE, and remains part of the LockBit–Qilin–DragonForce cartel sharing tools, infrastructure, and negotiation playbooks. DragonForce’s combination of hacktivist flair and criminal extortion makes it particularly relevant to Gulf region organizations.

Source: Industrial Cyber — https://industrialcyber.co/ransomware/global-ransomware-activity-rises-modestly-in-may-as-qilin-the-gentlemen-and-dragonforce-lead-attacks/ | Dexpose.io — https://www.dexpose.io/dragonforce-compromises-ahmed-mubarak-debt-collection-in-uae-cyberattack/


4. Webworm (China-Aligned APT) — EchoCreep & GraphWorm Backdoors Targeting European Governments

ESET Research disclosed this week that China-aligned Webworm has deployed two new custom backdoors — EchoCreep (using Discord for C2) and GraphWorm (using Microsoft Graph API/OneDrive for C2 and data exfiltration) — against government organizations in Belgium, Italy, Poland, Serbia, and Spain. The use of legitimate cloud platforms (Discord, Microsoft Graph) for C2 communications is a significant evasion technique that bypasses traditional network security detection relying on domain/IP blocklists. Researchers decrypted over 400 Discord messages and found evidence of reconnaissance against 50+ targets.

Source: ESET Research — https://www.eset.com/us/about/newsroom/research/eset-research-china-aligned-webworm-european-governments-targeted/ | The Hacker News — https://thehackernews.com/2026/05/webworm-deploys-echocreep-and-graphworm.html


5. Silent Ransom Group (Luna Moth) — Physical Infiltration of Law Firms with USB-Based Data Exfiltration

Silent Ransom Group has escalated beyond remote social engineering to physically sending imposters dressed as IT support staff into victim law firms’ offices to insert USB drives or enable remote access directly on target computers. Active from January through May 2026 targeting “dozens” of law firms, the group also uses phishing emails and vishing calls as primary vectors, with physical intrusion as a fallback when remote attempts fail. FBI indicators include unauthorized remote access tool installations (Zoho Assist, AnyDesk, RustDesk) and unidentified individuals attempting computer access.

Source: FBI CSA — https://www.ic3.gov/CSA/2026/260526.pdf | Help Net Security — https://www.helpnetsecurity.com/2026/05/27/fbi-silent-ransom-group-law-firms-social-engineering/


6. Iran-Aligned Threat Actors — Continued Surge in AI-Enhanced Espionage & Destructive Operations Against UAE/Gulf

Iran-linked threat actors remain in an elevated operational tempo targeting UAE and Gulf infrastructure, with between 500,000 to 700,000 daily cyberattack attempts recorded against UAE strategic sectors — many state-sponsored. Dr. Mohammed Al Kuwaiti (UAE Cybersecurity Council) confirmed that hostile actors, including Iran, are using AI platforms such as ChatGPT and other tools for reconnaissance, vulnerability identification, phishing message improvement, and malware development. Separate reporting from Proofpoint and Check Point shows groups like Handala (Void Manticore), MuddyWater, and TA453 (Charming Kitten/APT42) sustaining high-tempo operations.

Source: CXO Insight ME — https://www.cxoinsightme.com/business/industries/government/uae-warns-of-ai-driven-cyber-attacks-during-regional-crisis/ | Industrial Cyber — https://industrialcyber.co/critical-infrastructure/iran-linked-cyber-espionage-surges-across-middle-east/


7. GREYVIBE (Russia-Aligned) — First Confirmed Dual-Platform AI-Assisted Campaign Using ChatGPT & Gemini

Russia-aligned threat actor GREYVIBE is actively using both ChatGPT and Google Gemini to accelerate phishing content generation, malware development, and post-compromise activity — confirmed by Check Point Research as the first double-platform AI-assisted adversarial campaign in Check Point’s 2026 corpus. The group is primarily targeting Ukrainian organizations but the technique and infrastructure are transferable, representing a template for AI-augmented adversarial operations globally. This development validates the UAE Cybersecurity Council’s warnings about AI being weaponized by hostile state-linked actors.

Source: Cybersecurity Insiders — https://www.cybersecurity-insiders.com/carnival-corporation-data-breach-account-compromise-june-2026/


8. ChatGPhish — Cross-Site Prompt Injection Turns ChatGPT into a Phishing Delivery Surface

Permiso Security disclosed a technique dubbed “ChatGPhish” (XPIA) on May 29, 2026, demonstrating that any web page a user asks ChatGPT to summarize can inject attacker-controlled links, fake OpenAI security alerts styled in ChatGPT’s own UI, QR code redirects, and tracking pixels (leaking IP, User Agent, and timing) directly inside the trusted chatgpt.com interface. OpenAI marked the initial disclosure “Not Reproducible” and has not assigned a CVE or confirmed a patch timeline. With hundreds of millions of ChatGPT users globally — including corporate employees using it to summarize documents — this represents a significant, unpatched social engineering amplifier.

Source: Cloud Security Alliance — https://labs.cloudsecurityalliance.org/wp-content/uploads/2026/06/CSA_research_note_chatgphish_prompt_injection_phishing_20260602.pdf | Gblock — https://www.gblock.app/articles/chatgphish-permiso-chatgpt-markdown-rendering-phishing-may-2026


9. Fortinet-Reported Large-Scale Exploitation of Citrix NetScaler CVE-2026-3055

Fortinet’s threat intelligence team confirmed large-scale active exploitation of CVE-2026-3055 (CVSS 9.8), an out-of-bounds memory read vulnerability in Citrix NetScaler ADC and NetScaler Gateway when configured as a SAML Identity Provider (IDP). NetScaler appliances serve as the primary remote access and application delivery gateway for thousands of organizations — exploiting this vulnerability gives attackers a privileged perimeter position from which to intercept authentication, manipulate SAML assertions, and pivot into internal networks. This follows the well-established pattern of NetScaler vulns (cf. CVE-2023-4966 CitrixBleed) being aggressively weaponized at scale within days of public disclosure.

Source: Threat Modeling — https://threat-modeling.com/vulnerability-intelligence-report-june-2-2026/


10. TGR-STA-1030 (Likely China) — 70+ Government Agencies & Critical Infrastructure Breached Across 37 Countries

Palo Alto Networks Unit 42 reported that an Asian government-linked threat actor it tracks as TGR-STA-1030 has breached at least 70 government agencies and critical infrastructure organizations across 37 countries in an espionage campaign focused on rare earth minerals, trade deals, and economic partnerships — with reconnaissance conducted against government networks in 155 countries. The group has targeted law enforcement agencies, finance ministries, and trade departments. While not directly attributed to China, the objectives align closely with PRC strategic priorities, and Gulf states’ energy and trade departments fall within the reconnaissance perimeter.

Source: Cybersecurity Dive — https://www.cybersecuritydive.com/news/asian-governments-espionage-campaign-breached-critical-infrastructure-in-3/811472/

Patch Priority: Top 10 Critical Vulnerabilities to Watch

1. CVE-2026-41089 | CVSS 9.8 | Microsoft Windows Netlogon (Windows Server 2012–2025) | Patched

Summary: A stack-based buffer overflow (CWE-121) in the Windows Netlogon service allows an unauthenticated remote attacker to execute arbitrary code on any domain-joined Windows Server via a crafted network packet — with a successful exploit against a domain controller granting full Active Directory control. The Belgian government’s Centre for Cybersecurity issued an urgent exploitation warning, confirming real-world attacks are underway; security researchers compare it to Zerologon (2020) in severity and impact.

Source: Threat Modeling — https://threat-modeling.com/vulnerability-intelligence-report-june-2-2026/ | LinkedIn Intelligence Briefing — https://www.linkedin.com/pulse/june-1-2026-tech-ai-cybersecurity-intelligence-briefing-sanchez-3rywc


2. CVE-2026-3055 | CVSS 9.8 | Citrix NetScaler ADC & Gateway (All versions prior to 13.1-62.23 / 14.1-60.58) | Patched

Summary: An out-of-bounds memory read vulnerability in NetScaler ADC and Gateway when configured as a SAML Identity Provider allows remote code execution; Fortinet confirmed large-scale active exploitation is ongoing across the internet. Citrix appliances are the network perimeter gateway for thousands of organizations including UAE government and financial institutions — compromise provides privileged access to SAML authentication flows and internal networks.

Source: Threat Modeling — https://threat-modeling.com/vulnerability-intelligence-report-june-2-2026/


3. CVE-2026-0257 | CVSS 7.8 | Palo Alto Networks PAN-OS (GlobalProtect) — PAN-OS 10.2, 11.1, 11.2, 12.1 | Patched

Summary: An authentication bypass in the GlobalProtect portal and gateway allows unauthenticated attackers to forge authentication override cookies and establish unauthorized VPN sessions; Rapid7 MDR confirmed active exploitation across “numerous customers” with the earliest observed attack on May 17, 2026. CISA added this to the KEV catalog on May 29 with a June 1 federal deadline — organizations still running unpatched versions are actively at risk of unauthorized network access.

Source: Palo Alto Unit 42 — https://unit42.paloaltonetworks.com/active-exploitation-of-pan-os-cve-2026-0257/ | Rapid7 — https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/


4. CVE-2026-41103 | CVSS 9.1 | Microsoft SSO Plugin for Jira & Confluence | Patched (May 2026 Patch Tuesday)

Summary: A critical elevation of privilege vulnerability in the Microsoft Single Sign-On Plugin for Jira and Confluence allows an unauthorized attacker to forge identity and sign in without Microsoft Entra ID authentication, gaining full access to or the ability to modify data in Jira/Confluence environments. Rated “Exploitation More Likely” by Microsoft, this is particularly dangerous for UAE organizations and enterprises using Atlassian platforms integrated with Azure AD/Entra ID.

Source: Tenable — https://www.tenable.com/blog/microsofts-may-2026-patch-tuesday-addresses-118-cves-cve-2026-41103


5. CVE-2026-41089 + CVE-2026-8644 / CVE-2026-9311 / CVE-2026-9319 | CVSS 9.0–9.1 | IBM WebSphere Application Server 8.5 & 9.0 | Patched

Summary: Three critical IBM WebSphere vulnerabilities disclosed simultaneously on June 1 include CVE-2026-8644 (identity spoofing/auth bypass), CVE-2026-9311 (RCE via security control bypass), and CVE-2026-9319 (RCE via deserialization of untrusted data in JAX-WS endpoints with WS-Security). A compromised WebSphere instance can expose backend databases, message queues, and integrated enterprise systems — particularly dangerous given WebSphere’s deep penetration in banking, insurance, government services, and ERP platforms.

Source: Threat Modeling — https://threat-modeling.com/vulnerability-intelligence-report-june-2-2026/


6. CVE-2024-21182 | CVSS 7.5 | Oracle WebLogic Server 12.2.1.4.0 & 14.1.1.0.0 | Patched (CISA KEV — Deadline June 4)

Summary: An unauthenticated remote access vulnerability in Oracle WebLogic’s Core component via T3/IIOP protocols allows unauthorized access to critical data or full server compromise; despite being patched in July 2024, CISA’s June 1 KEV addition confirms sustained exploitation of unpatched enterprise instances. Federal agencies faced a June 4 remediation deadline — non-federal organizations, particularly in Gulf financial and government sectors with WebLogic deployments, should treat this as emergency-patch status.

Source: Threat Modeling — https://threat-modeling.com/vulnerability-intelligence-report-june-2-2026/


7. CVE-2026-42897 | CVSS 8.1 | Microsoft Exchange Server (OWA) | Unpatched — Mitigation Available

Summary: A critical cross-site scripting spoofing vulnerability in Microsoft Exchange Server’s Outlook Web Access is being actively exploited with no patch yet available as of this reporting period; Microsoft’s Exchange Emergency Mitigation Service (EEMS) provides automatic protection and organizations must ensure this service is running and up to date. A formal patch is anticipated in June 9 Patch Tuesday — organizations should verify EEMS is enabled and monitor Exchange access logs for anomalous OWA activity.

Source: Help Net Security — https://www.helpnetsecurity.com/2026/06/05/june-2026-patch-tuesday-forecast/


8. CVE-2026-44825 | CVSS 8.1 | Apache Solr 9.4.0–9.10.1, 10.0.0 | Patched

Summary: Apache Solr’s Basic Authentication setup tool silently installs additional template user accounts (superadmin, admin, solr, readonly) with publicly known default credentials alongside user-specified accounts — allowing unauthenticated remote attackers with internet access to an exposed Solr instance to authenticate with full administrative privileges. Solr is widely deployed as the search backend for e-commerce platforms, content management systems, and enterprise data lakes including those in use across UAE’s digital economy sectors.

Source: Threat Modeling — https://threat-modeling.com/vulnerability-intelligence-report-june-2-2026/


9. CVE-2026-8206 | CVSS 9.8 | Kirki WordPress Plugin (v6.0.0–6.0.6) | Patched

Summary: An unauthenticated account takeover vulnerability in the Kirki WordPress page builder plugin allows any attacker to trigger a password reset for any WordPress user including administrators by supplying a valid username with an attacker-controlled email address — requiring just a single HTTP request with no prior authentication. This trivially executable attack endangers any WordPress site running affected Kirki versions, with implications for the thousands of UAE business and government websites built on WordPress.

Source: Threat Modeling — https://threat-modeling.com/vulnerability-intelligence-report-june-2-2026/


10. CVE-2026-28318 | CVSS 7.5 | SolarWinds Serv-U 15.5.4 and prior | Patched (CISA KEV — Deadline June 19)

Summary: A denial-of-service vulnerability in SolarWinds Serv-U multi-protocol file server (CWE-400: Uncontrolled Resource Consumption) crashes the service via unauthenticated POST requests with Content-Encoding: deflate — actively exploited in the wild and added to CISA KEV on June 5, 2026, with a federal agency deadline of June 19. Serv-U has a history of critical vulnerabilities exploited by the Cl0p ransomware gang, making this platform a high-priority patching target for any organization running it for MFT or file transfer services.

Source: The Hacker News — https://thehackernews.com/2026/06/cisa-adds-actively-exploited-solarwinds.html

CVE Watch: Top 10 CVEs — Severity, Impact & Patch Status

CVE IDSeverityCVSSProductImpactPatch StatusSource
CVE-2026-41089Critical9.8Microsoft Windows Netlogon (Server 2012–2025)Unauthenticated RCE via stack buffer overflow; full AD domain takeover. Belgian CCB exploitation warning confirmed.Patched — Apply latest CUThreat Modeling
CVE-2026-3055Critical9.8Citrix NetScaler ADC & Gateway (SAML IDP)RCE via out-of-bounds read; large-scale active exploitation confirmed by Fortinet. Perimeter network compromise.Patched — v13.1-62.23 / 14.1-60.58Threat Modeling
CVE-2026-8206Critical9.8Kirki WordPress Plugin v6.0.0–6.0.6Unauthenticated account takeover via password reset to attacker email; full site admin access.Patched — Update beyond v6.0.6Threat Modeling
CVE-2026-41103Critical9.1Microsoft SSO Plugin for Jira & ConfluenceForged identity bypass of Entra ID authentication; unauthorized data access/modification in Atlassian suite.Patched — May 2026 Patch TuesdayTenable
CVE-2026-8644Critical9.1IBM WebSphere App Server 8.5 & 9.0Identity spoofing / authentication bypass via CWE-290; enables impersonation of any authenticated user.Patched — IBM Fix PackThreat Modeling
CVE-2026-9311Critical9.0IBM WebSphere App Server 8.5 & 9.0RCE via security control bypass (CWE-94 Code Injection); unauthenticated remote code execution.Patched — IBM Fix PackThreat Modeling
CVE-2026-9319Critical9.0IBM WebSphere App Server 8.5 & 9.0RCE via deserialization of untrusted data in JAX-WS endpoints with WS-Security (CWE-502).Patched — IBM Fix PackThreat Modeling
CVE-2026-42897Critical8.1Microsoft Exchange Server (OWA / XSS)Active exploitation of cross-site scripting in Outlook Web Access; spoofing/session hijack. No patch yet — EEMS mitigation active.Unpatched — EEMS Mitigation ActiveHelp Net Security
CVE-2026-44825High8.1Apache Solr 9.4.0–9.10.1 / 10.0.0Hardcoded default admin credentials silently installed by setup tool; full unauthenticated admin access.Patched — Upgrade or delete template usersThreat Modeling
CVE-2026-0257High7.8Palo Alto PAN-OS GlobalProtectAuthentication bypass via forged cookie; unauthorized VPN sessions established. CISA KEV. Actively exploited.Patched — See Unit 42 AdvisoryPalo Alto Unit 42

Attack Tracker: Top 10 Cyber Attacks (UAE, Gulf & Global)

1. UAE | DDoS & Hacktivist Operations | 313 Team / Liwa Thar Allah / Iranian-linked Groups

Region/Country: UAE | Attack Type: DDoS, Website Defacement, Financial Services Disruption | Threat Actor: 313 Team, Liwa Thar Allah, Fad Team (Iran-linked hacktivist collectives)

Summary: CloudSEK documented coordinated cyber disruption attempts against 10 financial institutions including major UAE and Saudi banks, seven aviation entities, government ministries, and telecoms providers between late May and early June 2026, in response to regional geopolitical tensions. In the UAE, some online and phone banking services experienced disruptions attributed to region-wide IT service disruptions, with the Iranian-linked hacktivist groups publicly claiming the operations on Telegram channels.

Source: The National News — https://www.thenationalnews.com/future/technology/2026/03/02/cyberwar-and-military-escalation-converge-as-middle-east-digital-infrastructure-under-attack/


2. UAE | AI-Enhanced Ransomware & Phishing | Iran-Linked APT Groups

Region/Country: UAE (Strategic Sectors) | Attack Type: AI-Enhanced Phishing, Ransomware Attempts, Network Infiltration | Threat Actor: Iran-Linked State-Sponsored Actors

Summary: The UAE Cybersecurity Council publicly confirmed that the country continues to face 500,000 to 700,000 cyberattack attempts daily against strategic sectors, with state-backed actors leveraging AI platforms including ChatGPT to develop offensive tools, conduct reconnaissance, and execute deepfake-based social engineering. Dr. Mohammed Al Kuwaiti confirmed that attempts include network infiltration, ransomware deployment, and systematic phishing campaigns targeting national platforms — representing a “qualitative shift” in threat sophistication.

Source: CXO Insight ME — https://www.cxoinsightme.com/business/industries/government/uae-warns-of-ai-driven-cyber-attacks-during-regional-crisis/ | Reuters — https://www.reuters.com/world/uae-foils-cyber-attacks-state-news-agency-says-2026-02-21/


3. UAE | Ransomware (Prior Week Context) | DragonForce

Region/Country: UAE — Dubai Financial Services | Attack Type: Ransomware, Data Exfiltration | Threat Actor: DragonForce

Summary: DragonForce’s March 2026 attack on Ahmed Mubarak Debt Collection (AMDC) — a UAE-licensed debt collection firm — remained active in dark web leak threat status during the current week, with the group warning of data publication if demands were not met. With over 20.8TB claimed stolen globally in May 2026 alone and the LockBit–Qilin–DragonForce cartel structure in full operation, UAE financial services firms remain a primary regional target for this group’s double-extortion campaigns.

Source: Dexpose.io — https://www.dexpose.io/dragonforce-compromises-ahmed-mubarak-debt-collection-in-uae-cyberattack/


4. Gulf Region (Saudi Arabia, UAE, Jordan) | Espionage Campaign | OilRig (APT34)

Region/Country: Gulf Region (Saudi Arabia, UAE, Jordan, Israel) | Attack Type: Spear-Phishing, Multi-Stage Espionage | Threat Actor: APT-C-49 / OilRig / APT34 (Iran-linked)

Summary: Help AG’s threat intelligence for the Middle East documented APT34 (OilRig) conducting spear-phishing campaigns using macro-enabled Excel files themed on regional events, with multi-stage attack chains leveraging compiled C# code, GitHub data retrieval, Google Drive steganography, and Telegram Bot API for C2 with persistence via scheduled tasks. The group continues to systematically target Gulf government, energy, and defense sectors as part of Iran’s sustained regional intelligence collection campaign.

Source: Help AG — https://www.helpag.com/top-middle-east-cyber-threats-06-may-2026/


5. Middle East / UAE (Military Personnel) | Wiper Malware, Social Engineering | Handala (Void Manticore)

Region/Country: UAE, Israel, Jordan, Regional Military Personnel | Attack Type: Social Engineering, Wiper Malware, Data Theft | Threat Actor: Handala (Void Manticore / Storm-0842 / BANISHED KITTEN)

Summary: Handala continued targeting military personnel across the Middle East this week via WhatsApp messages from spoofed business numbers warning of missile and drone strikes, combined with the publication of personal data from 2,379 personnel on Telegram. The group has previously claimed to have wiped over 200,000 systems globally by leveraging compromised Microsoft Intune Global Administrator accounts, using multiple wiper variants including BiBi Wiper, Hamsa, CoolWipe, and ChillWipe.

Source: Help AG — https://www.helpag.com/top-middle-east-cyber-threats-06-may-2026/


6. Global / USA | Data Breach via Social Engineering | ShinyHunters

Region/Country: Global (USA) | Attack Type: Vishing, Social Engineering, Data Exfiltration | Threat Actor: ShinyHunters

Summary: The ShinyHunters group’s breach of Carnival Corporation (5.99 million customers affected) via a single compromised employee account used on April 14, 2026, was formally disclosed this week after the group published the data and sent notifications to affected customers starting May 27. This breach — combined with the Charter Communications (4.9M records), Instructure Canvas (30M+ students), and other ShinyHunters campaigns — establishes the group as the most prolific data extortion threat actor of 2026.

Source: SecurityWeek — https://www.securityweek.com/carnival-data-breach-exposed-6-million-people/


7. USA | Supply Chain Attack on Open Source Ecosystem | Unknown (Suspected Nation-State)

Region/Country: Global (impacting OpenAI, Vercel, Bitwarden, Aqua Security Trivy, Checkmarx) | Attack Type: Supply Chain Attack, Backdoor Injection, Credential Theft | Threat Actor: Unknown / Suspected Nation-State

Summary: A series of ongoing, overlapping supply chain attacks on open source developers compromised major tools including Aqua Security’s Trivy vulnerability scanner, Bitwarden password manager, and Checkmarx, allowing attackers to steal credentials, passwords, and sensitive tokens from any user of the backdoored software — then using stolen credentials to breach downstream companies including OpenAI and Vercel. With a new hack almost every week throughout 2026, the open source software ecosystem remains a critical vulnerability surface for organizations relying on third-party dependencies.

Source: TechCrunch — https://techcrunch.com/2026/06/03/the-worst-hacks-and-breaches-of-2026-so-far/


8. USA | FBI Wiretap System Breach | China (Suspected Salt Typhoon / PRC-linked)

Region/Country: USA (FBI, Virgin Islands) | Attack Type: Espionage, Surveillance System Compromise | Threat Actor: PRC-linked / Suspected Chinese State Actors

Summary: The FBI’s April 2026 classification of the breach of its DCS-3000 (Red Hook) Digital Collection System Network as a “major incident” under FISMA — attributed to Chinese hackers who accessed the system via a third-party commercial ISP — continued to reverberate this week during Congressional oversight activities. Phone numbers of FBI wiretap surveillance targets were confirmed exposed, with intelligence agencies still assessing whether active counterintelligence cases were compromised.

Source: NextGov — https://www.nextgov.com/cybersecurity/2026/04/suspected-chinese-breach-fbi-system-exposed-surveillance-targets-phone-numbers/ | HS Today — https://www.hstoday.us/fbi/fbi-labels-china-linked-hack-of-surveillance-system-a-major-cyber-incident/


9. USA (Legal Sector) | In-Person Physical Intrusion + Data Exfiltration | Silent Ransom Group

Region/Country: USA (Law Firms) | Attack Type: Social Engineering, Physical Intrusion, Data Theft & Extortion | Threat Actor: Silent Ransom Group (Luna Moth / UNC3753)

Summary: Silent Ransom Group’s campaigns targeting US law firms from January–May 2026 involved dozens of victims across insurance, finance, and healthcare in addition to legal firms, with physical infiltration — fake IT support personnel entering offices to connect USB drives or enable remote access — representing a novel and alarming escalation of ransomware-adjacent extortion tactics. Google Mandiant and the FBI jointly published threat assessment reports this week, with FBI confirming multiple confirmed instances of physical office intrusions.

Source: TechCrunch — https://techcrunch.com/2026/06/05/google-and-fbi-warn-of-ransomware-group-that-sends-fake-it-workers-to-hack-victims-in-person/


10. Europe (Belgium, Italy, Poland, Serbia, Spain) | Government Espionage | Webworm (China-Aligned APT)

Region/Country: Europe — Multiple EU Governments + South Africa | Attack Type: APT Espionage, Backdoor Deployment, C2 via Legitimate Platforms | Threat Actor: Webworm (China-Aligned)

Summary: ESET Research disclosed this week that Webworm — a China-aligned APT — deployed custom backdoors (EchoCreep via Discord C2 and GraphWorm via Microsoft Graph API/OneDrive) against government organizations in Belgium, Italy, Poland, Serbia, Spain, and a South African university, with over 400 Discord C2 messages decrypted and reconnaissance confirmed against 50+ targets. The use of legitimate cloud platforms to masquerade C2 traffic is a direct challenge to organizations relying solely on domain/IP-based detection — including UAE government entities using Microsoft 365 environments.

Source: ESET Research — https://www.eset.com/us/about/newsroom/research/eset-research-china-aligned-webworm-european-governments-targeted/

AI Watch: Top 10 AI Innovations Shaping Cyber & Tech

1. Trump Executive Order on AI & Cybersecurity — Voluntary Pre-Release Benchmarking Framework for Frontier AI Models

President Trump’s June 2 executive order establishes a classified 60-day benchmarking process to assess the advanced cyber capabilities of AI models, led by NSA with support from CISA, NIST, Treasury, and the White House. AI developers are asked to voluntarily provide government access for up to 30 days of review before releasing frontier models to “other trusted partners” — without creating a mandatory licensing or clearance requirement. A Treasury-led AI Cybersecurity Clearinghouse will coordinate AI-identified vulnerability scanning, validation, and patch distribution across critical infrastructure. This fundamentally changes how enterprise security teams should model AI model risk.

Source: White House — https://www.whitehouse.gov/presidential-actions/2026/06/promoting-advanced-artificial-intelligence-innovation-and-security/ | Axios — https://www.axios.com/2026/06/02/trump-signs-new-ai-executive-order


2. Anthropic Expands Project Glasswing — Claude Mythos Preview Now Covering Power, Water, Healthcare & Telecom

Anthropic’s June 2 Project Glasswing expansion to 150 new organizations in 15+ countries represents the single most consequential AI-in-cybersecurity development this week, extending autonomous vulnerability hunting into power grids, water utilities, healthcare systems, and telecommunications networks globally. Claude Mythos Preview has demonstrated the ability to chain multiple vulnerabilities into sophisticated exploit paths that in sequence achieve outcomes no single bug could achieve alone — a capability that, if turned adversarially, would fundamentally compress defensive response windows. The new cohort is required to meet specific security criteria before access is granted.

Source: CNBC — https://www.cnbc.com/2026/06/02/anthropic-mythos-ai-project-glasswing.html | Cybersecurity Dive — https://www.cybersecuritydive.com/news/ai-anthropic-claude-mythos-project-glasswing-expand/821714/


3. AI Models Now Face Government Cyber Test Benchmarks — Security Assurance Becomes a Release Gate

This week’s White House directive moves frontier AI model distribution beyond capability announcements: security evaluation, usage controls, patch coordination, and trusted-partner access are now part of the pre-release calculus. The NSA is expected to take the lead on the classified benchmarking process, with CISA developing the operational clearinghouse framework within 30 days. For enterprise security leaders, this signals that AI model adoption plans should now include a review-buffer window and that frontier models may not be available on announced timelines pending security evaluation outcomes.

Source: YouTube Research Signal — https://www.youtube.com/watch?v=p1B_iJQsSms


4. Google Gemini 3.5 Flash Generally Available — Frontier Agentic Performance at 4× Speed, Default in Gemini App

Google launched Gemini 3.5 Flash at Google I/O 2026 (May 19), making it generally available globally this week as the default model across the Gemini app, AI Mode in Google Search, Google Antigravity, and the Gemini API. 3.5 Flash outperforms Gemini 3.1 Pro on challenging coding and agentic benchmarks including Terminal-Bench 2.1 (76.2%), GDPval-AA (1,656 Elo), and MCP Atlas (83.6%), while running at 4× the output speed of comparable frontier models — making it immediately relevant for security automation, threat intelligence processing, and agentic security workflows. Gemini 3.5 Pro, expected in June, promises to address 3.5 Flash’s regression on long-context and hard-reasoning benchmarks.

Source: Google Blog — https://blog.google/innovation-and-ai/models-and-research/gemini-models/gemini-3-5/


5. OpenAI Daybreak Initiative — Secure-by-Design AI Coding Assistant Compresses Security Review from Hours to Minutes

OpenAI launched the Daybreak initiative (unveiled May 12, fully operational this week) based on GPT-5.5-Cyber and Codex Security to help developers build secure software from the ground up — covering threat model generation from codebases, vulnerability discovery in isolated environments, automated patch proposals, and regression test generation. The initiative’s promise of compressing “hours of manual security analysis into minutes” has direct implications for AppSec teams and DevSecOps pipelines in UAE organizations managing large codebases and compliance requirements. As of May 2026, OpenAI’s Trusted Access for Cyber (TAC) program includes hundreds of organizations and thousands of individual defenders.

Source: Infosecurity Magazine — https://www.infosecurity-magazine.com/news/openai-daybreak-secure-by-design/


6. ChatGPhish — Cross-Site Prompt Injection Against ChatGPT Exposes Hundreds of Millions of Users to Phishing

Permiso Security’s ChatGPhish disclosure (published May 29, widely propagated this week) demonstrates that ChatGPT’s web summarization feature can be weaponized to inject phishing links, fake OpenAI security alerts, QR code redirects, and passive tracking pixels directly inside the trusted chat interface — with no patch from OpenAI and no CVE assigned. The Cloud Security Alliance published a formal research note on June 2 documenting the four distinct attack primitives, confirming the vulnerability class affects any LLM assistant that auto-renders Markdown from third-party context. For UAE enterprises that have deployed ChatGPT for employee productivity, this is an unpatched social engineering vector requiring immediate user awareness action.

Source: Cloud Security Alliance — https://labs.cloudsecurityalliance.org/wp-content/uploads/2026/06/CSA_research_note_chatgphish_prompt_injection_phishing_20260602.pdf


7. GREYVIBE Threat Actor Demonstrates Production-Grade Dual-Platform AI-Assisted Adversarial Operations

Check Point Research’s confirmation of GREYVIBE as the first threat actor to operationally combine ChatGPT and Google Gemini for phishing content generation, malware development, and post-compromise activity marks a qualitative shift in the adversarial AI threat landscape. This is no longer a theoretical or experimental capability — AI-generated phishing is confirmed as production-grade adversarial infrastructure. For UAE security teams, this reinforces the UAE Cybersecurity Council’s warnings and validates the urgency of deploying AI-powered defensive tools to match AI-empowered offensive capabilities.

Source: Cybersecurity Insiders — https://www.cybersecurity-insiders.com/carnival-corporation-data-breach-account-compromise-june-2026/


8. EU OpenAI Access Offer — OpenAI Proactively Offers EU Cybersecurity Model Access, Anthropic Lags

The European Commission this week confirmed OpenAI’s proactive offer to provide EU access to its cybersecurity-focused models through the OpenAI EU Cyber Action Plan — positioning OpenAI ahead of Anthropic in European regulatory engagement while Anthropic has not yet discussed model access with EC officials. This development has direct implications for UAE organizations pursuing EU market access and for multi-national security teams weighing AI vendor selection based on regulatory alignment. OpenAI’s TAC program provides tiered access based on trust level and mission needs.

Source: Reuters/Sahm Capital — https://www.sahmcapital.com/news/content/update-1-eu-says-openai-offers-to-open-access-to-cybersecurity-model-anthropic-not-there-yet/


9. Gemini Spark — Google Launches 24/7 Autonomous Personal AI Agent Operating Continuously Across Apps

Google introduced Gemini Spark at I/O 2026 — a 24/7 autonomous personal AI agent powered by Gemini 3.5 Flash that runs continuously on phones and laptops (even while turned off), operating across Gmail, Calendar, Drive, YouTube, Maps, and third-party apps. Currently in trusted tester rollout with a beta opening to AI Ultra subscribers in the US, Gemini Spark represents the first mass-market deployment of agentic AI with autonomous background action capability. For security professionals, this raises critical questions about data sovereignty, enterprise DLP policy enforcement, and the expanded attack surface created by always-on AI agents with broad app permissions.

Source: Google Blog — https://blog.google/innovation-and-ai/models-and-research/gemini-models/gemini-3-5/


10. xAI Grok 5 on Track for Q3 2026 — Colossus 2 (1.5 GW) Training with ~6T Parameter MoE Architecture

xAI’s Grok 5 remains in training on the expanded Colossus 2 supercomputer (scaled from 1 GW to 1.5 GW in April 2026), with reported specifications including ~6 trillion parameters Mixture-of-Experts (MoE) architecture, 1.5 million token context, and native multimodal capabilities — positioning it as a potential rival to Claude Mythos and GPT-5.5 in advanced cyber capability benchmarks. Current probability assessments place a June 2026 release at low probability (12–33%), with Q3 2026 the most likely window. For UAE sovereign AI initiatives and enterprise AI strategy, Grok 5’s eventual release will materially reshape the frontier model landscape.

Source: WaveSpeed AI — https://wavespeed.ai/blog/posts/june-2026-ai-launch-wave/

Week of may 25–May 31, 2026

Cyber Pulse: Top 10 Cybersecurity Stories This Week

1. FBI Warns of Kali365 — AI-Powered PhaaS Bypasses M365 MFA

The FBI issued an official Public Service Announcement (PSA260521) on May 21, 2026 warning about Kali365, an emerging Phishing-as-a-Service (PhaaS) platform first observed in April 2026. Kali365 is distributed via Telegram and enables attackers to steal Microsoft 365 OAuth access and refresh tokens through device-code phishing — bypassing MFA entirely without needing to intercept user credentials. The FBI advised organizations to disable device-code authentication flow where not needed and to review active M365 sessions for unauthorized devices.

Source: FBI IC3 PSA / Cybersecurity Dive — https://www.ic3.gov/PSA/2026/PSA260521


2. Nimbus Manticore (IRGC) Returns with AI-Assisted MiniFast Backdoor

Check Point Research published an extensive report on May 25, 2026 detailing how Nimbus Manticore (IRGC-affiliated, also tracked as UNC1549) has re-emerged with significantly upgraded capabilities. The group deployed a new AI-assisted backdoor called MiniFast, replacing its prior MiniJunk malware family, and introduced SEO poisoning as a malware delivery method for the first time — ranking fake download pages for Oracle SQL Developer on Bing and DuckDuckGo. The campaign uses AppDomain hijacking, trojanized Zoom installers, and career-themed phishing targeting defense, aerospace, and telecom sectors in the U.S., Europe, and the Middle East.

Source: Check Point Research / Security Affairs — https://industrialcyber.co/ransomware/irgc-linked-nimbus-manticore-group-attacks-defense-aerospace-telecom-sectors-using-minifast-malware-toolkit/


3. Palo Alto GlobalProtect CVE-2026-0257 Actively Exploited — CISA KEV

On May 29, 2026, CISA added CVE-2026-0257 — a PAN-OS GlobalProtect authentication bypass — to its Known Exploited Vulnerabilities catalog, ordering FCEB agencies to remediate by June 1. Rapid7 confirmed active exploitation beginning May 17, escalating to full VPN IP assignments by May 21, with a public proof-of-concept released May 29. The vulnerability exploits a cryptographic blind-trust flaw when authentication override cookie certificates are reused with the public-facing HTTPS service, allowing forged VPN sessions without credentials.

Source: Rapid7 / The Hacker News — https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/


4. GREYVIBE: New Russian APT Uses ChatGPT & Gemini to Attack Ukraine

WithSecure Labs formally attributed a previously undocumented threat actor, GREYVIBE, responsible for persistent attacks against Ukrainian military, government, civilian, and business organizations since August 2025. What distinguishes GREYVIBE from other Russian-aligned APTs is its documented use of commercial AI tools — ChatGPT for obfuscation scripts and loader development, Google Gemini for building its primary implant LegionRelay, and Ideogram AI for generating phishing lure imagery. The group operates five parallel attack chains under code names PhantomMail, PhantomClick, PrincessClub, DroneLink, and Nebo.

Source: WithSecure / CSO Online — https://www.csoonline.com/article/4178879/russia-aligned-crime-group-greyvibe-extensively-uses-ai-in-attacks.html


5. World’s First LLM Agent Post-Exploitation Attack — Marimo RCE (CVE-2026-39987)

Sysdig’s Threat Research Team documented the first confirmed in-the-wild attack using an LLM agent for autonomous post-exploitation. On May 10, 2026, an attacker exploited a pre-authentication RCE in Marimo notebooks (CVE-2026-39987, all versions ≤ 0.20.4), then handed off control to an AI agent that — with no human direction — exfiltrated cloud credentials, queried AWS Secrets Manager, retrieved SSH keys, and dumped an internal PostgreSQL database across four pivots in under two minutes. This represents a milestone: fully autonomous AI-driven intrusion without human direction between steps.

Source: Sysdig / The Hacker News — https://thehackernews.com/2026/05/attackers-use-llm-agent-for-post.html


6. Ghost CMS CVE-2026-26980 Exploited in 700+ ClickFix Campaigns

A critical unauthenticated SQL injection vulnerability in Ghost CMS (CVE-2026-26980, CVSS 9.4) — affecting versions 3.24.0 through 6.19.0 — was exploited in a large-scale ClickFix campaign that injected malicious JavaScript into over 700 websites to serve fake CAPTCHA pages delivering malware. First detected May 7, 2026, with escalating exploitation through the week, two distinct threat clusters have been documented. The Content API key is publicly embedded in every Ghost theme’s HTML, making it trivially discoverable — leaving nearly every unpatched Ghost site fully exposed.

Source: BleepingComputer / The Hacker News — https://www.bleepingcomputer.com/news/security/ghost-cms-sql-injection-flaw-exploited-in-large-scale-clickfix-campaign/


7. 7-Eleven Breach — ShinyHunters Steals 600,000 Salesforce Records

7-Eleven confirmed an unauthorized access incident in which ShinyHunters claimed responsibility for stealing more than 600,000 Salesforce records containing personal and corporate information belonging to 7-Eleven franchisee partners. The breach exposed franchisee contact information, financial documentation, and business records. Affected individuals were offered identity protection services. ShinyHunters continues its 2026 streak following the earlier Canvas LMS attack impacting 275 million educational users.

Source: Check Point Research — https://research.checkpoint.com/2026/25th-may-threat-intelligence-report/


8. GitHub Breach via TanStack Supply Chain — 3,800 Internal Repos Exfiltrated

GitHub disclosed this week that attackers had weaponized a Visual Studio Code extension (Nx Console, 2.2 million installs) to compromise an employee device, exfiltrating approximately 3,800 internal repositories. GitHub confirmed no evidence of impact on customer-facing systems or production environments. The attack is tied to the ongoing TeamPCP/Shai-Hulud supply chain wave that also compromised Grafana Labs the prior week. GitHub has since rotated affected credentials and enhanced monitoring on its developer tool pipeline.

Source: Check Point Research / HelpNet Security — https://research.checkpoint.com/2026/25th-may-threat-intelligence-report/


9. AI-Driven Phishing Bypasses AI Email Filters via Invisible Text Injection

Researchers published findings this week on a novel attack technique called indirect prompt injection in AI email security tools. Attackers embed invisible text inside phishing emails — using zero-size fonts or background-matched colors — so the email appears legitimate to human recipients while the hidden text carries adversarial instructions that manipulate AI-powered email scanning tools into bypassing the message. The technique effectively exploits the trust AI security tools place in structured text analysis, creating a new category of AI vs. AI security arms race.

Source: Check Point Research — https://research.checkpoint.com/2026/25th-may-threat-intelligence-report/


10. U.S. OMB M-26-10 Directive: Federal AI Governance & IT Contract Oversight

The U.S. Office of Management and Budget (OMB) published its M-26-10 directive this week, requiring Chief Information Officers at major federal agencies to review and approve all IT contracts. The directive has three core goals: eliminate duplicate software purchases, improve pricing transparency, and strengthen oversight of government technology spending — with implications for how federal AI and cybersecurity tools are procured. This reflects growing federal recognition that AI tool proliferation is creating uncontrolled security and governance risks across government.

Source: Illumio / May 2026 Cybersecurity Roundup — https://www.illumio.com/blog/top-cybersecurity-news-stories-from-may-2026

Threat Radar: Top 10 Active Threats, APTs & Dark Web Alerts (This Week)

 1. Nimbus Manticore (UNC1549 / IRGC) — AI-Assisted Wartime Cyber Ops

IRGC-affiliated Nimbus Manticore is one of the most technically sophisticated Iranian threat actors in 2026, now operating AI-assisted malware development cycles. The MiniFast backdoor — its latest weapon — uses AppDomain hijacking for execution, offers stealthy C2, and was partially engineered with AI-assisted coding tools to accelerate wartime adaptability. The group’s SEO poisoning campaigns are now generating top-ranking fake download pages on Bing and DuckDuckGo, marking a pivot from purely spear-phishing to passive mass-scale infection.industrialcyber+2

Source: Check Point Research — https://industrialcyber.co/ransomware/irgc-linked-nimbus-manticore-group-attacks-defense-aerospace-telecom-sectors-using-minifast-malware-toolkit/


2. GREYVIBE (Russia-Linked) — Five-Chain AI-Powered Espionage Campaign

Newly attributed GREYVIBE is the first Russian-language threat actor documented to have used commercial AI tools — ChatGPT, Gemini, and Ideogram AI — across the full attack lifecycle, from spear-phishing drafting to malware compilation to cover-site imagery. Its primary implant LegionRelay is a custom backdoor with AI-generated components. The group’s five attack chains span PhantomMail (spear-phishing), PhantomClick (fake CAPTCHA), PrincessClub (fraudulent Ukrainian adult sites), DroneLink (fake FPV drone charities), and Nebo (counterfeit Russian military portals).securityaffairs+2

Source: WithSecure / Gblock — https://www.gblock.app/articles/greyvibe-russian-ai-phishing-ukraine-withsecure-may-2026


3. Kali365 PhaaS Platform — M365 Token Hijacking via Telegram

Kali365, first observed April 2026, is a purpose-built Phishing-as-a-Service platform sold via Telegram subscriptions that allows low-skill threat actors to conduct device-code phishing against Microsoft 365 targets. Successful attacks harvest OAuth access and refresh tokens — enabling persistent, credential-free access to Outlook, Teams, OneDrive, and SharePoint while bypassing MFA. Proofpoint reports device-code phishing is surging with new toolkit variants appearing weekly on criminal marketplaces.cybersecuritydive+2

Source: FBI IC3 / HelpNet Security — https://www.helpnetsecurity.com/2026/05/22/kali365-microsoft-365-phishing-fbi-warning/


4. Qilin Ransomware — Q1 2026 Leader with 338 Victims

Qilin maintained its position as the world’s most active ransomware group in Q1 2026 with 338 disclosed victims — far outpacing competitors. It leads the 2,122 Q1 2026 leak-site victims reported by Check Point (the second-highest Q1 on record), with the top 10 groups accounting for 71% of total victims. Qilin’s double-extortion model, BYOVD-based EDR bypass, and now-standard DDoS pressure capability make it the most dangerous ransomware threat for enterprise security teams globally.research.checkpoint+1

Source: Check Point Research — https://research.checkpoint.com/2026/18th-may-threat-intelligence-report/


5. The Gentlemen RaaS — 332 Victims in 5 Months, Internal Breach Exposes 1,570+

The Gentlemen ransomware group has claimed 332 victims in the first five months of 2026 alone, ranking it third behind Qilin and LockBit 5.0 among active groups. A May 2026 breach of its internal C2 infrastructure exposed over 1,570 linked victims — 3.7x more than publicly listed. The group offers affiliates a 90% revenue share and includes “Call Lawyer” support in its RaaS toolkit. Data from the breach is now circulating on dark web forums with victim negotiation logs, affiliate credentials, and C2 infrastructure details.ransomware+2

Source: Check Point Research — https://research.checkpoint.com/2026/thus-spoke-the-gentlemen/


6. Nitrogen Ransomware — Foxconn 8TB Breach Including Apple/Nvidia IP

Nitrogen ransomware targeted Foxconn’s North American manufacturing operations, stealing 8 terabytes of data across over 11 million files — including product schematics and project details for major clients including Apple, Nvidia, Google, AMD, and Intel. The breach represents a significant supply chain IP theft risk. Foxconn confirmed operational disruption at several North American factories, which are now returning to normal operations. Nitrogen added Foxconn to its dark web breach site on May 12.iansresearch+2

Source: IANS Research / Wired — https://www.iansresearch.com/resources/all-blogs/post/security-blog/2026/05/18/foxconn-confirms-cyberattack-by-nitrogen-ransomware-gang/


7. LockBit 5.0 — Resurgence with 163 Q1 2026 Victims

LockBit 5.0 returned to active operations in Q1 2026 with 163 disclosed victims, ranking second among active ransomware groups after a period of disruption by law enforcement in 2025. The resurgence confirms that law enforcement takedowns produce only temporary suppression of mature RaaS operations. LockBit 5.0 features improved anti-analysis capabilities and has adopted AI-assisted target profiling for victim selection and ransom negotiation optimization.research.checkpoint

Source: Check Point Research — https://research.checkpoint.com/2026/18th-may-threat-intelligence-report/


8. FamousSparrow (China) — Months-Long OT/Energy Sector Intrusion

Check Point Research attributed a months-long intrusion campaign against an Azerbaijani oil and gas company to FamousSparrow, a Chinese-linked APT. Attackers exploited an unpatched Microsoft Exchange server to deploy web shells, then alternated between the Deed RAT and TernDoor implants across three distinct waves of persistent activity — maintaining access for months without detection. The campaign is consistent with China’s documented strategy of targeting critical energy infrastructure in former Soviet states and the MENA region.research.checkpoint

Source: Check Point Research — https://research.checkpoint.com/2026/18th-may-threat-intelligence-report/


9. Showboat — Chinese-Linked Linux Malware Targeting Telecom Providers

Researchers uncovered Showboat, a new Linux malware family attributed to Chinese-aligned threat actors, being deployed against international telecommunications providers. Showboat is a modular post-exploitation framework capable of hiding processes, transferring files, spawning remote shells, and operating as a SOCKS5 proxy for persistent covert network access. Its modular design allows operators to customize capabilities based on target environment, making detection with static signatures alone insufficient.research.checkpoint

Source: Check Point Research — https://research.checkpoint.com/2026/25th-may-threat-intelligence-report/


10. MENA Telecom Abuse — 1,350 C2 Servers Across 98 Hosting Providers

Researchers identified large-scale abuse of Middle Eastern telecom and hosting networks, with more than 1,350 active command-and-control servers catalogued across 98 hosting providers in the region. Linked activity included the Phorpiex botnet, Eagle Werewolf espionage operations, exploitation of a React Native CLI flaw, and RondoDox botnet activity at significant scale. The use of legitimate regional hosting infrastructure for C2 provides threat actors with geographic cover and complicates attribution — particularly relevant for UAE and Gulf organizations.research.checkpoint

Source: Check Point Research — https://research.checkpoint.com/2026/25th-may-threat-intelligence-report/

Patch Priority: Top 10 Critical Vulnerabilities to Watch

1. CVE-2026-20182 — Cisco Catalyst SD-WAN Authentication Bypass (CVSS 10.0)

Affected: Cisco Catalyst SD-WAN Controller and SD-WAN Manager (all deployment modes) | Patch Status: Patched; CISA KEV deadline May 17, 2026. A perfect-score (10.0) authentication bypass in the SD-WAN control-plane handshake allows unauthenticated remote attackers to gain full administrative access by claiming to be a vHub device — bypassing certificate verification. Cisco Talos confirmed active exploitation by threat cluster UAT-8616, who injected SSH keys, modified NETCONF configurations, and escalated to root. A public Metasploit module is available for testing.socprime+3

Source: Cisco Talos / SOC Prime — https://socprime.com/blog/cve-2026-20182-analysis/


2. CVE-2026-0257 — Palo Alto PAN-OS GlobalProtect Authentication Bypass (CVSS 7.8)

Affected: PAN-OS 10.2–12.1, Prisma Access 10.2/11.2 (with authentication override + certificate reuse) | Patch Status: Patched; CISA KEV added May 29, 2026. Despite a “medium” CVSS score of 7.8, Rapid7 urges treating this as Critical due to edge-facing VPN impact. Exploitation allows unauthenticated attackers to forge authentication override cookies by harvesting the reused public key from the HTTPS service — granting full VPN access without credentials. First exploitation observed May 17; escalated to full VPN sessions by May 21.security.paloaltonetworks+2youtube

Source: Rapid7 / The Hacker News — https://thehackernews.com/2026/05/pan-os-globalprotect-authentication.html


3. CVE-2026-26980 — Ghost CMS Unauthenticated SQL Injection (CVSS 9.4)

Affected: Ghost CMS v3.24.0–6.19.0 (SQLite and MySQL backends) | Patch Status: Patched (Ghost 6.19.1). A critical unauthenticated blind SQL injection in Ghost’s Content API ORDER BY clause allows attackers to dump the entire database — including admin credentials, bcrypt password hashes, session secrets, and API keys — with a single HTTP GET request. The Content API key is publicly embedded in every theme’s HTML, requiring zero reconnaissance. Over 700 sites have been weaponized in ClickFix campaigns this week.thehackernews+3

Source: SonicWall / BleepingComputer — https://www.sonicwall.com/blog/ghost-cms-content-api-blind-sql-injection


4. CVE-2026-39987 — Marimo Notebook Pre-Auth RCE (CVSS Critical)

Affected: Marimo all versions ≤ 0.20.4 | Patch Status: Patched (Marimo 0.23.0). A pre-authentication remote code execution vulnerability in the Marimo Python notebook platform that requires no credentials and no user interaction. Already exploited in the world’s first confirmed LLM agent-driven post-exploitation attack (May 10, 2026), where an AI agent autonomously pivoted from initial RCE to full PostgreSQL database exfiltration in under two minutes across four pivots.breached+2

Source: Sysdig / Cybersecurity News — https://cybersecuritynews.com/hackers-use-llm-agent-to-move-from-marimo-rce/


5. CVE-2026-34926 — Trend Micro Apex One Directory Traversal (RCE)

Affected: Trend Micro Apex One on-premises servers | Patch Status: Patched by Trend Micro. A directory traversal flaw in Apex One that allows attackers with administrator access to push malicious code to all managed endpoints — turning a compromised management console into a mass deployment channel for malware. Exploitation attempts observed against Windows systems in corporate environments this week. Organizations running Apex One should apply the patch and audit recent administrative activity.research.checkpoint

Source: Check Point Research — https://research.checkpoint.com/2026/25th-may-threat-intelligence-report/


6. CVE-2026-42945 — F5 NGINX Rewrite Module Memory Flaw (Critical)

Affected: NGINX versions 0.6.27 through 1.30.0 | Patch Status: Patched by F5. A critical memory corruption vulnerability in NGINX’s rewrite module affecting a wide range of versions used in enterprise web infrastructure, load balancers, and API gateways. Given NGINX’s near-ubiquitous deployment as a reverse proxy and web server across cloud-native and on-premises environments, unpatched instances represent a significant attack surface for unauthenticated exploitation.research.checkpoint

Source: Check Point Research — https://research.checkpoint.com/2026/18th-may-threat-intelligence-report/


7. CVE-2026-20224 — Cisco SD-WAN Manager XXE File Read (CVSS 8.6)

Affected: Cisco Catalyst SD-WAN Manager (all deployment modes) | Patch Status: Patched alongside CVE-2026-20182. An unauthenticated XML External Entity (XXE) injection flaw in Cisco SD-WAN Manager’s web UI allows attackers to read arbitrary files from the underlying system without credentials. While less severe than the authentication bypass (CVE-2026-20182), this flaw can be exploited independently to exfiltrate SSH keys, configuration files, and credentials — providing valuable reconnaissance data for a subsequent full compromise.ccb.belgium

Source: Belgium CCB — https://ccb.belgium.be/advisories/warning-authentication-bypass-cisco-catalyst-sd-wan-can-be-exploited-gain-administrative


8. Windows YellowKey & GreenPlasma Zero-Days (Unpatched)

Source: Check Point Research — https://research.checkpoint.com/2026/18th-may-threat-intelligence-report/


9. CVE-2026-20209/20210 — Cisco SD-WAN Privilege Escalation (CVSS 5.4)

Affected: Cisco Catalyst SD-WAN Manager web UI | Patch Status: Patched. Two privilege escalation vulnerabilities allowing low-privileged read-only users to escalate to high-privileged accounts: CVE-2026-20209 exploits sensitive session tokens recorded in audit logs; CVE-2026-20210 exposes privileged credentials in device configuration templates accessible to read-only accounts. Both are chaining risks when combined with the critical authentication bypass CVE-2026-20182.ccb.belgium

Source: Belgium CCB — https://ccb.belgium.be/advisories/warning-authentication-bypass-cisco-catalyst-sd-wan-can-be-exploited-gain-administrative


10. CVE-2026-28819 — Apple iOS/iPadOS/macOS Wi-Fi Kernel Code Execution

Affected: iOS, iPadOS, and macOS (all versions before the security update) | Patch Status: Patched by Apple. An out-of-bounds write vulnerability in Apple’s Wi-Fi component that allows a malicious app to execute code with kernel privileges. The flaw requires a malicious app already installed on the device, making it a critical post-delivery exploitation vector — particularly relevant for enterprise mobile device management environments where sideloaded or compromised apps represent a persistent threat.research.checkpoint

Source: Check Point Research — https://research.checkpoint.com/2026/18th-may-threat-intelligence-report/

CVE Watch: Top 10 CVEs — Severity, Impact & Patch Status

CVE IDSeverityCVSSProductImpactSource
CVE-2026-20182Critical10.0Cisco Catalyst SD-WAN Controller & ManagerUnauthenticated RCE / admin takeover; actively exploited by UAT-8616; CISA KEVCisco Talos
CVE-2026-0257High7.8Palo Alto PAN-OS / Prisma Access GlobalProtectAuth bypass → unauthorized VPN connection; exploited in wild since May 17; CISA KEVRapid7
CVE-2026-26980Critical9.4Ghost CMS v3.24.0–6.19.0Unauthenticated SQLi → admin credential/key dump; 700+ sites weaponized in ClickFix campaignBleepingComputer
CVE-2026-39987CriticalCriticalMarimo Notebook (all ≤ 0.20.4)Pre-auth RCE; world’s first LLM agent post-exploitation attack; full DB exfil in <2 minsSysdig
CVE-2026-34926HighHighTrend Micro Apex One (on-prem)Admin-triggered directory traversal → malware push to all managed endpointsCheck Point
CVE-2026-42945CriticalCriticalNGINX 0.6.27–1.30.0Critical memory flaw in rewrite module; affects wide enterprise reverse proxy infrastructureCheck Point
CVE-2026-20224High8.6Cisco SD-WAN Manager web UIUnauthenticated XXE → arbitrary file read; credential exfiltration riskBelgium CCB
YellowKey (no CVE yet)HighN/AWindows 11 / Server (recent)BitLocker bypass via WinRE (physical access); PoC public; UNPATCHEDCheck Point
CVE-2026-28819HighHighApple iOS/iPadOS/macOS Wi-FiOut-of-bounds write → kernel code execution via malicious appCheck Point
CVE-2026-20209 / 20210Medium5.4Cisco SD-WAN Manager web UIRead-only privilege escalation via audit log token / config template exposure; chaining riskBelgium CCB

Attack Tracker: Top 10 Cyber Attacks (UAE, Gulf & Global)

1. UAE — Ongoing Iranian AI-Powered Attacks: 600,000–800,000 Daily

The UAE Cyber Security Council continued to confirm this week that the country faces between 600,000 and 800,000 cyberattacks daily, with Iran deploying AI tools to engineer attacks against UAE government, energy, and critical infrastructure sectors. Three coordinated credential-attack waves against Microsoft 365 have been documented in 2026, while Iranian-linked groups use AI for reconnaissance automation, phishing enhancement, malware development, and deepfake-based information warfare targeting the Gulf.

Region: UAE | Type: AI-powered credential attacks, espionage | Actor: Iran-linked APTs
Source: Conflict Advisory / Rescana — https://conflictadvisory.com/news/uae-cyberattacks-2026-recovering-assets-from-800-000-daily-threats


2. Gulf/MENA — Nimbus Manticore Targets Gulf Defense & Telecom

IRGC-linked Nimbus Manticore’s latest campaign (published May 25) includes specific targeting of defense, aerospace, and telecommunications sectors across the Middle East, using career-themed phishing lures impersonating aviation firms and software companies. The group’s new SEO poisoning vector — which ranked fake Oracle SQL Developer downloads prominently on Bing — is particularly dangerous for Gulf organizations with BYOD policies and mixed-use enterprise devices.

Region: Middle East (incl. Gulf) | Type: Espionage / malware delivery | Actor: Nimbus Manticore (IRGC)
Source: Security Affairs — https://securityaffairs.com/192689/apt/nimbus-manticore-expanded-attacks-with-ai-assisted-malware-and-fake-zoom-installers.html


3. MENA Region — 1,350 C2 Servers Abusing Regional Telecom Infrastructure

Researchers documented this week that threat actors are actively abusing Middle Eastern telecom and hosting networks as C2 infrastructure — with over 1,350 active C2 servers catalogued across 98 MENA-region hosting providers. Campaigns linked to this infrastructure include Phorpiex botnet operations, Eagle Werewolf espionage, and RondoDox botnet activity. UAE and Gulf security teams should prioritize outbound traffic analysis to detect unauthorized C2 communications routing through legitimate regional providers.

Region: MENA (UAE, Saudi, Jordan, Egypt) | Type: Botnet / espionage infrastructure | Actor: Multiple
Source: Check Point Research — https://research.checkpoint.com/2026/25th-may-threat-intelligence-report/


4. GitHub — 3,800 Internal Repos Exfiltrated via TanStack/Nx Console Attack

GitHub suffered a breach through the weaponized Nx Console VS Code extension (Mini Shai-Hulud campaign), with attackers compromising an employee device and exfiltrating approximately 3,800 internal private repositories. While GitHub stated no customer-facing systems were affected, the breach represents a significant intellectual property and internal security risk. The attack is the continuation of the TeamPCP supply chain wave that hit Grafana Labs the prior week.

Region: Global | Type: Supply chain / IP theft | Actor: TeamPCP
Source: Check Point Research — https://research.checkpoint.com/2026/25th-may-threat-intelligence-report/


5. Foxconn — Nitrogen Ransomware Steals 8TB Including Apple & Nvidia IP

Nitrogen ransomware confirmed a massive breach at Foxconn’s North American factories, stealing 8TB of data across 11+ million files containing confidential product schematics, customer project details, and internal documentation for clients including Apple, Nvidia, Google, AMD, and Intel. Several North American factories experienced operational disruptions. The attack represents one of the most significant manufacturing IP thefts of 2026 and highlights the ongoing ransomware threat to tier-1 technology supply chain providers.

Region: United States (North American operations) | Type: Ransomware + IP theft | Actor: Nitrogen
Source: TechCrunch / Shieldworkz — https://techcrunch.com/2026/05/13/ransomware-hackers-claim-breach-at-foxconn-a-major-electronics-manufacturer-for-apple-google-and-others/


6. 7-Eleven — ShinyHunters Steals 600,000 Salesforce Franchisee Records

ShinyHunters breached 7-Eleven and stole more than 600,000 Salesforce records containing personal and corporate information from franchisee accounts. The data includes contact details, financial documents, and business records for 7-Eleven franchise partners worldwide. This breach — combined with ShinyHunters’ earlier Canvas LMS attack affecting 275 million education users — confirms the group as the most prolific high-volume data exfiltration actor of 2026.

Region: Global | Type: Data breach | Actor: ShinyHunters
Source: Check Point Research — https://research.checkpoint.com/2026/25th-may-threat-intelligence-report/


7. Ukraine — GREYVIBE Russia-Linked APT — 9-Month AI-Enabled Espionage Campaign

GREYVIBE has been running a persistent, AI-enabled espionage campaign against Ukrainian military, government, and civilian organizations since August 2025. This week’s WithSecure attribution confirmed five parallel attack chains targeting military personnel, government employees, and diaspora Ukrainians — using AI-generated Ukrainian-language lures, fake drone charity sites, and spoofed military communications portals. The LegionRelay implant maintains persistent access to compromised military and government networks.

Region: Ukraine | Type: State-sponsored espionage | Actor: GREYVIBE (Russia-aligned)
Source: WithSecure / Security Affairs — https://securityaffairs.com/192877/apt/meet-greyvibe-the-russian-linked-hacking-group-using-ai-to-target-ukraine-and-still-making-money.html


8. Ghost CMS — 700+ Sites Hijacked for ClickFix Malware Distribution

Two distinct threat clusters exploited CVE-2026-26980 to compromise over 700 Ghost CMS-powered websites, injecting malicious JavaScript that serves fake CAPTCHA pages (ClickFix attack flows) to visitors. Victims who follow the fake CAPTCHA instructions unknowingly execute malware that installs infostealers or ransomware precursors. Organizations using Ghost for corporate blogs, documentation sites, or customer-facing portals should patch immediately and audit recent site activity.

Region: Global | Type: Web compromise / malware distribution | Actor: Multiple
Source: BleepingComputer — https://www.bleepingcomputer.com/news/security/ghost-cms-sql-injection-flaw-exploited-in-large-scale-clickfix-campaign/


9. Palo Alto Networks Customers — CVE-2026-0257 GlobalProtect Exploitation Wave

From May 17 to May 29, 2026, threat actors exploited CVE-2026-0257 against Palo Alto Networks customers in two escalating waves — first probing authentication bypass (May 17) and then achieving full VPN IP assignments (May 21). Rapid7 MDR observed successful exploitation across multiple customers. A single threat actor using the hosting provider Volter (Wave 1, Linux) and Dramatic Systems (Wave 2, Windows) — identified by a shared spoofed MAC address (AA:BB:CC:DD:EE:FF) — was responsible.

Region: Global (enterprise VPN) | Type: Authentication bypass / network intrusion | Actor: Unknown
Source: Rapid7 — https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/


10. Marimo Notebook Attack — World’s First Autonomous LLM Post-Exploitation

In the most technically significant attack documented this week, an attacker used CVE-2026-39987 to exploit a publicly accessible Marimo notebook, then deployed an LLM agent that autonomously — without human direction — navigated from initial RCE to cloud credential extraction, AWS Secrets Manager queries, SSH key retrieval, and full PostgreSQL database exfiltration in under two minutes and four pivots. This is the world’s first confirmed in-the-wild autonomous AI post-exploitation attack.

Region: Global | Type: LLM-autonomous post-exploitation | Actor: Unknown
Source: Sysdig TRT / The Hacker News —

Week of may 18–May 24, 2026

Cyber Pulse: Top 10 Cybersecurity Stories This Week

1. Google I/O 2026: AI Security Features Dominate Keynote

Google held its annual I/O developer conference starting May 19, 2026, announcing a sweeping set of AI-powered tools including Gemini Spark (a personal 24/7 AI agent), Gemini 3.5 Flash, and a Managed Agents API — all with significant implications for enterprise security governance. Google also integrated AI Mode into Google Search globally, powered by Gemini 3.5 Flash, marking a major shift in how billions of users interact with AI systems.

Source: The Verge / Google Blog — https://www.theverge.com/tech/932454/google-io-2026-news-announcements


2. “Megalodon” Supply Chain Attack Backdoors 5,561 GitHub Repos

On May 18, 2026, a threat actor linked to the TeamPCP syndicate launched the “Megalodon” campaign, pushing 5,718 malicious commits to 5,561 open-source GitHub repositories in a six-hour window. The attack injected Base64-encoded bash payloads into GitHub Actions workflow files, targeting cloud credentials, SSH keys, API tokens, and GitHub Actions OIDC tokens. Attackers forged commit identities to appear as routine CI maintenance bots.

Source: StepSecurity / The Hacker News — https://thehackernews.com/2026/05/megalodon-github-attack-targets-5561.html


3. Microsoft Patches RedSun & UnDefend Defender Zero-Days

Microsoft released emergency patches on May 20, 2026, for two actively exploited Windows Defender zero-days: CVE-2026-41091 (RedSun, CVSS 7.8) and CVE-2026-45498 (UnDefend, CVSS 4.0), both of which had been publicly dropped and exploited since April 10. Federal agencies were given until June 3 to apply patches under CISA directive. These two vulnerabilities, when chained with the earlier BlueHammer (CVE-2026-33825), allow full SYSTEM-level compromise and silent disabling of antivirus signature updates.

Source: SecurityWeek — https://www.securityweek.com/microsoft-patches-exploited-undefend-and-redsun-defender-zero-days/


4. Law Enforcement Shuts Down “First VPN” Used by 25 Ransomware Groups

An international coalition (Operation Saffron) led by France and the Netherlands, supported by Eurojust and Europol, dismantled First VPN — a criminal VPN service used by at least 25 ransomware gangs. Over 33 servers were seized, domain names taken down, and the service’s administrator was arrested on May 20–21, 2026. First VPN provided anonymization infrastructure for network reconnaissance and ransomware intrusions for nearly five years.

Source: TechCrunch / The Hacker News — https://techcrunch.com/2026/05/21/law-enforcement-shuts-down-vpn-service-used-by-two-dozen-ransomware-gangs/


5. Grafana Source Code Stolen via TanStack npm Supply Chain Attack

Grafana Labs disclosed on May 19–21, 2026 that hackers had accessed its GitHub environment and stolen its codebase and internal repository data — traced back to the TanStack npm supply chain attack (Mini Shai-Hulud campaign, May 11). The malicious Nx Console VS Code extension (2.2 million installs) was weaponized to steal developer credentials, allowing the threat group TeamPCP to also exfiltrate ~3,800 of GitHub’s private repositories.

Source: SecurityWeek / HelpNet Security — https://www.securityweek.com/grafana-says-codebase-and-other-data-stolen-via-tanstack-supply-chain-attack/


6. Drupal CVE-2026-9082 SQL Injection Exploited in the Wild

Drupal released a highly critical patch (SA-CORE-2026-004) on May 20, 2026 for an unauthenticated SQL injection in its database abstraction API, affecting PostgreSQL-backed installations. CISA immediately added CVE-2026-9082 to its Known Exploited Vulnerabilities (KEV) catalog. By May 22, SecurityWeek reported over 15,000 exploitation attempts targeting nearly 6,000 sites across 65 countries, with Imperva confirming active scanning at scale.​

Source: Tenable / SecurityWeek — https://www.securityweek.com/drupal-vulnerability-in-hacker-crosshairs-shortly-after-disclosure/


7. KimWolf DDoS Botnet Operator Arrested in Canada

U.S. authorities unsealed a criminal complaint on May 20–21, 2026 charging Jacob Butler, 23, of Ottawa, Canada (alias “Dort”) with operating the KimWolf IoT botnet — a DDoS-for-hire service responsible for 25,000 attack commands and attacks up to 31.4 Tbps. Butler was arrested in Canada following a joint investigation, and the U.S. is seeking extradition. If convicted, he faces up to 10 years in prison.

Source: U.S. DOJ / The Hacker News — https://thehackernews.com/2026/05/kimwolf-ddos-botnet-operator-arrested.html


8. OpenAI Prepares Confidential IPO Filing

OpenAI is reportedly preparing to confidentially file for an initial public offering (IPO) in the coming weeks, working with Goldman Sachs and Morgan Stanley. If filed imminently, the IPO could take place as early as September 2026, making it one of the most significant public offerings by an AI company in history. The company has simultaneously launched the “OpenAI Deployment Company” to help enterprises deploy AI systems.

Source: The New York Times — https://www.nytimes.com/2026/05/20/technology/openai-ipo.html


9. UAE Faces 600,000 Daily AI-Powered Cyberattacks

Dr. Mohammed Al Kuwaiti, Chairman of the UAE Government Cybersecurity Council, confirmed that the UAE faces between 500,000 and 700,000 cyberattacks daily, with Iran deploying AI tools — including ChatGPT — to engineer attacks targeting UAE government and critical infrastructure sectors. Iran-linked groups are using AI for reconnaissance, phishing enhancement, malware development, and deepfake-based information warfare.

Source: Gulf News — https://gulfnews.com/uae/government/uae-issues-warning-as-iran-deploys-ai-for-cyber-attacks-1.500525604


10. CISA Launches Crowdsourced KEV Nomination Form

CISA introduced a new online Nomination Form this week, allowing security researchers, vendors, and industry partners to submit known exploited vulnerabilities for faster review and inclusion in its Known Exploited Vulnerabilities (KEV) catalog. The new tool complements existing email submissions and strengthens rapid response to actively exploited flaws, reflecting CISA’s effort to improve public-private information sharing on imminent threats.

Source: SecurityWeek — https://www.securityweek.com/in-other-news-industrial-router-exploitation-cisa-kev-nomination-form-gas-station-hacking/

Threat Radar: Top 10 Active Threats, APTs & Dark Web Alerts (This Week)

1. Qilin Ransomware (RaaS) — Most Active Global Threat

Qilin (also known as Agenda) remains the world’s most active ransomware group in 2026, leading both disclosed and undisclosed attack charts. It was responsible for 22% of Q1 2026 ransomware attacks in disclosed incidents (22/264 attacks) and 339 undisclosed attacks (16% share). Qilin targets healthcare, manufacturing, government, and education using double-extortion, BYOVD (Bring Your Own Vulnerable Driver) for EDR bypass, and a 2025-added DDoS pressure capability.

Source: BlackFog Q1 2026 Report / CybelAngel — https://www.blackfog.com/the-state-of-ransomware-2026/


2. The Gentlemen RaaS — Internal Breach Reveals 1,570+ Victims

The Gentlemen ransomware-as-a-service group, which emerged in mid-2025, suffered a significant internal C2 infrastructure breach in early May 2026, revealing over 1,570 linked victims — far more than the 412 publicly listed on their leak site. The group offers affiliates a 90% revenue share and has claimed ~332 published victims in just the first five months of 2026 alone. Check Point Research confirmed 8 unique affiliate TOX IDs and 29 documented campaigns.

Source: Check Point Research / Shieldworkz — https://research.checkpoint.com/2026/thus-spoke-the-gentlemen/


3. TeamPCP — New Threat Syndicate Behind Supply Chain Wave

TeamPCP is a newly identified threat syndicate responsible for the Megalodon GitHub Actions attack, the TanStack/Mini Shai-Hulud npm supply chain campaign, and the related Grafana and GitHub breaches this week. The group uses information stealer infections to harvest developer GitHub credentials, then automates mass repository backdooring via CI/CD pipelines. The Cloud Security Alliance has designated this as a two-wave AI developer supply chain attack.

Source: Cloud Security Alliance / Ossprey — https://labs.cloudsecurityalliance.org/research/csa-research-note-shai-hulud-megalodon-supply-chain-cascade/


4. Salt Typhoon (PRC) — Persistent Telecom & Government Espionage

Salt Typhoon, the China-aligned APT, achieved confirmed deep, persistent access to U.S. government communications networks in January 2026 and continues to expand its footprint. The related group UAT-7290 is simultaneously targeting U.S. and allied telecoms through edge-device vulnerability exploitation. Salt Typhoon was one of the dominant APT groups of 2025 and has continued sustained operations in 2026 targeting government and telecommunications networks.

Source: Trend Micro / CloudSEK — https://www.trendmicro.com/en_us/research/26/d/us-public-sector-under-siege.html


5. Handala (Iranian MOIS) — Targeting Military Personnel via WhatsApp

Handala (also known as Void Manticore, Storm-0842, BANISHED KITTEN) is conducting active campaigns targeting military personnel in the Gulf region, sending spoofed WhatsApp business messages warning of missile and drone strikes to deliver malware. The group previously conducted the infamous Stryker attack (March 2026), wiping 200,000 devices through compromised Microsoft Intune in under five hours — with no malware deployed, using only legitimate MDM commands.

Source: Help AG / CovertSwarm — https://www.helpag.com/top-middle-east-cyber-threats-06-may-2026/


6. APT34 / OilRig (Iran) — MENA Spear-Phishing Escalation

APT-C-49 / OilRig (APT34) is conducting sophisticated spear-phishing campaigns using macro-enabled Excel files themed on Middle East regional events, with macros triggering multi-stage C# attacks that retrieve data from GitHub, extract steganographic content from Google Drive images, and establish persistence via scheduled tasks with Telegram Bot API C2 channels. The campaign specifically targets Gulf government, financial, and telecom sectors.

Source: Help AG / RH-ISAC — https://www.helpag.com/top-middle-east-cyber-threats-06-may-2026/


7. Lazarus / BlueNoroff (DPRK) — Web3 & Crypto Deep Fake Attacks

BlueNoroff (a Lazarus Group sub-cluster) is conducting targeted attacks against Web3 and cryptocurrency organizations using fake Zoom invitations that redirect victims to malicious webcam-capture interfaces. The group steals cryptocurrency wallet credentials, hijacks Telegram sessions, and then uses the stolen data to generate deepfake content for more convincing follow-on social engineering. This activity is part of North Korea’s continued state-sponsored cryptocurrency theft operations.

Source: Help AG — https://www.helpag.com/top-middle-east-cyber-threats-06-may-2026/


8. Interlock Ransomware — Exploiting Cisco FMC CVE-2026-20131

Recorded Future’s Insikt Group confirmed that the Interlock ransomware group is actively exploiting CVE-2026-20131, a critical deserialization-of-untrusted-data vulnerability in Cisco Secure Firewall Management Center (FMC), to execute arbitrary Java code as root on vulnerable perimeter devices. This technique allows unauthenticated remote initial access without any user interaction, giving Interlock a highly efficient network entry vector for enterprises running unpatched Cisco FMC.

Source: Recorded Future — https://www.recordedfuture.com/blog/march-2026-cve-landscape


9. Dark Web: Gentlemen RaaS Breach & Affiliate Data Leak

The May 2026 breach of The Gentlemen’s internal Rocket database has created significant dark web activity, with affiliate profiles, victim lists, and negotiation logs now circulating on underground forums. The breach exposes the professional RaaS operational model including legal support features (“Call Lawyer”), affiliate recruitment channels, and the full scope of double-extortion operations across manufacturing, healthcare, and insurance sectors in APAC, MENA, and the Americas.

Source: Ransomware.live / Check Point Research — http://www.ransomware.live/group/thegentlemen


10. Agentic AI in Attack Chains — Fully Autonomous Ransomware Recon

Threat actors are now deploying agentic AI to autonomously handle reconnaissance, vulnerability scanning, victim prioritization, and ransom negotiations — dramatically reducing the human effort required per attack. The Tsundere Bot, a purpose-built initial access tool, automates credential theft and persistence as a ransomware precursor. IBM X-Force reports a 49% year-on-year increase in active ransomware groups, many now leveraging AI as part of their operational pipeline.​​

Source: Trend Micro / IBM X-Force 2026 — https://www.trendmicro.com/en_us/research/26/d/us-public-sector-under-siege.html

Patch Priority: Top 10 Critical Vulnerabilities to Watch

1. CVE-2026-9082 — Drupal Core SQL Injection (PostgreSQL)

CVSS: 6.5 (NVD) / Drupal-rated 20/25 “Highly Critical” | Affected: Drupal 10.x and 11.x on PostgreSQL | Patch Status: Patched (SA-CORE-2026-004, May 20, 2026). An unauthenticated SQL injection in Drupal’s database abstraction API (PostgreSQL EntityQuery condition handler). Allows remote attackers to bypass authentication, exfiltrate user credentials, and in some configurations achieve RCE. CISA added to KEV catalog with active exploitation confirmed — over 15,000 attempts against ~6,000 sites.

Source: Tenable / Akamai — https://www.tenable.com/blog/cve-2026-9082-highly-critical-sql-injection-vulnerability-in-drupal-core-sa-core-2026-004


2. CVE-2026-41089 — Windows Netlogon Remote Code Execution

CVSS: 9.8 (Critical) | Affected: Windows 11, Windows Server 2022, 2025 | Patch Status: Patched (May 2026 Patch Tuesday). A stack-based buffer overflow in the Netlogon component allows an unauthenticated remote attacker to execute arbitrary code on a domain controller by sending a specially crafted network request. Rated wormable with no credentials or user interaction required — patching domain controllers must be treated as the highest priority.​

Source: Zero Day Initiative / Arctic Wolf — https://www.thezdi.com/blog/2026/5/12/the-may-2026-security-update-review


3. CVE-2026-42898 — Microsoft Dynamics 365 On-Premises RCE

CVSS: 9.9 (Critical) | Affected: Microsoft Dynamics 365 On-Premises | Patch Status: Patched (KB5078943, May 2026 Patch Tuesday). The highest CVSS score in this month’s update — a code injection flaw in Dynamics 365 allowing any authenticated user to execute code with a scope change, breaking out of the vulnerable component to affect adjacent resources. Organizations running on-premises Dynamics 365 must apply this patch immediately.

Source: Zero Day Initiative / Arctic Wolf — https://arcticwolf.com/resources/blog/microsoft-patch-tuesday-may-2026/


4. CVE-2026-41096 — Windows DNS Client Remote Code Execution

CVSS: Critical (heap-based buffer overflow) | Affected: Virtually all Windows systems | Patch Status: Patched (May 2026 Patch Tuesday). A malicious DNS response can trigger memory corruption in the Windows DNS Client, allowing unauthenticated RCE. Since the DNS Client runs on every Windows machine, the attack surface is enormous; an attacker with a rogue DNS server can exploit this without authentication or user interaction.

Source: Belgium CCB / Lansweeper — https://ccb.belgium.be/advisories/warning-microsoft-patch-tuesday-may-2026-patches-118-vulnerabilities-16-critical-102


5. CVE-2026-41091 & CVE-2026-45498 — Microsoft Defender Zero-Days (RedSun & UnDefend)

CVSS: 7.8 and 4.0 respectively | Affected: Windows 10, 11, Server 2016–2025 | Patch Status: Patched May 20, 2026 (Defender platform 4.18.26040.7). Actively exploited zero-days: RedSun (CVE-2026-41091) allows SYSTEM-level privilege escalation via Defender’s cloud file rollback mechanism; UnDefend (CVE-2026-45498) silently blocks Defender signature updates, leaving systems unprotected while reporting healthy status. Federal agencies must patch by June 3.

Source: SecurityWeek / Picus Security — https://www.securityweek.com/microsoft-patches-exploited-undefend-and-redsun-defender-zero-days/


6. CVE-2026-41103 — Microsoft SSO Plugin for Atlassian Jira/Confluence (EoP)

CVSS: 9.1 (Critical) | Affected: Microsoft SSO plugin for Atlassian Jira and Confluence | Patch Status: Patched (May 2026 Patch Tuesday). A network-exploitable elevation of privilege flaw requiring no privileges and no user interaction. An unauthenticated attacker can gain elevated access to Jira or Confluence environments by sending a crafted SSO response. Microsoft flagged this as “Exploitation More Likely.”

Source: Lansweeper — https://www.lansweeper.com/blog/patch-tuesday/microsoft-patch-tuesday-may-2026/


7. CVE-2026-7359 — Chrome ANGLE Use-After-Free (Sandbox Escape)

CVSS: High | Affected: Chrome versions prior to 147.0.7727.138 | Patch Status: Patched (Chrome 147.0.7727.138). A use-after-free vulnerability in ANGLE (Chrome’s WebGPU backend) that allows a remote attacker who has already compromised the renderer process to escape the sandbox via a crafted HTML page. Chromium rates this High severity and exploitation requires a prior renderer compromise.

Source: Help AG — https://www.helpag.com/top-middle-east-cyber-threats-06-may-2026/


8. CVE-2024-9643 — Four-Faith F3x36 Industrial Router Auth Bypass

CVSS: Critical | Affected: Four-Faith F3x36 industrial cellular routers | Patch Status: Exploited in wild; mass exploitation since mid-May 2026. An authentication bypass flaw stemming from hardcoded administrative credentials in Four-Faith industrial routers. CrowdSec tracked a surge in exploitation since late April 2026, with compromised devices being folded into botnets for further campaigns. Critical infrastructure operators using these routers are at immediate risk.

Source: SecurityWeek — https://www.securityweek.com/in-other-news-industrial-router-exploitation-cisa-kev-nomination-form-gas-station-hacking/


9. CVE-2026-40365 — Microsoft SharePoint Server RCE

CVSS: Critical | Affected: Microsoft SharePoint Server | Patch Status: Patched (May 2026 Patch Tuesday). An authenticated attacker can exploit this vulnerability over a network to execute code remotely on a vulnerable SharePoint server. Given the widespread enterprise deployment of SharePoint, particularly internet-facing instances, organizations should prioritize this patch alongside Netlogon and Dynamics 365.

Source: LinkedIn / Microsoft — https://www.linkedin.com/pulse/microsoft-may-2026-patch-tuesday-fixes-120-vulnerabilities-qpgse


10. CVE-2026-22745 / CVE-2026-22740 / CVE-2026-22741 — Spring Framework DoS & Cache Poisoning

CVSS: Medium | Affected: Spring MVC, Spring WebFlux applications | Patch Status: Patched by VMware/Spring. Three Spring Framework vulnerabilities affecting web applications: CVE-2026-22745 enables DoS via resource exhaustion on Windows systems; CVE-2026-22740 causes disk exhaustion via undeleted temp files; CVE-2026-22741 allows cache poisoning when static resource caching is misconfigured. Organizations running Java-based web applications should review Spring version usage immediately.

Source: Help AG — https://www.helpag.com/top-middle-east-cyber-threats-06-may-2026/

CVE Watch: Top 10 CVEs — Severity, Impact & Patch Status

CVE IDSeverityCVSSProductImpactSource
CVE-2026-9082Critical6.5 (NVD) / 20/25 DrupalDrupal Core (PostgreSQL)Unauthenticated SQL injection → data theft, potential RCE; CISA KEV; 15,000+ exploit attemptsTenable
CVE-2026-41089Critical9.8Windows Netlogon (Server 2022/2025, Win11)Unauthenticated wormable RCE on domain controllers; stack buffer overflowZDI
CVE-2026-42898Critical9.9Microsoft Dynamics 365 On-PremisesAuth’d user RCE with scope change; cross-component exploitation possibleArctic Wolf
CVE-2026-41096CriticalCriticalWindows DNS Client (all Windows)Malicious DNS response → heap overflow → unauthenticated RCE on all Windows systemsCCB Belgium
CVE-2026-41091High7.8Microsoft Defender AntivirusRedSun zero-day; privilege escalation to SYSTEM via link-following; exploited in wildSecurityWeek
CVE-2026-45498Medium4.0Microsoft Defender AntivirusUnDefend zero-day; DoS → silent blocking of Defender signature updates; exploited in wildSecurityWeek
CVE-2026-41103Critical9.1Microsoft SSO for Atlassian Jira/ConfluenceUnauthenticated network-based EoP; no user interaction required; “Exploitation More Likely”Lansweeper
CVE-2026-7359HighHighGoogle Chrome (< 147.0.7727.138)Use-after-free in ANGLE/WebGPU; sandbox escape via crafted HTML pageHelp AG
CVE-2024-9643CriticalCriticalFour-Faith F3x36 Industrial RoutersHardcoded credential auth bypass; mass exploitation mid-May; botnet foldingSecurityWeek
CVE-2026-40365CriticalCriticalMicrosoft SharePoint ServerAuthenticated network-based RCE on internet-facing SharePoint serversMicrosoft/LinkedIn

Attack Tracker: Top 10 Cyber Attacks (UAE, Gulf & Global)

 1. UAE — 600,000 Daily AI-Powered Attacks Including Iranian Password-Spraying

The UAE Cybersecurity Council confirmed the country is facing between 500,000 and 700,000 daily cyberattacks, significantly elevated during geopolitical tension periods. Iran-linked groups are conducting multi-wave password-spraying campaigns against Microsoft 365, UAE government portals, energy sector cloud infrastructure, and strategic organizations. Three waves of coordinated credential attacks have been documented in 2026, with possible account compromise impacts across UAE government entities.

Region: UAE | Type: Credential attack / AI-powered | Actor: Iran-linked APTs
Source: Gulf News / Eventus Security — https://gulfnews.com/uae/government/uae-issues-warning-as-iran-deploys-ai-for-cyber-attacks-1.500525604


2. UAE/Gulf — MuddyWater APT Multi-Sector Espionage Campaign

MuddyWater (Iranian MOIS-linked APT) continues ongoing cyber espionage targeting UAE critical sectors including government, transport, and industrial organizations across the MENA region. The group abuses Remote Monitoring and Management (RMM) tools and PowerShell loaders for persistence, operating as a persistent stealth threat across Gulf states. The campaign is documented as one of the most sustained Iranian APT operations in the region.

Region: UAE/MENA | Type: Cyber espionage | Actor: MuddyWater (Iran)
Source: Eventus Security — https://eventussecurity.com/uae/cyber-attacks/


3. Gulf States — Handala WhatsApp Military Social Engineering

Handala (Iranian MOIS-linked, also known as Void Manticore) escalated its targeting of military personnel in the Gulf region this week, sending spoofed WhatsApp business messages purportedly warning of missile and drone strikes. The campaign is designed to install malware on military-linked devices, steal credentials, and establish persistent access to defense-related communications. Help AG flagged this as a top active threat to the MENA region.

Region: Gulf States | Type: Social engineering / malware delivery | Actor: Handala
Source: Help AG — https://www.helpag.com/top-middle-east-cyber-threats-06-may-2026/


 4. Gulf/Saudi Arabia — Iranian Hybrid Cyber-Physical Infrastructure Attacks

Iranian-linked groups launched kinetic and cyber hybrid attacks against cloud and technology infrastructure, including documented strikes on AWS data centers in UAE and Bahrain that disrupted cloud services across the region. 313 Team (Cyber Islamic Resistance in Iraq), DieNet, and related groups claimed coordinated attacks against Gulf government portals, financial institutions, and aviation systems.

Region: UAE, Bahrain, Saudi Arabia | Type: Hybrid warfare (cyber + physical) | Actor: Iranian state-aligned groups
Source: RH-ISAC / Halcyon — https://rhisac.org/threat-intelligence/middle-east-conflict/


5. GitHub — 5,561 Repositories Backdoored (Megalodon/TeamPCP)

On May 18, 2026, TeamPCP executed the Megalodon campaign, pushing 5,718 malicious commits in 6 hours to 5,561 GitHub repositories. The attack targeted CI/CD credentials, OIDC tokens, AWS/GCP/Azure credentials, and SSH deploy keys. The follow-up Hudson Rock analysis revealed the attack originated from infostealer infections that provided the initial GitHub credential access.

Region: Global | Type: Supply chain attack | Actor: TeamPCP
Source: The Hacker News — https://thehackernews.com/2026/05/megalodon-github-attack-targets-5561.html


6. Grafana Labs — Source Code Theft via TanStack Supply Chain

A cybercrime group (TeamPCP) stole Grafana Labs’ entire codebase and internal GitHub repositories, including business contact data, through a weaponized Nx Console VS Code extension (Mini Shai-Hulud campaign). The breach was limited to the GitHub environment with no confirmed impact on customer production systems, but represents a significant intellectual property theft and potential supply chain risk for Grafana’s millions of users.

Region: Global / Software Supply Chain | Type: Supply chain / IP theft | Actor: TeamPCP
Source: SecurityWeek — https://www.securityweek.com/grafana-says-codebase-and-other-data-stolen-via-tanstack-supply-chain-attack/


7. Drupal Websites (6,000+ Sites) — CVE-2026-9082 Mass Exploitation

Within hours of Drupal’s advisory release on May 20, attackers began targeting CVE-2026-9082 at scale — with Imperva recording 15,000+ exploitation attempts against nearly 6,000 Drupal sites across 65 countries. The attacks target PostgreSQL-backed CMS installations to steal user credentials, modify content, and in some cases attempt privilege escalation to remote code execution.

Region: Global | Type: Web application exploitation | Actor: Multiple threat actors
Source: SecurityWeek — https://www.securityweek.com/drupal-vulnerability-in-hacker-crosshairs-shortly-after-disclosure/


8. U.S. Gas Stations — Iranian Hackers Breach ATG Fuel Monitoring Systems

U.S. officials revealed this week that Iranian hackers breached automatic tank gauge (ATG) systems at gas stations across multiple U.S. states. ATG systems monitor fuel levels in underground storage tanks and are part of critical energy distribution infrastructure. The breach raises serious concerns about physical infrastructure tampering, fuel safety, and the expanding scope of Iranian hybrid operations targeting U.S. critical infrastructure.

Region: United States | Type: Critical infrastructure / OT/ICS attack | Actor: Iranian state-linked
Source: SecurityWeek — https://www.securityweek.com/in-other-news-industrial-router-exploitation-cisa-kev-nomination-form-gas-station-hacking/


9. Canvas LMS — ShinyHunters Ransomware Targets 275 Million Education Users

ShinyHunters re-attacked Canvas LMS on May 7, 2026, replacing its login page with a ransomware message after a prior breach on April 25. The group claimed to have stolen 3.65 terabytes of data from approximately 275 million users across 8,809 universities and educational institutions worldwide. The U.S. House Homeland Security Committee launched an official investigation, with Canvas used by 41% of U.S. higher education institutions.

Region: Global / Education | Type: Ransomware / Data breach | Actor: ShinyHunters
Source: Wikipedia / House Homeland Security Committee — https://en.wikipedia.org/wiki/2026_Canvas_data_breach


10. Windows Enterprise — RedSun/UnDefend Zero-Day Exploitation Chain

Threat actors actively exploited the RedSun (CVE-2026-41091) and UnDefend (CVE-2026-45498) Windows Defender zero-days in the wild before patches became available on May 20. These vulnerabilities, when chained with the previously patched BlueHammer (CVE-2026-33825), enable full SYSTEM-level access and silent disabling of endpoint protection — representing a complete compromise of Windows defenses across Windows 10, 11, and Server 2016–2025.

Region: Global | Type: Zero-day exploitation | Actor: Multiple threat actors
Source: SecurityWeek / Petri.com — https://www.securityweek.com/microsoft-patches-exploited-undefend-and-redsun-defender-zero-days/

AI Watch: Top 10 AI Innovations Shaping Cyber & Tech

1. Google I/O 2026: Gemini 3.5 Flash & Gemini Omni Launched

At Google I/O 2026 (May 19–20), Google launched Gemini 3.5 Flash as the new default model for the Gemini app and Google Search AI Mode globally — described as 4x faster than other frontier models by output tokens per second. Simultaneously, Google unveiled Gemini Omni Flash, a world-model capable of creating photorealistic video from any input with physics understanding. Gemini 3.5 Pro is slated for next month.

Source: Google Blog / Mashable — https://mashable.com/tech/all-the-gemini-announcements-google-io-2026


2. Google Gemini Spark — Personal 24/7 Agentic AI Launched

Google announced Gemini Spark at I/O 2026 as its most ambitious innovation: a personal 24/7 AI agent that integrates with Gmail, Chat, and over 30 third-party applications (Adobe, Dropbox, Uber) via MCP protocol. Spark can autonomously aggregate emails, manage documents, and prepare updates — operating entirely in the cloud. It rolled out to Google AI Ultra subscribers in the U.S. immediately, representing a major step into persistent, production agentic AI.​

Source: Mashable / Google — https://mashable.com/tech/all-the-gemini-announcements-google-io-2026


3. OpenAI GPT-5.5 Instant — Smarter Default Model for All Users

OpenAI released GPT-5.5 Instant on May 4–5, 2026, replacing GPT-5.3 Instant as the default ChatGPT model for all users. The update delivers a 52.5% reduction in hallucinated claims versus GPT-5.3 Instant on high-stakes domains (medicine, law, finance), a 37.3% reduction in inaccurate claims, and improved personalization using Gmail, past chats, and memory sources. OpenAI also introduced “memory sources” across all ChatGPT consumer plans for greater transparency.

Source: OpenAI — https://openai.com/index/gpt-5-5-instant/


4. OpenAI Files Confidential IPO — Could List September 2026

OpenAI is preparing to confidentially file IPO paperwork in the coming weeks, working with Goldman Sachs and Morgan Stanley, with a potential September 2026 listing. The company simultaneously launched the “OpenAI Deployment Company” (acquiring Tomoro for forward-deployed engineering) to help enterprises build production AI systems. This would be the most significant AI company IPO in history, reflecting the industry’s rapid maturation from research to commercial enterprise.

Source: New York Times / OpenAI — https://www.nytimes.com/2026/05/20/technology/openai-ipo.html


5. Google DeepMind AlphaEvolve — AI Solving Complex Scientific Problems

Google DeepMind’s AlphaEvolve was highlighted at I/O 2026 as making significant strides in scientific research — autonomously solving complex mathematical problems and participating in discovery across physics, chemistry, and biology. AlphaEvolve can generate hypotheses, use tools to control scientific experiments, and collaborate with both human and AI research colleagues, representing a qualitative leap beyond summarizing research into actively participating in it.​​

Source: Microsoft Source / Google DeepMind — https://news.microsoft.com/source/features/ai/whats-next-in-ai-7-trends-to-watch-in-2026/


6. Google TurboQuant — Solving AI’s Memory Bottleneck

Google researchers unveiled TurboQuant this week, a breakthrough technology that significantly reduces the KV (key-value) cache memory overhead for large language models. By optimizing memory usage, TurboQuant speeds up long-context AI deployment and reduces operational costs, making large-context AI applications more affordable for developers. This could transform how large-context AI is deployed at enterprise scale.

Source: YouTube/Google — https://www.youtube.com/watch?v=6qzk4kTINUQ


7. Sovereign AI: MIT Report — 5x ROI for Data-Sovereign AI Leaders

A landmark MIT Technology Review Insights report (released May 13, 2026, produced with EnterpriseDB) found that AI and data sovereignty is the single strongest predictor of enterprise AI success — with a 0.93 correlation coefficient. Organizations “deeply committed” to controlling their data, infrastructure, models, and governance are delivering 5x the ROI on generative and agentic AI compared to peers. Over half of enterprises already have autonomous AI agents in production.

Source: MIT Technology Review / EnterpriseDB — https://www.prnewswire.com/news-releases/sovereignty-is-the-new-operating-system-for-agentic-ai


8. DeepSeek V4 — Open-Source Frontier Model at 1/7th the Cost

DeepSeek’s V4-Pro and V4-Flash models (launched April 24, 2026 preview) are now in broad enterprise adoption, offering 1M-token context windows at $0.145/million input tokens — approximately 1/7th the cost of competing frontier models. DeepSeek V4-Pro scores 80.6% on SWE-bench Verified (matching Claude Opus 4.6 at 80.8%) and leads on Terminal-Bench 2.0 for multi-step shell tasks. Both models are MIT-licensed open weights.

Source: TechCrunch / MIT Technology Review — https://techcrunch.com/2026/04/24/deepseek-previews-new-ai-model-that-closes-the-gap-with-frontier-models/


9. NVIDIA Ising — World’s First Open Quantum AI Models

NVIDIA launched Ising in April 2026, the world’s first family of open-source AI models purpose-built for quantum computing — addressing the two largest engineering bottlenecks: processor calibration and error correction. The Ising Calibration model (35B parameters) shrinks quantum calibration from days to hours; Ising Decoding achieves up to 2.5x faster and 3x more accurate error correction than open-source benchmarks. Models are available on GitHub, Hugging Face, and NVIDIA’s platform.

Source: NVIDIA / Silicon Republic — https://thequantuminsider.com/2026/04/14/nvidia-launches-ising-the-worlds-first-open-ai-models-to-accelerate-the-path-to-useful-quantum-computing/


10. Google I/O 2026: Managed Agents API & Google Antigravity 2.0

Google announced a Managed Agents API at I/O 2026, providing a Google-hosted platform for enterprises to run custom AI agents in secure, isolated environments — comparable to self-hosted agent frameworks but without infrastructure overhead. Alongside this, Google Antigravity 2.0 (its agentic coding platform) received a major update with deeper Gemini 3.5 Flash integration. These announcements signal Google’s intent to dominate the enterprise agentic AI deployment market in 2026.​

Source: Google I/O 2026 / YouTube — https://io.google


© CyberMentor365 Weekly Brief | cybermentor365.blog | cybermentor365.com
All information sourced from publicly available threat intelligence and vendor advisories. For educational and awareness purposes only.

Week of may 11–May 17, 2026

Cyber Pulse: Top 10 Cybersecurity Stories This Week

1. Microsoft May 2026 Patch Tuesday: 118–137 CVEs, No Zero-Days
Microsoft released its May 2026 Patch Tuesday fixes addressing between 118 and 137 vulnerabilities (counts vary slightly by vendor) across 20+ product families, including 16–31 marked Critical. Notably, this is the first Patch Tuesday since June 2024 with no zero-days actively exploited in the wild.
Source: BleepingComputer — https://www.bleepingcomputer.com/news/microsoft/microsoft-may-2026-patch-tuesday-fixes-120-flaws-no-zero-days/crowdstrike+2

2. Foxconn Ransomware Attack: Nitrogen Gang Claims 8TB of Data Stolen
Foxconn confirmed on May 12, 2026 that its North American manufacturing plants (primarily Mount Pleasant, Wisconsin) were hit by the Nitrogen ransomware group. The attackers claimed to have exfiltrated 8TB / 11+ million files including schematics tied to Apple, Google, Nvidia, Dell, and Intel. Production disruptions began as early as May 1 before public disclosure.
Source: TechCrunch / WIRED — https://techcrunch.com/2026/05/13/ransomware-hackers-claim-breach-at-foxconn/ | https://www.wired.com/story/foxconn-ransomware-attack-shows-nothing-is-safe-forever/ techcrunch+2

3. Instructure (Canvas LMS) Breach: ShinyHunters Claims 275 Million Records
Instructure, maker of the Canvas learning management system, confirmed a major data breach after ShinyHunters claimed to have stolen data from approximately 8,809 schools worldwide, affecting an estimated 275 million students, teachers, and staff. Exposed data includes names, email addresses, student IDs, and private messages. The attackers escalated by defacing hundreds of school login portals with ransom messages.
Source: LinkedIn / Check Point Research — https://www.linkedin.com/pulse/securefact-cyber-security-news-week-may-11-2026-magedatadotai-glfxc | https://research.checkpoint.com/2026/11th-may-threat-intelligence-report/ linkedin+1

4. Cisco Catalyst SD-WAN CVSS 10.0 Auth Bypass Actively Exploited
A maximum-severity authentication bypass vulnerability (CVE-2026-20182, CVSS 10.0) in Cisco Catalyst SD-WAN Controller and Manager was confirmed as actively exploited in May 2026. An unauthenticated remote attacker can abuse DTLS on UDP port 12346 to bypass authentication and gain full administrative privileges over the SD-WAN fabric. Cisco has released patches and urged immediate action.
Source: The Hacker News — https://thehackernews.com/2026/05/cisco-catalyst-sd-wan-controller-auth.htmlthehackernews+1

5. Verizon 2026 DBIR Published: Ransomware Now in 44% of Breaches
Verizon released its 2026 Data Breach Investigations Report, finding ransomware present in approximately 44% of all breaches (up from 32% the prior year), while third-party involvement in breaches doubled year-over-year. Credential abuse remains the top entry vector, and AI-generated phishing text in malicious emails doubled over the past two years.
Source: Verizon / DIESEC — https://www.verizon.com/business/resources/reports/dbir/ | https://diesec.com/2026/05/top-5-cybersecurity-news-stories-may-15-2026/ verizon+2

6. Palo Alto PAN-OS CVE-2026-0300: Critical RCE Being Actively Exploited
Palo Alto Networks disclosed and confirmed active exploitation of CVE-2026-0300, a critical buffer overflow in the PAN-OS User-ID Authentication Portal (Captive Portal). Unauthenticated attackers can achieve root-level remote code execution on PA-Series and VM-Series firewalls. No user interaction or credentials are required; CISA added it to the Known Exploited Vulnerabilities (KEV) catalog.
Source: Wiz / Help Net Security — https://www.wiz.io/blog/critical-vulnerability-in-pan-os-exploited-in-the-wild-cve-2026-0300 | https://www.helpnetsecurity.com/2026/05/06/palo-alto-firewalls-vulnerability-exploited-cve-2026-0300/ wiz+1

7. Best Western (BWH Hotels) Data Breach: Guest Data Exposed for 6 Months
BWH Hotels (parent of Best Western, WorldHotels, and SureStays) confirmed that hackers lurked inside its reservation web application from October 14, 2025 to April 22, 2026 — over six months — before detection. Stolen data includes guest names, emails, phone numbers, postal addresses, reservation numbers, dates of stay, and special requests. Payment data was not affected.
Source: Cybernews / TechRadar — https://cybernews.com/security/best-western-bwh-hotels-guest-data-breach/ | https://www.techradar.com/pro/security/best-western-hotels-warns-customers-reservation-data-may-have-been-spilled-in-breach cybernews+1

8. Exim Mail Server Critical RCE (CVE-2026-45185 “Dead.Letter”)
A critical use-after-free RCE vulnerability (CVE-2026-45185, CVSS 9.8) nicknamed “Dead.Letter” was disclosed in Exim mail transfer agent versions 4.97–4.99.2 on GnuTLS-compiled builds. An unauthenticated remote attacker can execute arbitrary code by sending a crafted TLS close_notify alert mid-BDAT transfer. Exim 4.99.3 patches the flaw; OpenSSL-based builds are not affected.
Source: BleepingComputer / runZero — https://www.bleepingcomputer.com/news/security/new-critical-exim-mailer-flaw-allows-remote-code-execution/ | https://www.runzero.com/blog/exim-mail-servers/ bleepingcomputer+1

9. NuGet Supply Chain Attack: 65,000 Downloads of Infostealer Packages
Five malicious NuGet packages (published by account “bmrxntfj”) impersonating popular Chinese .NET UI libraries accumulated nearly 65,000 downloads. The packages embed an infostealer that harvests browser credentials from 12 browsers, SSH keys, cryptocurrency wallet data, and local files — targeting both developer workstations and CI/CD pipelines. The campaign is ongoing.
Source: Cyberpress / SOC Prime — https://cyberpress.org/nuget-malware-steals-secrets/ | https://socprime.com/active-threats/malicious-nuget-packages-steal-wallets-and-credentials/ cyberpress+2

10. Zara (Inditex) Data Breach: 197,400 Customer Records Exposed
Spanish fashion giant Zara confirmed unauthorized access to a database hosted by a former third-party technology provider. Have I Been Pwned confirmed 197,400 unique email addresses were exposed, along with product SKUs, order IDs, and support ticket data. ShinyHunters claimed responsibility and leaked a 140GB archive, though names, phone numbers, payment card data, and credentials were not exposed.
Source: Check Point Research / LinkedIn — https://research.checkpoint.com/2026/11th-may-threat-intelligence-report/ | https://www.linkedin.com/pulse/securefact-cyber-security-news-week-may-11-2026-magedatadotai-glfxc

Threat Radar: Top 10 Active Threats, APTs & Dark Web Alerts

1. Nitrogen Ransomware — Active Double-Extortion Group Hits Foxconn
Nitrogen ransomware (active since 2023, linked to Conti 2 leaked code and ALPHV/BlackCat cartel) claimed its most high-profile attack yet against Foxconn’s North American operations, stealing 8TB of data and deploying double-extortion tactics. The group typically targets supply-chain entry points and uses Bring Your Own Vulnerable Driver (BYOVD) techniques to disable AV tools before deployment.
Source: Hoplon InfoSec / Cybersecurity Dive — https://hoploninfosec.com/foxconn-ransomware-attack-nitrogen-breach | https://www.cybersecuritydive.com/news/foxconn-confirms-cyberattack-affecting-some-north-american-facilities/820120/ hoploninfosec+1

2. ShinyHunters — Prolific Extortion Group Targeting Education & Retail
ShinyHunters continued its rampage this week, claiming attacks against Instructure/Canvas (275M records), Zara (197K records), and NVIDIA GeForce NOW (Armenia region). The group leverages compromised authentication tokens (including Anodot tokens used in the Zara attack) and cloud infrastructure abuse to exfiltrate large-scale datasets from BigQuery and similar cloud databases.
Source: LinkedIn SecureFact / Check Point — https://www.linkedin.com/pulse/securefact-cyber-security-news-week-may-11-2026-magedatadotai-glfxcresearch.checkpoint+1

3. MuddyWater (Iran) — False Flag Ransomware Deployed as Espionage Cover
Iran-linked MuddyWater (Mango Sandstorm / Seedworm / Static Kitten), operating under Iran’s Ministry of Intelligence and Security (MOIS), ran a sophisticated false-flag operation using Microsoft Teams social engineering. Attackers impersonated IT support staff, convinced victims to grant remote access, deployed infostealers, altered MFA settings, and deployed Chaos ransomware as cover — while the real objective was credential theft and data exfiltration.
Source: The Hacker News / TechRadar — https://thehackernews.com/2026/05/muddywater-uses-microsoft-teams-to.html | https://www.techradar.com/pro/security/iranian-hackers-launch-ransomware-campaign-looking-to-steal-details-via-microsoft-teams thehackernews+1

4. Handala (Iran-Linked Hacktivists) — Targeting UAE & Gulf Critical Infrastructure
Handala, an Iran-aligned hacktivist group, escalated operations against UAE and Gulf targets. The group claimed to have breached the Port of Fujairah (releasing 430,000 classified documents including oil pipeline maps and ship movement data) and previously conducted cyberattacks on Gulf steel producers (Foulath Holding, Bahrain and SULB) targeting industrial SCADA systems.
Source: YouTube / Cyble — https://www.youtube.com/watch?v=SpGEkq7hS24 | https://cyble.com/blog/middle-east-cyber-warfare-2026-hybrid-conflict/ YouTube​cyble

5. BARADAI Ransomware — Newly Identified File-Encrypting Strain
CYFIRMA researchers identified BARADAI ransomware this week while monitoring underground forums. It is a file-encrypting malware strain that appends a distinct extension to compromised files, targets local systems and network resources, and supports a double-extortion model with a Tor-based leak site. Initial access vectors include phishing, social engineering, and vulnerability exploitation.
Source: CYFIRMA — https://www.cyfirma.com/news/weekly-intelligence-report-08-may-2026/cyfirma

6. Silver Fox APT — Tax-Themed Phishing Delivering ABCDoor Backdoor
Researchers detailed a Silver Fox campaign targeting organizations in India and Russia with tax-themed phishing emails delivering the previously undocumented ABCDoor backdoor, ValleyRAT, and related malware. The campaign affected industrial, consulting, retail, and transportation sectors through more than 1,600 socially engineered messages.
Source: Check Point Research — https://research.checkpoint.com/2026/11th-may-threat-intelligence-report/research.checkpoint

7. Sandworm (Russia GRU) — OT/ICS Lateral Movement Activity Detected
Russian state-linked Sandworm was reported moving from IT networks toward operational technology (OT) and industrial control system (ICS) environments, raising critical infrastructure alarms. The concern centers on leveraging existing footholds, unresolved vulnerabilities, and weak segmentation to approach energy, utilities, and manufacturing systems — where attacks can have physical-world consequences.
Source: LinkedIn Weekly Cyber Update — https://www.linkedin.com/pulse/weekly-update-cyber-news-week-ending-may-15th-2026-dr-jason-wrt6elinkedin

8. Qilin Ransomware (RaaS) — Ongoing Operations with In-House Legal Services
Qilin, operating a mature Ransomware-as-a-Service model, continued active operations against US, Canadian, French, UK, and Italian targets. Notably, the group has innovated with in-house legal services to increase pressure on victims, alongside AI chatbot integrations to streamline victim communications. Their RaaS infrastructure provides affiliates with full tooling and support ecosystems.
Source: CYFIRMA / ISACA — https://www.cyfirma.com/news/weekly-intelligence-report-08-may-2026/ | https://www.isaca.org/resources/news-and-trends/industry-news/2026/ai-driven-ransomware-fuels-rise-in-new-cyberthreat-groups cyfirma+1

9. BlueNoroff (DPRK) — Social Engineering Targeting Crypto Organizations
North Korea-linked BlueNoroff was reported conducting targeted intrusions against Web3 and cryptocurrency organizations using fake Zoom meeting invitations that redirect to malicious interfaces. Attacks enable webcam capture, credential theft from cryptocurrency wallets, Telegram session hijacking, and persistence. Stolen data is reused to build more convincing deepfake lures.
Source: Help AG — https://www.helpag.com/top-middle-east-cyber-threats-06-may-2026/helpag

10. RansomHouse — Claims Attack on Trellix Source Code Repository
The RansomHouse threat group claimed responsibility for attacking cybersecurity vendor Trellix’s source code repository, leaking a small set of images as proof of intrusion. The breach reportedly occurred on April 17, involving data encryption and exfiltration representing a double-extortion approach. The attack on a major security vendor’s code repository raises significant supply-chain concerns.
Source: LinkedIn SecureFact — https://www.linkedin.com/pulse/securefact-cyber-security-news-week-may-11-2026-magedatadotai-glfxc

Patch Priority: Top 10 Critical Vulnerabilities to Watch

  1. CVE-2026-20182 — Cisco Catalyst SD-WAN Authentication Bypass
  • CVSS Score: 10.0 (Critical)
  • Affected Products: Cisco Catalyst SD-WAN Controller, Cisco Catalyst SD-WAN Manager (On-Prem, Cloud-Pro, Cloud, FedRAMP)
  • Patch Status: Patches available — immediate patching required; active exploitation confirmed
  • Details: Unauthenticated remote attacker can bypass authentication via DTLS on UDP port 12346 to gain full administrative privileges over the SD-WAN fabric.
    Source: The Hacker News — https://thehackernews.com/2026/05/cisco-catalyst-sd-wan-controller-auth.htmlthehackernews

2. CVE-2026-42826 — Azure DevOps Information Disclosure

3. CVE-2026-0300 — Palo Alto PAN-OS Captive Portal RCE

4. CVE-2026-41089 — Windows Netlogon RCE (Wormable)

  • CVSS Score: 9.8 (Critical)
  • Affected Products: Windows Server (Domain Controllers)
  • Patch Status: Patched via May 2026 Patch Tuesday
  • Details: Stack-based buffer overflow allowing unauthenticated remote code execution on domain controllers. No credentials or user interaction required — classified as wormable. A compromised DC means a compromised domain.
    Source: Zero Day Initiative — https://www.thezdi.com/blog/2026/5/12/the-may-2026-security-update-reviewthezdi

5. CVE-2026-45185 — Exim Mail Server RCE (“Dead.Letter”)

6. CVE-2026-7482 — Ollama “Bleeding Llama” Memory Leak

7. CVE-2026-33109 — Azure Managed Instance for Apache Cassandra RCE

8. CVE-2026-31431 — Linux Kernel “Copy Fail” Local Privilege Escalation

  • CVSS Score: 8.8 (High)
  • Affected Products: Linux distributions using kernel versions released since 2017
  • Patch Status: Kernel patch required; PoC available
  • Details: Allows an unprivileged local user to gain full root access. Exploitation requires only a lightweight Python script with no race conditions or complex kernel offsets — significantly lower barrier than typical LPE flaws.
    Source: Integrity360 — https://www.integrity360.com/cyber-news-roundup-may-1st-2026integrity360

9. CVE-2026-42823 — Azure Logic Apps Elevation of Privilege

  • CVSS Score: 9.9 (Critical)
  • Affected Products: Azure Logic Apps
  • Patch Status: Patched by Microsoft via cloud infrastructure (no customer action needed)
  • Details: Allows privilege escalation within Azure Logic Apps workflows, potentially enabling an attacker to gain unauthorized access to connected services and data.
    Source: Sophos Patch Tuesday — https://www.sophos.com/en-us/blog/may-patch-tuesday-hauls-out-132-cvessophos

10. CVE-2026-41109 — GitHub Copilot & VS Code Security Feature Bypass

CVE Watch: Top 10 CVEs — Severity, Impact & Patch Status

CVE IDSeverity (CVSS)ProductImpactSource
CVE-2026-20182Critical (10.0)Cisco Catalyst SD-WAN Controller & ManagerAuth bypass → full admin control over SD-WAN fabric; actively exploitedThe Hacker Newsthehackernews
CVE-2026-42826Critical (10.0)Microsoft Azure DevOpsInformation disclosure of sensitive pipeline secrets and dataCrowdStrikecrowdstrike
CVE-2026-33109Critical (9.9)Azure Managed Instance for Apache CassandraUnauthenticated Remote Code Execution on Azure cloud serviceSophossophos
CVE-2026-42823Critical (9.9)Azure Logic AppsElevation of Privilege on cloud workflow automation serviceSophossophos
CVE-2026-41096Critical (9.8)Windows DNS ClientHeap buffer overflow → unauthenticated RCE via malicious DNS responseCrowdStrikecrowdstrike
CVE-2026-41089Critical (9.8)Windows Netlogon (Domain Controllers)Wormable RCE — stack-based buffer overflow; unauthenticated, no user interactionZero Day Initiativethezdi
CVE-2026-45185Critical (9.8)Exim Mail Server 4.97–4.99.2 (GnuTLS)UAF-based RCE via BDAT/TLS handling; unauthenticated; patched in 4.99.3BleepingComputerbleepingcomputer
CVE-2026-0300Critical (9.8)Palo Alto PAN-OS (PA-Series/VM-Series)RCE with root privileges via Captive Portal buffer overflow; KEV listed; actively exploitedNVD / Wiznvd.nist
CVE-2026-7482Critical (9.1)Ollama < 0.17.1 (GGUF model loader)Memory leak — API keys, system prompts, conversations exfiltrated; 300K servers at riskNVDnvd.nist
CVE-2026-35428Critical (9.6)Azure Cloud ShellCommand injection/spoofing; unauthenticated remote attacker; patched by Microsoft cloud updateCrowdStrikecrowdstrike

Attack Tracker: Top 10 Cyber Attacks (UAE, Gulf & Global)

1.  UAE — 600,000 Daily AI-Powered Cyberattacks as Regional Conflict Escalates
The UAE Cyber Security Council confirmed that daily cyberattack volumes have tripled to approximately 600,000 per day since the regional escalation in late February 2026. Authorities have identified 350 organized groups, 320 amateur hackers, and 120 malware-linked entities actively targeting UAE government systems, financial services, ports, and public utilities. Iranian actors using AI-powered deepfakes and wiper viruses pose the greatest risk.
Source: Analytics Insight UAE / Gulf News — https://www.analyticsinsight.ae/news/uae-cyberattacks-triple-to-600000-a-day-as-gulf-financial-hubs-become-conflict-target | https://gulfnews.com/uae/government/uae-issues-warning-as-iran-deploys-ai-for-cyber-attacks-1.500525604 analyticsinsight+1

2.  UAE — Handala Claims Breach of Port of Fujairah, 430K Documents Leaked
Iran-linked Handala hacker group claimed to have breached the Port of Fujairah ahead of missile and drone strikes on the strategic oil hub. The group alleged it exfiltrated over 430,000 classified documents including oil pipeline maps, ship movement data, and financial records, which it claimed were shared with IRGC-linked military units. The group warned Abu Dhabi to cease cooperation with the US and Israel.
Source: YouTube / Cyble — https://www.youtube.com/watch?v=SpGEkq7hS24 | https://cyble.com/blog/middle-east-cyber-warfare-2026-hybrid-conflict/ YouTube​cyble

3.  UAE /  Bahrain — DieNet Pro-Iran Group DDoS Attacks on Gulf Airports & Banks
Pro-Iran hacktivist group DieNet claimed responsibility for DDoS attacks targeting airports and financial institutions across the Gulf, including an airport in the UAE, Sharjah Airport in Saudi Arabia, Riyadh Bank, the Bank of Jordan, and a Bahrain airport. The group publicizes attacks via its Telegram board as part of a coordinated digital pressure campaign aligned with Iran’s regional posture.
Source: Palo Alto Unit 42 — https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/unit42.paloaltonetworks

4.  Bahrain /  Saudi Arabia — 800% Surge in Cyberattacks Post-Iran Conflict
Cyberattacks targeting Bahrain and Gulf neighbours surged 800% during March 2026 compared to February, with the trend continuing into May. Digital campaigns heavily targeted Israel (36% of strikes), UAE (21%), and Bahrain (14%), with the heaviest hits landing on public sector, banking, and telecommunications. Iranian-aligned hacktivists conducted DDoS campaigns against US-aligned Gulf states hosting American military installations.
Source: Gulf Daily News — https://www.gdnonline.com/Details/1380549gdnonline

 Global

5.  Foxconn — Nitrogen Ransomware Disrupts North American Manufacturing
The Nitrogen ransomware gang hit Foxconn’s North American operations (confirmed May 12), causing a two-week network collapse at the Mount Pleasant, Wisconsin plant. The attackers claimed to have stolen 8TB / 11 million files including confidential project data tied to Apple, Google, Nvidia, Dell, and Intel. The double-extortion attack underscores supply-chain vulnerability in global electronics manufacturing.
Source: TechCrunch / WIRED — https://techcrunch.com/2026/05/13/ransomware-hackers-claim-breach-at-foxconn/ | https://www.wired.com/story/foxconn-ransomware-attack-shows-nothing-is-safe-forever/ techcrunch+1

6.  Instructure / Canvas LMS — 275 Million Education Records Compromised
ShinyHunters breached Instructure’s cloud environment serving Canvas LMS, compromising data from 8,809 schools, colleges, and universities worldwide. Beyond data theft, attackers defaced hundreds of school login portals with ransom messages, escalating pressure on the educational technology company. The incident represents one of the largest education-sector breaches in history.
Source: LinkedIn SecureFact / Check Point — https://www.linkedin.com/pulse/securefact-cyber-security-news-week-may-11-2026-magedatadotai-glfxclinkedin+1

7.  Best Western (BWH Hotels) — 6-Month Undetected Intrusion into Reservation Systems
Hackers infiltrated BWH Hotels’ guest reservation system in October 2025 and remained undetected for over six months, exfiltrating reservation data for tens of thousands of guests. The breach exposed names, email addresses, phone numbers, postal addresses, and full reservation details. The long dwell time raises serious concerns about detection gaps in the hospitality sector.
Source: Cybernews — https://cybernews.com/security/best-western-bwh-hotels-guest-data-breach/cybernews

8.  Water Infrastructure — Hackers Access Industrial Controls at Public Water Plants
Researchers and responders reported active intrusions into water facility industrial control systems, with attackers testing access to programmable logic controllers and SCADA systems. The incidents coincide with Sandworm activity targeting OT environments, raising physical-world safety concerns as hackers probe the boundary between cyber and operational disruption in critical infrastructure.
Source: LinkedIn Daily Cyber News — https://www.linkedin.com/pulse/daily-cyber-news-may-11th-2026-dr-jason-edwards-dm-cissp-crisc-f0neelinkedin

9.  MuddyWater (Iran) — Microsoft Teams Social Engineering Espionage Campaign
Iran’s MuddyWater executed a false-flag ransomware campaign using Microsoft Teams, impersonating IT support staff via a deceptive Microsoft 365 tenant domain (e.g., “sarahwilson@seqhelpsitdevsupportops.onmicrosoft.com“). Victims were tricked into executing a malicious MSI installer (Dindoor backdoor), followed by credential theft, MFA modification, data exfiltration, and Chaos ransomware deployment as cover.
Source: The Hacker News / CyberProof — https://thehackernews.com/2026/05/muddywater-uses-microsoft-teams-to.html | https://www.cyberproof.com/blog/iranian-apt-seedworm-targets-global-organizations-via-microsoft-teams/ thehackernews+1

10.  Hungarian Mediaworks — World Leaks Posts 8.5TB of Internal Files
Hungarian media company Mediaworks, which operates dozens of newspapers and online outlets, was hit by a data-theft extortion attack. The World Leaks group posted 8.5TB of internal files online, reportedly including payroll records, contracts, financial documents, and internal communications. The attack demonstrates the continued targeting of media organizations in geopolitically sensitive regions.
Source: Check Point Research — https://research.checkpoint.com/2026/11th-may-threat-intelligence-report/

AI Watch: Top 10 AI Innovations Shaping Cyber & Tech

1. OpenAI Launches GPT-5.5 Instant as Default ChatGPT Model
OpenAI released GPT-5.5 Instant on May 5, 2026 as the new default model for all ChatGPT users, replacing GPT-5.3 Instant. The model reduces hallucinations in sensitive domains (law, medicine, finance), scores 81.2 on AIME 2025 (vs. 65.4 for predecessor), and achieves 76 on MMMU-Pro multimodal reasoning. It also introduces stronger personalization based on user conversation history.
Source: TechCrunch / OpenAI — https://techcrunch.com/2026/05/05/openai-releases-gpt-5-5-instant-a-new-default-model-for-chatgpt/ | https://openai.com/index/introducing-gpt-5-5/ techcrunch+1

2. OpenAI Launches GPT-5.5-Cyber: Security-Focused AI Model
On May 7, 2026, OpenAI announced GPT-5.5-Cyber, a limited-preview variant available to vetted cybersecurity teams under its “Trusted Access for Cyber” program. The model is purpose-built for vulnerability analysis, secure code review, and threat assessment workflows, becoming the first OpenAI model with a dedicated cybersecurity use case designation.
Source: Wikipedia / YouTube — https://en.wikipedia.org/wiki/GPT-5.5 | https://www.youtube.com/watch?v=8IzqzUQYqzE wikipedia​YouTube​

3. OpenAI Releases Three New Real-Time Voice Models
OpenAI launched three new real-time API voice models this week: GPT-Realtime-2 (GPT-5 class reasoning for real-time speech), GPT-Realtime-Translate (live speech-to-speech translation across 70+ languages), and GPT-Realtime-Whisper (live transcription). These models transition voice AI from “demo-ready” to production-grade, enabling complex multi-step voice agents.
Source: YouTube API Week Coverage — https://www.youtube.com/watch?v=8IzqzUQYqzEyoutube+1

4. Anthropic Releases Claude Opus 4.7 Fast Mode + Claude for Small Business & Legal
Anthropic released Fast mode for Claude Opus 4.7 in research preview, available through the API and top coding IDEs (Cursor, Windsurf, Warp). The company also launched Claude for Small Business (workflow automation across finance, ops, HR) and Claude for Legal (12 plugins + 20+ MCP connectors for legal practice areas), extending its enterprise footprint significantly.
Source: LinkedIn AI Daily Briefing — https://www.linkedin.com/pulse/ai-daily-briefing-thursday-14th-may-2026-david-wright-z3dlelinkedin

5. Anthropic Secures SpaceX Compute Partnership, Raises Usage Limits
Anthropic announced a partnership with SpaceX for substantially expanded compute capacity, allowing it to raise usage limits for Claude Code and the Claude API. Anthropic’s annualized revenue had crossed $24 billion by April 2026 (vs. OpenAI’s ~$19B), and the company has received investment offers valuing it above $710 billion.
Source: Anthropic — https://www.anthropic.com/news/higher-limits-spacexanthropic+1

6. Google Unveils “Gemini Intelligence” Platform at Android Show 2026
On May 12, 2026, Google unveiled a major paradigm shift at the Android Show 2026, moving away from traditional operating systems toward an “intelligence system” powered by Gemini. Android devices will feature agentic workflows that proactively execute multi-step tasks across apps (e.g., auto-converting a grocery list image to a delivery cart). Google also launched the Googlebook laptop running “Aluminium OS” with an AI-enhanced Magic Pointer cursor built with DeepMind.
Source: Champaign Magazine AI Weekly — https://champaignmagazine.com/2026/05/17/ai-by-ai-weekly-top-5-may-11-17-2026/champaignmagazine

7. xAI Grok 4.3: Multimodal AI with 2M Token Context Window
xAI’s Grok 4.3 reached broader API availability in early May 2026, featuring native video understanding, expanded context windows of up to 2 million tokens, improved multi-step reasoning and instruction following, voice generation and voice-cloning tools, and support for generating PDFs, spreadsheets, and presentations. It tops Artificial Analysis leaderboards in agentic tool calling and ranks #1 on enterprise domains (case law, corporate finance).
Source: Times of AI / Oracle OCI Blog — https://www.timesofai.com/news/grok-4-3-all-new-features-explained/ | https://blogs.oracle.com/ai-and-datascience/whats-new-in-ai-may-2026 timesofai+1

8. Stanford 2026 AI Index: Cybersecurity Agent Accuracy Reaches 93%
The Stanford HAI 2026 AI Index Report revealed that AI cybersecurity agent accuracy jumped from 15% to 93% in one year; SWE-bench performance (real GitHub bugs) rose from 60% to near 100%; global AI investment reached $581.7 billion (up 130%); and generative AI reached 53% population adoption — faster than the PC or the internet. The UAE achieved 54% genAI adoption, ranking above the US average.
Source: Stanford HAI / Reddit — https://hai.stanford.edu/ai-index/2026-ai-index-report | https://www.reddit.com/r/ArtificialInteligence/comments/1sncv1j/the_stanford_ai_index_report_of_2026_has_some/ hai.stanford+1

9. MIT Technology Review: Sovereign AI Delivers 5x ROI for Enterprises
A new MIT Technology Review Insights report (published May 14, 2026, in partnership with EnterpriseDB) found that enterprises “deeply committed” to AI and data sovereignty deliver 5x the ROI from generative and agentic AI initiatives, with a 0.93 correlation between sovereignty commitment and AI success. Over half of enterprises already have AI agents in production. Security and resilience (85%), data localization (74%), and ownership/control (72%) are the top sovereignty drivers.
Source: PR Newswire / MIT Tech Review — https://www.prnewswire.com/news-releases/sovereignty-is-the-new-operating-system-for-agentic-ai-new-mit-technology-review-insights-reportprnewswire

10. Sakana AI Unveils “RL Conductor”: Reinforcement Learning for Multi-Model Orchestration
Sakana AI introduced RL Conductor, a 7B parameter orchestration model trained through reinforcement learning to dynamically coordinate multiple frontier AI systems (GPT-5, Claude Sonnet 4, Gemini 2.5 Pro, and open-source models). Rather than rigid workflows, the model automatically routes tasks based on each model’s strength — representing a significant step toward autonomous multi-agent AI systems at production scale.
Source: MarketingProfs AI Update — https://www.marketingprofs.com/opinions/2026/54786/ai-update-may-15-2026-ai-news-and-views-from-the-past-weekmarketingprofs


Week of may 04–May 10, 2026

Cyber Pulse: Top 10 Cybersecurity Stories This Week

  1. Palo Alto PAN-OS Zero-Day (CVE-2026-0300) Actively Exploited — Internet-exposed Palo Alto firewalls face root-level takeover risk after state-linked actors began exploiting the User-ID/Captive Portal authentication flaw. CISA added it to the KEV catalog this week. Source: Dr. Jason Edwards Weekly – May 8linkedin
  2. MuddyWater Uses Microsoft Teams for Espionage Masquerading as Chaos Ransomware — Iranian state-linked MuddyWater operators used Microsoft Teams to socially engineer credential theft, MFA manipulation, and data exfiltration — disguising espionage as a ransomware campaign. Source: Dr. Jason Edwards Weekly – May 8linkedin
  3. DAEMON Tools Supply Chain Attack Hits 100+ Countries — Attackers poisoned official DAEMON Tools installers with a backdoor starting April 8, reaching thousands of systems worldwide. Second-stage payloads were selectively deployed to high-value targets. Source: Cybersecurity Help – May 8cybersecurity-help
  4. 35,000 Users Hit in 48-Hour Global Phishing Blitz — A rapid token-theft phishing campaign targeted 35,000 users across 26 countries in just two days, hitting 13,000+ organisations including healthcare, finance, and tech sectors. Source: Dr. Jason Edwards Weekly – May 8linkedin
  5. Microsoft Edge Dumps Passwords in Cleartext Memory — A serious flaw in Edge’s password manager exposes Azure logins and site credentials in cleartext memory on shared desktops or compromised sessions. No CVE assigned and no patch planned yet. Source: Cyber Recaps – May 5cyberrecaps
  6. Ollama “Bleeding Llama” Bug Exposes AI Server Memory (CVE-2026-7482, CVSS 9.3) — An unauthenticated heap out-of-bounds read in Ollama’s GGUF model loader allows attackers to dump process memory from exposed AI servers. Public PoC available. Source: Cyber Recaps – May 5cyberrecaps
  7. Ivanti EPMM Zero-Day Abused in Limited Attacks — Ivanti Endpoint Manager Mobile contained a flaw being actively exploited in limited real-world attacks, placing enterprise mobile fleets, policies, and certificates at risk. Source: Dr. Jason Edwards Weekly – May 8linkedin
  8. Progress Software MOVEit Automation Auth Bypass Fixed — Progress issued urgent patches for MOVEit Automation addressing a high-severity authentication bypass. MOVEit remains a top target following its 2025 mass-exploitation campaign. Source: Cybersecurity Help – May 8cybersecurity-help
  9. BARADAI Ransomware Discovered on Underground Forums — CYFIRMA researchers identified a new double-extortion ransomware called BARADAI, using AES-256+RSA-2048 encryption, Tor-based infrastructure, and targeting IT, government, and finance sectors. Source: CYFIRMA Weekly Intel – May 8cyfirma
  10. UAE Cautions Against “Rushed Digital Decision-Making” Amid AI Attack Surge — Abu Dhabi’s cybersecurity guidelines urge citizens and businesses not to act hastily on AI-powered phishing and deepfake attacks, as Microsoft Threat Intelligence confirmed phishing remains the leading attack vector. Source: The National Newsthenationalnews

Threat Radar: Top 10 Active Threats, APTs & Dark Web Alerts

  1. Handala Wiper Group Claims 200,000 Systems Wiped Across 79 Countries — Handala used compromised Microsoft Intune Global Admin accounts to deploy BiBi Wiper, Hamsa (Linux), CoolWipe, and ChillWipe variants. C2 infrastructure runs via Telegram Bot API. Source: Help AG – May 5helpag
  2. Brain Cipher Ransomware Targeting UAE, Finance & Government — CYFIRMA’s May 8 report confirms Brain Cipher uses double-extortion with AES-256/RSA-2048 encryption. UAE is a primary target, alongside Canada, US, Spain, and France. Source: CYFIRMA Weekly Intel – May 8cyfirma
  3. Qilin RaaS Continues Dominant Activity — Qilin ransomware, operating a cross-platform RaaS model (Windows, Linux, VMware ESXi), remains among the most active threat actors with double-extortion campaigns across US, Canada, France, UK, and Italy. Source: CYFIRMA Weekly Intel – May 8cyfirma
  4. PCPJack Cloud Credential Stealer Targets Exposed Infrastructure — A newly tracked tool “PCPJack” is actively scanning for exposed cloud infrastructure services to harvest access keys — potentially opening lateral movement pathways across enterprise environments. Source: Dr. Jason Edwards Weekly – May 8linkedin
  5. Firestarter Backdoor Persists After Cisco Patches — US/UK Joint Advisory — A joint US/UK advisory warns that the Firestarter backdoor maintains persistence even after patching affected Cisco devices, attributed to a sophisticated state-linked actor that targeted a federal agency. Source: Senthorus Weekly Reviewsenthorus
  6. MuddyWater (Iran) Pivots to Teams-Based Hybrid Espionage-Ransomware TTPs — MuddyWater is evolving its playbook, using Microsoft Teams as a social engineering vector to steal credentials and mimic Chaos ransomware behavior, making attribution and incident classification significantly harder. Source: Dr. Jason Edwards Weekly – May 8linkedin
  7. North Korea (Lazarus) Continues Targeting Web3 Executives — North Korean actors are conducting tailored spear-phishing and social engineering campaigns against crypto wallet holders and Web3 company founders, consistent with Lazarus Group’s ~$2B in 2025 crypto theft. Source: Senthorus Weekly Reviewsenthorus
  8. RMM Tool Abuse Campaign Hits 80+ Organisations Globally — A sophisticated phishing campaign is abusing legitimate Remote Monitoring & Management (RMM) tools to blend with normal IT activity, establishing persistence across 80+ organisations while bypassing traditional security controls. Source: Senthorus Weekly Reviewsenthorus
  9. ShinyHunters Widens Salesforce-Linked Data Extortion Spree — ShinyHunters continued targeting organisations via compromised Salesforce integrations, adding Udemy (1.4M records), Canada Life (70,000 individuals), Vimeo, and Zara to its dark web leak site this week. Source: LinkedIn Cybersecurity Daily Digestlinkedin
  10. Red Piranha 2026 TI Report: Cyber Espionage Replaces Disruption as Primary Goal — Analysis of 80M+ security events and 110 APT campaigns reveals attackers now prioritise long-term stealth and intelligence gathering over immediate disruption, using identity-based attacks and living-off-the-land techniques. Source: Red Piranha 2026 TI Reportredpiranha

Patch Priority: Top 10 Critical Vulnerabilities to Watch

  1. Palo Alto PAN-OS — CVE-2026-0300 (Critical) — Unauthenticated RCE at root level via the Captive Portal/User-ID service on PA-Series and VM-Series firewalls. State-linked actors actively exploiting exposed management portals. Patch immediately. Source: Dr. Jason Edwards Weekly – May 8linkedin
  2. Ollama “Bleeding Llama” — CVE-2026-7482 (CVSS 9.3) — Heap out-of-bounds read in GGUF model loader allowing unauthenticated memory dump and data exfiltration from exposed Ollama AI servers. Public PoC available. No auth required. Source: Cyber Recaps – May 5cyberrecaps
  3. Ivanti EPMM — Zero-Day (Active Exploitation) — Flaw in Ivanti Endpoint Manager Mobile exploited in limited attacks, enabling attackers to compromise enterprise mobile management platforms, certificates, and user policies. Source: Dr. Jason Edwards Weekly – May 8linkedin
  4. Weaver E-cology CMS — CVE-2026-22679 (High) — Critical RCE vulnerability in the Weaver E-cology office automation platform actively exploited since mid-March for post-compromise reconnaissance across enterprise networks. Source: Cyber Recaps – May 5cyberrecaps
  5. MOVEit Automation — Authentication Bypass (High) — Progress Software patched a high-severity auth bypass in MOVEit Automation this week. MOVEit remains an active target following the mass-exploitation incidents of 2025. Source: Cybersecurity Help – May 8cybersecurity-help
  6. MetInfo CMS — CVE-2026-29014 (RCE, Active Exploitation) — Exploitation of this RCE in the MetInfo enterprise CMS spiked on May 1, with attack traffic originating from IPs in China and Hong Kong. Source: Cybersecurity Help – May 8cybersecurity-help
  7. SimpleHelp — CVE-2024-57726 (CVSS 9.9) — Missing authorization vulnerability allowing full service takeover. CISA federal deadline was May 8, 2026. Linked to ransomware delivery campaigns. Source: The Hacker News / CISA KEVthehackernews
  8. WordPress MStore API — CVE-2021-47933 (CVSS 9.8) — Critical unauthenticated arbitrary file upload vulnerability in MStore API 2.0.6 allowing PHP file uploads and remote code execution via REST API. Source: Red Hot Cyberredhotcyber
  9. Samsung MagicINFO 9 — CVE-2024-7399 (CVSS 8.8) — Path traversal flaw allowing attackers to write arbitrary files as SYSTEM on MagicINFO digital signage servers. CISA federal deadline passed May 8. Source: The Hacker News / CISA KEVthehackernews
  10. Microsoft Edge — Cleartext Password Memory Exposure — Edge’s password manager leaks credentials in cleartext process memory on shared desktops. No CVE assigned, no patch scheduled — a significant risk for shared/enterprise workstations. Source: Cyber Recaps – May 5cyberrecaps

CVE Watch: Top 10 CVEs — Severity, Impact & Patch Status

#CVE IDCVSSProductImpactSource
1CVE-2026-0300CriticalPalo Alto PAN-OSUnauth RCE at root via Captive PortalLinkedIn linkedin
2CVE-2026-74829.3Ollama AI ServerHeap OOB read — memory dump & data exfiltrationCyber Recaps cyberrecaps
3CVE-2024-577269.9SimpleHelp RMMMissing auth — full impersonation takeoverThe Hacker News thehackernews
4CVE-2026-22679HighWeaver E-cologyRCE via office automation exploitCyber Recaps cyberrecaps
5CVE-2026-29014HighMetInfo CMSRCE — active exploitation spike from China/HK IPsCybersecurity Help cybersecurity-help
6CVE-2021-479339.8WordPress MStore APIUnauth arbitrary file upload → RCERed Hot Cyber redhotcyber
7CVE-2024-73998.8Samsung MagicINFO 9Path traversal → SYSTEM-level file writeThe Hacker News thehackernews
8CVE-2025-32975CriticalQuest KACE SMAImproper auth — impersonate any userCISA KEV / CVEFeed cvefeed
9CVE-2026-20131CriticalCisco FMC / SCCJava deserialization → arbitrary code as rootRecorded Future recordedfuture
10CVE-2025-296357.5D-Link DIR-823XCommand injection on EOL routers — botnet recruitmentThe Hacker News thehackernews

Attack Tracker: Top 10 Cyber Attacks (UAE, Gulf & Global)

  1.  UAE — Handala Wiper Hits Local Organisation, 200K Systems Wiped Globally — Iran-linked Handala group targeted a UAE-connected organisation as part of its ongoing wiper campaign that disrupted over 200,000 systems in 79 countries using compromised Microsoft Intune admin accounts. Source: Help AG – May 5helpag
  2.  UAE — 600,000–700,000 Daily Attacks Continue Amid Iran Conflict — UAE remains under sustained assault with cyberattack attempts holding at triple pre-conflict levels. Banks, financial services, e-commerce, oil & gas, and government platforms remain top targets. Source: Economic Timeseconomictimes
  3.  DAEMON Tools Supply Chain Attack — 100+ Countries — Attackers compromised the official DAEMON Tools website to distribute backdoor-laced installers, silently infecting thousands of systems globally since April 8, with targeted second-stage payloads on high-value victims. Source: Cybersecurity Help – May 8cybersecurity-help
  4.  35,000-User Phishing Campaign — 26 Countries in 48 Hours — A Microsoft-tracked credential-theft blitz impersonating compliance/regulatory alerts stole authentication tokens across 13,000+ organisations in healthcare, finance, and tech sectors. Source: Dr. Jason Edwards Weekly – May 8linkedin
  5.  Canada Life Breach — 70,000 Individuals Exposed (ShinyHunters) — ShinyHunters gained access via a compromised employee account at Canada Life, exposing names, DOBs, addresses, and income-related data of up to 70,000 individuals. Source: LinkedIn Cybersecurity Daily Digestlinkedin
  6.  Udemy Breach — 1.4 Million Records Leaked (ShinyHunters) — ShinyHunters listed Udemy on its dark web leak site claiming 1.4 million records stolen. The deadline for negotiations passed April 27, raising likelihood of full data release. Source: LinkedIn Cybersecurity Daily Digestlinkedin
  7.  eBay DDoS Attack — $200M/Day in Estimated Lost Transactions — The 313 Team pro-activist group claimed a large-scale DDoS attack that disrupted eBay’s marketplace for 42–48 hours, causing estimated losses of $200M per day in transactions. Source: LinkedIn Cybersecurity Daily Digestlinkedin
  8.  Venezuelan Energy Sector — Lotus Wiper Destroys Critical Systems — The Lotus Wiper malware destroyed critical operational data across Venezuelan utility firms on April 29, reflecting a growing trend of sabotage-focused attacks on energy infrastructure in geopolitically sensitive regions. Source: Senthorus Weekly Reviewsenthorus
  9.  Vimeo Breach via Third-Party Vendor Anodot (ShinyHunters) — ShinyHunters exploited Vimeo’s analytics vendor Anodot to steal technical data, video metadata, and customer email addresses, threatening to release stolen data unless a ransom is paid. Source: LinkedIn Cybersecurity Daily Digestlinkedin
  10.  Sandhills Medical — Ransomware Breach Affecting 170,000 Patients Disclosed — The Inc Ransom group breached Sandhills Medical Foundation in May 2025 but the healthcare provider only publicly disclosed the incident a full year later in April 2026, exposing SSNs, health records, and financial data. Source: LinkedIn Cybersecurity Daily Digestlinkedin

AI Watch: Top 10 AI Innovations Shaping Cyber & Tech

  1. GPT-5.5 Rolls Out to Enterprise & API — OpenAI’s Smartest Model Yet — OpenAI’s GPT-5.5, released April 23, is now broadly available via API and to Plus/Pro/Enterprise users. It leads in agentic coding, computer use, parallel reasoning, and scientific research tasks. Source: AI Tools Recap – May 2026aitoolsrecap
  2. Anthropic Claude Opus 4.7 Generally Available — Anthropic’s Claude Opus 4.7 launched with notable improvements in advanced software engineering and safety. Claude Mythos — designed to autonomously find software flaws — remains in limited internal testing. Source: Anthropicanthropic
  3. Anthropic NLA: AI “Thoughts” Now Translatable to Human Text — Anthropic’s Natural Language Autoencoders (NLAs) can now translate internal model activations into readable human text, allowing auditors to detect hidden AI motivations — a breakthrough for AI interpretability. Source: LinkedIn AI Highlights – May 9linkedin
  4. AlphaEvolve (Gemini-Powered) Solving Open Problems in Maths & Physics — Google DeepMind’s AlphaEvolve is now designing advanced algorithms to solve previously unsolved mathematical and physics problems autonomously — moving well beyond code generation into original scientific discovery. Source: LinkedIn AI Highlights – May 9linkedin
  5. OpenAI Realtime Suite Goes Live — GPT-Realtime-2, Translate & Whisper — OpenAI launched three new real-time audio models for conversational AI agents, enabling live voice reasoning, real-time translation, and enterprise-grade conversational AI at scale. Source: MarketingProfs AI Update – May 8marketingprofs
  6. Mistral 128B Flagship + Agentic Work Mode in Le Chat — Mistral launched its 128B model with async cloud coding sessions and a new “Work” agentic mode in Le Chat, targeting HR, finance, and customer support automation at enterprise scale. Source: AI Tools Recap – May 2026aitoolsrecap
  7. AWS Bedrock High-Speed — Sub-100ms Inference for Claude & Llama — Amazon Web Services launched Bedrock High Speed using specialised hardware clusters to drive inference latency below 100 milliseconds for massive models like Claude 3.5 and Llama 3. Source: YouTube – May 6 AI Daily Newsyoutube
  8. Zhipu AI GLM-4.7 — Frontier AI Without NVIDIA, 1.2% Hallucination Rate — China’s Zhipu AI released GLM-4.7 trained entirely on Huawei Ascend chips, achieving a 1.2% hallucination rate — the lowest reported by any frontier lab — at just $0.11/M tokens vs Claude Opus at $15/M. Source: AI Model Releases – May 2026mean
  9. IBM Predicts Quantum Outperforms Classical Computers in 2026 — IBM stated that 2026 will mark the first time a quantum computer solves problems better than all classical methods, unlocking breakthroughs in drug development, materials science, and financial optimization. Source: IBM Thinkibm
  10. Ambient AI Emerges as the Architecture Winner of 2026 — AI industry observers are converging on “Ambient AI” — always-on, context-aware AI embedded invisibly into workflows — as the dominant paradigm replacing traditional chatbot interfaces, with Grok Voice Mode and Claude Code leading adoption. Source: LinkedIn AI Highlights – May 9linkedin

Week of April 28–May 4, 2026

Cyber Pulse: Top 10 Cybersecurity Stories This Week

  1. UAE Issues Critical AI-Driven Cyberattack Warning — Dr. Mohammed Al Kuwaiti confirmed Iranian hackers are using ChatGPT to craft phishing emails, build malware, and deploy deepfakes, with up to 700,000 daily attack attempts on the UAE. Source: CXO Insight MEcxoinsightme
  2. ADT Breach Exposes 5.5 Million Records — The ShinyHunters extortion group stole names, phone numbers, addresses, SSN fragments, and dates of birth from home security giant ADT. Notified via Have I Been Pwned. Source: Integrity360integrity360
  3. Windows Shortcut Zero-Day (CVE-2026-32202) Exploited by Russian APT — Microsoft confirmed active exploitation of this LNK file bypass vulnerability by a Russian-linked campaign targeting Ukraine and European entities. Source: LinkedIn / Dr. Jason Edwards Weekly Updatelinkedin
  4. Salesforce-Linked ShinyHunters Breaches Widen — Udemy, Zara, and 7-Eleven were named in dark web leak claims tied to Salesforce integrations, highlighting third-party cloud data exposure risks. Source: LinkedIn Cyber Weeklylinkedin
  5. Social Media Scam Losses Hit $2.1 Billion in US — Fake investment and CAPTCHA SMS fraud schemes are draining bank accounts at scale across the US, per the FTC’s latest data. Source: Integrity360integrity360
  6. Cloudflare 2026 Threat Report: AI Automating Attacks — Cloudflare’s annual report highlights AI being used for real-time network mapping, exploit development, and deepfakes — enabling low-skill actors to run high-impact campaigns. Source: Cloudflare Blogcloudflare
  7. LiteLLM SQL Injection (CVE-2026-42208) Actively Abused — Attackers are exploiting a pre-login SQL injection flaw in the LiteLLM AI gateway to steal cloud credentials and master API keys from OpenAI, Anthropic, and AWS Bedrock integrations. Source: LinkedIn Cyber Weeklylinkedin
  8. UK 2025/26 Cyber Breaches Survey: 43% of Businesses Hit — The UK Government’s annual survey shows phishing remains the #1 attack vector, with nearly half of businesses experiencing incidents. Source: Cyber News Centrecybernewscentre
  9. Venezuelan Energy Firms Hit by Data-Wiping Malware — Critical utility operators in Venezuela were targeted with wiper malware designed to destroy data and impair recovery, elevating OT/ICS threat levels globally. Source: Dr. Jason Edwards Weeklylinkedin
  10. North Korea Controls 76% of All Crypto Stolen in 2026 — Dark Reading reports that DPRK-linked actors have stolen the vast majority of global crypto assets this year via sophisticated exchange and DeFi attacks. Source: Dark Reading

Threat Radar: Top 10 Active Threats, APTs & Dark Web Alerts

  1. KRYBIT Ransomware Identified on Underground Forums — CYFIRMA’s research team discovered a new structured double-extortion ransomware using Tor-based infrastructure, shadow copy deletion, and credential harvesting. Active since April 3, 2026. Source: CYFIRMA Weekly Intel Reportcyfirma
  2. DragonForce Leads Ransomware Activity at 12.3% — Red Piranha’s weekly report shows DragonForce is the most active ransomware operator, followed by Coinbase Cartel (11.23%), ShinyHunters (8.56%), and Qilin (5.88%). Source: Red Piranharedpiranha
  3. APT28 (Fancy Bear) Exploiting Windows Shortcut Files — Recorded Future’s Insikt Group tracked APT28 using CVE-2026-21513 malicious LNK files for multi-stage payload delivery. Source: Recorded Futurerecordedfuture
  4. Iran-Aligned Groups Targeting UAE Infrastructure — Groups including 313 Team, DieNet, Fatimion Cyber Team, and ALTOUFAN TEAM are conducting campaigns against UAE/GCC airports, telecoms, government portals, and media. Source: Economic Timeseconomictimes
  5. UNC6201 (China-Nexus) Deploying BRICKSTORM Backdoor — Suspected Chinese threat actor exploited CVE-2026-22769 in Dell RecoverPoint, deploying the SLAYSTYLE web shell and BRICKSTORM C# backdoor. Source: Recorded Futurerecordedfuture
  6. Qilin Ransomware Joins DragonForce Cartel — Qilin, now part of DragonForce’s RaaS cartel alongside LockBit, targets healthcare, manufacturing, and real estate with double-extortion tactics. Source: FortiGuard Labsfortiguard
  7. Supply Chain Extortion Up 63% in 2025–2026 — Intel 471’s 2026 Cyber Threat Outlook reports supply chain-driven extortion surged 63%, with Qilin as the dominant RaaS force. Top stealers: Lumma, Stealc, Vidar. Source: Intel 471intel471
  8. WallStealer & ShadowLink: Two New Threats Identified — Red Piranha’s April 14–20 report flagged two new tools — WallStealer (credential theft) and ShadowLink (C2 tunneling) — circulating on cybercrime forums. Source: Red Piranharedpiranha
  9. Lotus Blossom APT Exploiting Notepad++ Updater — CVE-2025-15556 (Risk Score: 99) was used over 6 months to replace Notepad++ update packages with Cobalt Strike + Chrysalis backdoor installers. Added to CISA KEV February 12, 2026. Source: Recorded Futurerecordedfuture
  10. Medusa Ransomware Affiliate Using Zero-Days (Storm-1175) — Microsoft linked Storm-1175 to zero-day exploitation enabling rapid network infiltration, data theft, and Medusa ransomware deployment across healthcare, education, and finance. Source: CM Alliancecm-alliance.

Patch Priority: Top 10 Critical Vulnerabilities to Watch

  1. Microsoft Office Remote Code Execution (CVSS 8.4) — CVEs 2026-32190, 2026-33114, 2026-33115: Unauthenticated RCE via use-after-free and untrusted pointer dereference in Office/Word. Patched in April 2026. Source: CrowdStrikecrowdstrike
  2. Windows Shell Zero-Day — LNK File Bypass (CVE-2026-32202) — Attackers use malicious shortcut files to bypass Windows protection checks. Actively exploited by Russian-linked APT, patched in April 2026 Patch Tuesday. Source: LinkedIn Cyber Weeklylinkedin
  3. SimpleHelp CVSS 9.9 Flaw — Remote Code Execution — A critical flaw in SimpleHelp remote support software added to CISA KEV with a May 8, 2026 federal deadline. Actively linked to ransomware delivery. Source: The Hacker Newsthehackernews
  4. Samsung MagicINFO 9 Path Traversal (CVE-2024-7399, CVSS 8.8) — Allows attackers to write arbitrary files as SYSTEM, enabling full server takeover. Added to CISA KEV. Source: The Hacker Newsthehackernews
  5. Microsoft SharePoint Zero-Day Spoofing (CVE-2026-32201) — Actively exploited improper input validation vulnerability used in spoofing attacks. Included in April’s CISA KEV alerts. Source: LinkedIn KEV Reportlinkedin
  6. Fortinet FortiClient EMS SQL Injection (CVE-2026-21643) — Unauthenticated remote code execution via crafted HTTP requests in FortiClient EMS. Added to CISA KEV. Source: LinkedIn KEV Reportlinkedin
  7. ConnectWise ScreenConnect Auth Bypass — Exploited zero-click flaw allowing credential theft and remote access abuse. Federal patching deadline issued by CISA. Source: Dr. Jason Edwards Weeklylinkedin
  8. Linux Zero-Day “Copy Fail” — Root Access — Critical Linux kernel vulnerability enabling local privilege escalation to root. Confirmed exploitation in the wild as of May 1, 2026. Source: Integrity360integrity360
  9. nginx-ui Authentication Bypass (CVE-2026-33032) — Full service takeover via authentication bypass in the popular nginx management UI. Actively exploited. Source: LinkedIn KEVlinkedin
  10. .NET Framework DoS — CVE-2026-23666 (CVSS 7.5) — Critical denial-of-service in .NET Framework allowing unauthenticated remote DoS, no user interaction required. Patched April 2026. Source: CrowdStrike Patch Tuesdaycrowdstrike

CVE Watch: Top 10 CVEs — Severity, Impact & Patch Status

#CVE IDSeverityProductImpact
1CVE-2026-32202CriticalWindows ShellLNK bypass, actively exploited by APT28 linkedin
2CVE-2026-32190Critical (CVSS 8.4)Microsoft OfficeUnauthenticated RCE via use-after-free crowdstrike
3CVE-2025-32975Critical (CVSS 10.0)Quest KACE SMAAuth bypass — impersonate any user, no credentials needed thehackernews
4CVE-2026-42208HighLiteLLMPre-auth SQL injection — AI gateway credential theft linkedin
5CVE-2024-7399High (CVSS 8.8)Samsung MagicINFOPath traversal — write arbitrary files as SYSTEM thehackernews
6CVE-2026-21643HighFortinet FortiClient EMSSQL injection, unauthenticated RCE linkedin
7CVE-2026-32201HighMicrosoft SharePointZero-day spoofing via improper input validation linkedin
8CVE-2026-33032Highnginx-uiAuthentication bypass → full service takeover linkedin
9CVE-2025-29635High (CVSS 7.5)D-Link DIR-823XCommand injection in EOL routers — botnet recruitment thehackernews
10CVE-2026-23666High (CVSS 7.5).NET FrameworkUnauthenticated remote DoS, no interaction required crowdstrike

Attack Tracker: Top 10 Cyber Attacks (UAE, Gulf & Global)

  1.  UAE — 700,000 Daily AI-Powered Attacks from Iran-Linked Actors — Iranian hackers using ChatGPT for deepfakes, phishing, and malware. Targets include hospitals, government databases, and critical infrastructure. Source: The Media Linethemedialine
  2.  UAE — Dubai Land Department, Courts & RTA Hit — DLD, Dubai Courts, and the Road & Transport Authority (RTA) faced cyber incidents in April 2026, along with Sharjah Electricity, Water and Gas Authority. Source: Economic Timeseconomictimes
  3.  ADT — 5.5 Million Customer Records Stolen (ShinyHunters) — US home security giant ADT breached on April 20, 2026, with data including names, addresses, and partial SSNs exfiltrated. Source: Integrity360integrity360
  4.  April 2026 Patch Tuesday Zero-Day Exploited — APT28 (Fancy Bear) conducted DNS hijacking across 120+ countries to intercept Microsoft 365 authentication traffic and steal credentials/tokens. Source: CM Alliancecm-alliance
  5.  EU Commission & Booking.com Among April Breach Victims — A wave of attacks in April 2026 hit the EU Commission, Booking.com, McGrawHill, and Medtronic, across government, healthcare, and travel sectors. Source: CM Alliancecm-alliance
  6.  Venezuelan Utility Operators Hit by Wiper Malware — Energy and utility firms across Venezuela were targeted with data-erasing malware, raising fears of OT infrastructure destruction during geopolitical conflicts. Source: Dr. Jason Edwards Weeklylinkedin
  7.  €50 Million Crypto Fraud Ring Disrupted — European law enforcement broke up a major crypto investment fraud operation that victimized hundreds across the EU using social engineering and pressure tactics. Source: Dr. Jason Edwards Weeklylinkedin
  8.  GitHub Push Bug Exposed Private Enterprise Code — A bug in GitHub’s push mechanism inadvertently leaked private repository code in enterprise systems, putting intellectual property and credentials at risk. Source: Dr. Jason Edwards Weeklylinkedin
  9.  Itron (Utility Systems Supplier) Reports Cyber Intrusion — A confirmed breach at critical infrastructure technology supplier Itron raised concerns across the global utility and smart grid sector. Source: Dr. Jason Edwards Weeklylinkedin
  10.  Medusa Ransomware Zero-Day Campaign — 120+ Countries — Storm-1175 launched zero-day attacks enabling Medusa ransomware deployment across healthcare, education, and finance in 120+ countries within hours. Source: CM Alliancecm-alliance

AI Watch: Top 10 AI Innovations Shaping Cyber & Tech

  1. GPT-5.4 Pro & Gemini 3.1 Pro — Real-Time Multimodal Reasoning — Both models now process text, images, and video simultaneously in real-time, enabling autonomous video analysis and cross-modal task execution without human prompting. Source: LinkedIn / Decoding Data Sciencelinkedin
  2. Google TurboQuant: 80% GPU Cost Reduction for LLMs — Google Research’s TurboQuant compresses LLM key-value cache from 16-bit to 3-bit, enabling massive context processing without hardware upgrades — slashing GPU costs by up to 80%. Source: LinkedIn / Decoding Data Sciencelinkedin
  3. Zhipu AI GLM-5.1: Sovereign AI Reaches Frontier Level — China’s 744-billion-parameter MoE model, trained entirely on Huawei Ascend chips, achieves 94% of Claude’s coding performance — proving sovereign AI stacks are now competitive without NVIDIA. Source: LinkedIn / Decoding Data Sciencelinkedin
  4. Agentic AI Goes Mainstream — 40% of Enterprise Apps by End of 2026 — Gartner predicts 40% of enterprise applications will embed task-specific AI agents by late 2026, up from under 5% in 2025. Orchestration platforms like CrewAI and LangGraph are leading adoption. Source: BuildMVPFastbuildmvpfast
  5. MIT Technology Review: 10 AI Things That Matter in 2026 — MIT’s authoritative annual AI overview identifies the biggest trends shaping AI this year, from memory compression to sovereign infrastructure and autonomous execution layers. Source: MIT Technology Reviewtechnologyreview
  6. Meta Acquires Robotics Startup to Advance Humanoid AI — Meta’s acquisition aims to integrate humanoid robotics capabilities into its AI models, accelerating physical-world AI automation and data collection for self-driving systems. Source: COAIO.comcoaio
  7. RunPod Launches Flash — Open-Source AI Inference SDK — Flash allows developers to go from a local Python function to a live, auto-scaling AI endpoint in minutes, removing container complexity and cutting startup infrastructure costs. Source: COAIO.comcoaio
  8. AI Models Now Match Humans in 83% of Knowledge Work — ARC-AGI-2 and GDPval benchmarks show current frontier models matching professional-level human performance across 83% of knowledge work categories, with hallucination rates dropping sharply. Source: LinkedIn / Decoding Data Sciencelinkedin
  9. UAE, India & Saudi Arabia Building Sovereign AI Infrastructure — The Gulf region is shifting toward nationally controlled AI compute stacks, with UAE emerging as a key global node for sovereign AI development independent of US/Chinese platforms. Source: LinkedIn / Decoding Data Sciencelinkedin
  10. Claude Code Can Now Autonomously Test & Fix Apps — Anthropic’s Claude Code update enables it to independently test software, identify bugs, and apply fixes in multi-step dev workflows — a major leap for autonomous software development agents. Source: Instagram / AI Weeklyinstagram