Cybersecurity Threat Research ‘Weekly’ Recap. The week covered a wide range of campaigns and breaches, including infostealer/RAT distribution (Operation HumanitarianBait, OpenClaw/Hologram, Remcos RAT, GhostLoader, Vidar, Quasar Linux/QLNX, PCPJack) and phishing that abused trusted cloud/OAuth infrastructure (Code-of-conduct phishing, Trusted Infrastructure Phishing). It also highlighted Linux/kernel exploitation (Copy Fail/DirtyFrag, CVE-2026-43284, CVE-2026-43500), enterprise/cloud incidents (Canvas/Instructure with ShinyHunters, CallPhantom, malicious NuGet packages), and network/edge attacks (Nexcorium targeting CVE-2024-3721, PAN-OS zero-day RCE).
#OperationHumanitarianBait #OpenClaw #Hologram #Remcos #GhostLoader #Vidar #QuasarLinux #QLNX #PCPJack #CodeofconductPhishing #TrustedInfrastructurePhishing #InstallFix #ClaudeCode #OperationSilentRotor #OperationGriefLure #ScarCruft #APT37 #BirdCall #CVE-2026-43284 #CVE-2026-43500 #Canvas #Instructure #ShinyHunters #CallPhantom #Nexcorium #CVE-2024-3721 #PANOS
Infostealers, RATs & Malware Campaigns
- Operation HumanitarianBait used humanitarian aid lures and malicious LNKs to drop a fileless Python infostealer via trusted platforms. Linked title: Operation HumanitarianBait: An Infostealer Campaign in Disguise
- OpenClaw/Hologram fake installer waves delivered Rust infostealers and harvested wallet/password-manager credentials through layered C2 infrastructure. Linked title: OpenClaw’s Hologram: Fake Installer Ships Rust Infostealer
- Malicious OpenClaw skill tricked AI agents/developers into installing Remcos RAT or GhostLoader via signed-binary sideloading and in-memory patching. Linked title: Malicious OpenClaw Skill Distributes Remcos RAT and GhostLoader
- AutoIt loader chains and script masquerading led to Vidar C2 activity and credential-stealing behavior. Linked title: Unmasking a Multi-Stage Loader: AutoIt Abuse Leading to Vidar
- Quasar Linux (QLNX) emerged as a fileless Linux RAT with rootkit, PAM backdoor, and credential harvesting features for stealthy persistence. Linked title: Quasar Linux (QLNX) – A Silent Foothold in the Supply Chain
- PCPJack spread through exposed infrastructure to evict TeamPCP artifacts and steal cloud credentials at scale. Linked title: PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials
Phishing, AiTM & Trusted Infrastructure Abuse
- Code-of-conduct phishing used realistic internal emails and PDF lures to proxy logins and capture tokens from tens of thousands of users. Linked title: Breaking the code: Multi-stage code of conduct phishing campaign
- Trusted Infrastructure Phishing (TIP) abused Microsoft 365, Google Workspace, Azure Blob Storage, and OAuth flows to blend phishing into normal enterprise traffic. Linked title: Abuse of Cloud-Native Infrastructure in Modern Phishing Campaigns
- InstallFix used malicious ads and fake Claude install pages to trigger PowerShell-based, fileless malware execution. Linked title: InstallFix and Claude Code: How Fake Install Pages Lead to Real Compromise
Supply Chain, Backdoors & Espionage
- Operation Silent Rotor targeted the unmanned aviation sector with Russian-language spear phishing and a Rust payload that fingerprinted victims and exfiltrated data. Linked title: Operation Silent Rotor: Targeted Campaign Compromises Unmanned Aviation Sector
- Operation GriefLure used malicious LNKs, batch files, and DLL sideloading to hit military telecom and healthcare targets with RAT payloads. Linked title: Operation GriefLure: Dissecting an APT Campaign
- ScarCruft (APT37) compromised a gaming platform supply chain to spread BirdCall across Windows and Android. Linked title: A rigged game: ScarCruft compromises gaming platform in a supply-chain attack
- Backdoored Electron apps showed how trusted desktop apps can be hollowed out or modified to bypass safelisting and sustain access. Linked title: Threat Analysis: Backdoored Electron Apps Evading Defenses
- OpenClaw-related fake installers also highlighted the abuse of popular development and cloud services to conceal delivery and C2. Linked title: OpenClaw’s Hologram: Fake Installer Ships Rust Infostealer
Linux & Kernel Exploitation
- Copy Fail / DirtyFrag kernel page-cache bugs were reported in active exploitation, enabling local privilege escalation to root. Linked title: Copy Fail and DirtyFrag: Linux Page Cache Bugs in the Wild
- DirtyFrag's two CVEs, CVE-2026-43284 and CVE-2026-43500, affect major Linux distros and were accompanied by a public PoC. Linked title: DirtyFrag: Two Kernel Bugs Give Root on All Major Linux Distros
Enterprise, Cloud & Platform Breaches
- Canvas/Instructure breach exposed student and staff data, with ShinyHunters claiming responsibility and threatening leakage. Linked title: Canvas Attackers Compromise 275M Students, Teachers, and Staff
- CallPhantom placed 28 fake Android apps on Google Play to monetize fabricated call-log data and deceptive payment flows. Linked title: Fake call logs, real payments: How CallPhantom tricks Android users
- Malicious NuGet packages impersonated Chinese UI libraries to deliver .NET infostealers and steal wallets, browser creds, and sensitive data. Linked title: 5 Malicious NuGet Packages Impersonate Chinese UI Libraries
Network, IoT & Edge Exploitation
- Nexcorium Mirai variant exploited CVE-2024-3721 in TBK DVR devices to spread, persist, and launch DDoS modules. Linked title: Tracking Mirai Variant Nexcorium: A Vulnerability-Driven IoT Botnet Campaign
- PAN-OS zero-day exploitation enabled unauthenticated root RCE, with real-world use involving shellcode injection and post-exploitation tooling. Linked title: Exploitation of PAN-OS Captive Portal Zero-Day for RCE
- Traefik probing detection showed how access-log analysis can identify fuzzing and automate Cloudflare blocking. Linked title: Detecting Web Server Probing & Fuzzing in Traefik
Security Operations, Detection & Strategy
- Elastic Entity Analytics Watchlists added weighted context for users, hosts, and services to improve entity risk scoring. Linked title: Know who to watch before the incident finds you
- Elastic Workflows GA delivered built-in automation for case handling, human-in-the-loop actions, and AI-integrated investigations. Linked title: Elastic Workflows GA: automation where your security data already lives
- Preemptive defense emphasized earlier adversary detection via IOFA/context graphs before perimeter alerts or breaches occur. Linked title: Why Preemption Is the Most Defensible Cybersecurity ROI Story You Have
Policy, Supply Chain & Hardware Risk
- LABScon25 highlighted the risks of foreign-made networked devices and argued for repair rights, offline guarantees, and BOM transparency. Linked title: Please Connect to the Foreign Entity to Enhance Your User Experience
- National Cyber Strategy support outlined how vendor tools map to government modernization, compliance, and zero-trust priorities. Linked title: Supporting the National Cyber Strategy: How TrendAI™ Helps