Threat Research | Weekly Recap [31 May 2026]

Cybersecurity Threat Research 'Weekly' Recap. The roundup covers supply-chain and developer tooling abuse (including malicious packages, RAT installers, and backdoored developer ecosystems) alongside ongoing phishing, AiTM, and social engineering campaigns targeting 2FA and payment data. It also highlights actively exploited vulnerabilities and long-running access via RATs, cloud/Kubernetes secret theft, blockchain-based C2, and increasing use of AI tools to automate attacks and phishing workflows.
#SicoobSDK #NuGet #Sentry #axios #LaravelLang #RVTools #DenoRAT #DinDoor #Tycoon2FA #PhaaS #PhaaSEcosystem #CVE-2026-0257 #GlobalProtect #CVE-2026-31431 #CopyFail #Gogs #KnowledgeDeliver #NimbusRAT #DriveSurge #OperationDragonWeave #SapphireSleet #OverlayPhantom #AtlasCross #Kimsuky #AhnLab #QuasarLinux #QLNX #P2Pinfect #ClearFake #SectopRAT #ACRStealer #WormGPT #Promptflux #SilentPushContextGraph

Supply Chain & Developer Tooling Abuse

  • Malicious NuGet package posing as Sicoob SDK exfiltrated banking certs, client IDs, and PFX passwords via hardcoded Sentry endpoints – Sicoob SDK impersonation
  • axios supply-chain attack expanded through DNS analysis, exposing typosquatting and phishing-style infra tied to npm abuse – axios DNS anatomy
  • Laravel Lang compromise injected RCE backdoors into 700+ package versions to steal secrets and exfiltrate data – Laravel Lang backdoor
  • Fake RVTools installer used a valid code-signing cert to deploy a modular Python RAT against VMware admins – RVTools masquerade
  • Fake software on GitHub/SourceForge impersonated popular apps to spread Deno RAT and DinDoor malware – Deno RAT distribution

Phishing, AiTM & Social Engineering

  • Tycoon 2FA stayed active post-takedown with OAuth device-code phishing, token theft, and relay infrastructure – Tycoon 2FA detection
  • Chinese-language PhaaS services used RCS/iMessage, OTP interception, and wallet tokenization to bypass MFA at scale – Chinese PhaaS ecosystem
  • SEND-themed phishing used fake email/SMS alerts and bogus payment pages to steal card details – SEND phishing campaigns
  • Misfortune Cookies showed physical lures like cookies and QR codes can still harvest credentials via phishing – Misfortune Cookies
  • Lookalike domains powered an iPhone theft economy with smishing kits, unlocking tools, and Telegram services – iPhone theft economy

Exploitation of Vulnerabilities & Perimeter Devices

  • PAN-OS GlobalProtect bypass (CVE-2026-0257) was actively exploited with forged auth override cookies; urgent patching advised – CVE-2026-0257
  • Copy Fail (CVE-2026-31431) Linux kernel flaw was confirmed exploited in the wild and added to CISA KEV – CVE-2026-31431 detection
  • Gogs had an unfixed authenticated RCE via argument injection in branch-name handling – Gogs RCE flaw
  • KnowledgeDeliver compromise abused ASP.NET machine key weaknesses for unauthenticated RCE and web-shell deployment – KnowledgeDeliver exploitation
  • 2026 CVE exploitation continued to mirror prior opportunistic playbooks across multiple perimeter and app flaws – More CVEs, same playbook

RATs, Backdoors & Initial Access Campaigns

  • Nimbus RAT intrusion used Teams vishing, Quick Assist, and Google Drive/Sheets C2 for rapid access and exfiltration – Nimbus RAT abuse
  • DriveSurge hijacked thousands of sites via zTDS to deliver ClickFix/FakeUpdates chains at scale – DriveSurge campaign
  • AZUREVEIL / Adaptix C2 backed Operation Dragon Weave, using spearphishing and Azure Blob Storage dead-drop C2 – Operation Dragon Weave
  • Sapphire Sleet ran a multi-stage macOS intrusion with fake Zoom SDK updates, credential theft, and wallet stealing – macOS intrusion campaign
  • OverlayPhantom Android banking trojan used fake app impersonation and overlays to steal credentials in 180+ apps – OverlayPhantom

Espionage, RAT Networks & Long-Term Intrusions

  • Silver Fox / AtlasCross RAT used lookalike domains and custom malware for long-term espionage across APAC and beyond – AtlasCross RAT network
  • Silver Fox profile highlighted evolving phishing, trusted-software abuse, and RAT tooling including ValleyRAT and Gh0st RAT – Silver Fox APT
  • AhnLab's Kimsuky-linked campaign used malicious LNK files and backdoors to steal browser, wallet, and clipboard data – Credit-card themed malware

Cloud, Kubernetes & Developer Secret Theft

  • AI-agent-driven intrusion moved from CVE exploitation to internal PostgreSQL exfiltration using AWS Secrets Manager and Cloudflare Workers – AI agent intrusion
  • P2Pinfect persisted in GKE clusters via exposed Redis, with dormant botnet activity later delivering miners or ransomware – P2Pinfect in Kubernetes
  • Quasar Linux (QLNX) targeted DevOps workstations to steal SSH keys, NPM/PyPI tokens, Git PATs, and cloud creds – QLNX RAT
  • ClearFake via smart contracts hid command-and-control in BSC testnet contracts to deliver SectopRAT and ACRStealer – ClearFake EtherHiding

AI in the Threat Landscape

  • AI-powered hacking tools such as WormGPT and Promptflux lowered barriers to automation, credential theft, and self-modifying malware – AI hacking tools evolution
  • AI Threat Landscape Digest showed commercial models being used offensively in phishing, espionage, and vuln research – AI threat digest
  • Silent Push Context Graph emphasized earlier adversary visibility by surfacing staging infrastructure before weaponization – Context Graph recap

Threat Research | Weekly Recap – hendryadrian.com