Cyber Security Week in Review: May 8, 2026


Palo Alto Networks warned customers of active exploitation targeting a critical, not yet patched vulnerability in its PAN-OS software, specifically within the User-ID Authentication Portal, also known as the Captive Portal. The flaw, tracked as CVE-2026-0300, is an out-of-bounds issue that allows unauthenticated attackers to execute arbitrary code with root privileges. It affects Internet-exposed PA-Series and VM-Series firewalls and can be triggered via specially crafted network packets.

The company attributed the activity to the CL-STA-1132 cluster, which it believes has links to state-sponsored actors. The attackers exploited the flaw for remote code execution to inject shellcode into an nginx worker process. They then deployed the publicly available EarthWorm and ReverseSocks5 tunneling tools and conducted Active Directory enumeration using credentials likely obtained from the firewall.

Ivanti has released security updates to fix a high-severity remote code execution vulnerability in Endpoint Manager Mobile (EPMM), tracked as CVE-2026-6973, after it was exploited in limited zero-day attacks. The flaw affects EPMM 12.8.0.0 and earlier and allows authenticated attackers with admin privileges to execute arbitrary code due to improper input validation.

Ivanti recommends updating to versions 12.6.1.1, 12.7.0.1, or 12.8.0.1, reviewing administrator accounts, and rotating credentials as a precaution. The company said exploitation has been very limited and that no customers are known to have been impacted by the other vulnerabilities in the list.

The Apache Software Foundation (ASF) has issued security updates for the Apache HTTP Server to fix multiple vulnerabilities, including a high-severity flaw that may allow remote code execution. CVE-2026-23918 is a “double free” vulnerability in HTTP/2 protocol processing that could potentially be exploited for RCE. The vulnerability impacts Apache HTTP Server version 2.4.66 and has been fixed in version 2.4.67.

A critical security flaw in Weaver E-cology is being actively exploited by attackers. The vulnerability, tracked as CVE-2026-22679, affects versions before 20260312. It allows unauthenticated remote attackers to run arbitrary commands by abusing a debug feature in a specific API endpoint.

Separately, attackers started exploiting CVE-2026-29014, a remote code execution flaw in the MetInfo enterprise content management system (CMS), which is popular in China. Security researchers say the exploitation activity spiked on May 1, with attacks coming from IPs in China and Hong Kong.

Progress Software has issued security updates for its MOVEit Automation platform, addressing two software vulnerabilities, including a high-severity flaw that could allow attackers to bypass authentication controls.

Disc Soft, the vendor behind the Daemon Tools software for creating disk images and emulating virtual CD/DVD/Blu-ray drives, has confirmed it became a victim of a targeted supply chain attack involving compromised installers of Daemon Tools Lite.

Attackers injected malicious code into versions released between April 8 and May 5. The malware first deployed an information-stealing tool, then selectively infected around a dozen systems with a backdoor, including a Russian educational institution targeted with a more advanced payload. Victims included organizations in Belarus, Russia, and Thailand across government, scientific, manufacturing, and retail sectors. Disc Soft said that only Daemon Tools Lite version 12.5.1 was affected, the breach has been contained, and other products such as Daemon Tools Ultra and Daemon Tools Pro were not impacted.

US-based Certificate Authority DigiCert has disclosed a security incident in which attackers infiltrated its internal systems and stole 27 code signing certificates later used to sign malware. The attacker impersonated a customer and convinced employees to download and execute a malicious file disguised as a screenshot.

Ransom-ISAC discovered a malicious Bring Your Own Vulnerable Driver (BYOVD) kernel driver called dragoncore_k.sys, signed with a valid Microsoft WHQL certificate linked to a likely fake Chinese company. The driver exposes an unauthenticated IOCTL (0x22201C) that allows local administrators to terminate Protected Process Light (PPL) security processes from Ring 0. Researchers assess with high confidence that the malware is linked to the Dragon Breath (APT-Q-27) group, although a connection to APT31 / Wuhan XRZ-associated operators remains a medium-confidence possibility.

A China-linked advanced persistent threat (APT) group has been targeting government entities across multiple regions since late 2024. The group, tracked as UAT-8302, has conducted operations against government organizations in South America and expanded its focus to southeastern Europe throughout 2025.

Trend Micro has discovered a series of cyber espionage campaigns attributed to a China-aligned threat cluster it tracks as SHADOW-EARTH-053, targeting government entities and critical infrastructure across South, East, and Southeast Asia. The attackers primarily leveraged N-day flaws in Microsoft Exchange Server and Internet Information Services, including techniques similar to the ProxyLogon chain, exploiting unpatched servers to deploy GODZILLA web shells for persistent remote access.

A North Korea-aligned hacking group known as ScarCruft has compromised a video game platform used by ethnic Koreans in China in a supply-chain attack using a variant of the BirdCall backdoor. The malicious code was embedded into Android game downloads hosted on the platform.

The Iranian MuddyWater hacking group conducted a false-flag attack posing as the Chaos ransomware gang. Using Microsoft Teams social engineering, the attackers gained access to victim systems, stole credentials, established persistence, enabled remote access, exfiltrated data, and sent extortion emails. Although the attack appeared to be a Chaos ransomware operation, forensic evidence showed the infrastructure and tactics matched known MuddyWater activity.

A Linux malware implant called Quasar Linux (QLNX) is targeting developers and DevOps environments with rootkit, backdoor, and credential-stealing features. The malware spreads through platforms such as npm, PyPI, GitHub, AWS, Docker, and Kubernetes. QLNX can dynamically compile rootkit components and PAM backdoor modules directly on infected systems using GCC.

SentinelLABS discovered a credential-stealing malware framework called PCPJack that spreads across exposed cloud infrastructure and erases traces linked to TeamPCP, a threat actor tied to several major supply chain attacks in early 2026. PCPJack steals credentials from cloud, container, developer, productivity, and financial platforms, then exfiltrates the data and propagates to additional systems. It targets exposed services such as Docker, Kubernetes, Redis, MongoDB, RayML, and vulnerable web apps.

A large-scale phishing campaign leveraging legitimate remote management software has compromised more than 80 organizations since at least April 2025. The operation, dubbed ‘VENOMOUS#HELPER,’ mainly targets US-based entities and appears to be financially motivated. The campaign uses customized versions of the SimpleHelp and ConnectWise ScreenConnect RMM tools to establish persistent access on infected systems.

Security researchers at Cisco Talos have discovered an intrusion campaign active since at least January 2026, using a previously undocumented remote access tool (RAT), dubbed ‘CloudZ RAT,’ and a custom plugin named Pheno plugin. The operation appears designed to harvest user credentials and intercept one-time passwords (OTPs).

Two former employees of US cybersecurity firms have been sentenced to prison for their roles in the ALPHV/BlackCat ransomware scheme that targeted companies across the country and the world.

Two US citizens were each sentenced to 18 months in prison for running “laptop farms” that allowed North Korean IT workers to fraudulently secure remote jobs at nearly 70 US companies.

A Latvian national who acted as a key negotiator for a global ransomware network has been sentenced to 8.5 years in a US federal prison. Deniss Zolotarjovs was allegedly involved in the Karakurt group, associated with multiple ransomware brands and led by former Conti and Akira affiliates. He is the first known member of this network to be extradited to the United States to face charges.

The group reportedly operated out of St. Petersburg, Russia, using a structured hierarchy and shell companies across several countries to conceal its activities. It was involved in corruption, misuse of public resources, and recruiting individuals with law enforcement backgrounds who allegedly leveraged their access to intimidate targets and obtain government data. The group’s leaders also evaded taxes and paid bribes to secure privileges, including exemptions from military service for members.

A Russian national accused of orchestrating cyberattacks on critical energy infrastructure across multiple countries is expected to plead guilty to US federal charges that could carry a sentence of up to 27 years in prison. Artem Vladimirovich Revenskii, known online as “Digit,” was allegedly a member of Sector16, a cybercriminal group accused of targeting oil and gas infrastructure in the US, Ukraine, Germany, France, and Latvia. Prosecutors said the group focused on countries considered adversaries of the Russian government.

Marlon Ferro (also known online as GothFerrari and Marlo) was sentenced to 78 months in prison for his role in a criminal ring that stole over $250 million in cryptocurrency through home invasions and money laundering. Arrested in May 2025 while carrying firearms and a fake ID, he later pleaded guilty and was ordered to pay $2.5 million in restitution and serve three years of supervised release. The group used social engineering to access victims’ digital wallets and escalated to burglaries when funds were moved to hardware wallets, targeting high-value crypto holders between late 2023 and early 2025.

Authorities in Taiwan have arrested a 23-year-old university student accused of disrupting the Taiwan High Speed Rail system using software-defined radio and modified handheld devices. He allegedly transmitted a high-priority “General Alarm” signal that triggered emergency braking, bringing four trains to a halt for about 48 minutes.

A Romanian national, Gavril Sandu, 53, has been charged with participating in a “vishing” scheme between 2009 and 2010 that targeted financial institution customers by hacking VoIP systems and tricking victims into revealing debit card details and PINs. Prosecutors allege Sandu used the stolen data to create counterfeit cards, withdraw cash from ATMs as a money mule, and share the proceeds with co-conspirators. He was arrested in Romania in January 2026 and extradited to the US in April 2026.
