MiniUpdate RAT shifts C2 traffic onto Azure
Researchers tracking Screening Serpens identified an espionage campaign using MiniUpdate and MiniJunk V2 against targets in the US, Israel, and the UAE. Delivery relied on tailored spear-phishing, fake job portals, and spoofed installers, while MiniUpdate used AppDomainManager hijacking to load local payloads, suppress ETW telemetry, and bypass signature checks.
The operational significance is the blend of signed executables, native .NET abuse, and Azure-hosted domains impersonating health, finance, and technology entities. That combination reduces detection opportunities, isolates C2 by target, and supports shell execution, process control, dynamic code loading, and chunked file exfiltration.
Open sources - closed narratives
@sitreports
Zero-click WhatsApp takeover tied to unpatched iOS 16
Multiple iPhone users in Italy had WhatsApp accounts hijacked without QR pairing, linked devices, or user interaction. Forensic analysis by Forenser found repeated WhatsApp resync events and ImageIO errors on affected devices, all running iOS 16. The cases are consistent with abuse of CVE-2025-43300, potentially combined with CVE-2025-55177, to extract session material and attach a rogue client.
Operationally, this is significant because the attacker session did not appear in WhatsApp's linked-device view while still sending messages from the victim account. The observed access was focused on recent chats, indicating session-level compromise rather than full device visibility. Patching iOS removes the known exposure window.
FBI flags Kali365 as Microsoft 365 token-theft service
The FBI has warned that Kali365 is being used to hijack Microsoft 365 accounts via OAuth device code phishing, capturing session tokens after users complete legitimate MFA. First seen in April 2026 and marketed through Telegram, the platform offers device-code phishing, AI-generated lures, campaign templates, victim tracking, and an adversary-in-the-middle mode dubbed Cookie Link.
The operational point is clear: this tradecraft bypasses password theft entirely and turns approved authentication into attacker access. For defenders, device code flows, new device registrations, inbox rule changes, and token-based session abuse are now priority indicators in Microsoft 365 environments.
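One way to turn the indicators listed above into detection logic, as an added example that is not part of the sitreports post or the FBI advisory: it flags device-code sign-ins and raises severity when the same user creates an inbox rule or registers a device shortly afterwards. Field names are simplified assumptions modelled on Entra ID sign-in and unified audit log records, and every event is constructed.

```python
"""Flag Microsoft 365 device-code sign-ins and correlate them with the
post-authentication actions the post lists as priority indicators (inbox rule
changes, new device registrations).

Added example, not from the sitreports post or the FBI advisory. Record shapes
are simplified stand-ins for Entra ID sign-in logs and the unified audit log:
field names are assumptions and every event below is constructed.
"""
from datetime import datetime, timedelta

# Constructed sign-in records. A successful MFA claim is expected here: in
# device-code phishing the victim completes MFA legitimately, so "mfa": "success"
# must not be treated as a benign signal.
SIGN_INS = [
    {"time": "2026-05-12T09:01:00", "user": "alice@example.com",
     "protocol": "deviceCode", "ip": "203.0.113.10", "mfa": "success"},
    {"time": "2026-05-12T09:05:00", "user": "bob@example.com",
     "protocol": "oAuth2", "ip": "192.0.2.20", "mfa": "success"},
    {"time": "2026-05-12T10:00:00", "user": "carol@example.com",
     "protocol": "deviceCode", "ip": "198.51.100.7", "mfa": "success"},
]

# Constructed audit events (simplified unified audit log rows).
AUDIT = [
    {"time": "2026-05-12T09:03:30", "user": "alice@example.com",
     "op": "New-InboxRule", "ip": "203.0.113.10"},
    {"time": "2026-05-12T09:04:10", "user": "alice@example.com",
     "op": "Add registered owner to device", "ip": "203.0.113.10"},
    {"time": "2026-05-13T11:00:00", "user": "carol@example.com",
     "op": "New-InboxRule", "ip": "198.51.100.7"},
]

# Post-auth operations worth correlating with a device-code sign-in.
FOLLOW_ON_OPS = {"New-InboxRule", "Set-InboxRule",
                 "Add device", "Add registered owner to device"}
WINDOW = timedelta(hours=1)


def device_code_alerts(sign_ins, audit, window=WINDOW):
    """Return one alert per device-code sign-in.

    Severity is 'high' when the same user performs a follow-on operation
    within `window` of the sign-in, 'medium' otherwise (device-code sign-ins
    are rare enough for most users that every one deserves review).
    """
    alerts = []
    for s in sign_ins:
        if s["protocol"] != "deviceCode":
            continue
        t0 = datetime.fromisoformat(s["time"])
        follow = [a for a in audit
                  if a["user"] == s["user"] and a["op"] in FOLLOW_ON_OPS
                  and t0 <= datetime.fromisoformat(a["time"]) <= t0 + window]
        alerts.append({
            "user": s["user"], "ip": s["ip"], "sign_in": s["time"],
            "severity": "high" if follow else "medium",
            "follow_on": [a["op"] for a in follow],
            # A source IP that differs between sign-in and follow-on action is
            # a further hint that a stolen token, not the user's device, is in use.
            "ip_mismatch": any(a["ip"] != s["ip"] for a in follow),
        })
    return alerts


if __name__ == "__main__":
    for alert in device_code_alerts(SIGN_INS, AUDIT):
        print(alert)
```

In production the sign-in side of this join is the `authenticationProtocol` field of Entra ID sign-in logs and the audit side is the unified audit log; the one-hour window is a tuning choice, not a documented threshold.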
SonicWall scanning surge hits 597,000 sessions in one day
Between 9 and 18 May, GreyNoise observed a sustained reconnaissance spike against SonicOS management interfaces, peaking at roughly 597,000 sessions on 12 May, about 46 times the prior 30-day baseline. The traffic was concentrated on ports 80 and 8080, largely tied to a Chrome 119/Linux fingerprint and source networks in the Netherlands and Ukraine, with heavy volume on AS211736. SonicWall appliances were the target.
The pattern matters because similar scan spikes in Q1 preceded disclosure of CVE-2026-0400. This does not confirm a new vulnerability, but it does indicate structured target mapping against exposed management surfaces and SSL VPN-related endpoints.
CISA flags exploited Drupal SQL injection flaw
CISA added CVE-2026-9082 to its Known Exploited Vulnerabilities catalog after active abuse of a highly critical Drupal Core SQL injection bug affecting PostgreSQL-backed deployments. The issue stems from improper sanitization in the EntityQuery condition handler, with exploitation observed less than 48 hours after disclosure. Reporting cites 15,000+ attack attempts against roughly 6,000 sites in 65 countries.
The exposure is notable because it is unauthenticated and remote, making public-facing Drupal sites on PostgreSQL the immediate risk set. MySQL, MariaDB, SQLite, and Drupal 7 are not affected; patched releases are available across supported branches, while older 8.9 and 9.5 installs require manual hotfixes.
Ghost CMS flaw used to hijack 700+ sites
Attackers are exploiting CVE-2026-26980 in Ghost CMS to compromise more than 700 websites and redirect visitors into ClickFix-style social engineering flows. The activity turns legitimate sites into delivery points for malicious prompts and user-driven execution.
The case shows how a single CMS vulnerability can be scaled into broad access for traffic hijacking and malware staging. For defenders, the key issue is not only patch latency but trust abuse: compromised publisher domains can make fake remediation prompts appear routine and lower user suspicion.
MuddyWater Uses DLL Side-Loading in Espionage Campaign Targeting 9 Countries
Threat group MuddyWater conducted an espionage campaign in Q1 2026, targeting nine organizations across nine countries. The actors relied on DLL side-loading to execute payloads, steal data, and evade detection.
Operationally, this highlights ongoing abuse of signed binaries and search-order hijacking. Defenders should monitor unsigned modules loaded by trusted processes, tighten application control around vulnerable loaders, and hunt for atypical DLL paths and child-process chains consistent with side-loaded execution.
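The hunting guidance above, as an added example that is not part of the sitreports post or any MuddyWater reporting: two heuristics run over Sysmon ImageLoad (Event ID 7) records, a system DLL name loaded from a non-system path and an unsigned DLL loaded from the executable's own directory. Field names follow the Sysmon Event 7 schema; the events, paths and DLL names are constructed.

```python
"""Heuristics for DLL side-loading over Sysmon ImageLoad (Event ID 7) records.

Added example, not from the sitreports post or any MuddyWater report. Field
names follow the Sysmon Event 7 schema (Image, ImageLoaded, Signed,
SignatureStatus) but every event, path and DLL name below is constructed.
"""
import ntpath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
               "c:\\windows\\winsxs\\")
# Constructed stand-in for an inventory of DLL names that normally live in
# System32; in practice build this from a golden image, not by hand.
KNOWN_SYSTEM_DLLS = {"version.dll", "cryptbase.dll", "dbghelp.dll"}

EVENTS = [
    # Normal: tool loads the real version.dll from System32.
    {"Image": "C:\\Program Files\\Vendor\\tool.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # Classic side-load: system DLL name, unsigned, next to the executable.
    {"Image": "C:\\Users\\Public\\Update\\tool.exe",
     "ImageLoaded": "C:\\Users\\Public\\Update\\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # Vendor plugin, signed, in the app directory: expected.
    {"Image": "C:\\Program Files\\Vendor\\tool.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\plugin.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # Unsigned helper in the app directory: weak lead, not a system DLL name.
    {"Image": "C:\\Program Files\\Vendor\\tool.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]


def sideload_reasons(ev):
    """Return the list of heuristics an ImageLoad event trips (empty if none)."""
    dll = ev["ImageLoaded"].lower()
    exe = ev["Image"].lower()
    in_system_dir = dll.startswith(SYSTEM_DIRS)
    unsigned = (ev.get("Signed", "false").lower() != "true"
                or ev.get("SignatureStatus") != "Valid")
    reasons = []
    if ntpath.basename(dll) in KNOWN_SYSTEM_DLLS and not in_system_dir:
        reasons.append("system DLL name loaded from a non-system path")
    if unsigned and not in_system_dir and ntpath.dirname(dll) == ntpath.dirname(exe):
        reasons.append("unsigned DLL loaded from the executable's own directory")
    return reasons


def scan(events):
    """Map each flagged ImageLoaded path to its reasons; quiet events are omitted."""
    return {ev["ImageLoaded"]: r for ev in events if (r := sideload_reasons(ev))}


if __name__ == "__main__":
    for path, reasons in scan(EVENTS).items():
        print(path, "->", "; ".join(reasons))
```

The second heuristic on its own is a hunting lead rather than an alert, since many legitimate applications ship unsigned DLLs beside their executables; events that trip both heuristics are the ones to triage first.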
KnowledgeDeliver flaw exploited as a zero-day to install web shells
Attackers are leveraging a zero-day in the KnowledgeDeliver learning management system to deploy web shells on vulnerable servers, enabling unauthorized remote access and control.
Operationally, organizations with internet-facing LMS deployments should map exposed instances, retain and review logs, and inspect web roots for unfamiliar scripts while restricting external access (e.g., via WAF or VPN). Web shell footholds enable command execution, lateral movement, and data theft, making rapid containment, credential hygiene, and segmentation reviews priority actions until hardening is complete.
Malware Found in Laravel-Lang Composer Packages After Git Tag Poisoning Attack
Attackers injected malware into four Laravel-Lang Composer packages by rewriting hundreds of Git tags, using a tag-poisoning technique. Numerous Laravel apps may be exposed.
This is a software supply-chain breach via version metadata. Prioritize audits for altered tag history, pin to commit hashes, verify signatures, and roll back affected builds. Review CI caches and watch for unexpected package updates.
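The tag-history audit and commit pinning recommended above, as an added example that is not code from the Laravel-Lang project or the advisory: it diffs a tag-to-commit snapshot taken at the last review against a current `git ls-remote --tags` listing, checks that composer.lock still resolves each tagged version to the reviewed commit, and lists composer.json constraints that are not pinned to a commit. Package names, tags and hashes are constructed placeholders.

```python
"""Audit Composer dependencies for Git tag drift and weak pinning.

Added example, not code from the Laravel-Lang project or the advisory. It
diffs a tag->commit snapshot recorded at the last review (`git ls-remote
--tags` output) against a current listing, checks that composer.lock still
resolves each tagged version to the reviewed commit, and lists composer.json
constraints not pinned to a commit. All names, tags and hashes are constructed.
"""
import re

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

# Constructed `git ls-remote --tags` output captured at review time ...
SNAPSHOT_LS_REMOTE = """\
1111111111111111111111111111111111111111\trefs/tags/v15.0.0
2222222222222222222222222222222222222222\trefs/tags/v15.0.0^{}
3333333333333333333333333333333333333333\trefs/tags/v15.0.1
"""
# ... and the same listing today: v15.0.1 was rewritten to another commit.
CURRENT_LS_REMOTE = """\
1111111111111111111111111111111111111111\trefs/tags/v15.0.0
2222222222222222222222222222222222222222\trefs/tags/v15.0.0^{}
dddddddddddddddddddddddddddddddddddddddd\trefs/tags/v15.0.1
"""
# Constructed composer.lock excerpt, resolved before the tag moved.
LOCK = {"packages": [
    {"name": "example/lang-pkg", "version": "v15.0.1",
     "source": {"type": "git", "reference": "3" * 40}},
    {"name": "example/unrelated", "version": "v2.0.0",
     "source": {"type": "git", "reference": "9" * 40}},
]}
# Constructed composer.json "require" block.
REQUIRE = {"example/lang-pkg": "^15.0", "example/other": "dev-main#" + "a" * 40}


def parse_ls_remote(text):
    """Map tag name -> commit. Peeled entries (tag^{}) carry the commit behind
    an annotated tag and override the tag object's own hash."""
    tags = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, ref = line.split()
        if not ref.startswith("refs/tags/"):
            continue
        name = ref[len("refs/tags/"):]
        if name.endswith("^{}"):
            tags[name[:-3]] = sha
        else:
            tags.setdefault(name, sha)
    return tags


def tag_drift(snapshot, current):
    """Tags whose commit changed or that vanished: {tag: (old, new_or_None)}."""
    return {t: (sha, current.get(t)) for t, sha in snapshot.items()
            if current.get(t) != sha}


def lock_mismatches(lock, tags_by_pkg):
    """Locked packages whose tag no longer points at the locked commit, so a
    fresh `composer update` would fetch different code under the same version."""
    out = []
    for p in lock["packages"]:
        resolved = tags_by_pkg.get(p["name"], {}).get(p["version"])
        if resolved is not None and resolved != p["source"]["reference"]:
            out.append(p["name"])
    return out


def unpinned(require):
    """Constraints not pinned to a full commit hash (the `branch#<sha>` form)."""
    return [n for n, c in require.items()
            if not ("#" in c and FULL_SHA.match(c.split("#", 1)[1]))]


if __name__ == "__main__":
    current = parse_ls_remote(CURRENT_LS_REMOTE)
    print("moved tags:", tag_drift(parse_ls_remote(SNAPSHOT_LS_REMOTE), current))
    print("lock drift:", lock_mismatches(LOCK, {"example/lang-pkg": current}))
    print("unpinned  :", unpinned(REQUIRE))
```

A moved tag is only meaningful if the snapshot was taken before the incident, so store the `ls-remote` listing alongside the lock file at each dependency review.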
Microsoft Patches SharePoint RCE Flaw CVE-2026-45659 Across Server Versions
Microsoft has released security updates for SharePoint Server, addressing a remote code execution vulnerability tracked as CVE-2026-45659 (CVSS 8.8). Fixes apply across supported server versions, closing a high-severity path to arbitrary code execution.
On-prem SharePoint admins should fast-track these patches, prioritizing internet-facing servers. Validate update success, review external access routes and service account scopes, and watch for anomalous activity to contain RCE exposure.
Critical Memcached SASL Flaw Lets Attackers Infer Usernames
A critical vulnerability in Memcached allows attackers to determine which usernames exist in SASL-enabled deployments. The flaw enables identification of valid accounts without verifying passwords.
Operationally, exposure of confirmed usernames lowers barriers for credential stuffing, brute-force attempts, and targeted phishing against services relying on SASL. Internet-exposed and multi-tenant environments are most at risk, as pre-validating accounts streamlines follow-on intrusion and complicates detection.
Charter confirms data breach after ShinyHunters extortion threat
U.S. telecom Charter Communications has confirmed a data breach following an extortion threat by the ShinyHunters group to leak stolen data unless a ransom is paid.
Confirmation signals adversary access and a shift from intrusion to pressure operations. This raises risk of phishing using breach themes, credential reuse attempts, and closer regulatory attention. Organizations should review vendor exposure, tighten access controls, and prepare customer communications while monitoring for ShinyHunters-branded leak channels.
Microsoft Defender can now automatically isolate hacked endpoints
Microsoft is testing a Microsoft Defender for Endpoint feature that automatically isolates compromised devices to hinder lateral movement. It severs network access while keeping management channels live for investigation and recovery.
This compresses response time and shifts containment from manual playbooks to policy. Teams should validate coverage on critical assets, tune isolation thresholds, and define override paths to limit disruption.
Air Force looks to accelerate F-15 EW upgrades at new "Speedline"
The Air Force Life Cycle Management Center has opened a dedicated facility, the Speedline, to accelerate installation of modern electronic warfare and survivability upgrades on F-15E Strike Eagles.
Accelerated retrofits cut depot time, raise availability, and field upgraded jets sooner. A single line standardizes configurations and training baselines, bolstering survivability and mission endurance in contested airspace.
Banned Russian Submunitions Found After Mali's Military Announces Airstrikes
Unexploded banned Russian submunitions were identified after Mali's military announced airstrikes, linking the discovery to the period immediately following declared operations.
Operationally, the find indicates cluster-type ordnance in the strike area, elevating contamination and casualty risks and requiring clearance. It also intensifies scrutiny of munition supply, strike records, and preserved evidence for attribution and compliance.
Canada's Telesat eyes secure Italian satellite connectivity contract, sources say
Canada's Telesat is pursuing a contract to provide secure satellite connectivity for Italy, with discussions reported to be underway.
A deal would signal Italy's intent to harden national communications and broaden procurement options via commercial satellite services, placing a Canadian operator in a sensitive European role and shaping interoperability, resilience, and supplier diversification in government networks.
The LA Metro Attack Wasn't Hacktivism. It Was a State Operation With a Costume On.
A new assessment states the LA Metro attack was not a hacktivist action but a state-run operation using a hacktivist façade.
Operationally, this highlights how state actors exploit activist branding to gain deniability, complicate attribution, and shape public perception. For defenders of critical transit systems, it raises the bar for threat validation, incident communications, and response calibration when "hacktivism" may mask state direction.
Glassworm botnet disrupted after resilient C2 infrastructure takedown
The Glassworm botnet has been disrupted following the takedown of a resilient command-and-control infrastructure. The action interrupts control pathways, degrading coordination across infected hosts.
Operationally, removing core C2 nodes constrains tasking and update propagation, increasing fragmentation and creating a short window for remediation and telemetry collection. Defenders should audit endpoints, purge persistence, and tighten egress controls while monitoring for residual traffic.
Grandoreiro Malware and BTMOB RAT Campaigns Target Windows and Android Users
Active Grandoreiro banking malware and BTMOB RAT campaigns are targeting Windows and Android users across Europe and Latin America in 2026, elevating banking-malware risk for consumers and enterprises.
Operationally, cross-platform reach complicates defense and widens credential-theft risk across mixed fleets. Financial services and mobile-centric teams should tighten endpoints, boost anti-fraud monitoring, and rehearse rapid isolation.
Malicious npm Package Stole Files From Claude AI User Directory via GitHub
A malicious npm package stole files from a Claude AI user directory and moved them to GitHub. The case spotlights an npm supply-chain vector targeting local AI data.
Operational significance: developer machines that use Claude alongside GitHub-linked workflows are at risk when dependencies turn rogue. Reduce exposure by pinning and auditing packages, constraining filesystem and token scopes, and monitoring unexpected Git actions or file exfiltration.
GPU mining malware spreads via SEO poisoning, AI chatbots
Actors are pushing GPU mining malware through SEO poisoning and AI chatbot suggestions, funneling users to attacker-run sites.
Operationally, the search-and-chat vector widens delivery beyond email, heightening cryptojacking exposure for GPU-capable endpoints and developer machines. Treat chatbot links as untrusted, tighten web filtering on search-driven downloads, and monitor anomalous GPU use.