# CTI Daily Brief — 2026-05-14

> **AI-generated content — no human review.** This brief was produced autonomously by an LLM (Claude Opus 4.7, model ID `claude-opus-4-7`) with parallel research and verification by sub-agents (Claude Sonnet 4.6) executing the prompt at `prompts/daily-cti-brief.md` as a Claude Code routine on Anthropic-managed cloud infrastructure. **Nothing here is reviewed or edited by a human before publication.** All facts are linked inline to public sources the agent fetched in this run. Verify any operationally critical claim against the linked primary source before acting.

**Generated by:** Claude Opus 4.7 (`claude-opus-4-7`) · **Sub-agents:** S1: Claude Sonnet 4.6 · S2: Claude Sonnet 4.6 · S3: Claude Sonnet 4.6 · S4: Claude Sonnet 4.6 · verify: pending · **Classification:** TLP:CLEAR · **Language:** English · **Prompt:** v2.50 · **Recency window:** 36 h (gap to prior brief: 24 h)

## 0. TL;DR

- **Ivanti ships May 2026 multi-product fix: critical CWE-73 in Xtraction, SQLi→RCE in EPM, OS-command injection in vTM.** CVE-2026-8043 (CVSS 9.6, CWE-73 external control of file name/path) in Ivanti Xtraction < 2026.2 lets a low-privilege authenticated user read arbitrary files and write HTML to the web directory, staging XSS or web-shell drop points. The EPM batch closes an authenticated SQL injection in the EPM web console (≤ 2024 SU6) whose technique class consistently terminates in `xp_cmdshell` or stored-procedure code execution. Virtual Traffic Manager (vTM) < 22.9r4 admin interface carries an OS-command injection. No in-the-wild exploitation reported; Xtraction is commonly deployed on internal management networks where egress controls are looser than perimeter ([Ivanti, 2026-05-12](https://www.ivanti.com/blog/may-2026-security-update); [CERT-FR CERTFR-2026-AVI-0576, 2026-05-13](https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0576/)). See § 2.
- **The Gentlemen RaaS backend dumped — Check Point exposes operator handles and tooling; SystemBC C&C reveals 1,570+ victims vs. 332 on the public leak site; decryptor on GitHub.** Check Point Research's 2026-05-13 analysis of a 44.4 MB extract from the group's leaked "Rocket" backend (16.22 GB total, posted to the cybercrime forum Breached on 4 May after the group's infrastructure was compromised) maps nine operator handles, the EDR-suppression toolchain (`EDRStartupHinder`, `gfreeze`, `glinker`), the ZeroPulse C2 framework, and a separately-exposed SystemBC C&C server holding 1,570+ victim entries against 332 publicly listed in the first five months of 2026 — large under-reporting of true scope. The decryptor is public on GitHub per BankInfoSecurity, making decryption the first action for any in-flight Gentlemen incident ([Check Point Research, 2026-05-13](https://research.checkpoint.com/2026/thus-spoke-the-gentlemen/); [BankInfoSecurity, 2026-05-11](https://www.bankinfosecurity.com/tables-turned-gentlemen-ransomware-group-suffers-data-leak-a-31654)). See § 4 UPDATE.
- **Dutch IGJ rules Clinical Diagnostics/NMDL failed mandatory NEN 7510 information-security standard at time of July 2025 ransomware breach.** The Dutch Health & Youth Care Inspectorate's 2026-05-13 finding cites two specific failures: no independent information-security audit, and no periodic processing-risk assessments — meaning the laboratory could not determine which controls were required. The breach exposed approximately 941,000 patients' records, including results of the national cervical-cancer screening programme (Bevolkingsonderzoek Nederland). IGJ has no fining power but has demanded independent certification and signalled sector-wide enforcement; Autoriteit Persoonsgegevens (AP) holds a parallel GDPR investigation that can. NEN 7510 (Dutch healthcare security baseline) is the structural analogue of Switzerland's EPDG security profile — same gap, same regulator pattern ([IGJ, 2026-05-13](https://www.igj.nl/actueel/nieuws/2026/05/13/clinical-diagnostics-voldeed-niet-aan-wettelijke-norm-voor-informatiebeveiliging); [Computable, 2026-05-13](https://www.computable.nl/2026/05/13/inspectie-vernietigend-over-beveiliging-clinical-diagnostics-na-datahack/)). See § 1.
- **CL-STA-1132 in-the-wild exploitation of PAN-OS Captive Portal continues while patch wave 2 for eight build streams is delayed to 2026-05-28.** Palo Alto Networks PSIRT's 2026-05-13 update lists PAN-OS 12.1.7, 11.2.4-h17, 11.2.12, 11.1.7-h6, 11.1.15, 10.2.7-h34, 10.2.13-h21, 10.2.16-h7 as "ETA 05/28" only — operators on those builds cannot patch and must rely on the interim mitigation (restrict User-ID Authentication Portal to trusted zones, or disable Captive Portal if unused). Likely state-sponsored CL-STA-1132 continues unauthenticated root RCE against the affected service ([Palo Alto PSIRT, updated 2026-05-13](https://security.paloaltonetworks.com/CVE-2026-0300); [Unit 42, 2026-05-06](https://unit42.paloaltonetworks.com/captive-portal-zero-day/)). See § 4 UPDATE.
- **GemStuffer weaponises RubyGems as a one-way exfiltration channel scraping UK local-authority ModernGov portals.** Socket published 2026-05-13 documenting 155+ malicious gems that override `HOME` to a fabricated `/tmp/gemhome/` directory carrying hard-coded API credentials, scrape Lambeth, Wandsworth and Southwark council committee calendars and officer contacts, and publish the captured HTML inside valid `.gem` archives via `gem push`. Pattern is novel: most CI/CD monitoring instruments inbound package pulls, not outbound publish operations — and `gem push` from a build agent that does not own a publish role is the structural detection. Socket notes RubyGems temporarily disabled new account registration in connection with the broader account-abuse pattern ([Socket, 2026-05-13](https://socket.dev/blog/gemstuffer); [The Hacker News, 2026-05-13](https://thehackernews.com/2026/05/gemstuffer-abuses-150-rubygems-to.html)). See § 3.
- **Deep dive — FamousSparrow (UAT-9244) ran a three-wave intrusion against an Azerbaijani oil & gas operator December 2025–February 2026, re-exploiting the same ProxyNotShell Exchange chain across all three waves** despite the victim's attempted remediation, and in Wave 1 deployed Deed RAT via a novel DLL-sideloading technique against a signed LogMeIn Hamachi binary — overriding two specific exported functions (Init, ComMain) and patching `StartServiceCtrlDispatcherW` so payload execution only fires when the legitimate application's own start-up flow runs. Bitdefender characterises Azerbaijan as a strategic post-Ukraine-transit gas supplier whose deliveries have expanded to 13 European countries (including new flows to Germany and Austria) — making Azerbaijani energy infrastructure a high-value collection target for Chinese state actors monitoring European energy supply dependencies ([Bitdefender Labs, 2026-05-13](https://www.bitdefender.com/en-us/blog/businessinsights/famoussparrow-apt-targets-azerbaijani-oil-gas-industry); [The Hacker News, 2026-05-13](https://thehackernews.com/2026/05/azerbaijani-energy-firm-hit-by-repeated.html)). See § 5.

## 1. Active Threats, Trending Actors, Notable Incidents & Disclosures

### Dutch IGJ rules Clinical Diagnostics/NMDL failed NEN 7510 information-security standard at time of July 2025 ransomware breach; ~941,000 patients affected, cervical-cancer screening data exposed

The Dutch Health & Youth Care Inspectorate (Inspectie Gezondheidszorg en Jeugd, IGJ) issued a public finding on 2026-05-13 concluding that Clinical Diagnostics LCPL BV and NMDL BV (Rijswijk) did not meet the mandatory NEN 7510 information-security standard at the time of their July 2025 ransomware breach, and had not fully remediated the deficiencies as of IGJ's December 2025 follow-up inspection ([IGJ, 2026-05-13](https://www.igj.nl/actueel/nieuws/2026/05/13/clinical-diagnostics-voldeed-niet-aan-wettelijke-norm-voor-informatiebeveiliging); native title: "Clinical Diagnostics voldeed niet aan wettelijke norm voor informatiebeveiliging" — "Clinical Diagnostics did not meet the statutory information-security standard"). NEN 7510 is the Dutch statutory information-security baseline for healthcare organisations under the Wabvpz, structurally aligned with ISO/IEC 27001 but extended for health-data obligations; non-compliance is independently actionable by multiple regulators.

IGJ's two named failures are foundational rather than technical: (1) no independent audit of the laboratory's information security had ever been performed, and (2) the organisation had not periodically assessed its processing risks, leaving it unable to determine which controls were necessary. The July 2025 breach — Computable's prior reporting attributes it to the Nova ransomware group — exposed approximately 941,000 patients' personal and medical records, including cervical-cancer screening results processed for the population-screening programme Bevolkingsonderzoek Nederland ([Computable, 2026-05-13](https://www.computable.nl/2026/05/13/inspectie-vernietigend-over-beveiliging-clinical-diagnostics-na-datahack/)). IGJ has no fining power and has demanded short-term independent NEN 7510 certification; Autoriteit Persoonsgegevens (Dutch DPA), whose GDPR enforcement carries fines, is running a parallel investigation. IGJ also signalled sector-wide enforcement intent by publicly calling for all healthcare providers to demonstrate independent certification — a leading indicator of broader inspection cadence.

For a Swiss SOC the parallel is direct: NEN 7510 is the regulatory analogue of the EPDG (Bundesgesetz über das elektronische Patientendossier) security profile, and the two specific failures — absence of third-party audit, absence of periodic risk assessment — are the same hygiene-baseline gaps Swiss healthcare providers face under cantonal supervision. The breach scale (941k records, mass-screening data) is the proximate consequence of those structural gaps; the operationally useful read for defenders is detection of NEN-7510-style baseline gaps via third-party assessment, not signature hunting.

— *Source: [IGJ, 2026-05-13](https://www.igj.nl/actueel/nieuws/2026/05/13/clinical-diagnostics-voldeed-niet-aan-wettelijke-norm-voor-informatiebeveiliging) · [Computable, 2026-05-13](https://www.computable.nl/2026/05/13/inspectie-vernietigend-over-beveiliging-clinical-diagnostics-na-datahack/) · Tags: ransomware, data-breach, healthcare · Region: europe · Sector: healthcare*

## 2. Trending Vulnerabilities

### CVE-2026-8043 Ivanti Xtraction external file control (CVSS 9.6) plus EPM SQL-injection-to-RCE and vTM admin OS-command injection — May 2026 advisory batch, no ITW

Ivanti's [May 2026 Security Update](https://www.ivanti.com/blog/may-2026-security-update) (2026-05-12) discloses four product-line advisories. The headline issue is **CVE-2026-8043** in Ivanti Xtraction prior to 2026.2 — a CWE-73 (external control of file name or path) flaw rated 9.6 on CVSS 3.1 with `PR:L` (low-privilege auth required, not admin) and `AC:L` — letting a remote authenticated attacker read arbitrary server-side files and write arbitrary HTML into the web directory. The dual primitive is the operational concern: arbitrary HTML write into the web tree is a viable stored-XSS staging point against higher-privileged Xtraction users, and combined with the file-read primitive is sufficient to chain to web-shell drop in environments where the attacker can guess or read deployment paths.

Ivanti's EPM advisory in the same cycle addresses a SQL-injection vulnerability in the EPM web console prior to 2024 SU6 that any remote authenticated user can leverage. The relevant defender note is technique class, not just CVSS: SQL injection against EPM's SQL Server back-end is the well-documented `xp_cmdshell` (T1059) or stored-procedure code-execution pivot ransomware initial-access brokers have weaponised against EPM and analogous endpoint-management platforms for years. The third advisory covers an OS-command injection (T1059) in the Ivanti Virtual Traffic Manager (vTM) admin interface prior to 22.9r4, allowing an admin-credentialed attacker to inject OS commands and achieve full appliance RCE. Ivanti states no in-the-wild exploitation as of 2026-05-12 for any of the four advisories; CERT-FR ([CERTFR-2026-AVI-0576, 2026-05-13](https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0576/)) and SecurityWeek ([2026-05-13](https://www.securityweek.com/fortinet-ivanti-patch-critical-vulnerabilities/)) corroborated the disclosure within 24 hours.

Affected and fixed versions (per the vendor batch): Ivanti Xtraction < 2026.2 → 2026.2; Ivanti EPM ≤ 2024 SU6 → 2024 SU6; Ivanti vTM < 22.9r4 → 22.9r4. Inclusion gate cleared: CVE-2026-8043 sits in the ENISA EUVD CVSS 9.0–10.0 critical band on the vendor's CVSS 3.1 score. Detection priority for SOCs that operate Ivanti: monitor EPM web-console request logs for stored-procedure invocation patterns originating from non-administrative user contexts (T1505.003 web-shell + T1059 command-line), and audit Xtraction installations for any HTML file in the web tree whose timestamp post-dates 2026-04-01 and whose content does not match a release manifest. ATT&CK: T1190 Exploit Public-Facing Application, T1505.003 Web Shell, T1059 Command and Scripting Interpreter, T1190+T1505.003 chained for the Xtraction file-write to staged web-shell route. Xtraction is commonly deployed on internal management networks where egress controls are looser than perimeter — a successful T1041 (exfiltration over C2) post-compromise can go unnoticed longer than perimeter-edge compromises.
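As an added example (not Ivanti's or CERT-FR's code), the Xtraction web-tree audit described above as a Python sweep: it walks a web root, keeps HTML files whose modification time post-dates a cut-off, and reports those that are absent from a release manifest or whose SHA-256 differs from the manifest entry. The web-root layout, the manifest format (relative path mapped to SHA-256) and the sample files are constructed assumptions; in production the cut-off would be the 2026-04-01 date above and the manifest would be derived from the vendor release.

```python
"""Xtraction web-tree integrity sweep (added example; not vendor code).

Reports HTML files under a web root that are newer than a cut-off and
either missing from, or differing from, a release manifest.  The web
root, manifest shape and sample files are constructed assumptions.
"""
import hashlib
import os
import tempfile
import time
from datetime import datetime, timedelta, timezone
from pathlib import Path

HTML_SUFFIXES = {".html", ".htm"}


def sha256_of(path: Path) -> str:
    """Streamed SHA-256 so large files do not need to sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_web_tree(web_root, manifest: dict, cutoff: datetime) -> list:
    """Return (relative path, reason) for HTML files that are newer than
    `cutoff` and either absent from `manifest` or mismatching its digest."""
    root = Path(web_root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in HTML_SUFFIXES:
            continue
        rel = path.relative_to(root).as_posix()
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        if mtime < cutoff:
            continue  # pre-dates the window of interest
        digest = sha256_of(path)
        expected = manifest.get(rel)
        if expected is None:
            findings.append((rel, "not in release manifest"))
        elif expected != digest:
            findings.append((rel, "content differs from manifest"))
    return sorted(findings)


def demo() -> list:
    """Build a constructed web tree in a temp dir and run the sweep.

    Uses a cut-off 30 days in the past so the demo works whatever the
    clock says; a real run would pass the page's 2026-04-01 cut-off."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        shipped = root / "app" / "index.html"     # genuine, old, in manifest
        shipped.write_text("<html>release page</html>")
        tampered = root / "app" / "login.html"    # in manifest, content changed
        tampered.write_text("<html>release page</html>")
        dropped = root / "app" / "x.html"         # never shipped
        dropped.write_text("<html><script>injected</script></html>")
        manifest = {
            "app/index.html": sha256_of(shipped),
            "app/login.html": hashlib.sha256(b"<html>original login</html>").hexdigest(),
        }
        old = time.time() - 200 * 86400
        os.utime(shipped, (old, old))             # backdate the known-good file
        cutoff = datetime.now(timezone.utc) - timedelta(days=30)
        return sweep_web_tree(root, manifest, cutoff)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

The sweep deliberately ignores files older than the cut-off even when they mismatch the manifest, so that a legitimately customised page that pre-dates the exposure window does not drown out the files that matter; drop the mtime check for a full-tree baseline comparison.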

— *Source: [Ivanti, 2026-05-12](https://www.ivanti.com/blog/may-2026-security-update) · [CERT-FR CERTFR-2026-AVI-0576, 2026-05-13](https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0576/) · [SecurityWeek, 2026-05-13](https://www.securityweek.com/fortinet-ivanti-patch-critical-vulnerabilities/) · Tags: vulnerabilities, rce, patch-available · Region: global · Sector: public-sector · CVE: CVE-2026-8043 · CVSS: 9.6 · Vector: zero-click · Auth: post-auth · Status: patch-available*

## 3. Research & Investigative Reporting

### GemStuffer — RubyGems weaponised as a one-way exfiltration channel scraping UK local-authority ModernGov portals; new abuse pattern targets the asymmetric monitoring gap between package pull and push

Socket's Threat Research Team disclosed on 2026-05-13 a campaign it dubs **GemStuffer**, in which 155+ malicious Ruby packages were published to the public RubyGems registry — not as a malware-delivery vehicle but as a covert one-way data-exfiltration channel ([Socket, 2026-05-13](https://socket.dev/blog/gemstuffer); [The Hacker News, 2026-05-13](https://thehackernews.com/2026/05/gemstuffer-abuses-150-rubygems-to.html)). The technique is new enough to warrant a defender's attention regardless of jurisdiction: a public package registry's push API has hitherto been monitored for malware distribution, not for outbound data leakage. Socket notes RubyGems temporarily disabled new account registration in connection with the broader account-abuse pattern that GemStuffer is part of.

Attack-chain steps as reported by Socket: (1) reconnaissance of the execution environment to confirm `gem` CLI presence and writeable temp space; (2) HTTP scraping of UK local-government democratic-services portals running ModernGov — Lambeth, Wandsworth and Southwark councils — using Ruby's stdlib `Net::HTTP` with SSL verification suppressed; (3) packaging of scraped HTML responses (committee calendars, agenda items, officer contact data, linked PDFs) into syntactically valid `.gem` archives with the captured data placed in `lib/result.txt` or in `README` fields; (4) credential injection — three OAuth-format RubyGems API keys hard-coded as plaintext in the payloads, with `ENV['HOME']` overridden to an attacker-controlled `/tmp/gemhome/` directory containing fabricated `.gem/credentials` files (permissions 0600) so the CLI's credential lookup resolves to attacker values without touching the operator's real home directory; (5) exfiltration via `gem push` to the RubyGems API.

The scraped data is itself public (council democratic-services portals are by design public), so the operational significance is not the confidentiality of the data but the channel pattern. Socket flagged the possibility that "council portal access as a pivot to demonstrate capability against government infrastructure" is the actual objective. The defender-critical generalisation: most CI/CD pipeline monitoring instruments `npm install` / `bundle install` / `pip install` inbound; few instrument outbound `npm publish` / `gem push` / `pip upload` from non-publisher contexts. Analyst-derived ATT&CK mapping for the chain (not cited in Socket's write-up): T1583.001 Domains (registry abuse), T1027 Obfuscated Files (data embedded inside `.gem` structure), T1567.004 Exfiltration to Web Service, T1552.001 Credentials In Files (hard-coded API keys).

Detection priorities for any organisation with Ruby tool-chains in its development surface: (a) audit `gem push` and `bundle exec gem push` invocations from CI runners and developer workstations that do not have a publish role assigned; (b) flag new RubyGems publisher accounts with high version churn (>10 versions/day on a freshly created package); (c) inspect outbound HTTPS POST traffic from build agents to `rubygems.org` (POST = publish, GET = read); (d) extend the same lens to `npm publish` and `pip upload`. The asymmetric-monitoring-gap pattern generalises trivially across registries; the GemStuffer write-up is the lever for security teams to fund that monitoring asymmetry now rather than after a CH/EU-equivalent variant lands. RubyGems' temporary signup suspension is signal that the registry operator already considers this a structural rather than a single-actor problem.
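The chain and the detection priorities above, as an added Python example that is not Socket's code: it evaluates constructed process-execution events from build agents and developer hosts and flags `gem push` / `bundle exec gem push` invocations from hosts that hold no publish role, `HOME` redirected into a temp directory (the `/tmp/gemhome/` pattern described above), and packages with more than ten versions published in a day. The host inventory, event field names and publish log are assumptions made for illustration.

```python
"""GemStuffer-style detection over constructed build-agent events
(added example; not Socket's code).  Host names, field names and the
publish log are assumptions."""
import shlex
from collections import Counter

# Hosts permitted to publish to the registry (assumed inventory).
PUBLISH_ROLE = {"release-runner-01"}

# Constructed process-execution events: host, user, command line, env subset.
EVENTS = [
    {"host": "release-runner-01", "user": "ci", "cmd": "gem push pkg-1.0.0.gem",
     "env": {"HOME": "/home/ci"}},
    {"host": "build-agent-07", "user": "ci", "cmd": "gem push result-0.0.14.gem",
     "env": {"HOME": "/tmp/gemhome"}},
    {"host": "build-agent-07", "user": "ci", "cmd": "bundle exec gem push x-0.0.2.gem",
     "env": {"HOME": "/tmp/gemhome/"}},
    {"host": "dev-laptop-42", "user": "alice", "cmd": "bundle install",
     "env": {"HOME": "/home/alice"}},
    {"host": "build-agent-03", "user": "ci", "cmd": "gem install rails",
     "env": {"HOME": "/home/ci"}},
]

# Constructed registry publish records (package, date) for the churn rule.
PUBLISH_LOG = [("result-gem", "2026-05-12")] * 12 + [("good-gem", "2026-05-12")] * 2


def is_gem_push(cmd: str) -> bool:
    """True for `gem push ...` and `bundle exec gem push ...`."""
    argv = shlex.split(cmd)
    if argv[:3] == ["bundle", "exec", "gem"]:
        argv = argv[2:]
    return argv[:2] == ["gem", "push"]


def home_is_suspicious(env: dict) -> bool:
    """HOME redirected into a world-writable temp location, which is where
    the credential file the CLI consults would then be looked up."""
    home = env.get("HOME", "")
    return home == "/tmp" or home.startswith(("/tmp/", "/var/tmp/"))


def evaluate(event: dict) -> list:
    """Reasons an event should alert; empty list means benign."""
    reasons = []
    if is_gem_push(event["cmd"]):
        if event["host"] not in PUBLISH_ROLE:
            reasons.append("gem push from host without publish role")
        if home_is_suspicious(event["env"]):
            reasons.append("HOME overridden to temp directory")
    return reasons


def scan(events) -> list:
    """Return (host, cmd, reasons) for every event that trips a rule."""
    hits = []
    for ev in events:
        reasons = evaluate(ev)
        if reasons:
            hits.append((ev["host"], ev["cmd"], reasons))
    return hits


def high_churn_packages(log, threshold: int = 10) -> list:
    """Packages with more than `threshold` versions pushed on one day."""
    counts = Counter(log)
    return sorted({pkg for (pkg, _day), n in counts.items() if n > threshold})


if __name__ == "__main__":
    for host, cmd, reasons in scan(EVENTS):
        print(f"{host}: {cmd!r} -> {'; '.join(reasons)}")
    print("high-churn packages:", high_churn_packages(PUBLISH_LOG))
```

The same `evaluate` shape transfers to `npm publish` and `twine upload` by swapping the verb match in `is_gem_push`; the publish-role inventory is the control that gives the rule its precision, since a `gem push` from a host that legitimately releases software is expected.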

— *Source: [Socket, 2026-05-13](https://socket.dev/blog/gemstuffer) · [The Hacker News, 2026-05-13](https://thehackernews.com/2026/05/gemstuffer-abuses-150-rubygems-to.html) · Tags: supply-chain, data-breach, organized-crime, cloud · Region: uk, europe · Sector: public-sector, technology*

## 4. Updates to Prior Coverage

### UPDATE: CVE-2026-0300 PAN-OS Captive Portal — patch wave 2 delayed to 2026-05-28 for eight high-traffic build streams; mitigation remains the only option on those builds [SINGLE-SOURCE]

> **UPDATE (originally covered 2026-05-07 deep dive, last updated 2026-05-13):** Palo Alto Networks PSIRT updated its CVE-2026-0300 advisory on 2026-05-13 to reflect first-wave patch availability and to disclose a **second patch wave with an ETA of 2026-05-28** for eight commonly deployed build streams: PAN-OS 12.1.7, 11.2.4-h17, 11.2.12, 11.1.7-h6, 11.1.15, 10.2.7-h34, 10.2.13-h21 and 10.2.16-h7 ([Palo Alto Networks PSIRT, updated 2026-05-13](https://security.paloaltonetworks.com/CVE-2026-0300)). Operators running any of those builds cannot patch yet; the interim mitigation — restrict User-ID Authentication Portal to trusted zones, or disable Captive Portal if unused — is the only option until 28 May. CL-STA-1132 in-the-wild exploitation continues; the cluster's tradecraft (EarthWorm / ReverseSocks5 tunnels, AD enumeration via firewall service account, deliberate log destruction) is unchanged from prior coverage ([Unit 42 — Captive Portal Zero-Day, 2026-05-06](https://unit42.paloaltonetworks.com/captive-portal-zero-day/)).
>
> The CISA KEV entry was updated on 2026-05-13 to note "Palo Alto has released a variety of patches"; the FCEB remediation deadline (2026-05-09) has already expired. Per PD-13 the KEV deadline is not the operational driver in CH/EU — the active-exploitation status, the affected-build delay, and the CL-STA-1132 attribution are. The wave-2 delay specifics are documented in the vendor PSIRT advisory and were not independently corroborated by HIGH-reliability third-party reporting in window; treat the eight-build "ETA 05/28" list as vendor-primary and verify against the live PSIRT entry before any rollout planning.
>
> — *Source: [Palo Alto Networks PSIRT — CVE-2026-0300](https://security.paloaltonetworks.com/CVE-2026-0300) · [Unit 42 — Captive Portal Zero-Day, 2026-05-06](https://unit42.paloaltonetworks.com/captive-portal-zero-day/) · Tags: vulnerabilities, actively-exploited, pre-auth, rce, cisa-kev, patch-available · Region: global · CVE: CVE-2026-0300 · CVSS: 9.3 · Vector: zero-click · Auth: pre-auth · Status: exploited, cisa-kev, mitigation-only, patch-available*

### UPDATE: The Gentlemen RaaS — backend "Rocket" database leaked (16.22 GB), Check Point analysis exposes operator handles, ZeroPulse C2 internals, 1,570+ victims, decryptor published on GitHub

> **UPDATE (originally covered 2026-05-10 in the Q1 2026 ransomware quarterly synthesis):** Check Point Research published "Thus Spoke…The Gentlemen" on 2026-05-13, a detailed analysis of a 44.4 MB extract from the group's leaked "Rocket" backend database (16.22 GB total) that was posted to the cybercrime forum Breached on 2026-05-04 after the group's infrastructure was compromised by an unidentified actor ([Check Point Research, 2026-05-13](https://research.checkpoint.com/2026/thus-spoke-the-gentlemen/); [BankInfoSecurity, 2026-05-11](https://www.bankinfosecurity.com/tables-turned-gentlemen-ransomware-group-suffers-data-leak-a-31654)). The dataset contains 8,200 lines of internal chat-tool traffic across channels INFO / general / TOOLS / PODBOR, shadow files with password hashes, affiliate negotiation transcripts, and configuration artefacts for the ZeroPulse C2 framework.
>
> Nine operator handles are identified — including administrator `zeta88` (also `hastalamuerte`), who both manages the RaaS panel and participates directly in encryption events. Reconstructed attack chain: initial access almost exclusively via unpatched edge devices — FortiGate CVE-2024-55591 (the group's documented mainstay), Cisco appliances, CWMP/TR-069 interfaces — or purchased infostealer credentials; post-access tooling includes NetExec, RelayKing (NTLM relay), CertiHound (AD Certificate Services abuse), TaskHound, PrivHound; EDR-suppression utilities `EDRStartupHinder`, `gfreeze` and `glinker` manipulate ETW callbacks and NTDLL syscall tables; persistence is maintained via Cloudflare Zero Trust tunnels and self-provisioned WireGuard/OpenVPN chains.
>
> Two operationally critical facts: (1) Check Point Research attributes a count of **1,570+ victim entries** to a separately-exposed SystemBC C&C server, against **332 victims publicly listed on the group's data-leak site in the first five months of 2026** — significant under-reporting of true scope (Check Point's wider comparison cites 412 cumulative DLS listings); (2) the decryptor has been released as [GitHub `Bedrock-Safeguard/gentlemen-decryptor`](https://github.com/Bedrock-Safeguard/gentlemen-decryptor), enabling existing victims to recover without payment (decryptor disclosed in BankInfoSecurity's 2026-05-11 reporting). For Swiss / EU SOCs handling an active Gentlemen incident the workflow changes today: attempt decryption before any negotiation. Detection pivots from the leak: alert on `EDRStartupHinder`, `gfreeze`, `glinker` process names (custom binaries, not commodity); monitor for AD Certificate Services reconnaissance (`certutil` enumeration of CA servers and templates) consistent with CertiHound; correlate with FortiGate CVE-2024-55591 initial-access exploitation patterns that the group continues to weaponise.
>
> — *Source: [Check Point Research, 2026-05-13](https://research.checkpoint.com/2026/thus-spoke-the-gentlemen/) · [BankInfoSecurity, 2026-05-11](https://www.bankinfosecurity.com/tables-turned-gentlemen-ransomware-group-suffers-data-leak-a-31654) · Tags: ransomware, organized-crime, identity · Region: europe, global · Sector: technology*

## 5. Deep Dive — FamousSparrow Three-Wave Intrusion of an Azerbaijani Energy Operator: ProxyNotShell Re-exploitation and a Wave-1 DLL-Sideload Loader That Overrides Two Hamachi Exports to Defeat Sandbox Analysis

**Background.** FamousSparrow has been tracked publicly since 2021 as a China-nexus espionage cluster targeting hotels, government and engineering firms; Bitdefender's 2026-05-13 write-up cites tooling and infrastructure overlap with the Earth Estries cluster, and The Hacker News summary additionally notes Salt Typhoon overlap. Recent primary technical detail has been sparse — the Bitdefender Labs publication on 2026-05-13 is the first multi-wave intrusion case study against an energy-sector victim published in some time ([Bitdefender Labs, 2026-05-13](https://www.bitdefender.com/en-us/blog/businessinsights/famoussparrow-apt-targets-azerbaijani-oil-gas-industry); [The Hacker News, 2026-05-13](https://thehackernews.com/2026/05/azerbaijani-energy-firm-hit-by-repeated.html)). The Azerbaijan targeting is geopolitically novel for the cluster: Bitdefender characterises Azerbaijani gas-export expansion to 13 European countries (with new flows to Germany and Austria) following the post-Ukraine-transit reconfiguration, making extraction and transit infrastructure intelligence operationally valuable to Chinese state actors monitoring European energy supply dependencies.

**Victim, time-frame, framing.** Bitdefender Labs documented a three-wave intrusion against an unnamed Azerbaijani oil and gas operator spanning **December 2025 to February 2026**, attributed with moderate-to-high confidence to FamousSparrow (also tracked as UAT-9244 in Talos taxonomy). The operationally most consequential framing is not the attribution but the fact that **all three waves re-used the same Exchange initial access vector** despite the victim's attempted remediation — the structural lesson is patch-completeness verification rather than novel-zero-day defence.

**Vulnerability mechanics & initial access.** Initial access in every wave exploited the ProxyNotShell chain — **CVE-2022-41040** (SSRF in the Exchange front-end Autodiscover handler) chained with **CVE-2022-41082** (deserialisation in the back-end PowerShell remoting endpoint) against an on-premises Microsoft Exchange Server. The vulnerable surface is the front-end Exchange `Autodiscover.svc` accepting a crafted IIS request that triggers internal SSRF to the Mailbox role's PowerShell remoting endpoint; the deserialisation in the chained PowerShell context yields code execution under the Exchange application-pool identity (typically `LocalSystem` on the mailbox server). The re-exploitation across three waves indicates either incomplete cumulative-update application (Microsoft's [HealthChecker.ps1](https://github.com/microsoft/CSS-Exchange) is the canonical verification harness) or a persistence foothold — likely a web shell or scheduled task — that survived clean-up rounds and re-armed the same vulnerable code path.

**Exploitation chain mapped to ATT&CK.** Each wave deployed distinct payload combinations on top of the same initial-access foothold:

- **T1190 Exploit Public-Facing Application** — ProxyNotShell against Exchange (each wave).
- **T1505.003 Server Software Component: Web Shell** — surviving persistence from an earlier wave is the most plausible explanation for re-exploitation across remediation attempts.
- **T1059.001 Command and Scripting Interpreter: PowerShell** — Exchange PowerShell remoting deserialisation gadget yields PowerShell execution; subsequent reconnaissance and tooling drop.
- **Wave 1: Deed RAT (Snappybee) deployed via DLL sideloading against a signed LogMeIn Hamachi binary** — Deed RAT is the ShadowPad successor lineage (encrypted C2, file I/O, command execution, process injection). The sideloading is the technique-novelty highlight: per Bitdefender the malicious DLL overrides two of Hamachi's exported functions (`Init`, `ComMain`) and patches `StartServiceCtrlDispatcherW`, so the payload only executes when Hamachi's own service-start path runs. T1574.002 Hijack Execution Flow: DLL Side-Loading is the ATT&CK umbrella, but the override-and-patch detail is what defeats sandbox harnesses: stub harnesses that call DllMain or a small set of obvious exports never trigger `Init` / `ComMain` in the right order and the payload stays dormant.
- **Wave 2: TernDoor deployed via DLL sideloading against a renamed-but-legitimate `deskband_injector64.exe`** — Bitdefender records the second wave as introducing TernDoor as a second backdoor family. The sideloading host is `deskband_injector64.exe` renamed `USOShared.exe` and placed in `C:\ProgramData\USOShared\`; the malicious loader is `winmm.dll` in the same directory. (No legitimate Microsoft "USOShared" signed binary is involved — the directory name is reused for camouflage.)
- **Wave 3: Modified Deed RAT with updated C2 infrastructure** — Bitdefender's third wave is an evolution of Wave 1's implant (refreshed C2, no novel sideloading host), confirming the operator's preference for iterating on the Deed RAT line rather than abandoning it.
- **T1078 Valid Accounts + T1021.001 RDP / T1021.002 SMB** — lateral movement via Impacket, RDP, SMB tooling once the Exchange-server foothold is established.

**Named clusters and shared tooling.** Bitdefender's overlap assessment places FamousSparrow / UAT-9244 in operational relationship with Earth Estries (Trend Micro taxonomy); The Hacker News summary additionally connects the cluster to Salt Typhoon (Microsoft taxonomy). Implants observed include Deed RAT (Snappybee), TernDoor, Mofu Loader and ShadowPad ancestry; the LogMeIn Hamachi sideloading host is freshly observed for this cluster and indicates active tooling rotation rather than reuse of a known signed-binary host.

**Detection and hunt concepts.** Defender-actionable, behavioural — not IOCs:

- **Exchange patch-verification audit**: Run Microsoft's `HealthChecker.ps1` against every on-premises Exchange server and review the output for `Exchange Build` and `Hotfix Applied` lines. CU-level patch status alone is insufficient — the cumulative-update installer occasionally rolls back fixes if an OWA front-end customisation conflicts. Cross-reference IIS log analysis for repeated POST requests to `/autodiscover/autodiscover.json` with non-empty bodies, especially when the same external IP returns over a span of days — the ProxyNotShell exploitation pattern leaves this footprint.
- **Web-shell survival sweep**: Audit the Exchange `FrontEnd\HttpProxy\owa\auth\` and `FrontEnd\HttpProxy\ecp\auth\` directories for files modified post-patch, and the Exchange transport-agents folder for unsigned scheduled tasks. Persistence outliving clean-up was the structural enabler of re-exploitation in this case.
- **LogMeIn Hamachi / signed-binary sideload anomalies**: Hunt for `hamachi*.exe` or `logmein*.exe` loading DLLs from non-standard installation paths, or any legitimately signed binary whose child process tree spawns `cmd.exe` / `powershell.exe` with encoded arguments. The export-override gating makes the loader resilient against generic sandbox detection, but the eventual payload still spawns shell children — Sysmon event ID 1 with `ParentImage` filter on known signed binaries and `CommandLine` patterns for `-EncodedCommand` / `-enc` remains effective. Wave 2's sideloading is the same class of abuse using a renamed legitimate binary — extend the hunt to `deskband_injector64.exe` running from non-standard paths (Bitdefender placed it as `C:\ProgramData\USOShared\USOShared.exe`) and to any `winmm.dll` load from a `ProgramData` subdirectory rather than from the system search path.
- **DLL load-order anomaly hunt**: T1574.002 sideloading depends on a writable DLL search path adjacent to the host binary. Hunt Sysmon event ID 7 (Image Load) records for the Hamachi process loading DLLs from `%LOCALAPPDATA%\Temp\` or other writable user-context paths rather than from the legitimate `Program Files\LogMeIn Hamachi\` install directory.
- **Lateral-movement signatures**: alert on Impacket execution patterns (`smbexec.py` / `wmiexec.py`) — process command lines containing `\\127.0.0.1\admin$` and Win32 service installations with randomly-named binaries (`__output` style) on member servers. RDP from Exchange servers to non-administrative workstations is anomalous regardless of source-account legitimacy.
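The IIS-log and Sysmon hunts in the list above, as an added Python example that is not Bitdefender's code: it parses W3C-format IIS log lines and flags source IPs that POST non-empty bodies to `/autodiscover/autodiscover.json` on two or more distinct days, then checks constructed Sysmon event 7 (Image Load) and event 1 (Process Create) records for a hunted host binary loading a DLL from its own directory under a user-writable path, or spawning PowerShell with an encoded command. All log lines, IP addresses, file paths and binary names are constructed samples; the field names follow IIS W3C and Sysmon conventions, but the record shape is an assumption.

```python
"""ProxyNotShell IIS footprint and sideload-path hunts over constructed
records (added example; not Bitdefender's code).  Paths, IPs and binary
names are constructed samples."""
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed IIS W3C log; cs-bytes is the request-body size.
IIS_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status cs-bytes
2026-01-10 02:14:07 POST /autodiscover/autodiscover.json - 198.51.100.7 200 1843
2026-01-10 02:14:09 POST /autodiscover/autodiscover.json - 198.51.100.7 200 1910
2026-01-12 23:51:44 POST /autodiscover/autodiscover.json - 198.51.100.7 200 1877
2026-01-11 08:00:01 GET /owa/auth/logon.aspx - 203.0.113.5 200 0
2026-01-11 08:00:05 POST /autodiscover/autodiscover.json - 203.0.113.5 401 412
"""

# Constructed Sysmon event 7 (Image Load) records.
IMAGE_LOADS = [
    {"Image": r"C:\Program Files\LogMeIn Hamachi\hamachi-2.exe",
     "ImageLoaded": r"C:\Program Files\LogMeIn Hamachi\hamachi-2.dll"},
    {"Image": r"C:\Users\svc\AppData\Local\Temp\hamachi-2.exe",
     "ImageLoaded": r"C:\Users\svc\AppData\Local\Temp\hamachi-2-ui.dll"},
    {"Image": r"C:\ProgramData\USOShared\USOShared.exe",
     "ImageLoaded": r"C:\ProgramData\USOShared\winmm.dll"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\winmm.dll"},
]

WRITABLE_ROOTS = ("c:\\programdata\\", "c:\\users\\")
SYSTEM_DLLS = {"winmm.dll"}                      # commonly hijacked system DLL
HUNTED_HOSTS = ("hamachi", "logmein", "usoshared", "deskband_injector")
ENCODED_FLAGS = {"-encodedcommand", "-enc", "-ec", "-e"}


def parse_iis(log_text: str) -> list:
    """Turn W3C log text into dicts keyed by the #Fields header."""
    fields, rows = None, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def proxynotshell_candidates(log_text: str, min_days: int = 2) -> dict:
    """IPs posting non-empty bodies to autodiscover.json on >= min_days days."""
    days_by_ip = defaultdict(set)
    for r in parse_iis(log_text):
        if (r["cs-method"] == "POST"
                and r["cs-uri-stem"].lower() == "/autodiscover/autodiscover.json"
                and int(r["cs-bytes"]) > 0):
            days_by_ip[r["c-ip"]].add(r["date"])
    return {ip: sorted(d) for ip, d in days_by_ip.items() if len(d) >= min_days}


def sideload_anomalies(loads) -> list:
    """Event 7: hunted host (or hijackable system DLL name) loading a DLL
    from the host's own directory under a user-writable root."""
    hits = []
    for ev in loads:
        image, dll = PureWindowsPath(ev["Image"]), PureWindowsPath(ev["ImageLoaded"])
        same_dir = image.parent == dll.parent          # sideload adjacency
        writable = str(dll.parent).lower().startswith(WRITABLE_ROOTS)
        hunted = image.name.lower().startswith(HUNTED_HOSTS)
        sysdll = dll.name.lower() in SYSTEM_DLLS and "system32" not in str(dll.parent).lower()
        if same_dir and writable and (hunted or sysdll):
            hits.append((image.name, str(dll)))
    return hits


def encoded_powershell_child(parent_image: str, command_line: str) -> bool:
    """Event 1: hunted signed host spawning PowerShell with an encoded payload."""
    parent = PureWindowsPath(parent_image).name.lower()
    tokens = command_line.lower().split()
    if not tokens or "powershell" not in PureWindowsPath(tokens[0]).name:
        return False
    return parent.startswith(HUNTED_HOSTS) and bool(ENCODED_FLAGS & set(tokens))


if __name__ == "__main__":
    print("autodiscover POST sources:", proxynotshell_candidates(IIS_LOG))
    print("sideload anomalies:", sideload_anomalies(IMAGE_LOADS))
```

The IIS rule keys on the page's described footprint (POST, non-empty body, same source across days) rather than on a URL-pattern signature, so it also surfaces slow, low-volume probing that a single-request signature misses; the 401 single-day POST from the second address is kept below threshold on purpose and would only be escalated if the same address returned on a later day.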

**Hardening / mitigation.** Concrete configuration toggles, not advice:

- **Exchange**: Apply the latest cumulative update and verify with `HealthChecker.ps1`; deploy Microsoft's mitigation script for ProxyNotShell-class URL rewriting if running an Exchange version still affected. Consider the broader move to Exchange Online for organisations that have not migrated — on-premises Exchange remains a top initial-access vector across China-nexus campaigns.
- **Application-allow-listing**: Enforce Windows Defender Application Control (WDAC) or AppLocker policies that disallow LOLBin-style execution of `logmein*.exe` / `hamachi*.exe` from `%TEMP%` / `%LOCALAPPDATA%` paths. Even legitimately signed binaries should not run from user-writable directories.
- **EDR / Microsoft Defender for Endpoint**: enable "Block executable content from email client and webmail" and "Block all Office applications from creating child processes" ASR rules; these do not directly catch the Hamachi sideload but harden adjacent ingress paths.
- **Conditional Access**: Require modern-authentication and device-compliance for OWA / EAS / Outlook desktop where Exchange Online or hybrid mailboxes are in use; legacy authentication on hybrid setups continues to expose ProxyNotShell-adjacent paths.

**Operationally critical context for Swiss / EU public-sector SOCs.** Per Bitdefender, Azerbaijani gas exports now reach 13 European countries including Germany and Austria — so energy-sector intelligence collection against an Azerbaijani operator is structurally collection against the upstream end of European energy supply. The ProxyNotShell-re-exploitation pattern documented here is not Azerbaijan-specific — any organisation in CH / EU with an on-premise Exchange server that received CU patches but lacks `HealthChecker.ps1`-level verification carries the same exposure. The Wave-3 export-gated sideloading technique generalises to any legitimate signed binary an operator chooses to abuse; defenders should treat it as a class problem (DLL sideloading from signed hosts) rather than a Hamachi-specific signature.
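The class-level hunt logic from the detection bullets above (Sysmon event ID 1 encoded-shell children of signed hosts, event ID 7 DLL loads from writable paths, the Wave-2 `winmm.dll`-from-`ProgramData` case, and the Impacket loopback admin-share command line), as one added example that is not Bitdefender's or the brief's own code. Events are constructed dicts whose keys follow Sysmon's EventData field names; in practice you would feed it parsed EVTX or SIEM export rows. The host-binary patterns and writable-path prefixes are assumptions to extend for your environment.

```python
"""Sysmon hunt rules for the signed-host DLL sideloading class and its follow-on stages.

Added example. Event dicts are constructed with Sysmon EventData field names
(Image, ParentImage, CommandLine, ImageLoaded); all path matching is case-insensitive.
"""
import fnmatch
import ntpath
import re

# Signed host binaries named in the brief, as basename patterns (USOShared.exe is the
# renamed deskband_injector64.exe Bitdefender describes, not a Microsoft binary).
SIGNED_HOSTS = ("hamachi*.exe", "logmein*.exe", "deskband_injector64.exe", "usoshared.exe")
HAMACHI_HOME = "c:\\program files\\logmein hamachi\\"       # expected install directory
# User- or world-writable prefixes (assumption: adjust to local layout).
WRITABLE_PREFIXES = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")
ENCODED_RE = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}")
IMPACKET_RE = re.compile(r"(?i)\\\\127\.0\.0\.1\\admin\$")


def _base(path):
    return ntpath.basename(path).lower()


def _is_signed_host(path):
    return any(fnmatch.fnmatch(_base(path), p) for p in SIGNED_HOSTS)


def _in_writable(path):
    return path.lower().startswith(WRITABLE_PREFIXES)


def classify(ev):
    """Return the names of the hunt rules that fire on one Sysmon event."""
    hits = []
    image = ev.get("Image", "")
    if ev.get("EventID") == 1:
        cmd, parent = ev.get("CommandLine", ""), ev.get("ParentImage", "")
        if _is_signed_host(parent) and _base(image) in SHELLS and ENCODED_RE.search(cmd):
            hits.append("signed-host-spawns-encoded-shell")
        if _is_signed_host(image) and _in_writable(image):
            hits.append("signed-host-from-nonstandard-path")
        if IMPACKET_RE.search(cmd):
            hits.append("impacket-loopback-admin-share")
    elif ev.get("EventID") == 7:
        loaded = ev.get("ImageLoaded", "")
        if _base(image).startswith("hamachi") and not loaded.lower().startswith(HAMACHI_HOME):
            hits.append("hamachi-dll-outside-install-dir")
        if _base(loaded) == "winmm.dll" and loaded.lower().startswith("c:\\programdata\\"):
            hits.append("winmm-from-programdata")
        if _is_signed_host(image) and _in_writable(loaded):
            hits.append("signed-host-loads-dll-from-writable-path")
    return hits


def hunt(events):
    """Map event index -> rule names, for events that triggered at least one rule."""
    findings = {}
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            findings[i] = hits
    return findings


# Constructed events; the encoded argument is a placeholder base64 string.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\LogMeIn Hamachi\hamachi-2.exe",     # benign load
     "ImageLoaded": r"C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.dll"},
    {"EventID": 7, "Image": r"C:\Users\jdoe\AppData\Local\Temp\hamachi-2.exe",       # Wave-1 pattern
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\hamachi-2-ui.dll"},
    {"EventID": 7, "Image": r"C:\ProgramData\USOShared\USOShared.exe",              # Wave-2 pattern
     "ImageLoaded": r"C:\ProgramData\USOShared\winmm.dll"},
    {"EventID": 1, "Image": r"C:\Users\jdoe\AppData\Local\Temp\hamachi-2.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "hamachi-2.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\jdoe\AppData\Local\Temp\hamachi-2.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__output 2>&1"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",                                     # benign
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for idx, rules in hunt(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["Image"], rules)
```

The generic rule (`signed-host-loads-dll-from-writable-path`) is the class-level detection the paragraph above argues for; the Hamachi- and `winmm.dll`-specific rules are the narrower signatures from this campaign and are expected to overlap with it, which is fine for a hunt and easy to deduplicate when promoting to alerts.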

— *Source: [Bitdefender Labs, 2026-05-13](https://www.bitdefender.com/en-us/blog/businessinsights/famoussparrow-apt-targets-azerbaijani-oil-gas-industry) · [The Hacker News, 2026-05-13](https://thehackernews.com/2026/05/azerbaijani-energy-firm-hit-by-repeated.html) · Tags: nation-state, espionage, china-nexus · Region: europe, apac · Sector: energy*

## 6. Action Items

- **Apply Ivanti's May 2026 patches across Xtraction / EPM / vTM.** Update Xtraction to 2026.2 to close CVE-2026-8043 (CVSS 9.6, file-write / file-read primitive against the web tree). Update Endpoint Manager to 2024 SU6 to close the SQL-injection-to-RCE class. Update Virtual Traffic Manager to 22.9r4 to close the admin OS-command injection. Xtraction installations on internal management networks should be patched first given the typically looser egress controls. See § 2 — *Source: [Ivanti, 2026-05-12](https://www.ivanti.com/blog/may-2026-security-update) · Tags: vulnerabilities, rce, patch-available · Region: global · CVE: CVE-2026-8043 · CVSS: 9.6 · Vector: zero-click · Auth: post-auth · Status: patch-available*
- **Continue PAN-OS Captive Portal interim mitigation on the eight "ETA 05/28" build streams until 28 May.** Disable User-ID Authentication Portal on untrusted-zone interfaces or restrict it to trusted zones only; for Threat Prevention subscribers, ensure Threat ID 510019 is enabled (PAN-OS 11.1+). CL-STA-1132 in-the-wild exploitation is ongoing; the FCEB KEV deadline has no jurisdictional weight in CH / EU but the active exploitation does. See § 4. — *Source: [Palo Alto Networks PSIRT — CVE-2026-0300](https://security.paloaltonetworks.com/CVE-2026-0300) · Tags: vulnerabilities, actively-exploited, pre-auth, rce, cisa-kev, mitigation-only · Region: global · CVE: CVE-2026-0300 · CVSS: 9.3 · Vector: zero-click · Auth: pre-auth · Status: exploited, cisa-kev, mitigation-only, patch-available*
- **For active Gentlemen ransomware incidents — attempt decryption before negotiation.** BankInfoSecurity's 2026-05-11 reporting identifies the `Bedrock-Safeguard/gentlemen-decryptor` GitHub release as the recovery path; Check Point Research's 2026-05-13 backend-leak analysis additionally maps the EDR-suppression toolchain (`EDRStartupHinder`, `gfreeze`, `glinker` — custom binaries, not commodity) and the CertiHound AD CS abuse utility. Hunt those tool names on hosts in scope; monitor for AD Certificate Services reconnaissance (`certutil` enumeration of CA servers / templates) consistent with CertiHound. See § 4. — *Source: [BankInfoSecurity, 2026-05-11](https://www.bankinfosecurity.com/tables-turned-gentlemen-ransomware-group-suffers-data-leak-a-31654) · [Check Point Research, 2026-05-13](https://research.checkpoint.com/2026/thus-spoke-the-gentlemen/) · Tags: ransomware, organized-crime · Region: europe, global · Sector: technology*
- **Verify Exchange ProxyNotShell remediation completeness with `HealthChecker.ps1`, not CU-level alone.** FamousSparrow re-exploited the same CVE-2022-41040 / CVE-2022-41082 chain across three intrusion waves at one victim despite remediation attempts — patch-rollback or surviving persistence is the structural cause. Run Microsoft's [`HealthChecker.ps1`](https://github.com/microsoft/CSS-Exchange) on every on-premise Exchange server; audit `FrontEnd\HttpProxy\owa\auth\` and `FrontEnd\HttpProxy\ecp\auth\` for files modified post-patch. See § 5. — *Source: [Bitdefender Labs, 2026-05-13](https://www.bitdefender.com/en-us/blog/businessinsights/famoussparrow-apt-targets-azerbaijani-oil-gas-industry) · Tags: nation-state, espionage, china-nexus · Region: europe, apac · Sector: energy*
- **Hunt outbound `gem push` (and `npm publish` / `pip upload`) from build agents and dev workstations that lack a publisher role.** GemStuffer's structural innovation is exploiting the inbound-monitoring-only blind spot of most CI/CD security tooling. Flag new RubyGems publisher accounts with >10 versions/day on freshly created packages; inspect outbound POSTs to `rubygems.org` from non-publisher contexts. The same monitoring asymmetry exists across npm and PyPI. See § 3. — *Source: [Socket, 2026-05-13](https://socket.dev/blog/gemstuffer) · Tags: supply-chain, data-breach · Region: uk, europe · Sector: technology, public-sector*
- **For Swiss healthcare entities — schedule the EPDG-equivalent NEN 7510 audit; do not wait for the regulator.** The IGJ ruling on Clinical Diagnostics / NMDL specifically cites absence of third-party security audit and absence of periodic risk assessment as the structural failures behind a 941,000-record breach. Swiss cantonal supervisors track the same hygiene baselines via the EPDG profile; equivalent compliance gaps in Swiss healthcare carry equivalent regulatory exposure under FINMA and cantonal data-protection authorities. See § 1. — *Source: [IGJ, 2026-05-13](https://www.igj.nl/actueel/nieuws/2026/05/13/clinical-diagnostics-voldeed-niet-aan-wettelijke-norm-voor-informatiebeveiliging) · Tags: data-breach, ransomware, healthcare · Region: europe · Sector: healthcare*
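The publish-side monitoring from the GemStuffer action item above, as an added example that is neither Socket's tooling nor part of the brief: one function flags outbound package uploads (`gem push`, `npm publish`, `pip`/`twine` upload) from hosts outside a publisher allow-list, the other flags freshly created gems that receive more than ten versions in a day. The proxy lines, version records, publisher host list, and the seven-day "fresh package" window are constructed assumptions; the registry upload endpoints are the publicly documented ones each client uses.

```python
"""Publish-side supply-chain monitoring: unauthorised uploads and version bursts.

Added example. PROXY_LOG and VERSION_RECORDS are constructed; PUBLISHER_HOSTS and the
thresholds are assumptions to replace with your own inventory and baselines.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# (host, method, path) of the upload endpoints used by gem push and twine/pip upload.
UPLOAD_ENDPOINTS = {
    ("rubygems.org", "POST", "/api/v1/gems"),
    ("upload.pypi.org", "POST", "/legacy/"),
}
NPM_REGISTRY = "registry.npmjs.org"          # npm publish issues PUT /<package>

PUBLISHER_HOSTS = {"ci-release-01"}           # assumption: the only hosts allowed to publish

# Constructed egress-proxy lines: "<iso-time> <src-host> <method> <url> <status>".
PROXY_LOG = """\
2026-05-13T09:14:02Z ci-release-01 POST https://rubygems.org/api/v1/gems 201
2026-05-13T09:20:41Z dev-laptop-17 POST https://rubygems.org/api/v1/gems 201
2026-05-13T09:21:05Z dev-laptop-17 GET https://rubygems.org/api/v1/gems/rails.json 200
2026-05-13T10:02:33Z build-agent-04 PUT https://registry.npmjs.org/@acme%2finternal-utils 200
2026-05-13T11:45:10Z dev-laptop-17 POST https://upload.pypi.org/legacy/ 200
"""


def parse_proxy(text):
    for line in text.splitlines():
        if line.strip():
            ts, host, method, url, status = line.split()
            yield {"ts": ts, "host": host, "method": method, "url": url, "status": int(status)}


def is_upload(method, url):
    """True when the request is a package upload rather than an ordinary download."""
    u = urlsplit(url)
    if (u.hostname, method, u.path) in UPLOAD_ENDPOINTS:
        return True
    return u.hostname == NPM_REGISTRY and method == "PUT" and len(u.path) > 1


def unauthorised_uploads(text):
    """(source host, registry) for uploads from hosts outside the publisher allow-list."""
    return [(r["host"], urlsplit(r["url"]).hostname) for r in parse_proxy(text)
            if is_upload(r["method"], r["url"]) and r["host"] not in PUBLISHER_HOSTS]


# Constructed RubyGems version records: (gem, owner, version, pushed_at, gem_created_at).
VERSION_RECORDS = [
    ("acme-helpers", "acme-bot", f"0.1.{i}", datetime(2026, 5, 13, 8, i), datetime(2026, 5, 12, 7, 0))
    for i in range(14)
] + [
    ("rails", "rails-core", "8.1.3", datetime(2026, 5, 13, 9, 0), datetime(2004, 11, 24, 0, 0)),
    ("widgets", "dev-jane", "1.0.0", datetime(2026, 5, 13, 9, 5), datetime(2026, 5, 11, 0, 0)),
    ("widgets", "dev-jane", "1.0.1", datetime(2026, 5, 13, 12, 5), datetime(2026, 5, 11, 0, 0)),
]


def burst_publishers(records, max_per_day=10, fresh_days=7):
    """(owner, gem, day, count) for gems created within fresh_days that received more
    than max_per_day versions on a single day."""
    counts = defaultdict(int)
    created = {}
    for gem, owner, _version, pushed_at, created_at in records:
        counts[(owner, gem, pushed_at.date())] += 1
        created[(owner, gem)] = created_at
    flagged = []
    for (owner, gem, day), n in sorted(counts.items()):
        fresh = (day - created[(owner, gem)].date()) <= timedelta(days=fresh_days)
        if n > max_per_day and fresh:
            flagged.append((owner, gem, day.isoformat(), n))
    return flagged


if __name__ == "__main__":
    print("uploads from non-publisher hosts:", unauthorised_uploads(PROXY_LOG))
    print("version bursts on fresh gems:", burst_publishers(VERSION_RECORDS))
```

The GET to `rubygems.org` from the developer laptop is deliberately left alone: the point of the action item is that the asymmetry is on the upload side, so the rule matches only the write endpoints. Established gems with a high cadence (the `rails` record) are excluded by the freshness window, which is what keeps the burst rule from paging on legitimate release trains.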

## 7. Verification Notes

**Recency window.** `window_hours = 36` (gap 24 h since [briefs/2026-05-13.md](2026-05-13.md) + 12 h safety overlap); `developing_window_hours = 72`. Items whose primary source is older than 36 h are dropped from main sections unless they carry a fresh in-window development (UPDATE rule) or appear as deep-dive Background.

**Items dropped — already covered last 7 days (PD-8):** S2's findings on **Mini Shai-Hulud / TanStack npm worm** (last_covered 2026-05-13 deep dive — `campaign:mini-shai-hulud`); **SEPPmail CVE-2026-44128 cluster** (`incident` covered 2026-05-09 deep dive + § 2); **Fortinet FortiAuthenticator / FortiSandbox** (CVE-2026-44277 / CVE-2026-26083 in yesterday's § 2); **SAP May 2026 Patch Day** (CVE-2026-34260 / CVE-2026-34263 in yesterday's § 2); **Microsoft May 2026 Patch Tuesday** (CVE-2026-41089 / CVE-2026-41096 / CVE-2026-41103 / CVE-2026-42898 in yesterday's § 2); **Europol IOCTA 2026** (annual-report covered 2026-05-10). Each lacks an in-window material delta sufficient to open § 4 UPDATE.

**Items dropped — out-of-window (PD-7).** S3 returned a structured "developing-window" set whose primary sources are all older than 36 h. Drop list with primary-source dates: **QLNX / Quasar Linux RAT** (Trend Micro 2026-05-05, [BleepingComputer 2026-05-05](https://www.bleepingcomputer.com/news/security/new-stealthy-quasar-linux-malware-targets-software-developers/)); **TCLBANKER / REF3076** ([Elastic Security Labs 2026-05-07](https://www.elastic.co/security-labs/tclbanker-brazilian-banking-trojan)); **UAT-8302** ([Cisco Talos 2026-05-05](https://blog.talosintelligence.com/uat-8302/)); **Cline CVE-2026-44211** ([Oasis Security 2026-05-07](https://www.oasis.security/blog/cline-kanban-websocket-hijack)); **AiTM "code of conduct" phishing campaign** ([Microsoft Security Blog 2026-05-04](https://www.microsoft.com/en-us/security/blog/2026/05/04/breaking-the-code-multi-stage-code-of-conduct-phishing-campaign-leads-to-aitm-token-compromise/)); **Progress MOVEit Automation CVE-2026-4670 / CVE-2026-5174** (Progress / Airbus SecLab 2026-04-30 / [The Hacker News 2026-05-04](https://thehackernews.com/2026/05/progress-patches-critical-moveit.html)). Reason in every case: `out-of-window: primary source <date>, window_hours=36`. None carry a fresh in-window development that would qualify under PD-7 carve-outs (a/b/c).

**Items dropped — § 2 inclusion gate not cleared.** **HPE ArubaOS May 2026 multi-CVE batch** ([HPE Aruba HPESBNW05048](https://csaf.arubanetworking.hpe.com/2026/hpe_aruba_networking_-_hpesbnw05048.txt) / [HPESBNW05049](https://csaf.arubanetworking.hpe.com/2026/hpe_aruba_networking_-_hpesbnw05049.txt), [CERT-FR CERTFR-2026-AVI-0573, 2026-05-13](https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0573/)) — highest issue CVE-2026-23819 is CVSS 8.8 stored-XSS post-auth, with several CVSS 7.2 authenticated command-injection findings and CVSS 7.5 unauthenticated DoS on the PAPI port. No ITW exploitation, no public PoC, no pre-auth RCE on widely-deployed internet-exposed software — neither CISA-KEV nor ENISA-EUVD critical band nor § 2 catch-all gate (a–e) is cleared. Notable for CH / EU public-sector wireless infrastructure (cantonal government, education, healthcare) but operationally a routine patch cycle. Coverage gap consequence: zero.

**Items dropped — single-source dark-web only.** **Anubis ransomware listing for A.R.Ge.Co (France)** ([Malware.news, 2026-05-13](https://malware.news/t/anubis-ransomware-strikes-french-firm-a-r-ge-co/106978)) — leak-site claim only, no victim confirmation, no HIGH-reliability journalism corroboration, per PD-6 fake-news guard on leak-site claims.

**Single-source items (PD-5 carve-out applied).** One § 4 item: the PAN-OS CVE-2026-0300 UPDATE on the wave-2 patch delay relies on Palo Alto-affiliated primaries only (Palo Alto Networks PSIRT advisory + Unit 42 research blog) after Phase 5.7 iteration 1 flagged a false-corroboration SecurityWeek citation that did not in fact mention Palo Alto. Independent corroboration for the wave-2 build list (ETA 2026-05-28) was not located in HIGH-reliability third-party coverage within the 36-h window; item is flagged `[SINGLE-SOURCE]` in its heading and the wave-2 build list should be re-verified against the live PSIRT entry. Active-exploitation status itself remains multi-source (Unit 42 + CISA KEV listing + prior briefs' coverage).

**Phase 5.7 verifier remediations applied (four iterations, model-rotated).** Iteration 1 (Opus): NEEDS_FIXES truth=6 editorial=2 advisory=3 — § 4 Gentlemen UPDATE attributed four claims to Check Point Research the article does not support (ZeroPulse-via-Ethereum-smart-contracts-via-1rpc.io for C2 resolution; 4VPS as hosting provider; "32% of victims were European in Q1"; Moscow business-hours timestamp clustering) — all four removed and detection guidance rewritten. § 4 PAN-OS UPDATE's SecurityWeek 2026-05-13 corroboration was false (the article covers only Fortinet + Ivanti) — citation removed, item flagged `[SINGLE-SOURCE]`. § 5 deep dive's specific "Bcm/year" figures and Italy/Greece/Bulgaria recipient list replaced with Bitdefender's actual framing ("13 European countries, including new deliveries to Germany and Austria"). Advisories (F11): GemStuffer's "219 of 224 versions" detail rewritten to match Socket; ATT&CK mapping tagged as analyst-derived; Salt Typhoon attribution routed to THN explicitly.

Iteration 2 (Sonnet): NEEDS_FIXES truth=3 — leftover instances of iter-1 issues that hadn't been remediated in non-TL;DR locations. § 6 Gentlemen action item still carried the 1rpc.io detection sentence (removed); § 6 misattributed `Bedrock-Safeguard/gentlemen-decryptor` to Check Point Research instead of BankInfoSecurity (re-attributed); "Nova ransomware" attribution to NMDL breach removed from § 0 + § 1.

Iteration 3 (Opus): NEEDS_FIXES truth=7 — iter-2's "Neither IGJ nor Computable attributes the breach to a named ransomware operator" was itself an unsupported assertion (Computable does name Nova) — Nova attribution restored citing Computable. **FamousSparrow wave attribution inverted in deep dive** — Bitdefender's actual wave map is W1 = Deed RAT via Hamachi sideloading with Init/ComMain export override + `StartServiceCtrlDispatcherW` patch, W2 = TernDoor via separate sideloading host, W3 = Modified Deed RAT + updated C2; brief had Hamachi as W3. § 0 TL;DR, § 5 heading, § 5 background paragraph, § 5 exploitation-chain bullets, and § 5 detection paragraph all rewritten. "Runtime export call graph inspection" framing overstated the technique — tightened to "two specific exported functions overridden". Gentlemen 1,570 figure was attributed to "an affiliate's exposed C2 server" but Check Point in fact attributes it to a SystemBC C&C server; 332 = first five months of 2026 (CP's full comparison cites 412 cumulative DLS listings) — § 0 TL;DR + § 4 paragraph rewritten. GemStuffer "2026-05-12 signup suspension" date not in cited primaries — removed; version-rotation / hash-IOC paragraph not in Socket — removed.

Iteration 4 (Sonnet): NEEDS_FIXES truth=1 editorial=0 advisory=0 — single F3 finding: § 5 Wave 2 sideloading host was described as `USOShared` (implying a legitimate Microsoft-signed binary). Bitdefender actually names the host as `deskband_injector64.exe` **renamed** to `USOShared.exe` and placed in `C:\ProgramData\USOShared\`; the malicious loader is `winmm.dll` in the same directory. The directory name reuses "USOShared" for camouflage; no legitimate Microsoft USOShared signed binary is involved. § 5 exploitation-chain bullet + detection paragraph rewritten to specify `deskband_injector64.exe` and the `C:\ProgramData\USOShared\` path. **Early-exit on low-defect convergence (v2.50):** with `truth + editorial = 1` and no F1 / F4 findings, iteration 4 qualifies as the early-exit point per prompt § Phase 5.7 — remediation applied, residual logged, brief published without spawning iteration 5. `verification_residual_count = 1`.

**Model rotation across the verification loop:** iter 1 / iter 3 = Claude Opus 4.7 (`cti-verification`), iter 2 / iter 4 = Claude Sonnet 4.6 (`cti-verification-alt`). Both verifier definitions carry the identical operational system prompt; the rotation surfaces model-specific blind spots — Sonnet caught the Nova-attribution false disclaimer in iter 2 that Opus had introduced in iter 1's remediation; Opus caught the wave-attribution inversion in iter 3 that Sonnet's iter 2 had not flagged.

**Sub-agent stalls.** None. All four sub-agents returned within the 30-min wall-clock cap: S1 (443 s, Claude Sonnet 4.6), S2 (414 s, Claude Sonnet 4.6), S3 (797 s, Claude Sonnet 4.6), S4 (979 s, Claude Sonnet 4.6).

**Fetch failures (consolidated across sub-agents).** `databreaches-net` 403 (Cloudflare Managed Challenge — bridge + WebSearch fallback documented per source spec); `sec-disclosures-edgar` 403 on EDGAR full-text search (S4) — no fresh 8-K Item 1.05 disclosures recovered for the May 12-14 window; `ico-uk` SPA-empty body even via bridge; `inside-it-ch` Cloudflare-blocked across all attempts (no in-window stories surfaced via WebSearch fallback); `bleepingcomputer` SPA-rendering on article level (recovered via THN/SecurityWeek corroboration); `trendmicro-research` 403 on direct WebFetch (recovered via BleepingComputer / The Hacker News paraphrase — Trend Micro is HIGH-reliability primary attribution); `cert-eu` SPA-empty on listing, recovered via per-advisory URL; `helpnetsecurity` 429 (recovered via THN); `community.progress.com` (SPA empty body); `bsi-de` per-advisory SPA (RSS feed cross-checked); `forums.ivanti.com` Salesforce SPA (recovered via Ivanti vendor blog).

**Contradictions / reduced-confidence flags.** None this run. Two distinct sub-agents (S1 + S2) independently arrived at the CVE-2026-0300 second-patch-wave delta from different discovery paths (CISA KEV listing notes vs. NCSC-CH Patch Tuesday compilation); both led to the same primary Palo Alto PSIRT advisory.

**Coverage gaps:** databreaches-net (Cloudflare Managed Challenge, no UA bypass — WebSearch fallback only); sec-disclosures-edgar (EDGAR full-text feed 403 on routine UA — no fresh 8-K Item 1.05 disclosures recovered in window); ico-uk (SPA + sitemap discovery insufficient to surface in-window enforcement actions); inside-it-ch (Cloudflare Managed Challenge); trendmicro-research (403 — recommend bridge allow-list addition for desktop-Chrome UA, would have unlocked direct fetch on two QLNX / InstallFix items even if those were out-of-window today).

**Self-evolution candidate (source list).** No new candidate added this run; the active list is already at 94 sources and recent rotation-priority gaps are transport-blocking rather than coverage-gap caused. Recommend tracking `trendmicro-research` as a bridge allow-list addition in a future tooling commit (separate from this brief commit).
