# CTI Daily Brief — 2026-05-22

> **AI-generated content — no human review.** This brief was produced autonomously by an LLM (Claude Sonnet 4.6, model ID `claude-sonnet-4-6`) with parallel research and verification by sub-agents (Claude Sonnet 4.6) executing the prompt at `prompts/daily-cti-brief.md` as a Claude Code routine on Anthropic-managed cloud infrastructure. **Nothing here is reviewed or edited by a human before publication.** All facts are linked inline to public sources the agent fetched in this run. Verify any operationally critical claim against the linked primary source before acting.

**Generated by:** Claude Sonnet 4.6 (`claude-sonnet-4-6`) · **Sub-agents:** S1: Claude Sonnet 4.6 · S2: Claude Sonnet 4.6 · S3: Claude Sonnet 4.6 · S4: Claude Sonnet 4.6 · **Verify iter 1:** Claude Opus 4.7 (`claude-opus-4-7`) NEEDS_FIXES → resolved · **Verify iter 2:** Claude Sonnet 4.6 (`claude-sonnet-4-6`) NEEDS_FIXES → resolved · **Verify iter 3:** Claude Opus 4.7 (`claude-opus-4-7`) CLEAN · **Classification:** TLP:CLEAR · **Language:** English · **Prompt:** v2.59 · **Recency window:** 36 h (gap to prior brief: 24 h)

## 0. TL;DR

- **Operation Saffron seizes First VPN** — Europol/Eurojust-coordinated takedown of criminal anonymisation VPN present in "nearly every major cybercrime investigation"; 33+ servers seized across 27 countries (server-host), 5,000+ user accounts captured; Switzerland one of seven JIT participants; Phobos RaaS infrastructure link confirmed ([Help Net Security, 2026-05-21](https://www.helpnetsecurity.com/2026/05/21/operation-saffron-first-vpn-takedown/)).
- **CISA KEV: Trend Micro Apex One On-Premise directory traversal (CVE-2026-34926) actively exploited** — management server compromise injects malicious code propagated fleet-wide to all managed agents via built-in update mechanism; JPCERT confirmed ITW exploitation 2026-05-21; patch to build 17079 required ([CISA KEV, 2026-05-21](https://www.cisa.gov/news-events/alerts/2026/05/21/cisa-adds-two-known-exploited-vulnerabilities-catalog)).
- **Cisco Secure Workload CVSS 10.0 (CVE-2026-20223)** — unauthenticated REST API call grants Site Admin access across all tenants; no workaround; on-prem deployments must upgrade to 3.10.8.3 / 4.0.3.17 or migrate from 3.9 ([Cisco PSIRT, 2026-05-20](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csw-pnbsa-g8WEnuy)).
- **Calypso/Red Lamassu deploys Showboat (Linux) + JFMBackdoor (Windows) against telecoms** — multi-year Chinese espionage campaign targeting ISPs in Middle East, Central Asia; kworker-masquerading ELF implant with SOCKS5 proxy and Pastebin dead-drop rootkit loader; Lumen Black Lotus Labs + PwC joint disclosure ([BleepingComputer, 2026-05-21](https://www.bleepingcomputer.com/news/security/chinese-hackers-target-telcos-with-new-linux-windows-malware/)).
- **Langflow CORS/token-hijack (CVE-2025-34291) added to CISA KEV** — Flodric botnet deployed through compromised AI workflow instances; `allow_origins='*'` with `SameSite=None` cookie enables cross-origin token theft with no interaction beyond page visit; upgrade to >= 1.7.0 ([CISA, 2026-05-21](https://www.cisa.gov/news-events/alerts/2026/05/21/cisa-adds-two-known-exploited-vulnerabilities-catalog)).

> **Immediate Action — Patch Trend Micro Apex One On-Premise management server to build 17079.** JPCERT/CC confirmed on 2026-05-21 that CVE-2026-34926 (CISA KEV, added 2026-05-21) is being actively exploited in the wild: an authenticated attacker with administrative access to the Apex One management server traverses the server's directory structure to modify a key table and inject malicious code that Apex One's own update mechanism then deploys to every managed agent in the fleet — one compromised management console equals fleet-wide code execution. Admin credentials to the Apex One server are the entry prerequisite; attackers obtain them via phishing, credential theft, or brute force. The SaaS variant is not affected; only on-premises server and agent builds below 17079 require immediate action. Apply the Trend Micro patch ([KA-0023430](https://success.trendmicro.com/en-US/solution/KA-0023430)) and restrict local network access to the Apex One management console to trusted management VLANs.
>
> — *Source: [JPCERT/CC at260014, 2026-05-22](https://www.jpcert.or.jp/english/at/2026/at260014.html) · [CISA KEV, 2026-05-21](https://www.cisa.gov/news-events/alerts/2026/05/21/cisa-adds-two-known-exploited-vulnerabilities-catalog) · [HKCERT Advisory 20260522](https://www.hkcert.org/security-bulletin/trend-micro-apex-one-multiple-vulnerabilities_20260522) · Tags: actively-exploited, vulnerabilities, cisa-kev, patch-available · Region: global · CVE: CVE-2026-34926 · CVSS: 6.7 · Vector: local · Auth: post-auth · Status: exploited, cisa-kev, patch-available · Evidence: "Trend Micro Incorporated has reported that attacks exploiting the relative path traversal vulnerability in TrendAI Apex One(On Premise) (CVE-2026-34926) have been observed in the wild." (JPCERT/CC); "a potential attacker must have access to the Apex One Server and already obtained administrative credentials to the server via some other method to exploit this vulnerability." (HKCERT)*

## 1. Active Threats, Trending Actors, Notable Incidents & Disclosures

### Operation Saffron dismantles First VPN — 33+ servers seized, user database captured, Switzerland named JIT participant; Phobos RaaS infrastructure link confirmed

A coordinated international law enforcement action on 2026-05-19–20 took down First VPN, a Russian-language criminal anonymisation service established in 2014 and systematically marketed on cybercrime forums as a no-log, law-enforcement-resistant tool ([Eurojust, 2026-05-21](https://www.eurojust.europa.eu/news/eurojust-coordinated-investigation-shuts-down-criminal-vpn-network)). Europol stated the service "appeared in almost every major cybercrime investigation the agency supported" ([BleepingComputer, 2026-05-21](https://www.bleepingcomputer.com/news/security/police-seize-first-vpn-service-used-in-ransomware-data-theft-attacks/)). Led by French and Dutch investigators through a Eurojust joint investigation team established in November 2023, the operation seized more than 33 servers distributed across 27 countries (server-host count); 16 nations participated through Europol's Joint Cybercrime Action Taskforce; 7 nations sat on the Eurojust-led JIT, including Switzerland, France, Netherlands, Luxembourg, Romania, Ukraine, and the UK — signalling fedpol/GovCERT.ch operational involvement. Law enforcement arrested the administrator in Ukraine, captured the full user database (over 5,000 accounts) and cryptographic connection records, and generated 83 intelligence packages covering 506 users distributed to partner agencies; Help Net Security reporting confirms the captured data links to the Phobos ransomware-as-a-service operation and broader ransomware, fraud, and data theft investigations ([Help Net Security, 2026-05-21](https://www.helpnetsecurity.com/2026/05/21/operation-saffron-first-vpn-takedown/)). The primary domains (1vpns.com, 1vpns.net, 1vpns.org) and associated .onion mirrors were seized. Historical network flows to those domains in proxy or firewall logs now constitute potential investigative leads flowing through Europol sharing channels; Phobos affiliates have repeatedly targeted EU public-sector and healthcare organisations.

— *Source: [Eurojust, 2026-05-21](https://www.eurojust.europa.eu/news/eurojust-coordinated-investigation-shuts-down-criminal-vpn-network) · [BleepingComputer, 2026-05-21](https://www.bleepingcomputer.com/news/security/police-seize-first-vpn-service-used-in-ransomware-data-theft-attacks/) · [Help Net Security, 2026-05-21](https://www.helpnetsecurity.com/2026/05/21/operation-saffron-first-vpn-takedown/) · Tags: law-enforcement, organized-crime, ransomware · Region: europe, switzerland · Sector: public-sector*

### Calypso/Red Lamassu (Bronze Medley) deploys Showboat (Linux) and JFMBackdoor (Windows) against telecoms — new implant pair disclosed by Lumen Black Lotus Labs and PwC Threat Intelligence

Lumen's Black Lotus Labs and PwC Threat Intelligence disclosed on 2026-05-21 two purpose-built implants used by the China-aligned espionage cluster Calypso (also tracked as Red Lamassu, Bronze Medley — active since at least mid-2022 based on binary upload and victim telemetry) in a multi-year campaign against telecommunications providers ([Lumen Black Lotus Labs, 2026-05-21](https://www.lumen.com/blog/en-us/introducing-showboat-a-new-malware-family-taunts-defenses-and-targets-international-telecom-firms) · [PwC Threat Intelligence, 2026-05-21](https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/red-lamassu-open-season.html)). Confirmed victims include a Middle East ISP, an Afghanistan ISP, and entities in Azerbaijan, the US, and Ukraine; European telecoms are within the actor's documented targeting pattern. Showboat is a modular ELF binary masquerading as a Linux kernel worker thread (`kworker` — `T1036.005 Masquerade: Match Legitimate Name`) providing remote shell (`T1059.004`), bidirectional file transfer, SOCKS5 proxy to internal network segments (`T1090.001 Internal Proxy`), and a `hide` command that fetches a rootkit payload from Pastebin at runtime (`T1102.001 Dead Drop Resolver`) — C2 beacon data is transmitted base64-encoded inside PNG image fields to blend with web traffic ([Lumen Black Lotus Labs, 2026-05-21](https://www.lumen.com/blog/en-us/introducing-showboat-a-new-malware-family-taunts-defenses-and-targets-international-telecom-firms)). JFMBackdoor, the Windows counterpart, is delivered via DLL sideloading (`T1574.002`): a batch script drops a legitimate signed executable that loads the malicious DLL, providing remote shell, file operations, SOCKS5 proxy, and self-removal ([PwC Threat Intelligence, 2026-05-21](https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/red-lamassu-open-season.html)). C2 infrastructure clusters to Chengdu, Sichuan-geolocated IP ranges; X.509 certificate SAN/CN patterns link the victim set ([Lumen Black Lotus Labs, 2026-05-21](https://www.lumen.com/blog/en-us/introducing-showboat-a-new-malware-family-taunts-defenses-and-targets-international-telecom-firms)). Detection: hunt for `kworker` ELF processes whose parent is not `kthreadd` (PID 2) on Linux telecom servers (auditd EXECVE or Sysmon for Linux EID 1 parent-pid check); alert on unsigned DLLs loaded by vendor-signed executables (Sysmon EID 7: signed process, unsigned module); flag egress DNS queries or HTTP GET to pastebin.com from daemon-context processes.

— *Source: [Lumen Black Lotus Labs, 2026-05-21](https://www.lumen.com/blog/en-us/introducing-showboat-a-new-malware-family-taunts-defenses-and-targets-international-telecom-firms) · [PwC Threat Intelligence, 2026-05-21](https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/red-lamassu-open-season.html) · [BleepingComputer, 2026-05-21](https://www.bleepingcomputer.com/news/security/chinese-hackers-target-telcos-with-new-linux-windows-malware/) · [The Hacker News, 2026-05-21](https://thehackernews.com/2026/05/showboat-linux-malware-hits-middle-east.html) · Tags: nation-state, espionage, china-nexus · Region: europe, middle-east, apac · Sector: telco*

### ICO secures £355,880 POCA confiscation against former Markerstudy Insurance employee for off-hours bulk record access and sale [SINGLE-SOURCE]

The UK Information Commissioner's Office announced on 2026-05-21 a £355,880.10 confiscation order at Manchester Crown Court under the Proceeds of Crime Act against Rizwan Manjra, a former Markerstudy Insurance Services Limited employee ([ICO, 2026-05-21](https://ico.org.uk/action-weve-taken/enforcement/2026/05/rizwan-manjra-proceeds-of-crime-act/)). Manjra had pleaded guilty in December 2024 under Computer Misuse Act 1990 s.1 after accessing over 32,000 insurance policies on weekends — outside his scheduled hours — and exfiltrating data via mobile phone for onward sale to a third party. The POCA order requires disgorgement of financial benefit; non-payment triggers a 3.5-year default prison term. The enforcement pattern — weekends, anomalously high read volume, exfiltration via mobile rather than corporate network — is the canonical UEBA/behavioural-analytics insider-threat detection profile: any user account generating bulk read activity against insurance, medical, or government record databases outside scheduled shift patterns warrants alert triage (Windows EID 4663 object access on sensitive share / DLP network egress alert on mobile-hotspot NAT patterns). The POCA track running parallel to the GDPR fine channel represents a meaningful escalation in UK enforcement posture applicable to CH/EU insider-threat compliance modelling.

— *Source: [UK ICO, 2026-05-21](https://ico.org.uk/action-weve-taken/enforcement/2026/05/rizwan-manjra-proceeds-of-crime-act/) · Tags: insider-threat, data-breach, law-enforcement · Region: uk · Sector: finance, insurance*

## 2. Trending Vulnerabilities

### CVE-2026-34926 — Trend Micro Apex One On-Premise: post-auth directory traversal by admin-credential holder injects code deployed fleet-wide to all managed agents (CISA KEV, ITW)

CVE-2026-34926 (CVSS 6.7, CWE-23 Relative Path Traversal) affects Apex One On-Premise server and agent builds below 17079. An authenticated attacker who has already obtained administrative credentials to the Apex One management server traverses the directory structure to modify a key table, injecting malicious code that the management server then distributes to all enrolled agent endpoints via the product's built-in update mechanism — one compromised management console results in fleet-wide code execution on every managed endpoint. The exploitation prerequisite (admin credentials to the Apex One server) does not reduce urgency: JPCERT/CC confirmed exploitation in the wild on 2026-05-22, CISA added CVE-2026-34926 to KEV on 2026-05-21, and management server admin accounts are a high-value target for credential theft campaigns. Fixed: server and agent build 17079 per [Trend Micro KA-0023430](https://success.trendmicro.com/en-US/solution/KA-0023430). The Apex One as a Service (SaaS) variant is not affected. Until patched, restrict local-network access to the Apex One management console to a dedicated management VLAN; treat the console host as Tier-0 infrastructure given its fleet-wide code distribution capability. Technique: `T1574 Hijack Execution Flow` via trusted software update path.

— *Source: [CISA KEV alert, 2026-05-21](https://www.cisa.gov/news-events/alerts/2026/05/21/cisa-adds-two-known-exploited-vulnerabilities-catalog) · [JPCERT/CC at260014, 2026-05-22](https://www.jpcert.or.jp/english/at/2026/at260014.html) · [Trend Micro KA-0023430](https://success.trendmicro.com/en-US/solution/KA-0023430) · Tags: vulnerabilities, actively-exploited, cisa-kev, patch-available · Region: global · CVE: CVE-2026-34926 · CVSS: 6.7 · Vector: local · Auth: post-auth · Status: exploited, cisa-kev, patch-available*

### CVE-2025-34291 — Langflow AI Workflow Platform: CORS misconfiguration + SameSite=None refresh token enables cross-origin token theft (CISA KEV, ITW, Flodric botnet)

CVE-2025-34291 (CVSS 4.0: 9.4 / CVSS 3.1: 8.8, CWE-942 Overly Permissive CORS) affects Langflow <= 1.6.9. The platform's default CORS policy (`allow_origins='*'` with `allow_credentials=True`) combined with the refresh token cookie configured as `SameSite=None` allows any malicious webpage to perform cross-origin requests with the authenticated victim's credentials, reaching `/api/v1/auth/refresh` to obtain access tokens and subsequently calling all authenticated endpoints — including Langflow's code-execution functionality. Exploitation requires only victim browser navigation to an attacker-controlled page; no prior access needed (`T1190 Exploit Public-Facing Application`). First confirmed exploitation: 2026-01-23; Trend Micro documented Flodric botnet deployment through compromised Langflow instances. CISA added CVE-2025-34291 to KEV on 2026-05-21. Fixed: Langflow 1.7.0 (restrictive CORS default) and 1.9.3 (explicit fix). Block internet exposure of Langflow instances; enforce HTTPS-only with explicit CORS allowlists; hunt for anomalous subprocess execution from the Langflow process tree (Sysmon EID 1, parent `langflow-backend` or `uvicorn`).

— *Source: [CISA KEV alert, 2026-05-21](https://www.cisa.gov/news-events/alerts/2026/05/21/cisa-adds-two-known-exploited-vulnerabilities-catalog) · Tags: vulnerabilities, actively-exploited, cisa-kev, patch-available, rce · Region: global · CVE: CVE-2025-34291 · CVSS: 9.4 · Vector: user-interaction · Auth: pre-auth · Status: exploited, cisa-kev, patch-available*
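As an added illustration (not Langflow's own code), the Python below evaluates response headers captured from your own instance (browser dev tools or a `curl` request carrying a foreign `Origin`) for the three ingredients the CVE-2025-34291 description combines: a wildcard or reflected `Access-Control-Allow-Origin`, `Access-Control-Allow-Credentials: true`, and a `SameSite=None` cookie. The cookie name, origin and sample responses are constructed; it also encodes the caveat that browsers refuse credentialed reads against a literal `*`, so the observation that actually matters is a reflected origin.

```python
"""Assess captured HTTP response headers for the CVE-2025-34291 condition.

Added example, not Langflow's code. A third-party page can read an
authenticated response only when all three hold:
  1. Access-Control-Allow-Origin (ACAO) permits the foreign origin,
  2. Access-Control-Allow-Credentials (ACAC) is 'true', and
  3. the session/refresh cookie is SameSite=None, so the browser sends it
     cross-site in the first place.
Per the Fetch spec a literal '*' ACAO fails the CORS check for credentialed
requests; permissive frameworks therefore *reflect* the request Origin
instead, which is what the captured headers will show.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Union

Headers = Dict[str, Union[str, List[str]]]

# Constructed samples (not captured from a real deployment).
FOREIGN_ORIGIN = "https://attacker.example"
VULNERABLE_RESPONSE: Headers = {
    "Access-Control-Allow-Origin": "https://attacker.example",   # reflected
    "Access-Control-Allow-Credentials": "true",
    "Set-Cookie": [
        "refresh_token_example=abc123; Path=/; Secure; HttpOnly; SameSite=None",
        "theme=dark; Path=/; SameSite=Lax",
    ],
}
FIXED_RESPONSE: Headers = {                  # explicit allowlist: no ACAO for strangers
    "Access-Control-Allow-Credentials": "true",
    "Set-Cookie": "refresh_token_example=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
}
WILDCARD_RESPONSE: Headers = {               # misconfigured but browser-blocked
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
    "Set-Cookie": "refresh_token_example=abc123; Path=/; Secure; SameSite=None",
}


@dataclass
class Assessment:
    origin_allowed: bool = False
    credentials_allowed: bool = False
    cross_site_cookies: List[str] = field(default_factory=list)
    notes: List[str] = field(default_factory=list)

    @property
    def vulnerable(self) -> bool:
        return self.origin_allowed and self.credentials_allowed and bool(self.cross_site_cookies)


def _normalise(headers: Headers) -> Dict[str, List[str]]:
    """Lower-case header names and store every value as a list (Set-Cookie repeats)."""
    out: Dict[str, List[str]] = {}
    for name, value in headers.items():
        values = value if isinstance(value, list) else [value]
        out.setdefault(name.lower(), []).extend(values)
    return out


def cookie_samesite(set_cookie: str) -> str:
    """Return the SameSite attribute of one Set-Cookie header, lower-cased."""
    for attr in set_cookie.split(";")[1:]:          # skip the name=value pair
        key, _, val = attr.strip().partition("=")
        if key.lower() == "samesite":
            return val.strip().lower() or "unspecified"
    return "unspecified"                             # modern browsers default to Lax


def assess_cors_token_theft(foreign_origin: str, headers: Headers) -> Assessment:
    """Decide whether a page at foreign_origin could read credentialed responses."""
    h = _normalise(headers)
    a = Assessment()
    acao = h.get("access-control-allow-origin", [""])[0].strip()
    acac = h.get("access-control-allow-credentials", [""])[0].strip().lower()

    if acao == "*":
        a.notes.append("ACAO is a wildcard: browsers block credentialed reads, "
                       "but check whether the server reflects arbitrary origins")
    elif acao and acao.lower() == foreign_origin.lower():
        a.origin_allowed = True
        a.notes.append(f"ACAO reflects the foreign origin {foreign_origin}")
    a.credentials_allowed = acac == "true"

    for sc in h.get("set-cookie", []):
        if cookie_samesite(sc) == "none":
            a.cross_site_cookies.append(sc.split("=", 1)[0].strip())
    return a
```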

### CVE-2026-20223 — Cisco Secure Workload: CVSS 10.0 zero-auth REST API grants Site Admin privileges across all tenants, no workaround

CVE-2026-20223 (CVSS 10.0, AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) is an access validation failure in the internal REST API of Cisco Secure Workload (formerly Tetration), the enterprise micro-segmentation platform ([Cisco PSIRT, 2026-05-20](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csw-pnbsa-g8WEnuy)). An unauthenticated remote attacker sends a single crafted HTTP request to an internal API endpoint to be granted Site Admin-level privileges — enabling cross-tenant data read, configuration modification, and full visibility over workload segmentation policy across all tenant boundaries. Both SaaS-hosted and on-premises deployments are affected; Cisco silently patched SaaS. On-premises operators must upgrade: 4.0.x → 4.0.3.17; 3.10.x → 3.10.8.3; 3.9 and earlier must migrate (no fix available). No workaround exists. Cisco found no evidence of exploitation at disclosure (2026-05-20); the vulnerability was discovered internally. NCSC-CH flagged this on 2026-05-21. The attack surface is the internal REST API management plane — restrict untrusted network access to the Secure Workload cluster API as the primary compensating control until patching is complete. Technique: `T1190 Exploit Public-Facing Application`. This is distinct from CVE-2026-20182 (Cisco Catalyst SD-WAN) covered on 2026-05-20.

— *Source: [Cisco PSIRT advisory, 2026-05-20](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csw-pnbsa-g8WEnuy) · [NCSC-CH Security Hub, 2026-05-21](https://security-hub.ncsc.admin.ch/#/posts/12588) · [The Register, 2026-05-21](https://www.theregister.com/security/2026/05/21/cisco-serves-up-yet-another-perfect-10-bug-with-secure-workload-admin-flaw/5244012) · Tags: vulnerabilities, rce, pre-auth · Region: global · CVE: CVE-2026-20223 · CVSS: 10.0 · Vector: zero-click · Auth: pre-auth · Status: patch-available*

#### CVE Summary Table

| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-34926 | Trend Micro Apex One On-Premise | 6.7 | n/a | Yes (2026-05-21) | Yes (ITW) | Build 17079 | [Trend Micro](https://success.trendmicro.com/en-US/solution/KA-0023430) |
| CVE-2025-34291 | Langflow AI Platform | 9.4 (v4) / 8.8 (v3) | n/a | Yes (2026-05-21) | Yes (ITW since Jan 2026) | >= 1.7.0 / 1.9.3 | [CISA KEV](https://www.cisa.gov/news-events/alerts/2026/05/21/cisa-adds-two-known-exploited-vulnerabilities-catalog) |
| CVE-2026-20223 | Cisco Secure Workload | 10.0 | n/a | No | No (disclosed internally) | 3.10.8.3 / 4.0.3.17 | [Cisco PSIRT](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csw-pnbsa-g8WEnuy) |

## 3. Research & Investigative Reporting

*No new qualifying primary research with operational defender impact in the 36-hour window — section intentionally left empty.*

## 4. Updates to Prior Coverage

### UPDATE: TeamPCP Mini Shai-Hulud — Unit 42 and StepSecurity confirm SLSA Build Level 3 attestation invalidated as integrity gate

> **UPDATE (originally covered 2026-05-19, updated 2026-05-21):** Unit 42 (Palo Alto Networks) and StepSecurity published concurrent technical analyses on 2026-05-21 of the TeamPCP Mini Shai-Hulud npm supply-chain campaign, establishing the defining novelty of this wave: the first documented case of malicious npm packages carrying valid SLSA Build Level 3 provenance attestations ([Unit 42, 2026-05-21](https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/)). Attackers hijacked the trusted OIDC identity of TanStack's legitimate GitHub Actions CI/CD pipeline mid-workflow — without stealing developer credentials — so the SLSA attestation was genuine while the package payload was malicious. This invalidates "package carries valid provenance attestation" as a sufficient supply-chain integrity gate.
>
> The execution chain runs `tanstack_runner.js` under the Bun JavaScript runtime, enumerating stored credentials including `gh auth token` capture (`T1552.001 Unsecured Credentials: Credentials In Files`); stolen npm tokens and GitHub PATs are used to backdoor every package the victim account can publish (`T1650 Acquire Access`), making the worm self-propagating across the npm ecosystem. By end of the 2026-05-11 wave, 373 malicious package versions across 169 npm packages and PyPI mirrors were active ([Unit 42, 2026-05-21](https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/)).
>
> Defender actions from this technical update: (a) SLSA attestation verification is now insufficient as a sole gate — add runtime behavioural scanning of npm install scripts alongside provenance checks; (b) Pin GitHub Actions to commit SHAs, not mutable tags, to prevent mid-workflow OIDC identity hijack; (c) If pipelines ran `npm publish` during 2026-05-11 to 2026-05-12, rotate npm tokens and GitHub PATs and audit owned packages for unauthorised versions; (d) In environments where Bun is not an approved runtime, flag any `bun` or `bun.js` process execution from a CI runner context (Sysmon EID 1 process-name filter).
>
> — *Source: [Unit 42, 2026-05-21](https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/) · [StepSecurity, 2026-05-21](https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem) · Tags: supply-chain, nation-state · Region: global · Sector: technology*

### UPDATE: Microsoft Defender CVE-2026-41091 + CVE-2026-45498 — both CVEs confirmed exploited, out-of-band engine update 4.18.26040.7 confirmed as fix

> **UPDATE (originally covered 2026-05-20):** Both Microsoft Defender vulnerabilities are confirmed as actively exploited in the wild and are addressed by a combined out-of-band engine update ([The Hacker News, 2026-05-21](https://thehackernews.com/2026/05/microsoft-warns-of-two-actively.html)). CVE-2026-41091 (CVSS 7.8, CWE-59 improper link resolution / link following in `MsMpEng.exe`) allows an authorized local standard user to abuse the privileged Defender process's symbolic-link resolution during file-system operations to elevate to `NT AUTHORITY\SYSTEM` (`T1068 Exploitation for Privilege Escalation`). CVE-2026-45498 (CVSS score 4.0, local DoS) was exploited alongside CVE-2026-41091 in observed attacks. Fixed: CVE-2026-41091 (LPE) requires Defender Antimalware Engine >= 1.1.26040.8; CVE-2026-45498 (DoS) requires Antimalware Platform >= 4.18.26040.7. Verify both via `Get-MpComputerStatus | Select AMEngineVersion, AMProductVersion`; check the engine version, not only the platform version, to confirm the LPE fix is applied. Environments with delayed auto-update channels (WSUS/Intune with manual approval) or air-gapped Defender deployments may not yet have received the update and remain at risk. Hunt signal: Sysmon EID 1 for SYSTEM-level process spawns from `MsMpEng.exe` as parent.
>
> — *Source: [The Hacker News, 2026-05-21](https://thehackernews.com/2026/05/microsoft-warns-of-two-actively.html) · [Microsoft MSRC CVE-2026-41091](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-41091) · Tags: vulnerabilities, actively-exploited, lpe, patch-available · Region: global · CVE: CVE-2026-41091, CVE-2026-45498 · CVSS: 7.8 / 4.0 · Vector: local · Auth: post-auth · Status: exploited, patch-available*

### UPDATE: West Pharmaceutical Services — 8-K/A confirms full operational restoration, data investigation ongoing

> **UPDATE (originally covered 2026-W21):** West Pharmaceutical Services (NYSE: WST) filed an 8-K/A amendment under SEC Item 1.05 on 2026-05-20 confirming full operational restoration across all manufacturing, supply chain, and commercial sites globally after the May 4 ransomware intrusion ([SEC EDGAR 8-K/A, 2026-05-20](https://www.sec.gov/Archives/edgar/data/0000105770/000010577026000077/wst-20260507.htm)). No unauthorized activity observed since 2026-05-05. Data exfiltration scope and threat actor attribution remain under investigation; Palo Alto Networks Unit 42 is conducting the forensic response. The 8-K/A marks formal closure of the containment phase under the SEC's mandatory cyber-incident disclosure cycle; data impact scope will require a further disclosure when the investigation concludes.
>
> — *Source: [SEC EDGAR 8-K/A West Pharmaceutical, 2026-05-20](https://www.sec.gov/Archives/edgar/data/0000105770/000010577026000077/wst-20260507.htm) · [Cybersecurity Dive, 2026-05-14](https://www.cybersecuritydive.com/news/west-pharmaceutical-restoring-operations-ransomware-attack/820250/) · Tags: ransomware, data-breach · Region: us · Sector: healthcare, manufacturing*

## 5. Deep Dive — Red Lamassu (Calypso/Bronze Medley): Showboat + JFMBackdoor telco espionage implant pair

**Background.** Calypso (also tracked as Red Lamassu and Bronze Medley) is a China-aligned espionage cluster active since at least mid-2022 based on Lumen's binary upload and victim telemetry — the Showboat/JFMBackdoor campaign dates to this period. The group has previously been linked to intrusions against government entities, energy companies, and telecommunications operators in Central Asia, South Asia, and the Middle East using commodity and bespoke tooling including PlugX and ShadowPad variants. Lumen Black Lotus Labs and PwC Threat Intelligence disclosed the Showboat/JFMBackdoor toolset on 2026-05-21 based on infrastructure analysis, binary upload telemetry, and victim telemetry ([Lumen Black Lotus Labs, 2026-05-21](https://www.lumen.com/blog/en-us/introducing-showboat-a-new-malware-family-taunts-defenses-and-targets-international-telecom-firms) · [PwC Threat Intelligence, 2026-05-21](https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/red-lamassu-open-season.html)).

**Linux implant: Showboat.** Showboat is a modular post-exploitation ELF binary. On disk, the process name is `kworker`, directly impersonating Linux kernel worker threads to evade basic process-list inspection (`T1036.005 Masquerade: Match Legitimate Name or Location`). The implant contacts its C2 server, collects basic system information, and encodes the beacon data as Base64 inside PNG image field bytes — blending C2 beaconing with image-format traffic (`T1001.002 Steganography`). Functional modules provide: (1) **remote shell** (`T1059.004 Unix Shell`); (2) **bidirectional file transfer**; (3) **SOCKS5 proxy and port-forwarding** (`T1090.001 Internal Proxy`) — enabling the attacker to tunnel through the compromised telecom server into internal network segments without direct external access to those targets; (4) a `hide` command that fetches a rootkit payload from a Pastebin or forum-style dead-drop at runtime (`T1102.001 Dead Drop Resolver`), pulling additional capability after initial deployment rather than shipping it on disk. C2 infrastructure is geolocated to Chengdu, Sichuan province, consistent with prior Calypso campaigns. X.509 certificate SAN/CN clustering links the campaign's confirmed victim set.

**Windows implant: JFMBackdoor.** JFMBackdoor is delivered via DLL sideloading (`T1574.002 Hijack Execution Flow: DLL Side-Loading`): a batch script drops a legitimate vendor-signed executable alongside a malicious DLL in a writable path; the signed binary loads the DLL, providing the attacker with remote shell, file operations, SOCKS5 proxy, screenshot capture, and self-removal capability. The use of a vendor-signed loader binary defeats application allowlisting based on signing alone.

**Kill-chain pattern.** Initial access vector is not publicly confirmed; the long-running nature (mid-2022 to 2026) and focus on network-exposed telecom infrastructure suggest exploitation of public-facing services (`T1190`) or credential-based entry. Post-access, Showboat provides the persistent Linux bridgehead; from there SOCKS5 tunnels are used for lateral movement into internal segments (`T1090.001`). Data collection via `T1560 Archive Collected Data` and exfiltration via the C2 covert channel completes the chain.

**Detection for EU/telco SOCs.** (1) Linux: `kworker` processes whose parent is not `kthreadd` (PID 2) are anomalous — legitimate kernel workers are exclusively children of `kthreadd`; any `kworker`-named process with a user-space parent (e.g., bash, sshd, any application binary) is high-confidence suspicious. Enumerate via auditd EXECVE rules or Sysmon for Linux EID 1 with parent-pid cross-check. (2) Linux: SOCKS5 connection establishment from application-layer daemon processes (not expected proxy services) to non-standard ports is a lateral-movement pivot indicator. (3) Linux: DNS queries or HTTP GET to `pastebin.com` from processes running as root or as non-web-facing service accounts are anomalous — no production daemon should be fetching Pastebin content. (4) Windows: Sysmon EID 7 (ImageLoad) showing a signed process binary loading an unsigned DLL from a writable user-controlled path (e.g., AppData, Temp, or any path not under `%SystemRoot%`) warrants investigation. (5) Network: X.509 certificate attribute hunting against the Chengdu IP ranges described by Lumen Black Lotus Labs; if your threat-intel platform supports cert-fingerprint or SAN searches, use the campaign's known certificate clustering pattern as a pivot.
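The parent-PID check in (1) above, as an added Python hunt script that is not from the Lumen or PwC reports. It assumes a Linux host and reads `/proc` directly; beyond the `kthreadd` parent test it adds a second property of genuine kernel threads, namely that they have no `/proc/<pid>/exe` target, which is reliable only when run as root.

```python
"""Hunt for user-space processes masquerading as Linux kernel worker threads.

Added example, not code from the Lumen or PwC reports. It implements the
check the brief describes: genuine kworker threads are children of kthreadd
(PID 2) and, being kernel threads, have no /proc/<pid>/exe target. A
kworker-named process that fails either test cannot be a real kernel worker.
Run as root so /proc/<pid>/exe is readable for every process; unprivileged
runs still get the parent-PID check.
"""
import os
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

KTHREADD_PID = 2
KWORKER_RE = re.compile(r"^kworker(/\S*)?$")   # "kworker" and "kworker/u8:3-events"
EXE_UNKNOWN = "<unreadable>"                   # readlink refused (not running as root)


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    comm: str            # kernel-visible name from /proc/<pid>/status (15 chars max)
    exe: Optional[str]   # None = no backing executable, i.e. a kernel thread


def read_procs() -> List[Proc]:
    """Snapshot every process from /proc (Linux only)."""
    procs: List[Proc] = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/status") as fh:
                fields = dict(line.split(":", 1) for line in fh if ":" in line)
            comm = fields["Name"].strip()
            ppid = int(fields["PPid"])
        except (OSError, KeyError, ValueError):
            continue                    # process exited mid-scan
        try:
            exe: Optional[str] = os.readlink(f"/proc/{pid}/exe")
        except PermissionError:
            exe = EXE_UNKNOWN           # another user's process and we are not root
        except OSError:
            exe = None                  # ENOENT: kernel thread (or zombie)
        procs.append(Proc(pid, ppid, comm, exe))
    return procs


def find_fake_kworkers(procs: Iterable[Proc]) -> List[Tuple[Proc, str]]:
    """Return (process, reason) for kworker-named processes that cannot be kernel threads."""
    suspects: List[Tuple[Proc, str]] = []
    for p in procs:
        if not KWORKER_RE.match(p.comm):
            continue
        reasons = []
        if p.ppid != KTHREADD_PID:
            reasons.append(f"parent PID {p.ppid} is not kthreadd ({KTHREADD_PID})")
        if p.exe is not None and p.exe != EXE_UNKNOWN:
            reasons.append(f"has a backing executable {p.exe}")
        if reasons:
            suspects.append((p, "; ".join(reasons)))
    return suspects


if __name__ == "__main__":
    for proc, reason in find_fake_kworkers(read_procs()):
        print(f"SUSPECT pid={proc.pid} comm={proc.comm} ppid={proc.ppid}: {reason}")
```

A process can rename itself with `prctl(PR_SET_NAME)`, so the `comm` value alone proves nothing; the parent and executable properties are what the script relies on.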

**Hardening.** On Linux telecom servers: (a) enforce process-name uniqueness checks via auditd rules that alert on EXECVE where `comm` matches `kworker` but `ppid` != 2; (b) egress-filter server processes to block outbound connections to hosting services (Pastebin, paste sites, general code-hosting) from root-context processes. On Windows: (c) require DLL signature enforcement via Windows Defender Application Control (WDAC) `RequireSignedCode` policy; (d) restrict writable paths in the DLL search order through AppLocker or WDAC deny-list rules on `AppData\Roaming`, `Temp`, and user-writable directories. Across the estate: (e) enforce strict outbound firewall rules on telecom infrastructure servers limiting egress to known management and update destinations.

— *Source: [Lumen Black Lotus Labs, 2026-05-21](https://www.lumen.com/blog/en-us/introducing-showboat-a-new-malware-family-taunts-defenses-and-targets-international-telecom-firms) · [PwC Threat Intelligence, 2026-05-21](https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/red-lamassu-open-season.html) · [BleepingComputer, 2026-05-21](https://www.bleepingcomputer.com/news/security/chinese-hackers-target-telcos-with-new-linux-windows-malware/) · [The Hacker News, 2026-05-21](https://thehackernews.com/2026/05/showboat-linux-malware-hits-middle-east.html) · Tags: nation-state, espionage, china-nexus · Region: europe, middle-east, apac · Sector: telco*

## 6. Action Items

- **Patch Trend Micro Apex One On-Premise to server/agent build 17079** — CVE-2026-34926 is actively exploited ITW (JPCERT, 2026-05-22); a compromised management console deploys attacker code to all managed endpoints. Verify version via Apex One management console's product version page; apply [KA-0023430](https://success.trendmicro.com/en-US/solution/KA-0023430). Treat the Apex One server host as Tier-0 — restrict management VLAN access before patch is applied.

— *Source: [JPCERT/CC, 2026-05-22](https://www.jpcert.or.jp/english/at/2026/at260014.html) · Tags: actively-exploited, vulnerabilities, cisa-kev · Region: global*

- **Upgrade Langflow to >= 1.7.0 (or 1.9.3)** — CVE-2025-34291 in CISA KEV (added 2026-05-21); Flodric botnet actively exploiting exposed Langflow instances via CORS token theft. If Langflow is internet-exposed, block access immediately and patch before re-exposing. Check `langflow --version`; update via `pip install langflow --upgrade`.

— *Source: [CISA KEV, 2026-05-21](https://www.cisa.gov/news-events/alerts/2026/05/21/cisa-adds-two-known-exploited-vulnerabilities-catalog) · Tags: actively-exploited, vulnerabilities, cisa-kev · Region: global*

- **Restrict network access to Cisco Secure Workload REST API management plane** — CVE-2026-20223 is CVSS 10.0 zero-auth; on-prem deployments require manual upgrade to 3.10.8.3 or 4.0.3.17 (3.9 and earlier: migrate). Until patched, firewall the Secure Workload cluster API endpoints to trusted management hosts only. See § 2 for affected version table.

— *Source: [Cisco PSIRT, 2026-05-20](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csw-pnbsa-g8WEnuy) · Tags: vulnerabilities, rce, pre-auth · Region: global*

- **Verify Defender Antimalware Engine >= 1.1.26040.8 (LPE fix) AND Platform >= 4.18.26040.7 (DoS fix)** — CVE-2026-41091 (SYSTEM LPE via MsMpEng.exe link-following) confirmed ITW; run `Get-MpComputerStatus | Select AMEngineVersion, AMProductVersion` on all Windows endpoints. `AMProductVersion` alone does not confirm the LPE is patched — check `AMEngineVersion`. Environments using delayed-approval WSUS/Intune update rings may not have received the out-of-band engine update yet — approve immediately.

— *Source: [Microsoft MSRC, 2026-05-19](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-41091) · Tags: actively-exploited, vulnerabilities, lpe · Region: global*

- **Hunt for kworker process anomalies on Linux telecom and infrastructure servers** — Showboat (Calypso/Red Lamassu) masquerades as `kworker`; legitimate kernel workers are exclusively children of `kthreadd` (PID 2). Any `kworker`-named process with a user-space parent is high-confidence suspicious. Deploy auditd EXECVE rule checking `ppid != 2` when `comm = kworker`, or Sysmon for Linux EID 1 with parent-pid filter. Flag egress DNS/HTTP to pastebin.com from daemon-context processes.

— *Source: [BleepingComputer, 2026-05-21](https://www.bleepingcomputer.com/news/security/chinese-hackers-target-telcos-with-new-linux-windows-malware/) · Tags: nation-state, espionage, china-nexus · Region: europe, middle-east · Sector: telco*
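The kworker parent-PID hunt described in § 5 and in the action item above, as an added worked example (this is not code from the brief, from Lumen or from PwC). It assumes the stated invariant that genuine kernel workers are children of `kthreadd` (PID 2), parses either constructed `ps -eo pid,ppid,comm` output or the live `/proc` tree, and goes slightly beyond the text by matching a few other common kernel-thread name prefixes, not only `kworker`. The sample process list is constructed for illustration.

```python
"""Hunt for user-space processes masquerading as kernel worker threads.

Added example for the Showboat kworker masquerade pattern: genuine kernel
threads are children of kthreadd (PID 2), so a process with a kernel-thread
name whose parent is anything else (bash, sshd, systemd, ...) is suspicious.
"""
import os
import re
from dataclasses import dataclass

KTHREADD_PID = 2
# Kernel-thread name prefixes; a user-space binary borrowing one of these is
# the masquerade pattern. Going beyond the brief, which names only kworker.
KERNEL_THREAD_NAMES = re.compile(r"^(kworker|ksoftirqd|kthreadd|migration|rcu_)")


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str


def parse_ps(text: str) -> list:
    """Parse `ps -eo pid,ppid,comm` output; header and blank lines are skipped."""
    procs = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or not parts[0].isdigit():
            continue
        procs.append(Proc(int(parts[0]), int(parts[1]), parts[2].strip()))
    return procs


def read_live_procs(proc_root: str = "/proc") -> list:
    """Build the same list from /proc/<pid>/stat (comm is in parentheses and may
    contain spaces, so split on the last ')' rather than on whitespace)."""
    procs = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(f"{proc_root}/{entry}/stat") as fh:
                stat = fh.read()
        except OSError:
            continue  # process exited between listdir and open
        lpar, rpar = stat.index("("), stat.rindex(")")
        comm = stat[lpar + 1:rpar]
        fields = stat[rpar + 2:].split()  # fields[0] is state, fields[1] is ppid
        procs.append(Proc(int(entry), int(fields[1]), comm))
    return procs


def find_fake_kernel_threads(procs: list) -> list:
    """Return (proc, parent_comm) for kernel-named processes not parented by
    kthreadd. kthreadd itself (PID 2, parent 0) is exempt."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if p.pid == KTHREADD_PID:
            continue
        if KERNEL_THREAD_NAMES.match(p.comm) and p.ppid != KTHREADD_PID:
            parent = by_pid.get(p.ppid)
            hits.append((p, parent.comm if parent else "?"))
    return hits


# Constructed sample: PIDs 4902 and 5110 are the masqueraders.
SAMPLE_PS = """\
  PID  PPID COMMAND
    1     0 systemd
    2     0 kthreadd
   12     2 kworker/0:1
   13     2 ksoftirqd/0
 1422     1 sshd
 4871  1422 bash
 4902  4871 kworker/u8:3
 5110     1 kworker
"""

if __name__ == "__main__":
    source = read_live_procs() if os.path.isdir("/proc") else parse_ps(SAMPLE_PS)
    for proc, parent in find_fake_kernel_threads(source):
        print(f"SUSPECT pid={proc.pid} comm={proc.comm!r} ppid={proc.ppid} parent={parent}")
```

Run it as a cron or osquery-style sweep on the Linux fleet; on a clean host it prints nothing. Because `comm` in `/proc` is truncated to 15 characters, the check keys on the prefix, which is also what the masquerade relies on.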

- **Rotate npm tokens and GitHub PATs if your pipeline ran npm publish during 2026-05-11 to 2026-05-12** — TeamPCP Mini Shai-Hulud stole tokens via `gh auth token` capture in CI runners; self-propagating worm backdoored packages across every account the stolen token could reach. Audit owned npm packages for unauthorised versions published in that window.

— *Source: [Unit 42, 2026-05-21](https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/) · Tags: supply-chain · Region: global · Sector: technology*
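The "audit owned npm packages for unauthorised versions published in that window" step, as an added example (not code from the brief or from Unit 42). It assumes the registry's per-package `time` map, which `npm view <pkg> time --json` returns, and a set of versions the team knows it released (from git tags or a release log); anything in the window that the team did not publish is flagged. The `time` map below is constructed for illustration.

```python
"""Flag npm package versions published inside an incident window that the
owning team did not release itself.

Added example: the registry's `time` map (as printed by
`npm view <pkg> time --json`) records a publish timestamp per version.
"""
from datetime import datetime, timezone

# Incident window from the brief: 2026-05-11 through 2026-05-12 (UTC, inclusive).
WINDOW_START = datetime(2026, 5, 11, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 5, 13, tzinfo=timezone.utc)  # exclusive


def _parse_ts(ts: str) -> datetime:
    # Registry timestamps end in "Z"; older Pythons' fromisoformat needs "+00:00".
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def versions_in_window(time_map: dict, start: datetime, end: datetime) -> list:
    """Versions whose publish time falls in [start, end). Non-version keys such as
    'created', 'modified' and the 'unpublished' object are skipped."""
    hits = []
    for key, value in time_map.items():
        if key in ("created", "modified") or not isinstance(value, str):
            continue
        if start <= _parse_ts(value) < end:
            hits.append(key)
    return sorted(hits)


def unexpected_in_window(time_map: dict, start: datetime, end: datetime,
                         known_versions: set) -> list:
    """Versions published in the window that the team has no record of releasing."""
    return [v for v in versions_in_window(time_map, start, end) if v not in known_versions]


# Constructed sample `time` map for a hypothetical package "example-lib".
SAMPLE_TIME = {
    "created": "2024-01-10T09:00:00.000Z",
    "modified": "2026-05-12T03:14:05.000Z",
    "1.0.0": "2024-01-10T09:00:00.000Z",
    "1.2.0": "2026-04-30T10:00:00.000Z",
    "1.2.1": "2026-05-11T22:41:17.000Z",
    "1.2.2": "2026-05-12T03:14:05.000Z",
}
# Versions the (hypothetical) team actually tagged and released.
KNOWN_RELEASES = {"1.0.0", "1.2.0", "1.2.1"}

if __name__ == "__main__":
    for version in unexpected_in_window(SAMPLE_TIME, WINDOW_START, WINDOW_END, KNOWN_RELEASES):
        print(f"UNEXPECTED example-lib@{version} published {SAMPLE_TIME[version]}")
```

A version that appears here was pushed with a credential the team holds but did not use; that version's tarball and `package.json` scripts need review, and the token that published it is the one to revoke first.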

## 7. Verification Notes

- **Coverage window:** standard (gap to prior brief: 24 h, window: 36 h).
- **Items dropped — out-of-window primary source (all primary sources outside 36 h window):**
  - ICO fine £963,900 vs. South Staffordshire Water (Cl0p, 20-month dwell) — ICO primary 2026-05-11, outside window. No in-window fresh development found.
  - Microsoft DART / HPE Operations Manager third-party intrusion case study (123-day dwell) — Microsoft Security Blog primary 2026-05-12, outside window. No in-window news coverage found.
  - Fortinet FortiAuthenticator CVE-2026-44277 (CVSS 9.8) + FortiSandbox CVE-2026-26083 (CVSS 9.1) — Fortinet PSIRT primary 2026-05-13, outside window. Not in CISA KEV; no confirmed exploitation in window.
  - SAP May 2026 Patch Day (CVE-2026-34260 SQL injection S/4HANA CVSS 9.6; CVE-2026-34263 unauthenticated RCE Commerce Cloud CVSS 9.6) — SAP Security Notes primary 2026-05-12, outside window.
- **Verizon 2026 DBIR** (published 2026-05-19–20, S4 found, in-window): covered in weekly 2026-W21 as annual-report entry (PD-9 — no re-treatment in daily). Not re-summarised.
- **CVE-2026-45585 (YellowKey BitLocker bypass):** previously covered as UPDATE on 2026-05-20; S2 sources (MSRC 2026-05-20, NCSC-NL 2026-05-20) are same-day as prior coverage — no material new delta; excluded.
- **Microsoft Entra ID / Azure cloud CVSS 10.0 cluster** (CVE-2026-42901, CVE-2026-47280, CVE-2026-23652, CVE-2026-40411, CVE-2026-42823 — MSRC 2026-05-21): already mitigated server-side by Microsoft, no customer action required, no exploitation, ENISA EUVD status unverified. Excluded from § 2; operators monitoring Azure/Entra posture should review May 2026 MSRC release.
- **Single-source items:** ICO POCA confiscation (Rizwan Manjra) — ICO is the primary disclosing party for its own enforcement action; no other source covered in window.
- **Coverage gaps:** `sophos-xops` (HTTP 503, 4 consecutive failures, no bridge available); `inside-it-ch` (HTTP 403, 5 consecutive failures, no Wayback snapshot); `databreaches-net` (HTTP 403, bridge also 403, 4 consecutive failures, rotation-priority — WebSearch fallback found no in-window items); `recordedfuture` (RSS 404). Note: Lumen Black Lotus Labs blog previously recorded as redirect-to-homepage during research sub-agent phase; verification sub-agent (iter 1) confirmed the full blog URL resolves — Lumen and PwC Threat Intelligence are now promoted as primary sources for the Showboat/JFMBackdoor item in § 1 and § 5.
- **Verification iteration 1 (2026-05-22T06:40:29Z–06:46:02Z, Claude Opus 4.7):** NEEDS_FIXES — 4 truth, 4 editorial, 1 advisory. All applied.
- **Verification iteration 2 (2026-05-22T06:54:52Z–07:00:28Z, Claude Sonnet 4.6):** NEEDS_FIXES — 1 truth, 2 editorial. Findings: JPCERT advisory misplaced in Langflow footer (removed); HKCERT Evidence quote had no backing URL (HKCERT advisory URL added to § 0 callout footer); Defender AMEngineVersion check missing for LPE CVE (added). All applied.
- **Verification iteration 3 (2026-05-22T07:07:09Z–07:11:40Z, Claude Opus 4.7):** CLEAN — 0 truth, 0 editorial, 0 advisory. All iter 1 and iter 2 remediations confirmed correct; all primary source facts independently verified.
- **CVE-2025-34291 (Langflow) source quality gap (iter 2 advisory F4):** CISA KEV is the only non-NVD primary reachable in this run; the JPCERT advisory in url-liveness.tsv covers only Apex One. Trend Micro's Flodric botnet analysis was not reachable as a primary URL. Reduced confidence on Flodric attribution specifics — the core CORS/token-theft CVE details are from the CISA KEV description, which directly quotes the Langflow security bulletin.
