# CTI Daily Brief — 2026-05-23

> **AI-generated content — no human review.** This brief was produced autonomously by an LLM (Claude Opus 4.7, model ID `claude-opus-4-7`) with parallel research and verification by sub-agents (Claude Sonnet 4.6, Claude Opus 4.7) executing the prompt at `prompts/daily-cti-brief.md` as a Claude Code routine on Anthropic-managed cloud infrastructure. **Nothing here is reviewed or edited by a human before publication.** All facts are linked inline to public sources the agent fetched in this run. Verify any operationally critical claim against the linked primary source before acting.

**Generated by:** Claude Opus 4.7 (`claude-opus-4-7`) · **Sub-agents:** S1: Claude Sonnet 4.6 · S2: Claude Sonnet 4.6 · S3: Claude Sonnet 4.6 · S4: Claude Sonnet 4.6 · verify: Claude Opus 4.7, Claude Sonnet 4.6 (4 iterations, model-rotated; iter 4 CLEAN) · **Classification:** TLP:CLEAR · **Language:** English · **Prompt:** v2.59 · **Recency window:** 36 h (gap to prior brief: 24 h)

## 0. TL;DR

- **Drupal CVE-2026-9082 now actively exploited; CISA KEV-listed 2026-05-22.** Drupal updated SA-CORE-2026-004 to confirm in-the-wild exploit attempts on PostgreSQL-backed sites; Imperva measured 15,000+ attempts against ~6,000 sites across 65 countries; NCSC.ch Security Hub flipped post 12584 to "Actively exploited" the same day ([Drupal Security Team, 2026-05-22](https://www.drupal.org/sa-core-2026-004) · [Imperva, 2026-05-21](https://www.imperva.com/blog/imperva-customers-protected-against-cve-2026-9082-in-drupal-core/) · [NCSC-CH, 2026-05-22](https://security-hub.ncsc.admin.ch/#/posts/12584)).
- **Dutch FIOD seizes 800 servers from Stark Industries proxy hoster — among the first publicly reported EU criminal enforcement actions against a sanctions-shielding bulletproof host.** Suspects connected to WorkTitans B.V. and MIRhosting arrested for sustaining the infrastructure that fronted NoName057(16) DDoS operations against EU and Swiss public-sector targets ([FIOD, 2026-05-22](https://www.fiod.nl/fiod-houdt-twee-verdachten-aan-wegens-overtreding-sanctiewetgeving/) · [BleepingComputer, 2026-05-22](https://www.bleepingcomputer.com/news/security/netherlands-seizes-800-servers-of-hosting-firm-enabling-cyberattacks/)).
- **Kimwolf / "Dort" arrested in Ottawa — 30+ Tbps DDoS-for-hire infrastructure.** Jacob Butler, 23, charged in U.S. and Canada for operating the AISURU-variant Kimwolf botnet; >25,000 attack commands including against DoD IP space; coordinated C2 takedown March 2026 dismantled Kimwolf alongside AISURU/JackSkid/Mossad ([KrebsOnSecurity, 2026-05-22](https://krebsonsecurity.com/2026/05/alleged-kimwolf-botmaster-dort-arrested-charged-in-u-s-and-canada/)).
- **Megalodon mass-poisoned 5,561 GitHub repos with automated commits on 2026-05-18.** The commits inject `SysDiag` and `Optimize-Build` GitHub Actions workflows that exfiltrate AWS/GCP/Azure credentials, OIDC tokens and SSH keys from CI runners; the @tiledesk/tiledesk-server npm package 2.18.6–2.18.12 carries the dormant `Optimize-Build` variant ([SafeDep, 2026-05-21](https://safedep.io/megalodon-mass-github-repo-backdooring-ci-workflows/) · [OX Security, 2026-05-21](https://www.ox.security/blog/megalodon-cicd-malware-github/)).
- **FBI PSA260521 warns on Kali365 — OAuth device-code PhaaS bypassing M365 MFA without credential capture.** $250/month Telegram-distributed kit issues device codes via lures impersonating Adobe/DocuSign/SharePoint; secondary AiTM mode proxies session cookies; observed outcomes since April 2026 include mailbox exfiltration, lateral phishing, BEC fraud and ransomware pre-staging ([The Register, 2026-05-22](https://www.theregister.com/cyber-crime/2026/05/22/fbi-warns-of-kali365-as-device-code-phishing-soars/5245024) · [Help Net Security, 2026-05-22](https://www.helpnetsecurity.com/2026/05/22/kali365-microsoft-365-phishing-fbi-warning/)).
- **Iran's Screening Serpens (UNC1549) operationalises AppDomainManager hijacking against aerospace, defence and telecom.** Unit 42 documents six new RAT variants (four MiniUpdate, two MiniJunk V2) deployed via legitimate Microsoft .NET binaries paired with weaponised `.runtimeconfig.json` files that silently disable ETW tracing and strong-name validation before the RAT runs ([Unit 42, 2026-05-22](https://unit42.paloaltonetworks.com/tracking-iran-apt-screening-serpens/)).

> **Immediate Action — Patch Drupal CVE-2026-9082 today on PostgreSQL-backed deployments.** Active in-the-wild exploitation was confirmed by Drupal and corroborated by NCSC.ch on 2026-05-22; Imperva reports observing 15,000+ exploitation attempts against ~6,000 sites across 65 countries ([Imperva, 2026-05-21](https://www.imperva.com/blog/imperva-customers-protected-against-cve-2026-9082-in-drupal-core/)). The flaw is an anonymous pre-authentication SQL injection in the Entity Query API's PostgreSQL path — no login, no role, no user interaction required. Swiss federal and cantonal portals, EU institution Drupal instances, and academic SWITCH-hosted sites running PostgreSQL backends are direct targets. Patch to 10.4.10 / 10.5.10 / 10.6.9 / 11.1.10 / 11.2.12 / 11.3.10 or one of the EOL best-effort releases per [SA-CORE-2026-004](https://www.drupal.org/sa-core-2026-004); if patching cannot be completed today, the safest temporary control is to swap the database backend to MySQL/MariaDB (the injection does not affect those backends).
>
> — *Source: [Drupal Security Team SA-CORE-2026-004](https://www.drupal.org/sa-core-2026-004) · [NCSC.ch Security Hub post 12584](https://security-hub.ncsc.admin.ch/#/posts/12584) · Additional source: [Imperva — Customers Protected Against CVE-2026-9082](https://www.imperva.com/blog/imperva-customers-protected-against-cve-2026-9082-in-drupal-core/) · Additional source: [BleepingComputer (2026-05-22)](https://www.bleepingcomputer.com/news/security/drupal-critical-sql-injection-flaw-now-targeted-in-attacks/) · Tags: vulnerabilities, actively-exploited, pre-auth, rce, cisa-kev, patch-available · Region: global, switzerland, europe · Sector: public-sector, education · CVE: CVE-2026-9082 · CVSS: 6.5 · Vector: zero-click · Auth: pre-auth · Status: exploited, cisa-kev, patch-available · Evidence: "Drupal confirmed: exploit attempts are now being detected in the wild" (BleepingComputer); "Current exploitation status: Actively exploited" (NCSC.ch Security Hub); "Imperva sees more than 15,000 exploit attempts against around 6,000 Drupal websites in 65 countries" (Imperva)*
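As an added triage aid (not Drupal Security Team code), the script below reads a checkout's core version and configured database driver and places it against the fixed releases listed in SA-CORE-2026-004; it assumes the standard Drupal 8+ layout (`core/lib/Drupal.php`, `sites/default/settings.php`) and the two sample file contents are constructed.

```python
import re
from pathlib import Path

# Minimum fixed release per supported branch, taken from SA-CORE-2026-004 as quoted above.
FIXED_BY_BRANCH = {
    (10, 4): (10, 4, 10),
    (10, 5): (10, 5, 10),
    (10, 6): (10, 6, 9),
    (11, 1): (11, 1, 10),
    (11, 2): (11, 2, 12),
    (11, 3): (11, 3, 10),
}

# The injection is in the Entity Query API's PostgreSQL path; MySQL/MariaDB are unaffected.
AFFECTED_DRIVERS = {"pgsql"}

# Constructed stand-ins for core/lib/Drupal.php and sites/default/settings.php.
SAMPLE_DRUPAL_PHP = "<?php\n\nclass Drupal {\n  const VERSION = '10.6.8';\n}\n"
SAMPLE_SETTINGS_PHP = (
    "<?php\n$databases['default']['default'] = [\n"
    "  'database' => 'drupal',\n  'username' => 'drupal',\n"
    "  'driver' => 'pgsql',\n  'host' => 'localhost',\n];\n"
)

VERSION_RX = re.compile(r"const\s+VERSION\s*=\s*'(\d+)\.(\d+)\.(\d+)")
DRIVER_RX = re.compile(r"['\"]driver['\"]\s*=>\s*['\"](\w+)['\"]")


def parse_version(drupal_php: str) -> tuple:
    """Read the core VERSION constant; any pre-release suffix (e.g. -dev) is ignored."""
    m = VERSION_RX.search(drupal_php)
    if not m:
        raise ValueError("VERSION constant not found in core/lib/Drupal.php")
    return tuple(int(x) for x in m.groups())


def parse_driver(settings_php: str):
    """Return the first database driver declared in settings.php, or None if absent."""
    m = DRIVER_RX.search(settings_php)
    return m.group(1) if m else None


def assess(version: tuple, driver) -> str:
    """Classify: unknown-backend, not-affected-backend, patched, vulnerable, unsupported-branch."""
    if driver is None:
        return "unknown-backend"
    if driver not in AFFECTED_DRIVERS:
        return "not-affected-backend"
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is None:
        # EOL branch: only best-effort releases exist, so the version alone cannot settle it.
        return "unsupported-branch"
    return "patched" if version >= fixed else "vulnerable"


def triage_checkout(root) -> dict:
    """Run the check against a real Drupal tree (standard Drupal 8+ layout assumed)."""
    root = Path(root)
    version = parse_version((root / "core" / "lib" / "Drupal.php").read_text())
    driver = parse_driver((root / "sites" / "default" / "settings.php").read_text())
    return {"version": ".".join(map(str, version)), "driver": driver,
            "status": assess(version, driver)}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(triage_checkout(sys.argv[1]))
    else:  # offline demo on the constructed samples
        v, d = parse_version(SAMPLE_DRUPAL_PHP), parse_driver(SAMPLE_SETTINGS_PHP)
        print(f"{'.'.join(map(str, v))} on {d}: {assess(v, d)}")
```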

## 1. Active Threats, Trending Actors, Notable Incidents & Disclosures

### Netherlands FIOD arrests two over EU sanctions evasion for Stark Industries front; 800 servers seized; NoName057(16) DDoS plumbing dismantled

On 2026-05-18 the Dutch Fiscal Information and Investigation Service (FIOD) arrested two suspects — a 57-year-old man from Amsterdam and a 39-year-old man from The Hague, both connected to bulletproof-hosting operators (WorkTitans B.V. and MIRhosting) named in the related corroborating coverage — raiding four locations including data centres in Dronten and Schiphol-Rijk plus the suspects' residences in Enschede and Almere, and seizing 800 servers, laptops, phones and administrative records ([FIOD, 2026-05-22](https://www.fiod.nl/fiod-houdt-twee-verdachten-aan-wegens-overtreding-sanctiewetgeving/) · [BleepingComputer, 2026-05-22](https://www.bleepingcomputer.com/news/security/netherlands-seizes-800-servers-of-hosting-firm-enabling-cyberattacks/) · [DutchNews.nl, 2026-05-22](https://www.dutchnews.nl/2026/05/two-dutch-men-arrested-for-aiding-russian-cyberattacks/)). The charges are filed under the Dutch Sanctions Act: the two firms are accused of sustaining bulletproof hosting infrastructure for Stark Industries Solutions Ltd, designated by the EU in May 2025 for facilitating Russian and Belarusian destabilisation operations. Recorded Future's Insikt Group had already documented the sanctions-evasion playbook last year — Stark Industries migrated its ASN (AS44477) to AS209847 (WorkTitans) and rebranded the operating brand to THE.Hosting while retaining the same RIPE maintainer objects under Dmitrii Miasnikov, a transparent shell concealing ownership continuity ([Recorded Future Insikt Group, 2025-06](https://www.recordedfuture.com/research/one-step-ahead-stark-industries-solutions-preempts-eu-sanctions)).

This is one of the first publicly reported criminal enforcement actions in the EU directed at a bulletproof hoster acting as a proxy for a designated Russian entity, and the operational nexus to Switzerland is direct: per De Volkskrant reporting carried by BleepingComputer, Danish authorities have alleged that WorkTitans infrastructure supported NoName057(16) DDoS campaigns against EU and NATO member-state websites — Swiss federal and cantonal public-sector sites included. Defender vantage: the seized intelligence will generate lead packages on the criminal-customer book, but the immediate hunt value is at network level. AS44477 (legacy Stark) and AS209847 (THE.Hosting / WorkTitans) IP space has appeared in blocklist feeds since mid-2024; review ingress rate-limiting and scrubbing SLAs for any remaining traffic from this AS pair and from BGP-adjacent peers, and re-check application-layer rate limits on the citizen-facing portals NoName057(16) historically targeted.

**Why it matters to us:** Swiss public-sector portals have been a recurring NoName057(16) target; the takedown is a chance to re-baseline scrubbing capacity and re-check AS-level blocklists, not a sign that the threat is over (DDoS-for-hire reorganises quickly).

— *Source: [FIOD official press release](https://www.fiod.nl/fiod-houdt-twee-verdachten-aan-wegens-overtreding-sanctiewetgeving/) · [BleepingComputer](https://www.bleepingcomputer.com/news/security/netherlands-seizes-800-servers-of-hosting-firm-enabling-cyberattacks/) · Additional source: [DutchNews.nl](https://www.dutchnews.nl/2026/05/two-dutch-men-arrested-for-aiding-russian-cyberattacks/) · Additional source: [Recorded Future Insikt Group (2025-06 background)](https://www.recordedfuture.com/research/one-step-ahead-stark-industries-solutions-preempts-eu-sanctions) · Tags: law-enforcement, organized-crime, ddos, russia-nexus, eu-nexus · Region: europe, switzerland · Sector: public-sector, telco*

### Kimwolf / "Dort" DDoS-for-hire operator arrested — 30+ Tbps IoT botnet, U.S. DoD-range targeting, AISURU variant

Canadian authorities (Ontario Provincial Police) arrested Jacob Butler, 23, of Ottawa — alias **Dort** — earlier this week on a U.S. extradition warrant; the U.S. Department of Justice unsealed the criminal complaint in the District of Alaska on **Thursday 2026-05-21** ([U.S. Department of Justice, 2026-05-21](https://www.justice.gov/usao-ak/pr/canadian-man-arrested-international-authorities-charged-administrating-kimwolf-ddos) · [KrebsOnSecurity, 2026-05-22](https://krebsonsecurity.com/2026/05/alleged-kimwolf-botmaster-dort-arrested-charged-in-u-s-and-canada/) · [The Record, 2026-05-22](https://therecord.media/canadian-man-arrested-charged-running-kimwolf-botnet)). Butler is alleged to have developed and operated **Kimwolf**, a DDoS-for-hire botnet assessed as a variant of AISURU. Kimwolf infected primarily consumer IoT — digital photo frames, webcams and other internet-exposed devices — via default credentials and known public CVEs, issued more than 25,000 DDoS attack commands, and peaked at **nearly 30 Tbps** per the DOJ and KrebsOnSecurity (The Hacker News reports the peak as 31.4 Tbps — the discrepancy is between the DOJ-cited figure used in the unsealed complaint and a secondary number cited by THN; treat the DOJ number as the reference for capacity-planning purposes). Targets included U.S. Department of Defense IP ranges and at least one victim with confirmed losses exceeding $1 million per incident. Kimwolf C2 infrastructure was seized 2026-03-19 in a coordinated multi-jurisdiction action alongside three sibling botnets — AISURU, JackSkid and Mossad — collectively infecting >3 million devices.

The complaint also documents that Butler conducted DDoS, doxing and swatting attacks against researchers who investigated him, including Synthient's Ben Brundage who had helped identify a Kimwolf-exploited vulnerability. Defender takeaway for Swiss and EU operators: the 30 Tbps capability is now demonstrably in range of a single operator's commercial service, and DDoS-for-hire infrastructure reorganises within weeks of takedowns. Re-baseline ISP scrubbing SLAs against a 10–30 Tbps reference, audit citizen-facing portals' application-layer rate limits, and segment consumer-grade IoT (frames, cameras, NVRs) off any path that touches critical infrastructure or admin networks.

**Why it matters to us:** Kimwolf belongs to the IoT-amplification class of botnets that target Swiss/EU public-sector portals; the arrest is an opportunity to re-test scrubbing capacity and IoT segmentation, not to assume the supply has shrunk.

— *Source: [U.S. Department of Justice press release](https://www.justice.gov/usao-ak/pr/canadian-man-arrested-international-authorities-charged-administrating-kimwolf-ddos) · [KrebsOnSecurity](https://krebsonsecurity.com/2026/05/alleged-kimwolf-botmaster-dort-arrested-charged-in-u-s-and-canada/) · Additional source: [The Record](https://therecord.media/canadian-man-arrested-charged-running-kimwolf-botnet) · Additional source: [The Hacker News](https://thehackernews.com/2026/05/kimwolf-ddos-botnet-operator-arrested.html) · Tags: law-enforcement, botnet, ddos, organized-crime · Region: global, us · Sector: defense, telco, public-sector*

### Megalodon mass-poisons 5,561 GitHub repos in a 6-hour window; SysDiag + Optimize-Build workflows exfiltrate cloud credentials and OIDC tokens

SafeDep and OX Security disclosed an automated mass-backdooring campaign tracked as **Megalodon** that pushed thousands of malicious commits to 5,561 distinct GitHub repositories in a roughly six-hour window on 2026-05-18, using throwaway accounts with forged committer identities such as `build-bot`, `auto-ci`, `ci-bot` and `pipeline-bot` ([SafeDep, 2026-05-21](https://safedep.io/megalodon-mass-github-repo-backdooring-ci-workflows/) · [OX Security, 2026-05-21](https://www.ox.security/blog/megalodon-cicd-malware-github/) · [The Hacker News, 2026-05-22](https://thehackernews.com/2026/05/megalodon-github-attack-targets-5561.html)). Two GitHub Actions YAML variants were injected: **SysDiag**, triggered on every `push` and `pull_request` event (T1059.004 Unix Shell via CI Runner) to maximise execution frequency in active repos, and **Optimize-Build**, which replaces existing workflows with `workflow_dispatch` triggers — a dormant backdoor that the attacker can activate on demand via the GitHub REST API (T1546 Event Triggered Execution). Both variants carry a base64-encoded bash payload that the SafeDep and OX Security write-ups disassemble in detail.

On execution the payload harvests CI environment variables, `/proc/*/environ` entries, AWS credentials across configured profiles and IMDSv2 metadata, GCP access tokens via `gcloud auth print-access-token`, Azure IMDS tokens, SSH private keys from `~/.ssh/`, Docker config files, `.npmrc`, `.netrc`, Kubernetes configs, Vault tokens, Terraform credentials and — critically for CI/CD trust chains — GitHub Actions OIDC tokens (T1552.004 Private Keys; T1078.004 Cloud Accounts). The npm package `@tiledesk/tiledesk-server` versions 2.18.6–2.18.12 carries the `Optimize-Build` variant after the maintainer's GitHub repo was compromised; SafeDep's Malysis engine flagged the package. Detection vantage: audit every `.github/workflows/*.yml` for the SafeDep-published payload markers and unfamiliar committer identities on recent commits; review CI runner process trees for `aws configure list-profiles`, `gcloud auth print-access-token` and `curl http://169.254.169.254` calls outside expected infra tests. Hardening: require approval for `workflow_dispatch` on untrusted branches, gate `.github/workflows/` changes behind CODEOWNERS review, adopt OIDC-based trusted publishing to eliminate long-lived cloud credentials, and pin third-party actions to commit SHAs not branch tags.
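The audit described above, as an added example (not SafeDep's, OX Security's or GitHub's code): a scanner that tags a workflow file for the injected names, the `workflow_dispatch` trigger, the payload markers named in this section and unpinned third-party actions, plus a check for the forged committer identities. The two sample workflows are constructed, the regexes are this example's own, and the `ACTIONS_ID_TOKEN_REQUEST_*` variable names are an assumption about the runner environment.

```python
import re

# Constructed sample workflows (not the real Megalodon payloads): one clean, one shaped
# like the dormant Optimize-Build variant described by SafeDep and OX Security.
CLEAN_WORKFLOW = """\
name: test
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # placeholder SHA pin
      - run: npm ci && npm test
"""

SUSPICIOUS_WORKFLOW = """\
name: Optimize-Build
on:
  workflow_dispatch:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: optimize
        run: |
          echo QUFBQQ== | base64 -d | bash
          gcloud auth print-access-token
"""

# Payload markers named in the write-ups; the regexes are this example's own.
PAYLOAD_MARKERS = {
    "base64-to-shell": re.compile(r"base64\s+(?:-d|--decode)\s*\|\s*(?:ba)?sh\b"),
    "aws-profile-enum": re.compile(r"aws\s+configure\s+list-profiles"),
    "gcp-token": re.compile(r"gcloud\s+auth\s+print-access-token"),
    "imds-endpoint": re.compile(r"169\.254\.169\.254"),
    "proc-environ": re.compile(r"/proc/\S*/environ"),
    # Runner-side OIDC token request variables (assumption about the Actions environment).
    "oidc-token-env": re.compile(r"ACTIONS_ID_TOKEN_REQUEST_(?:TOKEN|URL)"),
}
INJECTED_NAMES = {"SysDiag", "Optimize-Build"}
FORGED_COMMITTERS = {"build-bot", "auto-ci", "ci-bot", "pipeline-bot"}
TOP_LEVEL_NAME = re.compile(r"^name:\s*(.+?)\s*$", re.M)
USES_REF = re.compile(r"^\s*-?\s*uses:\s*(\S+)", re.M)
SHA_PINNED = re.compile(r"^\S+@[0-9a-f]{40}$")


def scan_workflow(text: str) -> list:
    """Return finding tags for one workflow file's text."""
    findings = []
    name = TOP_LEVEL_NAME.search(text)
    if name and name.group(1) in INJECTED_NAMES:
        findings.append(f"workflow-name:{name.group(1)}")
    if re.search(r"\bworkflow_dispatch\b", text):
        findings.append("trigger:workflow_dispatch")
    for label, rx in PAYLOAD_MARKERS.items():
        if rx.search(text):
            findings.append(f"payload:{label}")
    for ref in USES_REF.findall(text):
        # Local (./path) and docker:// references carry no tag to pin.
        if not (ref.startswith("./") or ref.startswith("docker://") or SHA_PINNED.match(ref)):
            findings.append(f"unpinned-action:{ref}")
    return findings


def classify(findings: list) -> str:
    """high = payload marker present; medium = injected workflow name; low = hygiene only."""
    if any(f.startswith("payload:") for f in findings):
        return "high"
    if any(f.startswith("workflow-name:") for f in findings):
        return "medium"
    return "low" if findings else "clean"


def suspicious_committer(identity: str) -> bool:
    """Flag the throwaway committer identities the campaign used."""
    return identity.strip().lower() in FORGED_COMMITTERS


if __name__ == "__main__":
    for label, wf in (("clean", CLEAN_WORKFLOW), ("suspicious", SUSPICIOUS_WORKFLOW)):
        found = scan_workflow(wf)
        print(label, classify(found), found)
```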

**Why it matters to us:** any EU/CH agency, university or contractor with CI/CD reaching cloud infrastructure is exposed if a maintainer they depend on was caught in the 6-hour sweep — re-audit GitHub Actions workflows on internal forks today, and rotate any cloud credentials previously surfaced via CI runners on the affected window.

— *Source: [SafeDep technical analysis](https://safedep.io/megalodon-mass-github-repo-backdooring-ci-workflows/) · [OX Security](https://www.ox.security/blog/megalodon-cicd-malware-github/) · Additional source: [The Hacker News](https://thehackernews.com/2026/05/megalodon-github-attack-targets-5561.html) · Tags: supply-chain, identity, cloud, organized-crime · Region: global · Sector: technology, public-sector, education*

### FBI PSA260521 — Kali365 OAuth device-code PhaaS bypasses M365 MFA without credential capture

The FBI's Internet Crime Complaint Center issued PSA260521 on 2026-05-21 on **Kali365**, a Telegram-distributed Phishing-as-a-Service platform observed since April 2026 that abuses Microsoft's OAuth 2.0 device-code authorization flow (RFC 8628) to capture persistent access and refresh tokens for M365 accounts while completely bypassing multi-factor authentication ([The Register, 2026-05-22](https://www.theregister.com/cyber-crime/2026/05/22/fbi-warns-of-kali365-as-device-code-phishing-soars/5245024) · [Help Net Security, 2026-05-22](https://www.helpnetsecurity.com/2026/05/22/kali365-microsoft-365-phishing-fbi-warning/) · [The Record, 2026-05-22](https://therecord.media/fbi-warns-of-kali365-phishing-attacks) · [CyberScoop, 2026-05-22](https://cyberscoop.com/fbi-phishing-kali365-microsoft365-access-tokens/)). The technique falls under MITRE ATT&CK T1111 (MFA Interception) and T1528 (Steal Application Access Token) but differs structurally from credential phishing: the victim receives a lure impersonating Adobe Acrobat Sign, DocuSign or SharePoint, opens the embedded device code, and enters it on the legitimate `login.microsoftonline.com/common/oauth2/deviceauth` page; the attacker's registered device then receives both an access and a refresh token bound to that device, granting persistent access to Exchange Online, Teams, OneDrive and SharePoint without any further user interaction or MFA challenge.

A secondary AiTM mode proxies the victim's browser through attacker infrastructure to capture session cookies during a real Microsoft authentication flow when device-code is blocked. Subscriptions cost $250/month or $2,000/year per tenant; AI-generated lures are available in 14 languages with automated campaign templates and real-time tracking dashboards, lowering the technical bar for less capable actors. Observed outcomes since April 2026 — per the four outlets corroborating the FBI PSA — include mailbox exfiltration, lateral phishing, business email compromise and ransomware pre-staging. Detection vantage: Entra ID sign-in logs surface `authenticationProtocol = deviceCode` events — alert on those from unfamiliar device names or geographies inconsistent with the user's home location, and look for sign-in activity immediately after a device-code event from a different IP. Hardening: block user-interactive device-code flow via Conditional Access's `Authentication flows` condition (block / require compliant device), enforce FIDO2 phishing-resistant MFA for high-value accounts, and review existing OAuth app consents — public-sector tenants often leave device-code open for legacy device enrolment, and once an attacker holds a refresh token, only `Revoke-MgUserSignInSession` clears it.

**Why it matters to us:** the device-code attack path is the single fastest M365 compromise vector that classic phishing-aware users still walk into; Swiss federal, cantonal and public-administration Entra tenants often leave the flow open for kiosk / shared-device enrolment, and the Kali365 commoditisation means small actors can now run it without M365 expertise.

— *Source: [The Register](https://www.theregister.com/cyber-crime/2026/05/22/fbi-warns-of-kali365-as-device-code-phishing-soars/5245024) · [Help Net Security](https://www.helpnetsecurity.com/2026/05/22/kali365-microsoft-365-phishing-fbi-warning/) · Additional source: [The Record](https://therecord.media/fbi-warns-of-kali365-phishing-attacks) · Additional source: [CyberScoop](https://cyberscoop.com/fbi-phishing-kali365-microsoft365-access-tokens/) · Tags: phishing, identity, cloud, organized-crime · Region: global · Sector: public-sector, finance, healthcare*

### Rhysida claims Stuttgart municipal-data theft for 5 BTC; city denies a confirmed incident

The Rhysida ransomware-as-a-service group listed **Landeshauptstadt Stuttgart** — the Baden-Württemberg state capital (~600,000 residents) — on its dark-web leak site in mid-May 2026 (DeXpose dates the listing to 2026-05-19; Heise (2026-05-21) covers the leak-site listing and Stuttgart's response without anchoring the original posting date), demanding 5 Bitcoin (~€333,000) for exclusive access to allegedly stolen documents and publishing heavily downscaled previews of scanned invoices and faxes attributed to Stuttgart's administrative systems ([Heise Online (EN), 2026-05-21](https://www.heise.de/en/news/Cyber-gang-Rhysida-claims-data-theft-from-Stuttgart-city-11301876.html) · [DeXpose, 2026-05-20](https://www.dexpose.io/rhysida-ransomware-targets-landeshauptstadt-stuttgart/)). The city's response is measured: published material is "currently being examined together with the responsible authorities" and Stuttgart has "no indications of a cyber incident at this time", with further comment declined while investigation continues. No vulnerability or initial access vector has been disclosed; the claim appears to be data-exfiltration-only with city portals and operational systems unaffected, consistent with Rhysida's pattern since the British Library (2023) and the German charity Welthungerhilfe (2025).

Defender vantage with the city's denial in mind: confidence in the claim is **MEDIUM** — the only corroboration is press coverage of the leak-site listing itself. Hunt rather than respond: Rhysida tends to gain initial access through phishing (T1566) or external VPN exploitation (T1133), executes living-off-the-land via `cmd.exe` / PowerShell with scheduled-task persistence, and stages data in unusual directories before exfiltration (T1074.001). DACH municipal SOCs should treat the listing as a forcing function to re-check VPN patch levels, password-spray detection on the on-prem identity edge, and any unexplained outbound bursts from file servers and DFS shares since 2026-05-10. South Korean researchers' 2024 free Rhysida decryptor exploited an encryption flaw that the group has since reworked; no current decryptor is publicly known for 2026 variants if encryption does follow.

**Why it matters to us:** German municipal targeting bleeds into Swiss DACH context (shared partner networks, federal and diplomatic exchanges); the Stuttgart pattern — data theft only, leak-site posting, city denies — is increasingly common and the right response is hunt-without-confirming, not wait-for-a-victim-statement.

— *Source: [Heise Online (EN)](https://www.heise.de/en/news/Cyber-gang-Rhysida-claims-data-theft-from-Stuttgart-city-11301876.html) · Additional source: [DeXpose](https://www.dexpose.io/rhysida-ransomware-targets-landeshauptstadt-stuttgart/) · Tags: ransomware, data-breach, organized-crime · Region: europe, dach · Sector: public-sector*

### ANSSI / CERT-FR publishes CERTFR-2026-AVI-0635 on SPIP < 4.4.15 — security-policy bypass in the dominant French public-administration CMS

ANSSI / CERT-FR issued [CERTFR-2026-AVI-0635](https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0635/) on 2026-05-22 covering a security-policy bypass vulnerability in **SPIP** (Système de Publication pour l'Internet) versions prior to 4.4.15; SPIP 4.4.15 was released the same day ([SPIP blog, 2026-05-22](https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-15.html)). The advisory quotes the issue in CERT-FR's standard French: *"Une vulnérabilité a été découverte dans SPIP. Elle permet à un attaquant de provoquer un contournement de la politique de sécurité. SPIP versions antérieures à 4.4.15 sont affectées."* (in English: a vulnerability allows an attacker to bypass the security policy; versions prior to 4.4.15 are affected). No CVE identifier or CVSS score is attached to the CERT-FR notice yet; no exploitation in the wild has been reported.

The SPIP project blog characterises the underlying issue specifically as an **open-redirect vulnerability in the cookie action** — the "policy bypass" framing in the CERT-FR advisory is the standard generic catch-all used by ANSSI, not a separate finding. SPIP is the predominant CMS across French public administration — préfectures, ministries, research institutions — and the Francophone government sphere in Belgium, Switzerland (Romandie cantonal and communal sites) and Canada. Open-redirect issues in authenticated cookie paths are typically chained into account-impersonation or token-laundering against OAuth/OpenID-Connect identity providers, so the EU/CH public-sector risk is concrete even without a CVE in the loop yet. SPIP 4.4.15 is the immediate follow-on to the earlier-May 4.4.14 security release. Detection vantage: review SPIP access logs for unexpected redirect-parameter values on the cookie-action endpoint and any outbound 30x responses to attacker-controlled hosts; defenders should also note that Swiss cantonal and communal administrations using SPIP for public portals fall under the 24-hour NCSC.ch reporting obligation for critical-infrastructure operators if a SPIP intrusion is later confirmed.
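The access-log review above, as an added example (not SPIP project or CERT-FR code): it parses Apache combined-format lines, keeps only `spip.php?action=cookie` requests, and flags any parameter whose value is an absolute or scheme-relative URL pointing off-site, noting whether a 30x was served. The log lines, site hostname and parameter names (`url`, `retour`) are constructed; since the redirect parameter's name is not published, every parameter is inspected.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed: the portal's own hostnames; subdomains of these count as on-site.
SITE_HOSTS = {"example-commune.ch"}

# Constructed access-log lines in Apache combined format (RFC 5737 test addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [22/May/2026:10:01:12 +0200] "GET /spip.php?action=cookie&url=%2Fecrire%2F HTTP/1.1" 302 - "-" "Mozilla/5.0"
203.0.113.7 - - [22/May/2026:10:01:30 +0200] "GET /spip.php?action=cookie&url=https%3A%2F%2Flogin.example-commune.ch%2F HTTP/1.1" 302 - "-" "Mozilla/5.0"
198.51.100.23 - - [22/May/2026:10:02:44 +0200] "GET /spip.php?action=cookie&url=https%3A%2F%2Fattacker.invalid%2Fsso HTTP/1.1" 302 - "-" "curl/8.5.0"
198.51.100.23 - - [22/May/2026:10:02:45 +0200] "GET /spip.php?action=cookie&retour=%2F%2Fattacker.invalid%2F HTTP/1.1" 302 - "-" "curl/8.5.0"
192.0.2.9 - - [22/May/2026:10:03:01 +0200] "GET /spip.php?page=sommaire HTTP/1.1" 200 - "-" "Mozilla/5.0"
"""

LOG_RX = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def is_own_host(host: str, site_hosts) -> bool:
    """True for the site's own hostnames and their subdomains."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in site_hosts)


def offsite_targets(query: str, site_hosts) -> list:
    """(param, host) for each parameter whose value is an absolute or scheme-relative off-site URL."""
    hits = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        try:
            host = urlsplit(value.strip()).hostname
        except ValueError:  # malformed netloc (e.g. unbalanced IPv6 brackets)
            continue
        if host and not is_own_host(host, site_hosts):
            hits.append((key, host))
    return hits


def scan_access_log(text: str, site_hosts=SITE_HOSTS) -> list:
    """Flag cookie-action requests carrying an off-site redirect target; record if a 30x was served."""
    findings = []
    for line in text.splitlines():
        m = LOG_RX.match(line)
        if not m:
            continue
        target = urlsplit(m["target"])
        if not target.path.endswith("/spip.php"):
            continue
        params = dict(parse_qsl(target.query, keep_blank_values=True))
        if params.get("action") != "cookie":
            continue
        hits = offsite_targets(target.query, site_hosts)
        if hits:
            findings.append({
                "ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
                "targets": hits, "redirected": m["status"].startswith("3"),
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f)
```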

**Why it matters to us:** every Romandie cantonal/communal SOC with a SPIP-built portal needs to patch in this cycle; the absence of a CVE makes it easy to overlook on automated patch-track reports.

— *Source: [ANSSI / CERT-FR CERTFR-2026-AVI-0635](https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0635/) · Additional source: [SPIP project blog](https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-15.html) · Tags: vulnerabilities, patch-available · Region: europe, switzerland · Sector: public-sector, education*

## 2. Trending Vulnerabilities

*No qualifying items in window — section intentionally empty.* Today's KEV-listed and actively-exploited CVE (CVE-2026-9082, Drupal core PostgreSQL SQL injection) was first covered in the 2026-05-21 brief, so the new material — the KEV addition, the 15,000+ in-the-wild attempts, and NCSC.ch flipping the post to "Actively exploited" — appears as a § 4 UPDATE with the Immediate Action callout in § 0 carrying the deadline-of-the-day operational frame. CVE-2026-46333 (Linux kernel `__ptrace_may_access()` race, Qualys ssh-keysign-pwn) is fresh and has four working public PoCs but is a local privilege-escalation primitive rather than a pre-auth network-facing flaw, so it does not clear the § 2 inclusion gates; it appears as today's § 5 Deep Dive instead.

— *Source: [Drupal Security Team SA-CORE-2026-004](https://www.drupal.org/sa-core-2026-004) · Additional source: [Qualys TRU on CVE-2026-46333](https://blog.qualys.com/vulnerabilities-threat-research/2026/05/20/cve-2026-46333-local-root-privilege-escalation-and-credential-disclosure-in-the-linux-kernel-ptrace-path) · Tags: vulnerabilities · Region: global*

## 3. Research & Investigative Reporting

### Unit 42 — Iran's Screening Serpens (UNC1549 / Smoke Sandstorm / Nimbus Manticore): AppDomainManager hijacking silently disables ETW + strong-name checks in six new RATs

Unit 42 published a comprehensive write-up on **Screening Serpens** (a.k.a. UNC1549, Smoke Sandstorm, Nimbus Manticore) on 2026-05-22 covering operations from February through April 2026 timed to the onset of the U.S.–Israeli Middle East conflict that began 2026-02-28 ([Unit 42, 2026-05-22](https://unit42.paloaltonetworks.com/tracking-iran-apt-screening-serpens/) · [Cybersecurity Dive, 2026-05-22](https://www.cybersecuritydive.com/news/iran-cyberattacks-espionage-us-israel-uae/820990/)). The group deployed new RAT variants across two malware families: **MiniUpdate** in four variants used between 2026-03-26 and 2026-04-17 with lures impersonating aviation, healthcare and financial-services firms, and **MiniJunk V2** in two variants used between 2026-02-17 and 2026-03-27 against Middle Eastern and U.S. targets.

The technically significant evolution is **AppDomainManager hijacking** (T1574.014) paired with classic DLL sideloading (T1574.001): the infection chain drops a legitimate Microsoft .NET executable alongside a weaponised `UpdateChecker.dll` / `InitInstall.dll` / `Updater.dll` and — critically — a malicious `.runtimeconfig.json` that redirects the CLR's AppDomainManager loading at process startup, *silently disabling ETW tracing and strong-name validation before the RAT executes*. That leaves the host's EDR operating in a reduced-telemetry mode on every infected workstation. Delivery is high-touch — fake recruitment PDFs, spoofed video-conference meeting invitations, and ZIP archives containing a legitimate executable as the trigger; persistence uses scheduled tasks; C2 routes through Azure-hosted domains. Confirmed targets: U.S., Israel, UAE, plus at least two further Middle Eastern entities consistent with prior UNC1549 focus on aerospace, defence and telecommunications. The CH/EU nexus is indirect but real — Swiss aerospace and defence suppliers (RUAG, Pilatus and defence export channels) sit squarely in the sector profile, as do EU R&D firms historically swept up in Iranian collection campaigns.

Detection vantage: alert on `.runtimeconfig.json` writes by non-installer processes; watch the `Microsoft-Windows-DotNETRuntime` ETW provider for `StrongNameVerification=0` startup events and CLR debug-mode initialisation; watch scheduled-task creation from processes with `.dll` parent images loading via `rundll32.exe` / `svchost.exe`. Hardening: enforce a code-integrity policy (UMCI + trusted-signers allowlist) so unsigned DLLs cannot load into the .NET CLR; restrict `.runtimeconfig.json` writes outside install paths via FIM.

— *Source: [Unit 42](https://unit42.paloaltonetworks.com/tracking-iran-apt-screening-serpens/) · Additional source: [Cybersecurity Dive](https://www.cybersecuritydive.com/news/iran-cyberattacks-espionage-us-israel-uae/820990/) · Tags: nation-state, espionage, iran-nexus · Region: middle-east, global · Sector: defense, aviation, telco*

### Unit 42 — ROADtools operationalised by Midnight Blizzard, Curious Serpens and UTA0355 for Entra ID device registration, token theft and tenant enumeration

Unit 42 documents (2026-05-22) systematic nation-state operationalisation of **ROADtools** — the open-source Python Entra ID attack/defence framework hosted at `github.com/dirkjanm/ROADtools` — by three named clusters: **Cloaked Ursa / Midnight Blizzard / APT29 / NOBELIUM** (Russia), **Curious Serpens / Peach Sandstorm / APT33** (Iran) and **UTA0355** (Russian state-affiliated) ([Unit 42, 2026-05-22](https://unit42.paloaltonetworks.com/roadtools-cloud-attacks/)). The chain begins with credential compromise (password spray or OAuth device-code phishing — see § 1 Kali365), then uses `roadtx` to register attacker-controlled devices in the victim's Entra ID tenant, establishing persistence via a Primary Refresh Token bound to a registered device. The `roadrecon` module performs systematic directory enumeration via legacy Azure AD Graph API calls — now also ported to the msgraph branch — targeting users, groups, service principals, application permissions and OAuth token grants.

MITRE ATT&CK techniques mapped explicitly by Unit 42: T1098.005 (Account Manipulation: Device Registration), T1550 (Use Alternate Authentication Material), and T1087 (Account Discovery via Microsoft Graph API). The device-PRT-binding step functionally bypasses tenant MFA — the brief leaves the explicit T1556.006 framing off since Unit 42 does not map it that way; defenders running custom ATT&CK overlays may want to add it themselves. Volexity's April 2025 [OAuth device-code paper](https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/) is the historical background for the device-code half of the chain. Detection vantage: monitor Entra ID audit logs for `Add device` events from unfamiliar device names or from IPs not in expected employee geographies; alert on sign-in logs carrying the `roadtx` user-agent string or unexpected `https://login.microsoftonline.com/common/oauth2/token` device-code grant flows; review Microsoft Graph Activity Logs for bulk `GET /users`, `GET /groups` and `GET /servicePrincipals` calls clustered by time. Hardening: enforce Conditional Access token-protection (token binding renders stolen tokens non-transferable across devices); restrict device registration to compliant or hybrid-joined devices only; enforce Privileged Access Workstation policy for admin token issuance; block Azure AD Graph via `blockLegacyAuthentication`. Midnight Blizzard has a documented pattern of targeting EU diplomatic corps and government Microsoft 365 tenants, so the relevance to Swiss federal and EU institution Entra estates is direct.
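One detection pipeline serving both this ROADtools passage and the Kali365 item in § 1, as an added example (not Unit 42's, the FBI's or the ROADtools project's code): it correlates deviceCode sign-ins with later device registrations and foreign-IP sign-ins for the same user, flags the `roadtx` user agent, and counts directory-collection GETs per appId in a sliding window. The records are constructed; field names follow the Entra ID sign-in/audit and Graph activity log schemas only as far as the example needs them, which is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed records (RFC 5737 addresses). Field names follow the Entra ID sign-in / audit
# log and Graph activity log schemas only as far as this example needs them (assumption).
SIGNINS = [
    {"userPrincipalName": "alice@tenant.example", "createdDateTime": "2026-05-21T08:00:00+00:00",
     "ipAddress": "198.51.100.10", "authenticationProtocol": "deviceCode", "userAgent": "Mozilla/5.0"},
    {"userPrincipalName": "alice@tenant.example", "createdDateTime": "2026-05-21T08:12:00+00:00",
     "ipAddress": "203.0.113.55", "authenticationProtocol": "none", "userAgent": "roadtx/1.0"},
    {"userPrincipalName": "bob@tenant.example", "createdDateTime": "2026-05-21T09:00:00+00:00",
     "ipAddress": "192.0.2.40", "authenticationProtocol": "authorizationCodeFlow", "userAgent": "Mozilla/5.0"},
]
AUDIT = [
    {"activityDisplayName": "Add device", "activityDateTime": "2026-05-21T08:15:00+00:00",
     "initiatedBy": {"user": {"userPrincipalName": "alice@tenant.example", "ipAddress": "203.0.113.55"}}},
    {"activityDisplayName": "Add device", "activityDateTime": "2026-05-21T09:05:00+00:00",
     "initiatedBy": {"user": {"userPrincipalName": "bob@tenant.example", "ipAddress": "192.0.2.40"}}},
]
GRAPH = [
    {"appId": "constructed-app-1", "time": "2026-05-21T08:20:00+00:00", "requestMethod": "GET",
     "requestUri": "https://graph.microsoft.com/v1.0/users?$top=999"},
    {"appId": "constructed-app-1", "time": "2026-05-21T08:21:00+00:00", "requestMethod": "GET",
     "requestUri": "https://graph.microsoft.com/v1.0/groups"},
    {"appId": "constructed-app-1", "time": "2026-05-21T08:22:00+00:00", "requestMethod": "GET",
     "requestUri": "https://graph.microsoft.com/v1.0/servicePrincipals"},
    {"appId": "constructed-app-2", "time": "2026-05-21T08:30:00+00:00", "requestMethod": "GET",
     "requestUri": "https://graph.microsoft.com/v1.0/me"},
]

# Collection endpoints whose bulk listing roadrecon-style enumeration depends on.
ENUM_COLLECTIONS = ("/users", "/groups", "/servicePrincipals")


def ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def device_code_followups(signins, audit, reg_window=timedelta(hours=24),
                          signin_window=timedelta(minutes=30)) -> list:
    """For each deviceCode sign-in, flag (a) a later Add-device audit event and (b) a later
    sign-in for the same user from a different IP: the roadtx registration step and the
    Kali365 token-use pattern respectively."""
    alerts = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        user, ip, t0 = s["userPrincipalName"], s["ipAddress"], ts(s["createdDateTime"])
        for a in audit:
            actor = a.get("initiatedBy", {}).get("user", {})
            if a.get("activityDisplayName") != "Add device" or actor.get("userPrincipalName") != user:
                continue
            if t0 <= ts(a["activityDateTime"]) <= t0 + reg_window and actor.get("ipAddress") != ip:
                alerts.append(("device-code-then-registration", user, actor.get("ipAddress")))
        for f in signins:
            if f is s or f["userPrincipalName"] != user or f["ipAddress"] == ip:
                continue
            if t0 < ts(f["createdDateTime"]) <= t0 + signin_window:
                alerts.append(("device-code-then-foreign-signin", user, f["ipAddress"]))
    return alerts


def roadtx_signins(signins) -> list:
    """Sign-ins whose user agent carries the roadtx tool name."""
    return [(s["userPrincipalName"], s["ipAddress"])
            for s in signins if "roadtx" in s.get("userAgent", "").lower()]


def bulk_enumeration(graph, window=timedelta(minutes=10), threshold=3) -> list:
    """appIds that issued >= threshold collection-listing GETs within any `window`."""
    by_app = defaultdict(list)
    for r in graph:
        path = urlsplit(r["requestUri"]).path
        if r.get("requestMethod") == "GET" and path.endswith(ENUM_COLLECTIONS):
            by_app[r["appId"]].append(ts(r["time"]))
    flagged = []
    for app, times in by_app.items():
        times.sort()
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= window) >= threshold:
                flagged.append(app)
                break
    return flagged


if __name__ == "__main__":
    print(device_code_followups(SIGNINS, AUDIT))
    print(roadtx_signins(SIGNINS))
    print(bulk_enumeration(GRAPH))
```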

— *Source: [Unit 42](https://unit42.paloaltonetworks.com/roadtools-cloud-attacks/) · Additional source: [Volexity OAuth device-code background (2025-04)](https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/) · Tags: nation-state, espionage, identity, cloud, russia-nexus, iran-nexus · Region: global, europe · Sector: public-sector, defense, technology*

### ANNUAL REPORT — Rapid7 Q1 2026 Threat Landscape Report: vulnerability exploitation now top initial-access vector at 38 %; KEV median time to listing collapses to 5 days

Rapid7 Labs published its [Q1 2026 Threat Landscape Report](https://www.rapid7.com/blog/post/tr-q1-2026-threat-landscape-report-geopolitics-ransomware/) on 2026-05-21 covering January–March 2026 IR data; the [GlobeNewswire release](https://www.globenewswire.com/news-release/2026/05/21/3299378/36514/en/Rapid7-Q1-2026-Threat-Landscape-Report-Finds-Vulnerability-Exploitation-Overtakes-Social-Engineering-as-the-Top-Initial-Access-Vector.html) accompanied the post the same day. The findings that change what a Swiss/EU public-sector SOC should prioritise:

- **Vulnerability exploitation accounted for 38 % of confirmed initial-access vectors, overtaking social engineering (24 %)** in Rapid7's Q1 2026 dataset. The implication: edge / perimeter patch SLAs and exposure management now drive blast-radius more than awareness training does.
- **More than 50 % of actively exploited vulnerabilities in Q1 2026 were zero-click, network-facing flaws** requiring no authentication or user interaction. The defensive prioritisation gradient sharpens: pre-auth network-facing CVEs > authenticated CVEs > anything user-interaction-dependent.
- **Median time from public disclosure to CISA KEV listing fell from 8.5 days to 5.0 days.** Operators of EU/CH public-sector estates running on monthly patch windows lose ground every cycle; the report frames this as faster AI-assisted N-day weaponisation. PD-13 still applies — the KEV addition is the *exploitation-confirmation* signal, not a US-only compliance deadline — but the window between "vendor publishes" and "expect attempts" has narrowed materially.
- **Exploited vulnerabilities averaged 1.8 million mentions across forums, blogs and social media** before operational targeting, making chatter spikes a leading indicator of imminent exploitation waves.
- **SQL injection became the most-exploited vulnerability class in Q1 2026**, validating the Drupal CVE-2026-9082 story above as part of a broader shift.
- **RMM tool abuse accounted for 22.9 % of observed threat activity, ClickFix-style social engineering 18.8 %** — both worth re-checking on EDR detection coverage in EU/CH environments where ClickFix browser drive-by is less culturally familiar than in U.S. consumer markets.

The report also covers a geopolitical layer (Iranian, Russian and Chinese campaigns synchronised with Middle East military escalation; tools mentioned include BPFDoor and ModeloRAT) and ransomware fragmentation (Qilin leads at 357 leak-site posts, The Gentlemen 206, Akira 174; pure-extortion without encryption continues to grow). Per PD-9 this is the dedicated treatment of the report; specific findings will be cited as context in future briefs rather than re-summarised.

— *Source: [Rapid7 Q1 2026 Threat Landscape Report](https://www.rapid7.com/blog/post/tr-q1-2026-threat-landscape-report-geopolitics-ransomware/) · Additional source: [GlobeNewswire press release](https://www.globenewswire.com/news-release/2026/05/21/3299378/36514/en/Rapid7-Q1-2026-Threat-Landscape-Report-Finds-Vulnerability-Exploitation-Overtakes-Social-Engineering-as-the-Top-Initial-Access-Vector.html) · Tags: vulnerabilities, ransomware, nation-state, ai-abuse · Region: global · Sector: public-sector*

### ANNUAL REPORT — Check Point Research March-April 2026 AI Threat Landscape Digest: a single operator runs two AI platforms in parallel to breach nine Mexican government agencies [SINGLE-SOURCE]

Check Point Research's [March-April 2026 AI Threat Landscape Digest](https://blog.checkpoint.com/research/ai-attacks-are-no-longer-experimental-key-findings-from-the-march-april-2026-ai-threat-landscape/) (published 2026-05-22) is the most operationally striking annual / periodic AI report of the past month. The centrepiece — researched by Gambit Security and summarised in the Check Point post — documents a single unidentified operator compromising **nine Mexican government agencies** between December 2025 and February 2026, covering tax records, civil registry, patient files and electoral infrastructure. The structural innovation: the attacker ran two commercial AI platforms in parallel — one managing live exploitation and issuing >5,000 AI-executed commands, a second processing harvested data and feeding instructions back into the first. Persistence for the AI itself was simple: modifying the AI client's startup configuration file to embed persistent instructions inherited by every subsequent session.

Two further findings have direct EU/CH public-sector implications. First, the **EvilTokens** platform — a commercial jailbreak-as-a-service tool packaging AI-driven phishing generation, financial-data extraction and similar capabilities as a subscription — represents the same commoditisation curve as Kali365 (§ 1) but for AI-assisted intrusion. Second, CPR explicitly calls out that **stolen API keys for Anthropic, OpenAI, Groq and Mistral are now high-value criminal targets**, since they grant access to powerful AI services without an account; Swiss federal and cantonal agencies using commercial AI APIs should treat key rotation cadence and source-IP scoping (Conditional Access on the API layer) on par with classic privileged-credential hygiene. Detection vantage: bulk exfiltration events temporally co-located with anomalous API call patterns to commercial AI services from non-standard processes; process trees in which AI client libraries spawn data-collection subprocesses; cloud audit logs showing API key issuance followed immediately by large-volume inference calls from unusual source IPs.

— *Source: [Check Point Research](https://blog.checkpoint.com/research/ai-attacks-are-no-longer-experimental-key-findings-from-the-march-april-2026-ai-threat-landscape/) · Tags: ai-abuse, espionage, supply-chain, organized-crime · Region: global, latam · Sector: public-sector, healthcare, finance*

## 4. Updates to Prior Coverage

### UPDATE: Drupal CVE-2026-9082 — CISA KEV addition + active exploitation confirmed; NCSC.ch flips post 12584 to "Actively exploited"

> **UPDATE (originally covered 2026-05-21):** On 2026-05-22 Drupal updated [SA-CORE-2026-004](https://www.drupal.org/sa-core-2026-004) to confirm that exploit attempts targeting CVE-2026-9082 — the anonymous pre-authentication SQL injection in the Entity Query API's PostgreSQL path — are now being detected in the wild. NCSC.ch updated [Security Hub post 12584](https://security-hub.ncsc.admin.ch/#/posts/12584) to "Actively exploited" status the same day at 13:52Z, also recording the addition of CVE-2026-9082 to the CISA Known Exploited Vulnerabilities catalog on 2026-05-22 (the NCSC-CH post is the brief's source of record on the KEV add; the CISA news-events alert URL constructed earlier in the day returned a 404 at composition time).
>
> Imperva reports observing **15,000+ exploitation attempts against approximately 6,000 Drupal sites across 65 countries** within days of disclosure ([Imperva, 2026-05-21](https://www.imperva.com/blog/imperva-customers-protected-against-cve-2026-9082-in-drupal-core/)). The technical mechanism (now public via the [Searchlight Cyber write-up](https://slcyber.io/research-center/keys-to-the-kingdom-anonymous-sql-injection-in-drupal-core-cve-2026-9082/)): on the case-insensitive `IN` operator path through `core/lib/Drupal/Core/Entity/Query/Sql/Condition::compile()` / `ConditionAggregate::compile()`, a JSON-encoded array value survives into the SQL placeholder name without sanitisation, allowing injection when the backend is PostgreSQL. Fixed versions: 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12 and 11.3.10; best-effort patches for EOL Drupal 8.9 and 9 are also available. MySQL/MariaDB/SQLite-backed Drupal sites remain unaffected, which is the temporary control to fall back on if the patch window slips past today.
>
> Defender vantage update from yesterday's brief: the operational frame is no longer "patch when convenient" but **patch today** — the § 0 Immediate Action carries the operational framing; this UPDATE captures the source-of-record links and the technical mechanism for anyone composing internal advisories or hunt queries. CH/EU specifics: NCSC.ch Security Hub is the authoritative jurisdictional source for Swiss federal and cantonal operators; Drupal-on-PostgreSQL is widespread across FITKO and SWITCH-hosted university sites, French `gouvernement.fr` instances and EU institution portals. Detection: WAF telemetry for nested JSON arrays in user-supplied fields hitting Drupal endpoints; PostgreSQL `log_min_duration_statement` to surface anomalous query shapes; web-server logs for unexpected POST payloads to anonymous routes.
>
> — *Source: [Drupal Security Team SA-CORE-2026-004](https://www.drupal.org/sa-core-2026-004) · [NCSC.ch Security Hub post 12584](https://security-hub.ncsc.admin.ch/#/posts/12584) · Additional source: [Imperva — Customers Protected Against CVE-2026-9082](https://www.imperva.com/blog/imperva-customers-protected-against-cve-2026-9082-in-drupal-core/) · Additional source: [BleepingComputer](https://www.bleepingcomputer.com/news/security/drupal-critical-sql-injection-flaw-now-targeted-in-attacks/) · Additional source: [Searchlight Cyber technical analysis](https://slcyber.io/research-center/keys-to-the-kingdom-anonymous-sql-injection-in-drupal-core-cve-2026-9082/) · Tags: vulnerabilities, actively-exploited, pre-auth, rce, cisa-kev, patch-available · Region: global, switzerland, europe · Sector: public-sector, education · CVE: CVE-2026-9082 · CVSS: 6.5 · Vector: zero-click · Auth: pre-auth · Status: exploited, cisa-kev, patch-available*
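The fixed-version list and the PostgreSQL-only exposure above, turned into a fleet triage step. This is an added example, not Drupal project code; the fixed versions are the ones SA-CORE-2026-004 names as carried above, and the inventory record shape (host / version / backend) is an assumption for this example.

```python
"""Exposure triage for Drupal core CVE-2026-9082 across a site inventory.

Added example, not Drupal project code. The fixed versions are those named in
SA-CORE-2026-004 as carried above; only PostgreSQL-backed sites are exposed.
The inventory record shape (host / version / backend) is an assumption.
"""

# Branch (major, minor) -> first patch level that carries the fix.
FIXED_PATCH = {
    (10, 4): 10, (10, 5): 10, (10, 6): 9,
    (11, 1): 10, (11, 2): 12, (11, 3): 10,
}
# Driver name and common inventory spellings for PostgreSQL.
PGSQL_BACKENDS = {"pgsql", "postgresql", "postgres"}


def parse_version(version):
    """'11.3.12-dev' -> (11, 3, 12); raises ValueError on malformed input."""
    parts = version.strip().split("-", 1)[0].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable Drupal version: {version!r}")
    return tuple(int(p) for p in parts)


def classify(version, backend):
    """One of: unaffected-backend, patched, vulnerable, unlisted-branch."""
    major, minor, patch = parse_version(version)
    if backend.lower() not in PGSQL_BACKENDS:
        return "unaffected-backend"   # MySQL/MariaDB/SQLite path is not affected
    fix = FIXED_PATCH.get((major, minor))
    if fix is None:
        # EOL 8.9 / 9.x (best-effort patches only) or a branch the advisory
        # does not list: needs a human decision, not a version compare.
        return "unlisted-branch"
    return "patched" if patch >= fix else "vulnerable"


def triage(inventory):
    """(host, status) pairs, vulnerable hosts first so they head the patch queue."""
    order = {"vulnerable": 0, "unlisted-branch": 1, "patched": 2, "unaffected-backend": 3}
    rows = [(s["host"], classify(s["version"], s["backend"])) for s in inventory]
    return sorted(rows, key=lambda r: (order[r[1]], r[0]))


# Constructed inventory (not real hosts).
SAMPLE_INVENTORY = [
    {"host": "portal.example.ch", "version": "10.5.9", "backend": "pgsql"},
    {"host": "intranet.example.ch", "version": "10.5.10", "backend": "pgsql"},
    {"host": "archive.example.ch", "version": "9.5.11", "backend": "pgsql"},
    {"host": "www.example.ch", "version": "11.2.11", "backend": "mysql"},
    {"host": "edu.example.ch", "version": "11.3.12-dev", "backend": "PostgreSQL"},
]
```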

### UPDATE: Ghostwriter / UAC-0057 / FrostyNeighbor — CERT-UA documents new OYSTERFRESH → OYSTERBLUES → OYSTERSHUCK implant chain via Prometheus learning-platform lures

> **UPDATE (originally covered weekly 2026-W21):** CERT-UA published a bulletin (surfaced 2026-05-22) on a spring-2026 phishing campaign by **Ghostwriter** (a.k.a. UAC-0057, UNC1151, FrostyNeighbor) targeting Ukrainian government entities through lures themed on the Prometheus online-learning platform ([The Hacker News, 2026-05-22](https://thehackernews.com/2026/05/ghostwriter-targets-ukraine-government.html) · [SC World, 2026-05-22](https://www.scworld.com/brief/belarus-linked-ghostwriter-group-targets-ukraine-using-prometheus-learning-platform-lures)). The material delta from this week's weekly long-running coverage of FrostyNeighbor / Ghostwriter activity is a **new three-stage implant trio** distinct from the prior PicassoLoader toolset.
>
> Chain: phishing email from a compromised account → PDF attachment with a link to a ZIP archive → ZIP carrying a JavaScript file (**OYSTERFRESH**). OYSTERFRESH renders a decoy document as cover while writing an obfuscated, RC4-encrypted **OYSTERBLUES** payload to the Windows Registry and launching **OYSTERSHUCK**. OYSTERSHUCK decodes OYSTERBLUES (executed via JavaScript), which then collects computer name, user account, OS version, last boot time and running process list, exfiltrates via HTTP POST to C2, and executes dynamically received JavaScript via `eval()`. The final payload is assessed as Cobalt Strike. *(MITRE ATT&CK overlay added by this brief, not by the CERT-UA narrative as carried by The Hacker News: T1027 Obfuscated Files/Information on the OYSTERFRESH stage, T1547.001 Registry Run Keys on the OYSTERBLUES persistence, T1059.007 JavaScript on OYSTERSHUCK execution, T1219 Remote Access Software on the Cobalt Strike final.)*
>
> Defender vantage: CERT-UA's own recommendation is to **block `wscript.exe` execution for standard user accounts** — a high-yield control because the OYSTER* trio relies on script-host execution from user context. EDR signal: `wscript.exe` spawning `powershell.exe` or a base64-encoded command; registry monitoring for new `HKCU\Software` Run-key values containing binary blobs or script paths; hunt for Cobalt Strike beacon signatures in HTTP POST egress to non-corporate domains. The EU/CH relevance is direct: Ghostwriter historically targets Belgium, Germany, Poland, Lithuania, Latvia and other NATO members alongside Ukraine, and the OYSTER* implant chain is a toolset upgrade defenders should expect to see surfaced in EU government tenants and Eastern-Europe-focused think tanks.
>
> — *Source: [The Hacker News](https://thehackernews.com/2026/05/ghostwriter-targets-ukraine-government.html) · Additional source: [SC World](https://www.scworld.com/brief/belarus-linked-ghostwriter-group-targets-ukraine-using-prometheus-learning-platform-lures) · Tags: nation-state, espionage, phishing, russia-nexus · Region: europe · Sector: public-sector, defense, education*
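The two EDR signals named in the update (script host spawning a shell or an encoded command; HKCU Run values holding a blob or a script path) as hunt rules over process and registry events. This is an added example, not CERT-UA code; the events are constructed Sysmon-style records (EventID 1 process creation, EventID 13 registry value set) with invented content, and the blob-length and base64 heuristics are assumptions to tune per estate.

```python
"""Hunt rules for the OYSTER* script-host chain over process and registry events.

Added example, not CERT-UA code. Events are constructed Sysmon-style records
(EventID 1 process creation, EventID 13 registry value set); field names follow
Sysmon but the sample content is invented for this example.
"""
import re

SCRIPT_HOSTS = ("\\wscript.exe", "\\cscript.exe")
SHELLS = ("\\powershell.exe", "\\pwsh.exe", "\\cmd.exe")
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
# A long unbroken base64 run is the usual tell of an encoded command or stored blob.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
ENCODED_FLAG = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)(\s|$)")


def _image_is(image, suffixes):
    return image.lower().endswith(suffixes)


def script_host_spawned_shell(ev):
    """EventID 1: wscript/cscript parent launching a shell, or a child with an encoded command."""
    if ev.get("EventID") != 1 or not _image_is(ev.get("ParentImage", ""), SCRIPT_HOSTS):
        return None
    if _image_is(ev.get("Image", ""), SHELLS):
        return "script host spawned shell"
    cmd = ev.get("CommandLine", "")
    if ENCODED_FLAG.search(cmd) or B64_RUN.search(cmd):
        return "script host child with encoded command"
    return None


def run_key_blob(ev, min_blob=64):
    """EventID 13: HKCU Run value holding an encoded blob or pointing at a script file."""
    if ev.get("EventID") != 13:
        return None
    target = ev.get("TargetObject", "").lower()
    if not target.startswith(("hkcu\\", "hku\\")) or RUN_KEY not in target:
        return None
    details = ev.get("Details", "")
    # Heuristic: value text ending in a script extension (quoted or not).
    if details.lower().rstrip('"').endswith((".js", ".jse", ".vbs", ".wsf", ".hta")):
        return "Run key points at script file"
    m = B64_RUN.search(details)
    if m and len(m.group(0)) >= min_blob:
        return "Run key holds encoded blob"
    return None


def hunt(events):
    """(RecordId, User, reason) for every event that trips a rule."""
    hits = []
    for ev in events:
        reason = script_host_spawned_shell(ev) or run_key_blob(ev)
        if reason:
            hits.append((ev["RecordId"], ev.get("User", "?"), reason))
    return hits


# Constructed sample events (not from a real host).
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1, "User": "CORP\\a.muster",
     "ParentImage": "C:\\Windows\\System32\\wscript.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE="},
    {"RecordId": 2, "EventID": 1, "User": "CORP\\a.muster",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\Scripts\\backup.ps1"},
    {"RecordId": 3, "EventID": 13, "User": "CORP\\a.muster",
     "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "wscript.exe //B C:\\Users\\a.muster\\AppData\\Roaming\\upd.js"},
    {"RecordId": 4, "EventID": 13, "User": "CORP\\a.muster",
     "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "Details": "\"C:\\Users\\a.muster\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"},
    {"RecordId": 5, "EventID": 13, "User": "CORP\\a.muster",
     "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc",
     "Details": "QUFB" * 20},   # constructed 80-char blob standing in for stored payload data
]
```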

## 5. Deep Dive — CVE-2026-46333 ssh-keysign-pwn: a 9-year ptrace race in the Linux kernel reaching root and SSH host keys

**Background.** The Linux kernel's `__ptrace_may_access()` permission check in `kernel/ptrace.c` has been a recurring source of local-privilege-escalation primitives ever since the dumpable / capability model was introduced. CVE-2019-13272 ([Jann Horn, 2019](https://bugs.chromium.org/p/project-zero/issues/detail?id=1856)) exploited a similar credential-window confusion in the same function. The introduction of `pidfd_getfd()` in v5.6-rc1 (January 2020) added a second axis — fd duplication across processes — that has compounded ptrace-window primitives by allowing fds harvested during a privileged credential window to be reused under the attacker's UID. Qualys's [Looney Tunables (CVE-2023-4911)](https://blog.qualys.com/vulnerabilities-threat-research/2023/10/03/cve-2023-4911-looney-tunables-local-privilege-escalation-in-the-glibc-s-ld-so) set the template for the disclosure pattern Qualys has followed since: advisories whose credibility rests on working exploits. CVE-2026-46333 fits squarely in that lineage: a long-dormant logic error reaching first-class root primitives, with the disclosure structured around defender-actionable analysis rather than weaponisation help.

**The bug.** Qualys TRU disclosed [CVE-2026-46333](https://blog.qualys.com/vulnerabilities-threat-research/2026/05/20/cve-2026-46333-local-root-privilege-escalation-and-credential-disclosure-in-the-linux-kernel-ptrace-path) on 2026-05-20 (the URL path encodes the disclosure date; the Qualys blog also carries a 2026-05-22 rendered "Date" field that appears to reflect a content update; the brief uses the URL-encoded disclosure date as anchor) ([The Hacker News, 2026-05-21](https://thehackernews.com/2026/05/9-year-old-linux-kernel-flaw-enables.html) · [Canonical / Ubuntu, 2026-05-19](https://ubuntu.com/blog/ssh-keysign-pwn-linux-vulnerability-fixes-available); upstream kernel fix landed 2026-05-14) — a TOCTOU race in `__ptrace_may_access()` present since Linux v4.10-rc1 (November 2016). The window is the brief interval when a privileged process drops credentials — for example a setuid binary calling `setuid()` to lower privilege after performing a privileged action. During that window `__ptrace_may_access()` incorrectly permits ptrace attachment, because credential comparison is performed against the uid/gid captured at the time of the `ptrace_may_access()` call rather than at the point of the actual access; the dumpable flag is re-evaluated too late. An unprivileged caller racing the credential drop wins ptrace rights on the target.

**The chain.** A standalone ptrace win is interesting; the chain that promotes it to a four-target root primitive is the combination with `pidfd_getfd()`. Once attached, the attacker uses `pidfd_getfd()` to duplicate file descriptors from the privileged process into the attacker's own process. Those fds — opened by the privileged process for reading `/etc/shadow`, writing to `/etc/ssh/ssh_host_*_key`, executing as root, or speaking to D-Bus / systemd over a privileged socket — are now usable under the attacker's UID. Qualys developed four working exploits, detailed in the public advisory (exploit code itself was withheld during coordinated disclosure; the advisory and PoC outputs are public):

- **`chage`** (setuid-root, setgid-shadow) → reads `/etc/shadow` and recovers the local hash database for cracking.
- **`ssh-keysign`** (setuid-root) → exfiltrates SSH host private keys from `/etc/ssh/` — the host's identity to the rest of the network, enabling SSH MITM and host impersonation on internal links.
- **`pkexec`** (setuid-root) → arbitrary root command execution; functionally equivalent to PwnKit (CVE-2021-4034) outcomes but reached through a different primitive.
- **`accounts-daemon`** (root daemon, not setuid) → arbitrary root command execution via hijacked D-Bus connection to systemd.

Exploits confirmed working on Debian 13, Ubuntu 24.04 / 26.04, Fedora 43 / 44; the underlying primitive applies to any distro carrying a v4.10-or-newer kernel and a standard setuid surface. Prerequisites: a local unprivileged shell on the target host. No network exposure required — this is a pure post-foothold escalation primitive — and no kernel hardening short of restricting ptrace defeats it on a default Linux server.

**MITRE ATT&CK mapping.** Primarily [T1068 Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068/); the SSH-key exfiltration outcome maps to [T1552.004 Unsecured Credentials: Private Keys](https://attack.mitre.org/techniques/T1552/004/); the D-Bus path through `accounts-daemon` is closer to [T1543.002 Create or Modify System Process: Systemd Service](https://attack.mitre.org/techniques/T1543/002/) in outcome shape.

**Detection vantage.** Qualys published QID 387392 for vulnerability scanning. Behavioural detection is the operationally interesting axis because the primitive is hard to defeat without a kernel update:

- **Syscall pairing.** EDR / `auditd` hunt for `pidfd_getfd` syscall paired with `ptrace` calls originating from a non-root process targeting a setuid-root process. The combination is rare in normal workloads and is the canonical fingerprint of the exploitation pattern.
- **Anomalous credential-file reads.** `/etc/shadow` read by non-root, non-PAM-stack processes; `/etc/ssh/ssh_host_*_key` read by non-`sshd` processes.
- **D-Bus → systemd anomalies.** `accounts-daemon` D-Bus connections from process trees lacking a legitimate parent (e.g. spawned from a shell rather than a login session).
- **Audit-rule pattern.** `auditctl -w /etc/shadow -p r -k shadow_read` plus `-w /etc/ssh -p r -k ssh_host_key_read`; pair with `-a always,exit -F arch=b64 -S pidfd_getfd -k pidfd_getfd_audit`.
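The syscall-pairing hunt from the list above, run over raw `auditd` output. This is an added example, not Qualys or distributor code; it assumes the audit rules quoted above plus one extra rule, `-a always,exit -F arch=b64 -S ptrace -k ptrace_audit` (an assumption), so that both halves of the pairing are logged, and it uses the x86_64 syscall numbers 101 (`ptrace`) and 438 (`pidfd_getfd`) that raw records carry. The log lines are constructed for this example.

```python
"""Correlate ptrace followed by pidfd_getfd from the same non-root pid in raw auditd logs.

Added example, not Qualys or distributor code. Assumes the audit rules quoted
above plus an extra `-S ptrace -k ptrace_audit` rule (an assumption) so both
syscalls are logged. Raw records carry syscall numbers; the x86_64 values are
101 (ptrace) and 438 (pidfd_getfd). Sample lines below are constructed.
"""
import re
from collections import defaultdict

SYSCALL_NAMES_X86_64 = {101: "ptrace", 438: "pidfd_getfd"}
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
TS = re.compile(r"audit\((\d+\.\d+):(\d+)\)")


def parse_syscall_record(line):
    """Dict for a raw type=SYSCALL line (ts, serial, syscall, pid, uid, exe, key), else None."""
    fields = {k: v.strip('"') for k, v in KV.findall(line)}
    if fields.get("type") != "SYSCALL":
        return None
    m = TS.search(line)
    sc = fields["syscall"]
    if sc.isdigit() and fields.get("arch") == "c000003e":   # x86_64 only; other arches stay numeric
        sc = SYSCALL_NAMES_X86_64.get(int(sc), sc)
    return {"ts": float(m.group(1)), "serial": int(m.group(2)), "syscall": sc,
            "pid": int(fields["pid"]), "uid": int(fields["uid"]),
            "exe": fields.get("exe", ""), "key": fields.get("key", "")}


def ptrace_pidfd_pairs(records, window_s=5.0):
    """Non-root pids whose pidfd_getfd follows their own ptrace within window_s seconds.

    The audit record does not say whether the ptrace target was setuid-root;
    enrich hits with process ancestry / exe of the target pid (a1 of the ptrace
    call) before escalating.
    """
    by_pid = defaultdict(list)
    for r in records:
        if r["uid"] != 0 and r["syscall"] in ("ptrace", "pidfd_getfd"):
            by_pid[r["pid"]].append(r)
    hits = []
    for pid, recs in sorted(by_pid.items()):
        recs.sort(key=lambda r: (r["ts"], r["serial"]))
        attach_ts = None
        for r in recs:
            if r["syscall"] == "ptrace":
                attach_ts = r["ts"]
            elif attach_ts is not None and r["ts"] - attach_ts <= window_s:
                hits.append({"pid": pid, "uid": r["uid"], "exe": r["exe"]})
                break
    return hits


def triage(log_text, window_s=5.0):
    """Parse a raw audit.log excerpt and return the pairing hits."""
    records = [r for r in map(parse_syscall_record, log_text.splitlines()) if r]
    return ptrace_pidfd_pairs(records, window_s)


# Constructed audit.log excerpt: pid 4242 (uid 1000) attaches then duplicates an fd 3 ms later;
# pid 3131 is an ordinary debugger attach; pid 900 is a root daemon using pidfd_getfd.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1779000000.101:2001): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=508 a2=0 a3=0 items=0 ppid=4000 pid=4242 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="race" exe="/tmp/race" key="ptrace_audit"
type=SYSCALL msg=audit(1779000000.104:2002): arch=c000003e syscall=438 success=yes exit=4 a0=5 a1=3 a2=0 a3=0 items=0 ppid=4000 pid=4242 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="race" exe="/tmp/race" key="pidfd_getfd_audit"
type=PROCTITLE msg=audit(1779000000.104:2002): proctitle="./race"
type=SYSCALL msg=audit(1779000000.200:2003): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=1400 a2=0 a3=0 items=0 ppid=3000 pid=3131 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=4 comm="gdb" exe="/usr/bin/gdb" key="ptrace_audit"
type=SYSCALL msg=audit(1779000000.300:2004): arch=c000003e syscall=438 success=yes exit=7 a0=9 a1=0 a2=0 a3=0 items=0 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd" exe="/usr/lib/systemd/systemd" key="pidfd_getfd_audit"
"""
```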

**Hardening / mitigation.** The supported mitigation hierarchy:

1. **Patch.** Upstream kernel fix landed 2026-05-14; distribution vendor packages are available from Debian, Fedora, Red Hat, SUSE, AlmaLinux, CloudLinux and Ubuntu (Canonical's [ssh-keysign-pwn advisory](https://ubuntu.com/blog/ssh-keysign-pwn-linux-vulnerability-fixes-available)). Roll the kernel where USNs / DSAs are available; for ELRepo / longterm trees, build against the patched stable tag.
2. **Interim: `sysctl kernel.yama.ptrace_scope=2`.** Restricts `ptrace` to processes carrying `CAP_SYS_PTRACE`. This eliminates the primitive on non-root processes but breaks debuggers and some profiling tools; deploy via configuration management with explicit allowlist of dev workstations or jump hosts where ptrace is needed.
3. **Restrict `pidfd_getfd` via seccomp on multi-tenant or container hosts.** Where workloads can be characterised, deny `pidfd_getfd` via seccomp profiles on container runtimes; Docker / containerd default profiles can be extended.
4. **Container-runtime context.** Multi-tenant Kubernetes nodes where lower-privilege workloads share the host kernel are the highest-risk environment because the primitive operates at kernel level — `userns` remapping does not block it. Treat patched-kernel rollout as a hard prerequisite for multi-tenant nodes.

**Why this is a deep dive and not a § 2 entry.** CVE-2026-46333 is a local LPE primitive — no pre-authentication network surface, no automated mass-exploitation pattern in the wild yet — so it does not clear the § 2 inclusion gates the prompt enforces. But the combination of all-major-distros affected, four working Qualys exploits detailed in the public advisory, nine-year dormancy in a kernel function under repeated scrutiny, and SSH host-key exfiltration as one of the achievable outcomes makes it the highest-signal Linux-LPE deep dive of the last fortnight. Every EU/CH public-sector environment running Linux containers, multi-tenant compute or developer workstations sits within the affected surface; the patch rollout window is the actionable defensive frame.

— *Source: [Qualys TRU primary advisory](https://blog.qualys.com/vulnerabilities-threat-research/2026/05/20/cve-2026-46333-local-root-privilege-escalation-and-credential-disclosure-in-the-linux-kernel-ptrace-path) · Additional source: [The Hacker News](https://thehackernews.com/2026/05/9-year-old-linux-kernel-flaw-enables.html) · Additional source: [Canonical / Ubuntu advisory blog](https://ubuntu.com/blog/ssh-keysign-pwn-linux-vulnerability-fixes-available) · Tags: vulnerabilities, lpe, priv-esc, poc-public, patch-available · Region: global · Sector: public-sector, technology, education, healthcare · CVE: CVE-2026-46333 · CVSS: 5.5 · Vector: local · Auth: post-auth · Status: poc-public, patch-available*

## 6. Action Items

(Derived from this brief's content only. Generic advice does not belong here.)

- **Patch Drupal CVE-2026-9082 today on every PostgreSQL-backed Drupal deployment** — pre-auth SQL injection, active exploitation, 15,000+ attempts measured by Imperva, NCSC.ch status "Actively exploited". Target versions: 10.4.10 / 10.5.10 / 10.6.9 / 11.1.10 / 11.2.12 / 11.3.10 per [Drupal SA-CORE-2026-004](https://www.drupal.org/sa-core-2026-004). MySQL/MariaDB/SQLite backends are unaffected — if patching slips, swap the backend as a temporary control.
  — *Source: [Drupal SA-CORE-2026-004](https://www.drupal.org/sa-core-2026-004) · [NCSC.ch Security Hub post 12584](https://security-hub.ncsc.admin.ch/#/posts/12584) · Tags: vulnerabilities, actively-exploited, pre-auth, rce, cisa-kev, patch-available · Region: switzerland, europe, global*
- **Patch SPIP to 4.4.15 across every Francophone public-administration deployment** — ANSSI [CERTFR-2026-AVI-0635](https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0635/) is the operational driver; the underlying issue is an open-redirect on the cookie action (per the SPIP project blog), commonly chained into account-impersonation. SPIP is the predominant CMS in Romandie cantonal / communal portals, French ministries and Belgian Francophone government sites. No CVE attached, so the patch is easy to overlook on CVE-driven tooling.
  — *Source: [ANSSI / CERT-FR CERTFR-2026-AVI-0635](https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0635/) · [SPIP project blog](https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-15.html) · Tags: vulnerabilities, patch-available · Region: switzerland, europe*
- **Roll kernel patches for CVE-2026-46333 on every Linux estate; raise `kernel.yama.ptrace_scope=2` as interim on hosts that cannot be rebooted yet.** Four working Qualys exploits detailed in the public advisory (exploit code withheld during coordinated disclosure), all major distros affected, SSH host-key exfiltration in the outcome set. Multi-tenant Kubernetes nodes carry the highest residual risk. Full detection / hardening package in the § 5 Deep Dive above.
  — *Source: [Qualys TRU](https://blog.qualys.com/vulnerabilities-threat-research/2026/05/20/cve-2026-46333-local-root-privilege-escalation-and-credential-disclosure-in-the-linux-kernel-ptrace-path) · [Canonical / Ubuntu](https://ubuntu.com/blog/ssh-keysign-pwn-linux-vulnerability-fixes-available) · Tags: vulnerabilities, lpe, priv-esc, poc-public, patch-available · Region: global*
- **Block user-interactive OAuth device-code flow via Entra ID Conditional Access** to defeat Kali365 PhaaS; enforce FIDO2 phishing-resistant MFA for privileged accounts and audit existing OAuth app consents. After a suspected device-code compromise the only persistent-token clearing path is `Revoke-MgUserSignInSession` — refresh tokens survive password resets.
  — *Source: [The Register](https://www.theregister.com/cyber-crime/2026/05/22/fbi-warns-of-kali365-as-device-code-phishing-soars/5245024) · [Help Net Security](https://www.helpnetsecurity.com/2026/05/22/kali365-microsoft-365-phishing-fbi-warning/) · Tags: phishing, identity, cloud · Region: global, switzerland, europe*
- **Audit `.github/workflows/*.yml` across every internal fork and rotate CI cloud credentials issued during the Megalodon window on 2026-05-18.** SafeDep and OX Security published the SysDiag and Optimize-Build payload markers and committer-identity tells; look for the forged `build-bot` / `auto-ci` / `ci-bot` / `pipeline-bot` author strings on commits dated to that day. Move CI to OIDC-based trusted publishing where long-lived cloud credentials still exist.
  — *Source: [SafeDep](https://safedep.io/megalodon-mass-github-repo-backdooring-ci-workflows/) · [OX Security](https://www.ox.security/blog/megalodon-cicd-malware-github/) · Tags: supply-chain, identity, cloud · Region: global*
- **Hunt for Entra ID `Add device` events and `roadtx` user-agent strings** following the Unit 42 ROADtools write-up; restrict device registration to compliant / hybrid-joined devices and enforce Conditional Access token-protection on admin sessions. Midnight Blizzard / APT29 has a documented EU diplomatic-tenant targeting pattern, so the relevance to Swiss federal and EU institution Entra estates is direct.
  — *Source: [Unit 42 ROADtools](https://unit42.paloaltonetworks.com/roadtools-cloud-attacks/) · Tags: nation-state, identity, cloud, russia-nexus · Region: switzerland, europe, global*
- **Re-baseline DDoS scrubbing capacity against a 10–30 Tbps reference** and re-check AS-level ingress blocklists. AS44477 (legacy Stark) and AS209847 (THE.Hosting / WorkTitans) are the relevant ASNs per Recorded Future's 2025 Insikt Group analysis — verify the current routing-table state via your IRR / RPKI tooling before pushing a blocklist update, since the post-FIOD seizure could have reshuffled BGP advertisements. The Kimwolf and Stark / WorkTitans takedowns reduce immediate supply but DDoS-for-hire reorganises within weeks; treat the moment as a capacity exercise window, not a closed risk.
  — *Source: [KrebsOnSecurity](https://krebsonsecurity.com/2026/05/alleged-kimwolf-botmaster-dort-arrested-charged-in-u-s-and-canada/) · [BleepingComputer](https://www.bleepingcomputer.com/news/security/netherlands-seizes-800-servers-of-hosting-firm-enabling-cyberattacks/) · Tags: ddos, law-enforcement, botnet · Region: switzerland, europe*

## 7. Verification Notes

- **Items dropped (off-audience / less-is-more):** Oncology Institute Inc. SEC Item 1.05 8-K (US-only oncology practice, no Swiss/EU nexus, single-source MEDIUM via Globe and Mail relay since the EDGAR filing index returned HTTP 403 to the bridge fetcher — relevance bar not met); Cloud Atlas / Kaspersky Securelist 2026 PowerCloud + ReverseSocks coverage (substantive but indirect EU nexus — Cloud Atlas targets Russian and Belarusian government primarily; EU diplomatic exposure is collateral). Both available for re-surfacing if a CH/EU victim or operationally relevant detail emerges.
- **Items dropped (out of window):** Germany Cyber-Dome / Cyber-Security Strengthening Act announcement (Interior Minister Dobrindt, 2026-05-12) — outside the 36 h recency window with no in-window legislative delta (cabinet vote outcome, final text). Carry forward; surface in next brief if a cabinet decision or NIS2 cross-impact lands in-window.
- **CVEs dropped from § 2 with reason:** CVE-2026-46333 — does not clear any § 2 inclusion gate (local LPE not pre-auth RCE; four working Qualys exploits detailed in the public advisory but no in-the-wild exploitation reported by Qualys or downstream researchers as of this run). Covered instead as § 5 Deep Dive given operational depth.
- **Items included with reduced confidence:** Rhysida ransomware claim against Landeshauptstadt Stuttgart — `[MEDIUM]` confidence; corroboration is press coverage of the leak-site listing and a DeXpose write-up, not a victim statement (city denies confirmed incident). Treat as hunt-trigger not confirmed-victim. FBI PSA260521 details on Kali365 — the IC3 advisory itself (`ic3.gov/PSA/2026/PSA260521`) returned HTTP 403 to the bridge fetcher; primary advisory text was reconstructed from four independent corroborating outlets (The Register, Help Net Security, The Record, CyberScoop) all quoting the FBI text verbatim. Confidence HIGH on the technical content; primary URL not directly fetched in this run. SEC EDGAR direct-filing access also returned 403 (TOI 8-K), but TOI was dropped on relevance grounds rather than carried with degraded sourcing. Check Point Research March-April 2026 AI Threat Landscape Digest is `[SINGLE-SOURCE]` — only the CPR blog post was directly fetched in this run; the Gambit Security primary report URL referenced in earlier drafts returned a 404 and was dropped per the verifier iter-1 F1 finding.
- **Kimwolf primary-source upgrade applied in iteration 1:** following the verifier's F6 finding, the DOJ press release on the indictment (`justice.gov/usao-ak/pr/canadian-man-arrested-international-authorities-charged-administrating-kimwolf-ddos`) was promoted to the first Source link in the § 1 Kimwolf footer, with KrebsOnSecurity demoted to second Source and The Hacker News + The Record kept as Additional sources. Confidence on the factual outline (defendant, charges, peak throughput, takedown sequence) is HIGH due to corroboration density anchored on the DOJ primary.
- **Contradictions:** Drupal SA-CORE-2026-004 carries vendor severity 23/25 ("Highly Critical") while NIST's published CVSS v3.1 is 6.5 — the gap reflects Drupal's CMS-wide-impact risk framing versus NVD's strict base-score calculation. Brief reports both; the operational truth is "actively exploited pre-auth SQL injection on PostgreSQL backends" regardless of which score scheme is referenced.
- **Sub-agents that didn't return on time:** none — S1 / S2 / S3 / S4 all returned within the 30 min wall-clock cap. S2 (Sonnet 4.6): 4 items, 322 s; S3 (Sonnet 4.6): 5 items, 330 s + later updates; S1 (Sonnet 4.6): 6 items, 557 s; S4 (Sonnet 4.6): 3 items, 574 s. Sub-agent self-reported telemetry: webfetch 8/7/11/22, websearch 16/5/14/12, bridge fetches 10/14/9/8 for S2/S3/S1/S4 respectively.
- **Verification loop (Phase 5.7):** four iterations, model-rotated per v2.47 — iter 1 (Opus) NEEDS_FIXES truth=9 editorial=4 advisory=2, iter 2 (Sonnet) NEEDS_FIXES truth=3 editorial=1 advisory=1, iter 3 (Opus, cold) NEEDS_FIXES truth=5 editorial=2 advisory=3, iter 4 (Sonnet + iter-3 deltas) **CLEAN** truth=0 editorial=0 advisory=3. Brief published under iteration 4's CLEAN verdict. Three iter-4 F11 advisory items applied as cheap edits before publish: SafeDep citation label corrected to 2026-05-21; DOJ citation label corrected to 2026-05-21 to match the body's Thursday-2026-05-21 unsealing-date reading; Danish-authorities NoName057(16) claim softened to "per De Volkskrant reporting carried by BleepingComputer, Danish authorities have alleged that WorkTitans infrastructure supported NoName057(16) DDoS campaigns".
- **Candidate-source overflow:** S3 surfaced two new candidate sources (`searchlight-cyber` — high-quality same-day technical analysis of CVE-2026-9082; `gambit-security` — primary research on the Mexico AI-orchestrated nine-agency breach). Per the one-candidate-per-run cap, `searchlight-cyber` was added as `status: candidate` in `sources/sources.json`; `gambit-security` is carried forward for next run.
- **Coverage gaps:** databreaches-net (transport-403, Cloudflare challenge — fifth consecutive failing run, content cross-checked via BleepingComputer/TheRecord/SecurityAffairs); inside-it-ch (Cloudflare challenge + stale Wayback — fifth consecutive failing run, no Swiss-specific in-window items recovered via WebSearch fallback); sophos-xops (HTTP 503 on canonical RSS — fifth consecutive failing run); dragos-ot (HTTP 404 on resource library RSS — feed appears stale); trendmicro-research (rotation-priority but not retried this run); cisa.gov direct fetches consistently 403 (mitigation: `python3 tools/fetch_source.py` bridge — used for CISA KEV catalog ingest); ic3.gov direct fetches 403 (Kali365 PSA reconstructed from four corroborators); sec.gov EDGAR direct 403; heise.de Security articles TollBit-gated (HTTP 307 → tollbit.heise.de — feed summaries only); cert-eu (3 of 7 recent runs returned no new advisory — quiet, no advisory dated within this 36 h window — most recent is 2026-006 from 2026-05-06 on PAN-OS); anssi-fr (in-window CERTFR-2026-AVI-0611 on Azure surfaced but not operationally significant for this brief; AVI-0635 SPIP fetched and included); jpcert (no in-window lead surfaced; bridge not used in this run); prodaft (not attempted — no in-window publication surfaced via WebSearch); euronews (Cloudflare challenge on direct + Wayback miss — Germany Cyber-Dome AFP wire content recovered via The Star republication, but item ultimately dropped as out-of-window). edpb, cnil-fr returned 200 / no in-window enforcement actions — that is a quiet day, not a coverage gap.
