0. TL;DR
- Arctic Wolf documents active ITW exploitation of CVE-2026-35616 (Fortinet FortiClient EMS 7.4.5–7.4.6, CVSS 9.1, CISA KEV since 2026-04-06). The pre-auth `X-SSL-CLIENT-VERIFY` header bypass is being abused to push the EKZ Infostealer to managed endpoints as a fake `FortiEndpoint_Patch.exe` signed under the legitimate `fortitray.exe` parent. Anything on 7.4.5/7.4.6 must move to 7.4.7 immediately; managed endpoints need browser-profile-write hunts.
- Rapid7 ships a working Metasploit module against an unpatched Gogs zero-day (argument injection via `git rebase --exec` in the rebase-merge code path; CVSSv4 9.4). The maintainer did not respond to coordinated disclosure within 90 days; ~1,141 internet-facing instances visible on Shodan. No patch. Mitigate by disabling self-registration and the rebase-merge strategy.
- Carnival Corporation files substitute notices confirming a breach affecting 5,995,277 individuals (Maine AG filing; driver's-licence + passport numbers exposed across Princess / Holland America / Cunard / Costa per The Record). Maine AG records the breach occurring 2026-04-10 and discovered 2026-04-14 (single-employee-account social engineering); ShinyHunters claimed and ultimately published when ransom was refused.
- Samba ships 4.22.10 / 4.23.8 / 4.24.3 closing two unauthenticated RCEs at CVSS 10.0 — CVE-2026-4408 (SAMR `%u` shell injection) and CVE-2026-4480 (print-command `%J` shell injection). AD DCs unaffected; classic-printing and on-demand DCERPC SAMR file-server roles are.
- Dutch Police and NCSC seize 200 servers and dismantle the Asocks residential-proxy botnet (~17 million enrolled devices, NL-hosted C2). Asocks joins the recent string of disrupted residential-proxy networks — SocksEscort, Aisuru/Kimwolf, FirstVPN, IPIDEA, RapperBot — and defenders relying on Asocks exit-node blocklists should re-tune residential-proxy correlation rules now that the network is offline.
- NCSC.ch's Security Hub flags CVE-2026-9170 — improper-input-validation pre-auth RCE in IBM HTTP Server / WebSphere at CVSS 9.8. Prevalent in Swiss banking, insurance and federal middleware estates; APAR PH71265 / Fix Pack updates are out.
1. Active Threats, Trending Actors, Notable Incidents & Disclosures
Apereo CAS version 7.3.7.1 patches an OIDC-provider flaw reported by Coop Switzerland; CERT-FR issues advisory CERTFR-2026-AVI-0654
The Apereo Foundation released CAS version 7.3.7.1 on 2026-05-27 fixing an unspecified vulnerability in the OpenID Connect identity-provider component of its Central Authentication Service. Apereo scoped the disclosure to deployments where CAS acts as an OIDC IdP (no explicit statement about non-OIDC deployments, but the scoping suggests SAML / Kerberos-only configurations are out of scope of this specific defect). The reporters are Artur Stoecklin and David Roth at Coop (Switzerland), who reported the issue to the Apereo team via the YesWeHack bug-bounty platform — a direct CH-discovered identity-infrastructure issue rather than a vendor-only disclosure. CERT-FR / ANSSI issued advisory CERTFR-2026-AVI-0654 on 2026-05-28 framing the impact as "a security issue not specified by the vendor" ("un problème de sécurité non spécifié par l'éditeur") and recommending immediate patching. Full technical details are withheld pending the standard security grace window. Apereo CAS is the dominant open-source SSO platform in European higher education and is also deployed across Swiss federal and cantonal administrations.
Why it matters to us: CH-relevant identity infrastructure with an EU-wide deployment footprint and a CH-sourced disclosure. Until technical detail is public, prioritise upgrade to the fixed version 7.3.7.1 on any CAS instance acting as an OIDC IdP and monitor OIDC token-issuance logs for unexpected client_id values, anomalous sub claims and tokens granted to unregistered clients.
FortiClient EMS CVE-2026-35616 actively exploited to push EKZ Infostealer through trusted endpoint-management channel
Arctic Wolf Labs published technical evidence on 2026-05-27 of an in-the-wild campaign abusing CVE-2026-35616, the CWE-284 improper-access-control flaw in Fortinet FortiClient EMS 7.4.5 and 7.4.6 (CVSS 9.1; on CISA KEV since 2026-04-06). The vulnerable code path trusts the X-SSL-CLIENT-VERIFY HTTP header set by a fronting reverse proxy or load balancer instead of validating client-certificate state itself; an unauthenticated attacker on the network spoofs the header to reach privileged management APIs. In the observed campaign, attackers modify Remote Access Profile configurations to push a PowerShell payload signed under the trusted fortitray.exe binary that fetches FortiEndpoint_Patch.exe — actually the EKZ Infostealer. EKZ copies itself into Chromium/Gecko browser-profile directories (Chrome, Microsoft Edge, Firefox, LibreWolf, Waterfox, Pale Moon, Thunderbird) to clear elevation-validation checks, then dumps encrypted credential and cookie stores via nss3.dll. Compromise of a single EMS server cascades to every managed endpoint. Patch is FortiClient EMS 7.4.7.
Why it matters to us: FortiClient EMS is widely deployed across Swiss federal and cantonal network-security estates and across EU public-sector networks. Deep-dive treatment in § 5 below.
Rapid7 publishes unpatched Gogs argument-injection RCE with a Metasploit module; maintainer non-responsive
Rapid7 Labs disclosed on 2026-05-28 an authenticated-RCE zero-day in Gogs, the open-source self-hosted Git service. The root cause is in the Merge() function inside internal/database/pull.go: when the "Rebase before merging" strategy is invoked on a pull request, Gogs passes the source-branch name unsanitised to process.ExecDir, bypassing the safer git-module wrappers. An attacker creates a branch named e.g. --exec=<command>; when git rebase runs, that flag is interpreted as a --exec argument and the command executes under the Gogs service account. Affected: Gogs 0.14.2 and 0.15.0+dev (commit b53d3162); all prior versions that support the rebase-merge strategy are likely affected too. The maintainer acknowledged the report on 2026-03-28 (reported 2026-03-17) but has not shipped a fix; Rapid7 published after the standard 90-day window expired. Rapid7 also released a full Metasploit module covering Windows and Linux targets. Shodan shows ~1,141 internet-facing Gogs instances. Class is CWE-88 argument injection — same technique family as CVE-2024-39930 / 39932 / 39933 in prior Gogs disclosures. The Hacker News writeup corroborates and adds that no admin privileges are required, only account creation and repository access.
Why it matters to us: Self-hosted Gogs is common in European public-sector code and research infrastructure as a lightweight GitHub alternative. Until a patched fork (Gitea / Forgejo) is adopted, set DISABLE_REGISTRATION = true in app.ini, disable the Rebase before merging strategy under instance settings, and watch for git child processes carrying --exec under the Gogs binary's process tree (Sysmon EID 1 / auditd EXECVE).
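The branch-name handling that the Gogs bug gets wrong, as an added example in Python (Gogs itself is written in Go; this is not the project's code): refname validation that rejects option-lookalikes, argv construction that places refs after the `--` end-of-options marker (assuming git's standard handling of it), and the process-tree hunt suggested above run over constructed records. The subset of refname rules and the sample records are assumptions.

```python
import re
import subprocess

# Characters git never allows in a refname (subset of the git-check-ref-format rules).
_BAD_CHARS = re.compile(r"[\x00-\x20\x7f~^:?*\[\\]")


def validate_refname(name):
    """Reject anything that could be parsed as a git option or is not a valid ref.
    Raises ValueError; returns the name unchanged when it is acceptable."""
    # A leading '-' is exactly what lets --exec=<cmd> reach git rebase as a flag.
    if not name or name.startswith("-"):
        raise ValueError("refname must not be empty or begin with '-'")
    if (_BAD_CHARS.search(name) or ".." in name or "//" in name or "@{" in name
            or name == "@" or name.endswith(("/", ".", ".lock"))
            or any(p.startswith(".") or p.endswith(".lock") for p in name.split("/"))):
        raise ValueError("invalid refname: %r" % name)
    return name


def build_rebase_argv(head_branch, base_branch):
    """argv for `git rebase <upstream> <branch>` with both refs placed after '--',
    so the option parser never interprets a ref as a flag."""
    return ["git", "rebase", "--",
            validate_refname(base_branch), validate_refname(head_branch)]


def run_rebase(repo_dir, head_branch, base_branch):
    """Execute as an argument list without a shell; never a joined command string."""
    return subprocess.run(build_rebase_argv(head_branch, base_branch),
                          cwd=repo_dir, capture_output=True, text=True, check=False)


# Constructed process records (comm / parent comm / cmdline as auditd EXECVE or
# Sysmon EID 1 would report them); the --exec value is a placeholder.
SAMPLE_PROCS = [
    {"parent_comm": "gogs", "comm": "git",
     "cmdline": "git rebase --exec=<constructed-placeholder> main"},
    {"parent_comm": "gogs", "comm": "git", "cmdline": "git rebase -- main feature/x"},
    {"parent_comm": "bash", "comm": "git", "cmdline": "git rebase --exec make main"},  # a developer, not Gogs
]
_EXEC_FLAG = re.compile(r"(?:^|\s)(?:--exec(?:=|\s)|-x\s)")  # -x is git rebase's short form of --exec


def flag_gogs_git_exec(proc_events):
    """The hunt from the paragraph above: git carrying --exec under the gogs process tree."""
    return [ev["cmdline"] for ev in proc_events
            if ev["comm"] == "git" and ev["parent_comm"] == "gogs"
            and _EXEC_FLAG.search(ev["cmdline"])]


if __name__ == "__main__":
    print(build_rebase_argv("feature/x", "main"))
    print(flag_gogs_git_exec(SAMPLE_PROCS))
```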
Carnival Corporation confirms 5.99 M-record ShinyHunters breach — passport + driver's-licence numbers exposed across four cruise brands
Carnival Corporation filed substitute notices with state attorneys-general on 2026-05-27 confirming 5,995,277 individuals were affected across Princess Cruises, Holland America Line, Cunard and Costa Cruises — the precise figure is from the Maine Attorney General data-breach filing, with secondary coverage in The Record and The Register. The Register notes that this is materially lower than the 8.7 million records ShinyHunters originally listed against Carnival on Have I Been Pwned — the 5.99 million is the count of individuals with unique notifications, not the row-count of the exfiltrated database, so defender-exposure scope discussions need to distinguish the two. The Maine AG filing records the breach as occurring 2026-04-10 and discovered on 2026-04-14 (PR Newswire's official notice describes 2026-04-14 as the day the security team identified the unauthorized activity); initial access was social engineering against a single employee account. ShinyHunters claimed responsibility on 2026-04-18 and ultimately published the data when the ransom demand was refused. Exposed fields include full name, address, email, phone, date of birth and state-issued ID numbers (driver's-licence and passport numbers). Costa Cruises is Italy-headquartered and Cunard has UK operations — EU-resident passport data is in scope, but no EU DPA notification has surfaced in-window. This is a separate ShinyHunters event from the previously-covered Charter / 7-Eleven Salesforce campaign (covered 2026-05-25 and 2026-05-27); the common pattern is single-account social-engineering footholds and the pay-or-leak extortion model run from the actor's own portal.
Dutch Police + NCSC dismantle Asocks residential-proxy botnet (~17 M devices, 200 NL-hosted servers seized)
On 2026-05-28 the Cybercrime Team of the Dutch Politie Unit The Hague and the NCSC.nl jointly took down the Asocks residential-proxy infrastructure. Investigators identified and seized 200 control servers physically hosted at a Netherlands-based provider; the operation was triggered by a security-researcher tip routed through NCSC.nl to Politie (NL Times English summary; Risky Business News bulletin). The Asocks network covertly enrolled victim devices — computers, routers, tablets, smartphones, IoT — using malware tied to the PROXYLIB Go-based library and rented bandwidth to criminal customers for spam, phishing, credential-stuffing and DDoS. Reported total: ~17 million enrolled endpoints globally. Residential-proxy services like Asocks are the standard infrastructure layer behind source-IP-anonymised credential stuffing, account takeover and consent-grant phishing against public-facing login portals and VPN concentrators.
TechCrunch finds 100 K passport scans and selfies on a public-read S3 bucket behind a UK Visa Portal lookalike
TechCrunch reported on 2026-05-27 that ukvisaportal.com — a third-party site marketed as an immigration portal but not affiliated with the UK Government — exposed roughly 100,000 documents via a misconfigured Amazon S3 bucket. The bucket was not publicly listed, but a backend bug exposed directory listing, enabling enumeration of every object; individual files were readable to anyone with the URL. Exposed material included full passport pages (passport number, nationality, DOB, place of birth, issue / expiry dates), accompanying address documents and selfie photographs whose EXIF GPS metadata could pinpoint the applicant's home address. The operator — UAE-registered Active Leadgen LLC — marketed under brand names including "UK Visit" and "ETA-Pass" and impersonated the official GOV.UK service; some applicants told TechCrunch they paid fees believing it was the genuine government portal. TechCrunch and TechRadar report the bucket was secured overnight after publication; no ICO breach notification has surfaced in-window.
2. Trending Vulnerabilities
CVE-2026-4408 & CVE-2026-4480 — Samba: unauthenticated RCE in SAMR RPC and print-command subsystems (CVSS 10.0)
The Samba Project shipped coordinated releases 4.22.10 / 4.23.8 / 4.24.3 on 2026-05-27 covering six CVEs; two reach CVSS 10.0. CVE-2026-4408 is a shell-metacharacter injection in SamValidatePasswordChange and SamValidatePasswordReset RPC handlers in the Samba DCE/RPC SAMR server — the client-controlled username is substituted into the check password script smb.conf option via %u without escaping. Prerequisites are non-default but real: a check password script containing %u must be configured, and samba-dcerpcd must be running as a system service (which requires the non-default rpc start on demand helpers = no). AD DCs are unaffected. CVE-2026-4480 is a parallel injection in the print-command path: the %J substitution in the print command smb.conf option is fed the client-controlled job description without sanitisation; guest printing is on by default and the prerequisites are raw / classic printing backend (not CUPS / iprint). ANSSI / CERT-FR advisory CERTFR-2026-AVI-0651 and the Samba-team announcement on oss-security corroborate the disclosure. No public exploit observed. Patch immediately; if a same-day patch is impossible, remove %u from check password script and wrap %J in single quotes in print command.
CVE-2026-44939 (+ CVE-2026-41052, CVE-2026-41053) — SUSE Rancher: command injection on cluster import, PSA label privilege-escalation, GitHub-App over-inclusive team membership
SUSE Rancher patched three vulnerabilities on 2026-05-27. CVE-2026-44939 (CVSS 9.6, GHSA-mhc6-2gfq-xx62) is a command injection in the cluster-import endpoint /v3/import/{token}_{clusterId}.yaml: the authImage query parameter is not sanitised, so URL-encoded newlines (%0A) break out of the YAML image: field and inject arbitrary YAML keys into the cluster-import manifest. When an admin runs kubectl apply against the malicious manifest, attacker-controlled commands run on control-plane nodes through a deployed DaemonSet with elevated privileges. Affected: 2.10.0–2.10.11, 2.11.0–2.11.13, 2.12.0–2.12.9, 2.13.0–2.13.5, 2.14.0–2.14.1. CVE-2026-41052 (CVSS 8.4, GHSA-vx8h-4prv-g744) lets project-owner users flip namespace Pod Security Admission labels to privileged, enabling container-to-host escape. CVE-2026-41053 (CVSS 8.8, GHSA-4j6x-2764-m8gh) is an authorization bug in the GitHub-App auth provider that grants group principals for every GitHub-org team to any user who belongs to at least one team. BSI advisory WID-SEC-2026-1716 carries the German-CERT corroboration. Fixed in 2.10.12 / 2.11.14 / 2.12.10 / 2.13.6 / 2.14.2.
CVE-2026-44848 & CVE-2026-44849 — Portainer CE: Docker plugin endpoints unguarded; Swarm-service security checks bypassed (CVSS 9.4)
Portainer shipped CE 2.33.8 / 2.39.2 / 2.41.0 on 2026-05-28 closing two CVSS 9.4 authorization bypasses; CCB Belgium issued a "Patch Immediately" advisory on the same day. CVE-2026-44848 (GHSA-rrmm-9v76-h3p4) — the Docker plugin-management endpoints (/plugins/*) are not registered in Portainer's proxy-authorization handler map, so any authenticated non-admin user with endpoint access can POST /plugins/pull to install a plugin from any registry and POST /plugins/{name}/enable to activate it; Docker runs enabled plugins as root on the host with the plugin's declared capabilities and mounts, giving OS-level code execution. CVE-2026-44849 (GHSA-5fxq-qcf3-244w) — Portainer's seven EndpointSecuritySettings restrictions (privileged mode, host PID, device mapping, capabilities, sysctls, security-opt, bind mounts) are enforced on the standard container-create path but not on the Docker Swarm service API; POST /services/create validates only Mounts[] (1 of 7 checks), and POST /services/{id}/update performs no checks at all. Non-admin users can submit arbitrary CapabilityAdd, Sysctls and Privileges values; a volume-driver bypass additionally allows bind-mount equivalents via Type: volume with VolumeOptions.DriverConfig.Options{type: none, o: bind}. Affected: CE 2.33.0–2.33.7, 2.39.0–2.39.1, 2.40.x. Temporary mitigation: revoke Swarm endpoint access for non-admin users via Portainer RBAC, disable plugin management for non-admin users.
CVE-2026-9170 — IBM HTTP Server / WebSphere Application Server: pre-auth RCE via improper input validation (CVSS 9.8)
IBM disclosed nine vulnerabilities in IBM HTTP Server (IHS) and WebSphere Application Server on 2026-05-26; the most severe is CVE-2026-9170 — CWE-94 improper input validation in the HTTP request-parsing layer that lets a remote, unauthenticated attacker trigger arbitrary code execution by sending a crafted HTTP request to the default web listener. NCSC.ch flagged the advisory as Security Hub post 12601 on 2026-05-28. NVD entry CVE-2026-9170 carries the CVSS 9.8 base score. Affected: IBM HTTP Server 9.0 and 8.5 branches; WebSphere Application Server Traditional 9.0 and 8.5 before the listed fix packs. Other notable CVEs in the same batch: CVE-2026-8855 (CVSS 8.1, RCE in TLS mutual-auth configs); CVE-2026-8834 (CVSS 8.0, heap-based buffer overflow in the Administration Server); CVE-2026-8856 / CVE-2026-8850 / CVE-2026-8854 (DoS). IBM recommends applying interim fix APAR PH71265 or the corresponding fix pack and disabling unused optional modules (mod_ibm_upload, mod_mem_cache). No public exploitation observed.
CVE-2026-4868 (+ five further CVEs) — GitLab 19.0.1 / 18.11.4 / 18.10.7 patch release: Duo AI identity impersonation, unauthenticated project enumeration
GitLab shipped patch versions 19.0.1, 18.11.4 and 18.10.7 on 2026-05-27 closing six CVEs. The most severe is CVE-2026-4868 (CVSS 8.2, CWE-639) — an improper identity-resolution flaw in the GitLab Duo AI integration that allows an authenticated user to impersonate another user when Duo AI workflows are triggered, with the workflow runners executing under the second user's identity. CVE-2026-6713 (CVSS 5.3) lets an unauthenticated attacker enumerate private projects via an incorrect authorization issue in GitLab's GraphQL WorkItem API. Other CVEs in the batch: CVE-2026-1402 (CVSS 6.5, Wiki DoS via malformed markup), CVE-2026-2601 (CVSS 4.3, deployment-data exposure to Developer-role users), CVE-2026-5296 (CVSS 4.3, Developer-role flow-restriction bypass) and CVE-2026-8716 (CVSS 4.3, CI cross-reference data exposure). NCSC-NL advisory NCSC-2026-0168 rates the batch high; CERT-FR / ANSSI carries CERTFR-2026-AVI-0658 as the FR-CERT corroboration. No exploitation reported.
CVE-2026-32996 & CVE-2026-32997 — Veeam Backup & Replication KB4852: LPE in Windows Agent, arbitrary file write in Linux appliance
Veeam shipped KB4852 / Backup & Replication patch version 13.0.2.29 on 2026-05-27. CVE-2026-32996 (CVSS 7.3) is a local privilege escalation in the Veeam Agent for Microsoft Windows component — an attacker with limited system access can elevate to enable arbitrary command execution, security-control disablement or lateral movement; reporter Alibaba via HackerOne. CVE-2026-32997 (CVSS 8.6) is an arbitrary file write in the Veeam Software Appliance (Linux) constrained to authenticated users with the Backup Administrator role; depending on the target path (cron, authorized_keys, library hijack), this is a stepping stone to RCE or persistence. Both affect all version-13 builds before fixed version 13.0.2.29. CERT-FR / ANSSI advisory CERTFR-2026-AVI-0652 corroborates. No exploitation reported; Veeam notes patch-reverse-engineering risk after disclosure. Veeam is the dominant backup platform in EU public-sector on-premise environments — patch the appliance and Windows agent fleet in tandem with backup-administrator least-privilege review.
CVE Summary Table
| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-35616 | Fortinet FortiClient EMS 7.4.5–7.4.6 | 9.1 | 43.2% | Yes (2026-04-06) | Yes — EKZ Infostealer | EMS 7.4.7 | Fortinet PSIRT |
| CVE-2026-4408 | Samba (SAMR RPC) | 10.0 | n/a | No | No | 4.22.10 / 4.23.8 / 4.24.3 | Samba Project |
| CVE-2026-4480 | Samba (print command) | 10.0 | n/a | No | No | 4.22.10 / 4.23.8 / 4.24.3 | Samba Project |
| CVE-2026-9170 | IBM HTTP Server / WebSphere | 9.8 | 0.049% | No | No | APAR PH71265 | IBM Security Bulletin |
| CVE-2026-44939 | SUSE Rancher (cluster import) | 9.6 | n/a | No | No | 2.10.12 / 2.11.14 / 2.12.10 / 2.13.6 / 2.14.2 | SUSE GHSA |
| CVE-2026-44848 | Portainer CE (Docker plugin endpoints) | 9.4 | n/a | No | No | 2.33.8 / 2.39.2 / 2.41.0 | Portainer GHSA |
| CVE-2026-44849 | Portainer CE (Swarm service bypass) | 9.4 | n/a | No | No | 2.33.8 / 2.39.2 / 2.41.0 | CCB Belgium |
| CVE-2026-41053 | SUSE Rancher (GitHub App auth) | 8.8 | n/a | No | No | 2.13.6 / 2.14.2 | SUSE GHSA |
| CVE-2026-32997 | Veeam Backup Linux appliance | 8.6 | n/a | No | No | version 13.0.2.29 | Veeam KB4852 |
| CVE-2026-41052 | SUSE Rancher (PSA priv-esc) | 8.4 | n/a | No | No | 2.12.10 / 2.13.6 / 2.14.2 | SUSE GHSA |
| CVE-2026-4868 | GitLab CE/EE (Duo AI) | 8.2 | n/a | No | No | 19.0.1 / 18.11.4 / 18.10.7 | GitLab |
| CVE-2026-32996 | Veeam Windows Agent | 7.3 | n/a | No | No | version 13.0.2.29 | Veeam KB4852 |
| CVE-2026-6713 | GitLab CE/EE (project enumeration) | 5.3 | n/a | No | No | 19.0.1 / 18.11.4 / 18.10.7 | GitLab |
3. Research & Investigative Reporting
Wiz CIRT names JINX-0164 — LinkedIn-recruiter lures, AUDIOFIX macOS infostealer, MINIRAT npm pivot into CI/CD
Wiz CIRT identified and named JINX-0164 on 2026-05-27, a financially motivated cluster active since mid-2025 against cryptocurrency organisations. Initial access is LinkedIn-based social engineering — fake recruiter personas direct targets to fraudulent video-conferencing platforms that deliver AUDIOFIX, a compiled-Python macOS binary functioning as both infostealer and backdoor. AUDIOFIX harvests Keychain contents, Chrome / Firefox / Safari credentials, SSH keys, AWS / GCP / Azure cloud-provider credentials, and credentials from 51 cryptocurrency-wallet browser extensions; persistence is a LaunchAgent plist under ~/Library/LaunchAgents. From the endpoint, JINX-0164 pivots into CI/CD infrastructure using stolen developer credentials and injects poisoned commits under legitimate developer identities; any team member building from the affected branches receives MINIRAT, a lightweight Go-based backdoor. The supply-chain escalation materialised through the @velora-dex/sdk npm package version 4.9.1 (trojanised 2026-04-07), which staged MINIRAT via LaunchCtl persistence. Wiz notes TTP overlap with prior DPRK-adjacent tradecraft (UNC1069, Sapphire Sleet) but stops short of formal attribution. The Hacker News writeup corroborates with additional MINIRAT detail. Mapped to T1566.003 (Spearphishing via Service: LinkedIn), T1543.001 (Launch Agent), T1555 (Credentials from Password Stores), T1195.002 (Compromise Software Supply Chain) and T1098.005 (Device Registration). For Swiss / EU SOCs the relevant exposure is Crypto Valley and any organisation whose developers build from npm dependencies that fan out to internal CI/CD — Sigstore signature verification, lock-file pinning of @velora-dex/sdk, and CI runner least-privilege are the operational asks.
WatchGuard documents Grandoreiro's Delphi-DLL-side-loading + WebSocket/STUN C2 against Portuguese & Spanish banks; ESET maps parallel Android BTMOB MaaS
WatchGuard's Secplicity team published telemetry on 2026-05-26 covering a sustained 2026 Grandoreiro banking-trojan campaign against banks in Portugal and Spain (and across Latin America). The campaign deploys Delphi-11-compiled DLLs through DLL side-loading against four abused legitimate signed binaries; the Grandoreiro core has been re-tooled to use the sgcWebSockets library for command-and-control, with STUN and ICE protocols enabling NAT traversal — C2 traffic visually blends with web-conferencing data and bypasses standard protocol-inspection rules. WatchGuard names Abanca, Banco de Portugal, BBVA PT, Caixa Geral Depositos, Santander, Revolut and Wise as targeted institutions. A parallel Latin American mobile-banking strand: ESET WeLiveSecurity documents BTMOB, an Android RAT (evolved from SpySolr) sold malware-as-a-service, documented by ESET as targeting users in Brazil and Argentina. BTMOB requests Accessibility Service permissions and uses them for full device takeover — HTML-injected overlay phishing, keylogging and on-demand screen recording. The Hacker News provides a combined writeup with the WatchGuard / ESET coverage.
4. Updates to Prior Coverage
UPDATE: The Gentlemen ransomware — Microsoft publishes full technical dissection of the Storm-2697 Go-encryptor
UPDATE (originally covered 2026-05-20; consolidated in weekly W21): Microsoft Threat Intelligence published a full dissection of The Gentlemen ransomware on 2026-05-28, giving Storm-2697 a much sharper technical profile than the victim-list reporting available in week 21. The encryptor is a single-binary Go executable (obfuscated through Garble to strip symbol tables), uses Curve25519 + XChaCha20 with per-file ephemeral keys (no bulk-decryption shortcut), and ships a self-propagation module that executes a series of lateral-movement techniques in parallel per host — PsExec, WMIC, scheduled tasks, services, PowerShell remoting — maximising the probability that at least one pivot path succeeds in any AD-joined environment.
Check Point Research's 2026-05-13 writeup adds the actor-side context that Microsoft's dissection does not — Check Point counts approximately 332 victim organisations on the operator's leak site, and documents that on Domain Admin compromise The Gentlemen deploys itself across the estate through a Group Policy Object linked at all relevant OUs. Huntress Labs' 2026-05-21 IR report corroborates the defense-evasion playbook: PowerShell disables Microsoft Defender real-time monitoring (`Set-MpPreference -DisableRealtimeMonitoring`), stops `WinDefend`, adds broad `Add-MpPreference -ExclusionProcess` and drive-level exclusions, disables Controlled Folder Access, and clears Security / System / Application event logs (EID 104, EID 1102). Huntress documented two April / May 2026 incidents whose entry vector was RDP with compromised credentials, lateral movement reached domain controllers via the `NETLOGON` share and SCCM's `CcmExec.exe`, and process names were masqueraded as `svchost32.exe`. The DFIR Report's 2026-05-11 alert confirmed a related chain in which EtherRAT (delivered via a malicious Sysinternals MSI) and TukTuk C2 preceded Gentleman deployment. Microsoft's Defender detection name is `Ransom:Win64/Gentlemen.A`; recommended Attack Surface Reduction posture per Microsoft's ASR rules reference is Block process creations originating from PsExec and WMI commands combined with EDR-in-block-mode enforcement.

Material new development vs. last coverage: full encryption + propagation mechanism, named-cluster identity (Storm-2697), the GPO-spread pathway documented by Check Point Research, and Check Point's count of approximately 332 victims.

Detection focus: hunt for `wevtutil cl Security|System|Application` chained with `sc stop WinDefend` or `msconfig`; flag `svchost32.exe` spawned outside `%SystemRoot%\System32`; alert on `CcmExec.exe` launching non-SCCM payloads. Hardening: enforce SMB signing GPO, restrict GPO-creation rights to a hardened OU, enable Credential Guard, monitor Event ID 5136 for GPO modifications and 5140 for the `hiddenshare` SMB share.
5. Deep Dive — FortiClient EMS CVE-2026-35616 + EKZ Infostealer kill chain
Background. CVE-2026-35616 is the improper-access-control (CWE-284) flaw in Fortinet FortiClient EMS 7.4.5 and 7.4.6 disclosed on 2026-04-04 and added to the CISA KEV catalog on 2026-04-06; vendor coverage at disclosure focused on the auth-bypass primitive, with Arctic Wolf's 2026-05-27 publication being the first public exploitation-chain narrative tying the bypass to a downstream credential-theft payload (EKZ Infostealer). The vulnerability class — header-spoofing trust against a fronting reverse proxy — is the same shape as Microsoft's CVE-2026-45659 (separate product, same X-Forwarded-* trust pattern), and the EKZ delivery via the trusted EMS management channel is a defender-relevant escalation of the trusted-update-channel-as-supply-chain pattern previously associated with vendor-update vehicles.
Vulnerable component. The FortiClient EMS server's management API trusts the HTTP request header X-SSL-CLIENT-VERIFY to convey client-certificate validation state — the ProjectDiscovery Nuclei template for CVE-2026-35616 sends exactly that header with value SUCCESS as the entire exploit payload. The intended deployment model is that a fronting reverse proxy or load balancer performs the mutual-TLS handshake and stamps that header into the upstream request before forwarding to EMS. The server does not independently confirm that the negotiating peer presented a valid client certificate; it accepts the header as-is. An unauthenticated attacker on a network path to the EMS management plane spoofs X-SSL-CLIENT-VERIFY: SUCCESS and reaches privileged API endpoints without authenticating. CVSS:3.1 base 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). EPSS 43.2 % at the 97.6th percentile.
Exploitation prerequisites. Network reach to the EMS management API (typically over the management VLAN or, in misconfigured deployments, directly on the internet); a vulnerable EMS server version 7.4.5 or 7.4.6; no other authentication. AD-joined EMS, MFA-protected EMS console accounts, and other authentication controls applied to interactive logons are not in the request path the spoofed header bypasses.
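The header-trust pattern described above, as an added example (not Fortinet's code): a stand-in upstream check that believes the header as-is beside a hardened one that accepts it only from the mTLS-terminating proxy and only with a forwarded certificate fingerprint, the proxy-side stripping that makes the header trustworthy at all, and a log audit implementing the first detection concept listed below. The trusted-proxy range, the `X-SSL-CLIENT-FINGERPRINT` companion header name and all log records are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

VERIFY_HDR = "X-SSL-CLIENT-VERIFY"
FP_HDR = "X-SSL-CLIENT-FINGERPRINT"                      # assumed companion header, not a Fortinet name
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]  # assumption: where the mTLS proxy lives


@dataclass
class Request:
    peer_ip: str                                         # TCP peer the upstream actually sees
    headers: dict = field(default_factory=dict)


def vulnerable_is_authenticated(req):
    """The CVE-2026-35616 shape: whatever the client sent is believed."""
    return req.headers.get(VERIFY_HDR, "").upper() == "SUCCESS"


def hardened_is_authenticated(req, trusted=TRUSTED_PROXIES):
    """Believe the header only from a trusted proxy, and only when that proxy
    also forwarded the certificate fingerprint it validated."""
    ip = ipaddress.ip_address(req.peer_ip)
    if not any(ip in net for net in trusted):
        return False                                     # header arrived from a non-proxy peer
    if req.headers.get(VERIFY_HDR, "").upper() != "SUCCESS":
        return False
    return bool(req.headers.get(FP_HDR))


def proxy_forward(inbound_headers, tls_client_verified, fingerprint=None):
    """Proxy side: drop any client-supplied copy of the trust headers, then set
    them from the proxy's own TLS state. Without this step even the hardened
    upstream check can be fed a forged value relayed through the proxy."""
    out = {k: v for k, v in inbound_headers.items()
           if k.upper() not in (VERIFY_HDR, FP_HDR)}
    out[VERIFY_HDR] = "SUCCESS" if tls_client_verified else "NONE"
    if tls_client_verified and fingerprint:
        out[FP_HDR] = fingerprint
    return out


# Constructed EMS-side access records for the audit below.
SAMPLE_EMS_LOG = [
    {"ts": "2026-05-27T08:01:12Z", "verify": "SUCCESS", "fingerprint": "AA:11"},
    {"ts": "2026-05-27T08:02:40Z", "verify": "SUCCESS", "fingerprint": ""},       # no certificate at all
    {"ts": "2026-05-27T08:03:05Z", "verify": "SUCCESS", "fingerprint": "FF:99"},  # not from our CA
    {"ts": "2026-05-27T08:04:00Z", "verify": "NONE", "fingerprint": ""},
]
TRUSTED_FINGERPRINTS = {"AA:11", "BB:22"}                # constructed operator-CA issued certificates


def audit_ems_requests(records, trusted_fps=TRUSTED_FINGERPRINTS):
    """First detection concept below: SUCCESS with no fingerprint, or one outside
    the operator-trusted set, is a spoofed-header candidate."""
    return [r for r in records
            if r.get("verify", "").upper() == "SUCCESS"
            and r.get("fingerprint") not in trusted_fps]


if __name__ == "__main__":
    spoofed = Request("203.0.113.7", {VERIFY_HDR: "SUCCESS"})
    print(vulnerable_is_authenticated(spoofed), hardened_is_authenticated(spoofed))
    print([r["ts"] for r in audit_ems_requests(SAMPLE_EMS_LOG)])
```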
Exploitation chain in the Arctic Wolf campaign. Mapped to MITRE ATT&CK throughout. Initial access: header-spoofing against EMS management API (T1190 Exploit Public-Facing Application). Persistence and distribution: attackers modify Remote Access Profile configurations through the now-privileged API endpoint to push an Update task to managed FortiClient endpoints — the malicious PowerShell payload is delivered through the EMS update channel under the trusted fortitray.exe parent process and is therefore signed in the operational sense (T1195.002 Compromise Software Supply Chain — EMS as distribution vector; T1218 System Binary Proxy Execution via the trusted FortiTray binary). The PowerShell payload fetches FortiEndpoint_Patch.exe, presented to operators and AV as a legitimate Fortinet patch — actually the EKZ Infostealer. Defense evasion: EKZ copies itself into per-browser profile directories under each user's AppData\Local\Google\Chrome\User Data\<profile>, AppData\Roaming\Mozilla\Firefox\Profiles\<profile> and equivalents for Microsoft Edge, LibreWolf, Waterfox, Pale Moon, Thunderbird, defeating elevation-validation checks that gate access to encrypted credential and cookie stores via nss3.dll (T1555.003 Credentials from Web Browsers). Collection and exfiltration: encrypted credential stores and session cookies dumped, then exfiltrated via HTTP POST to actor infrastructure (T1071.001, T1041). The single-server-to-fleet cascade is the campaign's defining property: one compromised EMS server simultaneously distributes EKZ to every managed endpoint in the deployment.
Affected and patched versions. Affected: FortiClient EMS 7.4.5 and 7.4.6 — only those two builds; earlier branches and 7.4.7+ are not vulnerable. Patched: FortiClient EMS 7.4.7. The Fortinet PSIRT FG-IR-26-099 advisory carries the vendor's complete affected-version matrix and the out-of-band hotfix references for organisations that cannot move to 7.4.7 in their change window.
Detection concepts. None of these require IOC sharing — they are behavioural patterns against the campaign's mechanics.
- EMS management-API access without proper mTLS handshake. Where the EMS server logs `X-SSL-CLIENT-VERIFY` along with the peer-certificate fingerprint, alert on any request carrying `SUCCESS` with no fingerprint or a fingerprint not from the operator-trusted CA. Where the reverse proxy in front of EMS logs the mTLS state, alert on EMS log records claiming success that do not correspond to a proxy log line with a matched negotiation.
- Unsolicited Remote Access Profile modification. Alert on any modification to RAP / endpoint-policy XML or its API equivalents that was not initiated from an EMS admin console session in the change-management window.
- Push-from-EMS installers that are unsigned or have anomalous filenames. EMS-pushed installers that are neither `FortiClientSetup_*.exe` nor a vendor-signed update should never reach a managed endpoint; alert on Sysmon EID 1 where the parent process is the FortiClient managed-service binary and the child is an unsigned binary with `--silent` install flags. The fake `FortiEndpoint_Patch.exe` name from this campaign deviates from the genuine `FortiClientSetup_*.exe` naming convention.
- Browser-profile-directory writes from non-browser processes. Sysmon EID 11 (`FileCreate`) targeting `AppData\Local\Google\Chrome\User Data\<profile>` (and equivalents), where the source image is not the browser binary itself, the parent process is not a known package manager, and the file extension is `.exe` / `.dll`. This is the EKZ self-copy primitive.
- `fortitray.exe` spawning PowerShell with `-EncodedCommand` / `-enc`. PowerShell `-enc` from a Fortinet trusted-binary parent process is the in-campaign behaviour Arctic Wolf documents and is not expected operationally.
- Outbound HTTP POST from an EMS-service account to non-Fortinet endpoints. Easy network-layer signal on egress firewall / SWG logs.
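The header-spoof, FortiTray-child and profile-directory patterns above as executable checks. This is an added example, not Arctic Wolf's or Fortinet's detection content: it assumes a hypothetical EMS API log with `x_ssl_client_verify` and `issuer_fingerprint` fields, Sysmon EID 1/11 events as dicts, and constructed sample records; the profile-directory rule checks only the writing image, since Sysmon EID 11 carries no parent-process field.

```python
"""Behavioural checks for the EMS header-spoof / EKZ chain above. Added example, not
Arctic Wolf or Fortinet code: field names are hypothetical, all sample records constructed."""
import re

TRUSTED_ISSUER_FPS = {"sha256:CONSTRUCTED-OPERATOR-CA"}  # hypothetical operator mTLS CA
PROFILE_DIRS = (r"\appdata\local\google\chrome\user data", r"\appdata\roaming\mozilla\firefox\profiles")
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "thunderbird.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def spoofed_mtls(rec):
    """EMS API record says X-SSL-CLIENT-VERIFY=SUCCESS but carries no peer-cert issuer
    fingerprint (or one outside the trusted CA): the header came from the client, not the proxy."""
    return rec.get("x_ssl_client_verify") == "SUCCESS" and rec.get("issuer_fingerprint") not in TRUSTED_ISSUER_FPS

def suspicious_fortitray_child(ev):
    """Sysmon EID 1 under fortitray.exe: encoded PowerShell, or a silent installer
    that does not follow the genuine FortiClientSetup_*.exe naming."""
    if ev["event_id"] != 1 or basename(ev["parent_image"]) != "fortitray.exe":
        return False
    child, cmd = basename(ev["image"]), ev["command_line"].lower()
    if child == "powershell.exe":
        return re.search(r"(^|\s)-(enc|encodedcommand)\b", cmd) is not None
    return "--silent" in cmd and not re.fullmatch(r"forticlientsetup_.*\.exe", child)

def browser_profile_binary_write(ev):
    """Sysmon EID 11: .exe/.dll written into a browser profile directory by a process
    other than the browser itself (the EKZ self-copy primitive)."""
    if ev["event_id"] != 11:
        return False
    t = ev["target_filename"].lower()
    return t.endswith((".exe", ".dll")) and any(d in t for d in PROFILE_DIRS) and basename(ev["image"]) not in BROWSERS

FT = r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe"  # constructed install path
EMS_LOG = [  # constructed: a proxy-verified request, then a spoofed header with no fingerprint
    {"x_ssl_client_verify": "SUCCESS", "issuer_fingerprint": "sha256:CONSTRUCTED-OPERATOR-CA"},
    {"x_ssl_client_verify": "SUCCESS", "issuer_fingerprint": None}]
SYSMON = [  # constructed: genuine update, encoded PowerShell, fake patch, EKZ self-copy
    {"event_id": 1, "parent_image": FT, "image": r"C:\Temp\FortiClientSetup_7.4.7.exe",
     "command_line": "FortiClientSetup_7.4.7.exe --silent"},
    {"event_id": 1, "parent_image": FT, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -EncodedCommand CONSTRUCTED"},
    {"event_id": 1, "parent_image": FT, "image": r"C:\Users\alice\AppData\Local\Temp\FortiEndpoint_Patch.exe",
     "command_line": "FortiEndpoint_Patch.exe --silent"},
    {"event_id": 11, "image": r"C:\Users\alice\AppData\Local\Temp\FortiEndpoint_Patch.exe",
     "target_filename": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\updater.dll"}]
```

The genuine `FortiClientSetup_*.exe` push in the sample is deliberately not flagged, so the rule can be checked for false positives against a real EMS update before it is deployed.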
Hardening. Patch is the only complete remediation. Immediately upgrade FortiClient EMS to 7.4.7. While the change window is being scheduled, compensating controls: (1) block EMS management API ports from the internet completely, restricting access to a defined management network; (2) enforce mTLS termination at the proxy and have the proxy strip / overwrite the X-SSL-CLIENT-VERIFY header before forwarding to EMS, removing the spoof primitive entirely; (3) require admin-access MFA for the EMS console and rotate EMS service-account credentials post-patch; (4) audit all RAP / endpoint-policy XML against a known-good baseline. Post-incident: assume managed endpoints in any environment running 7.4.5 / 7.4.6 may have received EKZ; rotate cached browser credentials for sensitive accounts and treat session cookies in managed-endpoint browser stores as compromised.
6. Action Items
Upgrade Fortinet FortiClient EMS 7.4.5 / 7.4.6 → 7.4.7 immediately and assume managed-endpoint compromise where the patch lagged. Active ITW exploitation delivers EKZ Infostealer through the trusted EMS update channel. Apply Fortinet PSIRT FG-IR-26-099 per § 5 above; have the fronting reverse proxy strip / overwrite `X-SSL-CLIENT-VERIFY` before forwarding to EMS as a defence-in-depth control. Rotate cached browser credentials and treat managed-endpoint session cookies as compromised wherever EMS ran 7.4.5/7.4.6 unpatched.

Patch Samba to 4.22.10 / 4.23.8 / 4.24.3 on every Linux file / member server; AD DCs are unaffected. Compensating mitigation if the upgrade slips: remove `%u` from any `check password script`, wrap `%J` in single quotes inside `print command`, and set `rpc start on demand helpers = yes` (default). Two CVSS 10.0 unauthenticated RCEs make this an immediate change-window candidate.

Patch Portainer CE to 2.33.8 / 2.39.2 / 2.41.0 and revoke Docker / Swarm endpoint access for non-admin users in the interim. CCB Belgium's Patch Immediately warning targets exactly the deployment shape — non-admin users with endpoint access can reach the unguarded plugin endpoints and Swarm-service API and escalate to host code execution.
Upgrade SUSE Rancher to 2.10.12 / 2.11.14 / 2.12.10 / 2.13.6 / 2.14.2 and audit GitHub-App authentication / project-owner RBAC. Three concurrent paths to host code execution or cluster-admin escalation; the GitHub-App over-inclusive team membership in particular can be quietly abused.
Patch IBM HTTP Server / WebSphere via APAR PH71265; disable `mod_ibm_upload` and `mod_mem_cache` where unused. Pre-auth RCE at CVSS 9.8 on a middleware widely deployed in Swiss banking, insurance and federal IT — NCSC.ch flagged the advisory specifically for CH consumers.

Mitigate the unpatched Gogs RCE on every self-hosted instance. Set `DISABLE_REGISTRATION = true` in `app.ini`, disable Rebase before merging under instance settings, and consider migration to Gitea / Forgejo. Hunt for `git` invocations with `--exec` whose parent is the Gogs binary (Sysmon EID 1 / `auditd` EXECVE).

Hunt for The Gentlemen kill-chain artefacts across the AD estate. Look for `wevtutil cl Security|System|Application` chained with `sc stop WinDefend` or `msconfig`; `svchost32.exe` spawned outside `%SystemRoot%\System32`; `CcmExec.exe` launching non-SCCM payloads; GPO modifications (Event ID 5136) and the hidden SMB `share` mount (Event ID 5140). Enable the Block process creations originating from PsExec and WMI commands ASR rule per Microsoft's ASR rules reference and run EDR in block mode where possible.

Upgrade Apereo CAS to the fixed version 7.3.7.1 on any deployment configured as an OIDC IdP, even with technical detail withheld. CH-discovered (Coop Switzerland reporter) and CERT-FR-flagged; until detail is public, monitor OIDC token issuance logs for tokens to unregistered clients and anomalous `sub` claim values.

Patch GitLab to 19.0.1 / 18.11.4 / 18.10.7 and Veeam B&R / Agent to 13.0.2.29 within the next change window. The highest-severity GitLab issue is the Duo AI identity-impersonation flaw; Veeam's Linux-appliance arbitrary file write is constrained to the Backup Administrator role but is a viable stepping stone to RCE. Review Veeam backup-administrator least-privilege at the same time.
Refresh residential-proxy detection logic post-Asocks takedown. Asocks joins a recent sequence of disrupted networks (SocksEscort, Aisuru/Kimwolf, FirstVPN, IPIDEA, RapperBot per Risky Bulletin); retune CGNAT / consumer-ISP-RDNS correlation rules on M365 / Entra ID sign-in logs and on VPN concentrator authentication.
7. Verification Notes
- Items dropped (already-covered, duplicate of in-window prior coverage):
  - Tycoon 2FA AiTM detection-engineering analysis (Elastic Security Labs, 2026-05-26) — surfaced by S3 as a candidate, but the same Elastic Security Labs piece and the same eSentire OAuth-Device-Code corroboration were already the substance of the deep dive in 2026-05-27 and of the original Tycoon 2FA deep dive in 2026-05-18. No material new development in window. Drop per PD-8.
- Single-source items kept: none kept as `[SINGLE-SOURCE]` in published items this run — both Apereo CAS (Apereo + CERT-FR) and the FortiClient / EKZ campaign (Arctic Wolf + Fortinet PSIRT + The Hacker News + NVD) cleared two-source verification.
- Items dropped (low signal-to-noise for this audience):
  - BTMOB Android RAT (ESET, 2026-05-26) — surfaced by S1 as SINGLE-SOURCE; folded into the § 3 Grandoreiro item as a corroborating Iberian-banking parallel rather than promoted to its own H3. ESET + WatchGuard via § 3 supply the two-source view.
- Reduced confidence: Apereo CAS patch version 7.3.7.1 carries MEDIUM confidence on technical impact because Apereo withheld full detail pending the security grace window. Tracked for follow-up.
- CVEs that did not clear § 2 inclusion gates (no exploitation, no PoC, no KEV, no pre-auth RCE on internet-exposed software): the lower-severity GitLab batch CVEs (`CVE-2026-1402`, `CVE-2026-2601`, `CVE-2026-5296`, `CVE-2026-8716`) are documented inside the parent GitLab item but did not warrant their own H3.
- Contradictions surfaced:
  - Gogs zero-day CVE id: S1 documented no CVE assigned at publication, while S3 referenced CVE-2026-26194. Rapid7's blog post is unambiguous that the maintainer has not responded and no patch exists; the CVE-id claim from S3 could not be re-verified against an authoritative NVD entry in this run. The brief is written conservatively without the CVE id; verification of `CVE-2026-26194` is deferred to the next run.
  - GitLab patch-release CVE count: the § 2 GitLab item summarises six CVEs (CVE-2026-4868, -6713, -1402, -2601, -5296, -8716) — the GitLab patch-release page enumerates seven (an additional CVE-2026-2710 is listed inline). The brief should be read as covering the six highest-severity / most defender-relevant items in the bundle; CVE-2026-2710 details are left to the vendor page until the next-run re-pivot.
  - Carnival breach date: the Maine AG filing records the breach as occurring 2026-04-10 with discovery on 2026-04-14, while Carnival's PR Newswire substitute notice describes 2026-04-14 as the day the security team identified unauthorized activity. The brief reports both dates with the breach-vs-discovery distinction surfaced in body text rather than picking one.
- Sub-agents: all four returned within budget. S1 Sonnet 4.6 (684 s, 22 webfetch / 9 websearch / 14 bridge), S2 Sonnet 4.6 (348 s, 18 / 12 / 10), S3 Sonnet 4.6 (771 s, 12 / 4 / 18), S4 Sonnet 4.6 (753 s, 17 / 22 / 6). No stalled agents.
- Verification (Phase 5.7): four iterations (Opus → Sonnet → Opus → Sonnet). Iter 1 NEEDS_FIXES (truth=6, editorial=4, advisory=2) → iter 2 NEEDS_FIXES (1, 2, 0) → iter 3 NEEDS_FIXES (3, 1, 2) → iter 4 NEEDS_FIXES (1, 0, 0). Iter 4 was published via the v2.50 early-exit rule (truth+editorial ≤ 2 AND no F1/F4); the iter 4 finding ("Check Point count: brief said more than 332, source says approximately 332") was applied as a best-effort remediation in-place but the iteration's NEEDS_FIXES verdict stands. `verification_residual_count = 1`.
- Coverage gaps: databreaches-net (transport 403, no Wayback snapshot — Carnival breach covered via PR Newswire + The Record + The Register); sophos-xops (HTTP 503 on feed); inside-it-ch (HTTP 403 even via bridge); dragos, shadowserver, sekoia, volexity, greynoise (feeds returned 404 — likely upstream feed-URL drift, candidate for source-list review next run); cert-at, csirt-acn-it (not enumerated in this run); SEC EDGAR Item 1.05 (0 hits in window — Carnival filed substitute notice via PR Newswire and state AGs, not 8-K); CNIL-FR, EDPB, ICO-UK (no in-window enforcement actions); cisa-directives, tenable-research, cisco-psirt, greynoise (quiet in window). Inside-IT.ch's persistent 403 pattern is now the 4th run in 7 — candidate for the next source-list review.