On this page
- 0. TL;DR
- 1. Active Threats, Trending Actors, Notable Incidents & Disclosures
- 2. Trending Vulnerabilities
- 3. Research & Investigative Reporting
- 4. Updates to Prior Coverage
- 5. Deep Dive — Operation Dragon Weave: China-nexus espionage against Czech government with Azure Blob Storage dead-drop C2
- 6. Action Items
- 7. Verification Notes
0. TL;DR
- Windows Netlogon pre-auth RCE (CVE-2026-41089, CVSS 9.8) is now actively exploited. Belgium's national CSIRT (CCB) confirmed in-the-wild exploitation on 1 June against the stack-based buffer overflow in the Windows Netlogon service that yields SYSTEM on any domain controller without authentication (BleepingComputer, 2026-06-01). Patched in May 2026 Patch Tuesday; see the Immediate Action below and the §4 update.
- A wave of EU-CERT-disclosed public-sector vulnerabilities landed 1 June: a critical RCE in the Slovak Disig Web Signer electronic-signature client (CVE-2026-8931, CVSS 9.4, SK-CERT/ENISA EUVD), hardcoded-credential supply-chain exposure in Poland's KAMSOFT KS-SOMED healthcare software (CVE-2026-42251, CERT-PL), and unauthenticated admin access via hardcoded template credentials in Apache Solr with no patch yet (CVE-2026-44825, BSI).
- "Miasma" supply-chain worm compromised 32 @redhat-cloud-services npm packages via a hijacked maintainer GitHub account and OIDC trusted-publishing abuse, adding new GCP and Azure cloud-identity collectors (Wiz, 2026-06-01).
- China-nexus Operation Dragon Weave targets Czech and Taiwanese government, academic and financial organisations with a Rust loader and an AdaptixC2 agent that routes C2 through Microsoft Azure Blob Storage as a dead-drop — today's deep dive (Seqrite Labs, 2026-06-01).
- Spain's National Police arrested a doxer who published personal data on staff of INCIBE, the State Attorney General, the Civil Guard and the National Security Council (BleepingComputer, 2026-06-01); separately, attackers socially engineered Meta's AI support chatbot into resetting Instagram passwords, bypassing the account-recovery MFA envelope (Krebs on Security, 2026-06-01).
Immediate Action — Patch domain controllers against CVE-2026-41089 (Windows Netlogon) now. The May 2026 Patch Tuesday fixed an unauthenticated, network-reachable stack-based buffer overflow in the Windows Netlogon service that grants remote code execution as SYSTEM on a domain controller with no credentials and no user interaction (Microsoft MSRC). On 1 June, Belgium's Centre for Cybersecurity (CCB) and multiple outlets reported active in-the-wild exploitation; Microsoft had not yet updated its advisory to reflect exploitation (BleepingComputer, 2026-06-01). DC compromise yields the entire AD forest — treat this as an emergency change: apply the May cumulative update to every domain controller immediately and restrict Netlogon/LDAP exposure to trusted hosts.
1. Active Threats, Trending Actors, Notable Incidents & Disclosures
Spain arrests doxer who published personal data on INCIBE, prosecutorial and security-service staff
Spain's National Police arrested an individual in Granada on 27 May 2026 for publishing personal data belonging to staff of the State Attorney General's Office (Fiscalía General del Estado), the National Cybersecurity Institute (INCIBE), the National Police, the Civil Guard and the National Security Council; the operation was overseen by Madrid Investigating Court No. 22 (BleepingComputer, 2026-06-01 · Policía Nacional, 2026-06-01). The data was published on BreachForums under the "Police-ESP-Doxed" handle. INCIBE has previously assessed that no direct compromise of its systems occurred — the dossiers were assembled from older breaches, credential dumps and OSINT, with some records containing names of staff who had left years earlier. The investigation opened after police detected "mass dissemination" of the data, which they assessed as an immediate risk to the named individuals and institutions.
Why it matters to us: This is the OSINT-aggregation-plus-prior-breach-enrichment pattern aimed squarely at the personnel of a national cybersecurity authority and security services — a reconnaissance precursor to targeted phishing, vishing and coercion against critical-infrastructure officials. Swiss and EU public-sector security teams should treat circulated staff dossiers as an elevated-phishing trigger and push data-broker opt-out / breach-exposure monitoring for sensitive-role employees.
CERT-PL discloses hardcoded-credential supply-chain flaw in KS-SOMED healthcare software (CVE-2026-42251)
CERT Polska disclosed CVE-2026-42251 (CWE-798, CVSS 4.0 8.7) in KAMSOFT's KS-SOMED healthcare practice-management suite, widely deployed across Poland's National Health Service (NFZ) network (CERT Polska, 2026-06-01 · ENISA EUVD, 2026-06-01). The KSPLUPDFTP.exe update client (through 30.00.00.056) and ANEKSKLIENT.EXE (through 29.00.02.026) shipped hardcoded FTP credentials for the server hosting the application's update packages. An attacker holding those credentials could upload a malicious update that the auto-update mechanism would then distribute and install on connected client machines as a legitimate vendor update — T1195.002 Compromise Software Supply Chain. KAMSOFT has removed the hardcoded credentials and restricted the previously exposed access to read-only.
Why it matters to us: A single set of leaked update-server credentials can trojanise every installation downstream — the same class of risk seen repeatedly across the npm and Packagist ecosystems, here against national public-healthcare software. Hunt for unexpected FTP connections to vendor update servers from non-vendor source IPs and for unsigned-binary replacement in clinical-software install directories.
"Miasma" worm backdoors 32 Red Hat Cloud Services npm packages via OIDC trusted-publishing abuse
Threat actor cluster TeamPCP used a compromised Red Hat maintainer GitHub account to inject malicious CI/CD workflows into 32 packages in the @redhat-cloud-services npm namespace, poisoning 96 releases across high-traffic packages — Wiz puts the combined weekly downloads at roughly 80,000, while Aikido counts closer to 117,000 (Wiz, 2026-06-01 · Aikido Security, 2026-06-01). Rather than compromising developer machines directly, the attack abused GitHub Actions OIDC trusted publishing so the CI/CD pipeline itself republished backdoored packages carrying obfuscated preinstall hooks. The "Miasma" payload — a new variant in the Mini Shai-Hulud / Shai-Hulud lineage — sweeps for GitHub Actions secrets, npm tokens, AWS keys, SSH keys, HashiCorp Vault and Kubernetes credentials, and now adds dedicated collectors for GCP service-account and Azure managed-identity tokens, signalling a pivot from developer-host theft toward cloud-account takeover (Socket, 2026-06-01). Wiz notes the new variant's cloud-identity focus explicitly.
Why it matters to us: Red Hat tooling has a broad EU public-sector DevOps footprint (OpenShift/OpenStack estates). Inventory installed @redhat-cloud-services/* versions across build agents and developer endpoints, alert on preinstall scripts spawning obfuscated node -e chains from npm/npx parent trees, and rotate any CI/CD cloud-identity tokens reachable from affected pipelines.
Attackers social-engineer Meta's AI support chatbot into resetting Instagram passwords
Over the weekend of 31 May–1 June, instructions circulated on Telegram showing how to coax Meta's conversational "AI support assistant" into linking an attacker-controlled email to a target Instagram account and triggering a password reset, bypassing Instagram's normal account-recovery friction (Krebs on Security, 2026-06-01 · TechCrunch, 2026-06-01). Pro-Iranian actors used the method to briefly deface high-profile accounts, including the archived Obama White House handle and that of the Chief Master Sergeant of the U.S. Space Force. The exploit reportedly failed against any account with MFA enabled; Meta said the issue was resolved by 1 June.
2. Trending Vulnerabilities
CVE-2026-8732 — WP Maps Pro WordPress plugin: unauthenticated admin-account creation, actively exploited
CVE-2026-8732 (CVSS 9.8) lets an unauthenticated attacker create a WordPress administrator account on sites running the WP Maps Pro plugin ≤ 6.1.0 by abusing a publicly disclosed nonce together with a wp_ajax_nopriv_ action handler that fails to enforce capability checks (The Hacker News, 2026-06-01 · BleepingComputer, 2026-05-31). The CVSS 9.8 rating is per The Hacker News. Exploitation is live — Wordfence reported blocking exploitation attempts at scale within 24 hours of disclosure. The fix is in version 6.1.1. Once an attacker holds an admin account, full site takeover (plugin/theme upload → webshell) follows.
CVE-2026-8931 — Disig Web Signer: critical RCE in a Slovak electronic-signature client
ENISA's EU Vulnerability Database, on an entry assigned by SK-CERT, records CVE-2026-8931 as a critical remote-code-execution vulnerability in Disig Web Signer 2.0.3–2.5.3 with a CVSS 4.0 base score of 9.4 (ENISA EUVD EUVD-2026-33648, 2026-06-01 · Disig vendor advisory). Web Signer is the client-side electronic-signature application published by the Slovak trust-service vendor Disig. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H) indicates network exploitability requiring only that a user trigger the signing workflow — e.g. via a malicious document or page — with high impact on subsequent systems (SC:H/SI:H/SA:H), reflecting the client's integration into the applications that invoke it. Disig's advisory directs users to update; the fixed release is Web Signer 2.5.5. No in-the-wild exploitation was reported at disclosure.
CVE-2026-44825 — Apache Solr: unauthenticated admin via hardcoded template credentials, no patch yet
CVE-2026-44825 (CVSS 8.1, CWE-798/1188) stems from Apache Solr's bin/solr auth enable BasicAuth bootstrap tool, which provisions fixed template accounts (superadmin, admin, search, index) with well-known default credentials in security.json and does not remove or randomise them after setup (BSI CERT-Bund WID-SEC-2026-1740, 2026-06-01 · THREATINT, 2026-06-01). An unauthenticated attacker reaching the Solr REST API (HTTP/8983 by default) can authenticate with those credentials and take full administrative control of the cluster — reading every core/collection, altering configsets, and pivoting to server-side script execution. Affected: 9.4.0–9.10.1 and 10.0.0; fixed builds (9.11.0 / 10.1.0) are not yet released, so the workaround is mandatory now: delete the four template users from security.json or rotate their passwords. Deployments that never ran bin/solr auth enable, or rotated template passwords immediately, are unaffected. Reported by Naveen Sunkavally (Horizon3.ai) via Apache's oss-security list.
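The workaround above is a security.json edit; the following is an added example (not Apache's or BSI's code) that audits a Solr security.json for the four template accounts named in the write-up and strips them from both the credentials map and the RuleBasedAuthorizationPlugin role map, refusing to act if no non-template user would remain. The sample security.json and its hash values are constructed placeholders.

```python
import json

# Template accounts that the BSI/THREATINT write-up says `bin/solr auth enable`
# provisions with fixed credentials. Until the fixed releases (9.11.0 / 10.1.0)
# ship, the workaround is to delete them or rotate their passwords.
TEMPLATE_USERS = frozenset({"superadmin", "admin", "search", "index"})


def list_users(security_json: str) -> list[str]:
    """All BasicAuth usernames declared in security.json, sorted."""
    cfg = json.loads(security_json)
    return sorted(cfg.get("authentication", {}).get("credentials", {}))


def find_template_users(security_json: str) -> set[str]:
    """Template usernames still present in the credentials map."""
    return TEMPLATE_USERS & set(list_users(security_json))


def strip_template_users(security_json: str) -> tuple[str, set[str]]:
    """Remove template users from the credentials map and the user-role map.

    Refuses to act when no non-template user would remain: with
    blockUnknown=true an empty credentials map locks every caller out,
    so create a real admin account first.
    Returns (updated_security_json, removed_usernames).
    """
    cfg = json.loads(security_json)
    creds = cfg.get("authentication", {}).get("credentials", {})
    removed = TEMPLATE_USERS & set(creds)
    if not removed:
        return security_json, set()
    if set(creds) <= TEMPLATE_USERS:
        raise ValueError("only template users exist; add a non-template admin first")
    for user in removed:
        del creds[user]
    roles = cfg.get("authorization", {}).get("user-role", {})
    for user in removed:
        roles.pop(user, None)
    return json.dumps(cfg, indent=2), removed


# Constructed sample security.json; the hash values are placeholders.
SAMPLE_SECURITY_JSON = json.dumps({
    "authentication": {
        "blockUnknown": True,
        "class": "solr.BasicAuthPlugin",
        "credentials": {
            "superadmin": "PLACEHOLDER-HASH",
            "admin": "PLACEHOLDER-HASH",
            "search": "PLACEHOLDER-HASH",
            "index": "PLACEHOLDER-HASH",
            "ops-admin": "PLACEHOLDER-HASH",   # the real admin we keep
        },
    },
    "authorization": {
        "class": "solr.RuleBasedAuthorizationPlugin",
        "user-role": {
            "superadmin": "admin", "admin": "admin",
            "search": "read", "index": "update", "ops-admin": "admin",
        },
        "permissions": [{"name": "security-edit", "role": "admin"}],
    },
})

# Same shape but with only template accounts: stripping must refuse.
TEMPLATE_ONLY_JSON = json.dumps({
    "authentication": {
        "blockUnknown": True, "class": "solr.BasicAuthPlugin",
        "credentials": {"superadmin": "PLACEHOLDER-HASH", "admin": "PLACEHOLDER-HASH"},
    },
    "authorization": {
        "class": "solr.RuleBasedAuthorizationPlugin",
        "user-role": {"superadmin": "admin", "admin": "admin"},
    },
})

if __name__ == "__main__":
    print("template users present:", sorted(find_template_users(SAMPLE_SECURITY_JSON)))
    updated, removed = strip_template_users(SAMPLE_SECURITY_JSON)
    print("removed:", sorted(removed), "remaining:", list_users(updated))
```

Run it against a copy of the live file and upload the result through the Solr security API only after confirming the remaining admin credentials work.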
CVE Summary Table
| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-8732 | WP Maps Pro WordPress plugin ≤ 6.1.0 | 9.8 | n/a | No | Yes | 6.1.1 | BleepingComputer |
| CVE-2026-8931 | Disig Web Signer 2.0.3–2.5.3 (eIDAS client) | 9.4 | n/a | No | No | 2.5.5 | Disig |
| CVE-2026-44825 | Apache Solr 9.4.0–9.10.1, 10.0.0 | 8.1 | n/a | No | No | None yet (workaround) | BSI CERT-Bund |
| CVE-2026-41089 | Windows Netlogon (all supported Server) | 9.8 | n/a | No | Yes | May 2026 PT | BleepingComputer |
CVE-2026-41089 is treated as a §4 update (active exploitation of a previously-covered May Patch Tuesday fix); see §0 Immediate Action and §4.
3. Research & Investigative Reporting
Sekoia consolidates Gamaredon tooling under GammaPhish / GammaWorm, details an NTFS-ADS USB+network worm
Sekoia's Threat Detection & Research team published part one of a Gamaredon (UAC-0010 / ACTINIUM, attributed to Russia's FSB) series describing a January 2026 campaign against Ukrainian government and military targets, introducing unified naming for two capability clusters: GammaPhish (the funnel from spearphishing through GammaLoad deployment) and GammaWorm (the propagation layer, subsuming the tooling previously tracked as LitterDrifter / PteroLNK) (Sekoia TDR, 2026-06-01 · Infosecurity Magazine, 2026-06-01). The chain begins with weaponised xHTML files exploiting CVE-2025-8088 (the WinRAR path-traversal flaw) to drop HTA payloads into Windows Startup directories via mshta.exe. GammaWorm itself is a 20,000+-line obfuscated VBScript worm that persists via scheduled tasks and RunOnce/Run registry keys, hides components in NTFS Alternate Data Streams, propagates across USB and mapped network drives using Ukrainian-language lures, and resolves C2 through dead-drop resolvers on Telegram, Telegra.ph, Teletype.in, Supabase and Cloudflare Workers.
Why it matters to us: The ADS-hiding + removable-media propagation + legitimate-service dead-drop pattern is highly transferable to any EU public-sector estate. Hunt for mshta.exe spawning wscript.exe, large obfuscated VBScripts executing from %APPDATA%, scheduled tasks with randomised GUID names pointing into user-profile paths, ADS on %TEMP%/%APPDATA% files, and outbound HTTPS to Telegra.ph / Supabase / Workers endpoints from non-developer hosts.
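The hunt list above translates into a handful of process-event checks; this is an added example (not Sekoia's code) that scores constructed Sysmon EID 1-style records for the mshta.exe → wscript.exe chain, script hosts executing from user-profile paths, GUID-named scheduled tasks pointing into the profile, and Alternate Data Stream references on the command line. The field names, reason strings and sample paths are assumptions for the example.

```python
import re
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
GUID_RE = re.compile(
    r"^\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?$", re.I)
# Anything under C:\Users\<name>\AppData\ (covers %APPDATA% and %LOCALAPPDATA%).
USER_PROFILE_RE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
# An ADS reference is a colon inside the final path component: file.dat:stream.
ADS_RE = re.compile(r"\\[^\\:]+:[^\\:]+$")

R_MSHTA_CHAIN = "mshta.exe spawning a script host"
R_SCRIPT_FROM_PROFILE = "script host executing from a user-profile path"
R_GUID_TASK = "scheduled task with GUID-style name"
R_TASK_INTO_PROFILE = "scheduled task action points into a user profile"
R_ADS_REF = "Alternate Data Stream referenced on the command line"


def _arg(cmd: str, flag: str):
    """Value following a schtasks-style flag, quoted or bare."""
    m = re.search(rf'{re.escape(flag)}\s+(?:"([^"]*)"|(\S+))', cmd, re.I)
    return (m.group(1) or m.group(2)) if m else None


def check_process_event(ev: dict) -> list[str]:
    """Return the GammaWorm-pattern reasons that apply to one process event."""
    parent = PureWindowsPath(ev["parent_image"]).name.lower()
    image = PureWindowsPath(ev["image"]).name.lower()
    cmd = ev["command_line"]
    tokens = cmd.replace('"', "").split()
    reasons = []
    if parent == "mshta.exe" and image in SCRIPT_HOSTS:
        reasons.append(R_MSHTA_CHAIN)
    if image in SCRIPT_HOSTS and USER_PROFILE_RE.search(cmd):
        reasons.append(R_SCRIPT_FROM_PROFILE)
    if image == "schtasks.exe" and "/create" in cmd.lower():
        name = _arg(cmd, "/tn") or ""
        action = _arg(cmd, "/tr") or ""
        if GUID_RE.match(name):
            reasons.append(R_GUID_TASK)
        if USER_PROFILE_RE.search(action):
            reasons.append(R_TASK_INTO_PROFILE)
    if any(ADS_RE.search(tok) for tok in tokens):
        reasons.append(R_ADS_REF)
    return reasons


# Constructed sample events; paths, names and task GUID are made up.
SAMPLE_PROCESS_EVENTS = [
    {   # HTA dropper handing off to the VBScript worm: two hits
        "parent_image": r"C:\Windows\System32\mshta.exe",
        "image": r"C:\Windows\System32\wscript.exe",
        "command_line": r'wscript.exe //B "C:\Users\olena\AppData\Roaming\Ka3d\start.vbs"',
    },
    {   # Persistence: GUID task, action in the profile, script hidden in an ADS
        "parent_image": r"C:\Windows\System32\wscript.exe",
        "image": r"C:\Windows\System32\schtasks.exe",
        "command_line": (
            r'schtasks.exe /create /tn "{3f2b9c1e-7a4d-4c0b-9e21-5d8f0a6b7c3e}" '
            r'/tr "wscript.exe //B C:\Users\olena\AppData\Roaming\Ka3d\cache.dat:run.vbs" '
            r"/sc minute /mo 3"
        ),
    },
    {   # Benign logon script from a machine-wide path: no hits
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\wscript.exe",
        "command_line": r"wscript.exe C:\Scripts\logon.vbs",
    },
]

if __name__ == "__main__":
    for ev in SAMPLE_PROCESS_EVENTS:
        print(PureWindowsPath(ev["image"]).name, "->", check_process_event(ev))
```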
GoDaddy documents WordPress malware using Steam profile comments as a Unicode-steganography C2 resolver
GoDaddy Security detailed a WordPress malware campaign affecting roughly 2,000 sites that hides its command-and-control resolution inside benign-looking comments on Steam Community profile pages (GoDaddy Security, 2026-05-28 · BleepingComputer, 2026-06-01). The first-stage PHP backdoor on a compromised WordPress install fetches a specific Steam profile and decodes a URL hidden using six invisible Unicode characters (zero-width non-joiner/joiner U+200C/U+200D and the invisible-operator code points U+2061–U+2064), reconstructing a link to a malicious JavaScript file disguised as a legitimate library. A second-stage PHP backdoor then accepts base64-encoded PHP via cookie-authenticated HTTP POST, giving persistent arbitrary code execution. Initial access was traced to stolen FTP/SFTP credentials, vulnerable plugins/themes and supply-chain compromise.
Why it matters to us: Steam Community is allowlisted by most web proxies, so the C2 channel is effectively unblockable at the egress filter — defenders must detect at the host. Hunt for PHP files under wp-content/uploads containing @eval(base64_decode(...)), web-server processes issuing outbound requests to steamcommunity.com profile pages, and cookie-authenticated POSTs to .php endpoints. WordPress backs many Swiss municipal and cantonal sites; credential hygiene on FTP/SFTP and plugin patching are the front-line controls.
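To make the host-side hunt concrete, here is an added example (not GoDaddy's code) that scans PHP source for the second-stage `@eval(base64_decode(...))` tell and for outbound references to Steam Community profile pages, and that finds runs of the six invisible code points the write-up names, which is the signal a long comment string carrying a hidden URL would produce. The sample PHP and comment text are constructed; the decoding scheme itself is not described on the page and is not reproduced.

```python
import re

# The six invisible code points GoDaddy names as the carrier: ZWNJ, ZWJ and
# the U+2061..U+2064 invisible-operator block.
INVISIBLE = frozenset("\u200c\u200d\u2061\u2062\u2063\u2064")

# Second-stage backdoor tell from the hunt guidance above.
EVAL_B64 = re.compile(r"@?\s*eval\s*\(\s*base64_decode\s*\(", re.I)
# First-stage resolver tell: fetching a Steam Community profile page.
STEAM_PROFILE = re.compile(r"steamcommunity\.com/(?:id|profiles)/", re.I)


def find_invisible_runs(text: str, min_len: int = 8) -> list[tuple[int, int]]:
    """(start, length) of each run of at least min_len invisible code points.

    min_len keeps single ZWJ/ZWNJ characters inside emoji sequences or
    Persian/Arabic text from firing; a hidden URL needs a long run.
    """
    runs, start = [], None
    for i, ch in enumerate(text):
        if ch in INVISIBLE:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                runs.append((start, i - start))
            start = None
    if start is not None and len(text) - start >= min_len:
        runs.append((start, len(text) - start))
    return runs


def scan_php_source(src: str) -> dict:
    """Signals for one PHP file, e.g. anything under wp-content/uploads."""
    return {
        "eval_base64": bool(EVAL_B64.search(src)),
        "steam_profile_fetch": bool(STEAM_PROFILE.search(src)),
        "invisible_runs": find_invisible_runs(src),
    }


def is_suspicious(src: str) -> bool:
    s = scan_php_source(src)
    return s["eval_base64"] or s["steam_profile_fetch"] or bool(s["invisible_runs"])


# Constructed samples (placeholder profile id, no real hidden payload).
CLEAN_PHP = "<?php echo 'hello'; ?>"
STAGE2_PHP = "<?php if (isset($_COOKIE['k'])) { @eval(base64_decode($_POST['d'])); } ?>"
STAGE1_PHP = ("<?php $page = file_get_contents("
              "'https://steamcommunity.com/id/PLACEHOLDER-PROFILE/'); ?>")
STEAM_COMMENT = "Great game!" + "\u200c\u2061\u200d\u2062" * 6 + " gg"

if __name__ == "__main__":
    for label, src in [("clean", CLEAN_PHP), ("stage2", STAGE2_PHP), ("stage1", STAGE1_PHP)]:
        print(label, scan_php_source(src))
    print("comment runs:", find_invisible_runs(STEAM_COMMENT))
```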
4. Updates to Prior Coverage
UPDATE: Windows Netlogon CVE-2026-41089 moves from "patch-available" to actively exploited
UPDATE (originally covered 2026-05-13): The Windows Netlogon stack-based buffer-overflow RCE patched in May 2026 Patch Tuesday is now reported as exploited in the wild. Belgium's Centre for Cybersecurity (CCB) confirmed active exploitation on 1 June, and BleepingComputer, Help Net Security and SecurityWeek reported the same (BleepingComputer, 2026-06-01 · Help Net Security, 2026-06-01).
The vulnerability is an unauthenticated, network-reachable overflow in the Netlogon service that yields SYSTEM on a domain controller, affecting all currently supported Windows Server releases including Server 2025 (Microsoft MSRC). Microsoft had not updated its advisory to mark the CVE exploited as of 1 June, so the exploitation signal currently rests on CCB plus the reporting outlets rather than the vendor. The operational shift is decisive: a flaw previously reasonable to schedule into a patch cycle is now an emergency change for every internet- or network-reachable DC. See §0 for the immediate action.
Changes since first coverage (1 prior appearance)
- 2026-05-13: May 2026 Patch Tuesday; ZDI flags wormable-candidate; MDASH-discovered.
UPDATE: ShinyHunters publishes the Charter Communications dataset after ransom refusal
UPDATE (originally covered 2026-05-27): After Charter Communications declined to pay, ShinyHunters published the stolen dataset on 30 May. Have I Been Pwned ingested it as 4.9 million unique email addresses, alongside names, phone numbers and physical addresses (Security Affairs, 2026-05-30 · Have I Been Pwned).
A subset of roughly 85,000 records originated from an internal employee directory and included job titles. ShinyHunters had originally claimed 42 million records and customer proprietary network information (CPNI); Charter confirmed the incident but stated no sensitive personal information or CPNI was exfiltrated. As established in prior coverage of the broader ShinyHunters Salesforce campaign, the access pattern is vishing-driven compromise of an employee Microsoft Entra account followed by a Salesforce export. The data is now public.
5. Deep Dive — Operation Dragon Weave: China-nexus espionage against Czech government with Azure Blob Storage dead-drop C2
Seqrite Labs disclosed Operation Dragon Weave on 1 June 2026: a China-linked espionage campaign delivering spearphishing ZIP attachments to government, research, academic, technology and financial-services organisations in the Czech Republic and Taiwan (Seqrite Labs, 2026-06-01 · The Hacker News, 2026-06-01). A January 2026 iteration of the same activity used Cobalt Strike and additionally hit Cambodia and South Korea; the June reporting documents an evolved toolset and is the reason a Czech-government-targeting campaign warrants a Swiss/EU public-sector deep dive — the targeting set (a Central-European EU member's ministries and universities) is directly representative of the threat surface a Swiss federal SOC defends.
Infection chains. Two variants were observed, both arriving as ZIP attachments (T1566.001 Spearphishing Attachment). The first executes a malicious LNK disguised as a PDF, which launches PowerShell (T1059.001 PowerShell) to stage the next component; the second drops and runs a binary directly. In both cases a Rust-based dropper that Seqrite names RUSTCLOAK performs DLL side-loading (T1574.002 DLL Side-Loading) against a legitimate signed executable to load a malicious library, which deploys the final payload, AZUREVEIL.
AZUREVEIL and the dead-drop C2. AZUREVEIL is an agent built on AdaptixC2 — an open-source command-and-control framework increasingly adopted by both red teams and intrusion sets — compiled with 36 post-exploitation commands spanning file operations, shell execution, process management and beacon-object-file (BOF) injection. Its distinguishing feature is the C2 channel: operator commands are routed through Microsoft Azure Blob Storage as a dead-drop resolver (T1102.001 Dead Drop Resolver), with the agent polling and posting to blob endpoints over ordinary HTTPS (T1071.001 Web Protocols). Because traffic terminates at *.blob.core.windows.net, it blends with the legitimate Azure usage of almost any modern enterprise and is allowlisted by most egress proxies — the same "abuse a trusted cloud service for C2" pattern seen this run in the WordPress/Steam campaign (§3) and recurring across recent intrusion sets.
Attribution. Seqrite attributes the activity to a China-based cluster at moderate confidence and names no specific group. The Hacker News's broader China-nexus roundup covers SteppeDriver and UNC5221 as separate actor clusters reported in the same window — these are distinct from Dragon Weave, and neither Seqrite nor The Hacker News connects Dragon Weave to either cluster (The Hacker News, 2026-06-01). Treat the China nexus as the researcher's assessment rather than settled fact, and do not infer a group identity the sources do not assert.
Detection concepts (no IOCs). Hunt for: PowerShell spawned from non-standard parent processes immediately after archive extraction; LNK files masquerading as PDFs in mail-derived paths; signed-binary executions that side-load an unexpected DLL from a writable user-profile directory (Sysmon EID 7 image-load anomalies against a known-good binary); and — the highest-value network concept — outbound HTTPS to blob.core.windows.net from host processes with no legitimate Azure-SDK reason to talk to Blob Storage (browsers, Office, line-of-business apps that are not Azure-native). Baseline which of your hosts legitimately reach Azure Blob Storage and alert on the long tail.
Hardening. Enforce attachment policies that strip or detonate LNK-in-ZIP payloads at the mail gateway; apply WDAC/AppLocker rules that block user-writable-directory DLL side-loading against your signed-application inventory; and, where your environment does not legitimately use Azure Blob Storage, consider egress controls or monitoring that treat *.blob.core.windows.net as a named-service destination rather than blanket-allowlisting the Azure namespace. For estates that do use Azure, scope the allowlist to your own storage-account hostnames rather than the entire blob.core.windows.net wildcard.
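The network detection concept from the two preceding paragraphs, as an added example (not Seqrite's code): it takes Sysmon EID 3-style network events, isolates connections to *.blob.core.windows.net, and flags any whose storage-account label is not in your own inventory or whose process image is not on the Azure-native allowlist. The inventory, allowlist, hostnames and process paths are assumptions constructed for the example.

```python
from pathlib import PureWindowsPath
from typing import Optional

BLOB_SUFFIX = ".blob.core.windows.net"

# Assumed inventory: storage accounts this estate owns (from the Azure
# subscription inventory) and process images with a legitimate Azure-SDK
# reason to reach Blob Storage. Both sets are assumptions for the example.
OWN_STORAGE_ACCOUNTS = frozenset({"corpbackupstore01", "corpsharedfiles"})
AZURE_NATIVE_IMAGES = frozenset({"onedrive.exe", "azcopy.exe", "storageexplorer.exe"})


def blob_account(dest_host: str) -> Optional[str]:
    """Storage-account label of a Blob endpoint hostname, else None."""
    host = dest_host.lower().rstrip(".")
    if not host.endswith(BLOB_SUFFIX):
        return None
    return host[: -len(BLOB_SUFFIX)]


def flag_blob_egress(events, own_accounts=OWN_STORAGE_ACCOUNTS,
                     native_images=AZURE_NATIVE_IMAGES) -> list[dict]:
    """Return Blob Storage connections that need analyst attention."""
    flagged = []
    for ev in events:
        account = blob_account(ev["dest"])
        if account is None:
            continue  # not Blob Storage; other rules cover it
        image = PureWindowsPath(ev["image"]).name.lower()
        reasons = []
        if account not in own_accounts:
            reasons.append(f"storage account '{account}' is not in our inventory")
        if image not in native_images:
            reasons.append(f"'{image}' has no Azure-SDK reason to reach Blob Storage")
        if reasons:
            flagged.append({"host": ev["host"], "image": image,
                            "account": account, "reasons": reasons})
    return flagged


# Constructed Sysmon EID 3-style records, trimmed to the fields the rule uses.
SAMPLE_EVENTS = [
    {   # OneDrive to our own account: expected, stays silent
        "host": "ws-0412",
        "image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
        "dest": "corpsharedfiles.blob.core.windows.net",
    },
    {   # Office talking to Blob Storage: flag (non-Azure-native process)
        "host": "ws-0412",
        "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "dest": "corpsharedfiles.blob.core.windows.net",
    },
    {   # Unknown account from a user-writable path: flag on both counts
        "host": "ws-0977",
        "image": r"C:\Users\bob\AppData\Roaming\vendor\updater.exe",
        "dest": "unrecognised0193.blob.core.windows.net",
    },
    {   # Not Blob Storage at all: ignored here
        "host": "ws-0977",
        "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "dest": "www.example.com",
    },
]

if __name__ == "__main__":
    for hit in flag_blob_egress(SAMPLE_EVENTS):
        print(hit["host"], hit["image"], hit["account"], "|", "; ".join(hit["reasons"]))
```

Run the same function over a baseline window first to populate the allowlist from what your Azure-native tooling actually does, then alert on the long tail.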
6. Action Items
- Emergency-patch every domain controller against CVE-2026-41089 (Windows Netlogon) — unauthenticated RCE to SYSTEM, now reported exploited in the wild. Apply the May 2026 Patch Tuesday cumulative update to all DCs immediately and restrict Netlogon/LDAP reachability to trusted hosts (see §0 Immediate Action and the §4 update).
- Update WP Maps Pro to 6.1.1 on any WordPress estate, then audit for rogue administrator accounts created during the exposure window — exploitation is live (see §2).
- Remediate Apache Solr template credentials now (no patch released): delete the superadmin/admin/search/index template users from security.json or rotate their passwords, and confirm Solr's API is not internet-exposed (see §2).
- Update Disig Web Signer to 2.5.5 on government and regulated-sector workstations that perform eIDAS qualified-signing workflows; inventory for older 2.0.3–2.5.3 builds (see §2).
- Inventory @redhat-cloud-services/* npm versions across build agents and developer endpoints; rotate any CI/CD cloud-identity tokens (AWS/GCP/Azure/Vault/Kubernetes) reachable from affected pipelines and alert on obfuscated preinstall node -e chains (see §1).
- Verify KS-SOMED auto-update integrity in any environment running KAMSOFT healthcare software, and hunt for FTP connections to vendor update servers from non-vendor source IPs (see §1).
- Hunt for the Gamaredon GammaWorm pattern and the WordPress/Steam C2 pattern — mshta.exe → wscript.exe chains, NTFS-ADS-hidden scripts and Telegra.ph/Supabase/Workers dead-drops; web-server processes reaching steamcommunity.com profile pages and @eval(base64_decode(...)) PHP under wp-content/uploads (see §3).
- Review any AI helpdesk/account-recovery agent's authority to change credentials or recovery linkages — require out-of-band challenge to the currently registered second factor before any such change (see §1).
- Baseline legitimate Azure Blob Storage egress and alert on blob.core.windows.net traffic from non-Azure-native host processes to catch Dragon Weave-style dead-drop C2 (see §5).
7. Verification Notes
- Items dropped (out of window, window_hours = 36):
- PHANTOMPULSE blockchain-C2 RAT (Elastic Security Labs) — primary dated 2026-05-22, well outside window; single-source. Strong analysis but stale for a daily.
- Check Point AI Threat Landscape Digest (Mar–Apr 2026) — primary dated 2026-05-26, out of window; overlaps the W22 weekly's AI-tooling coverage; also carried several unverifiable forward-looking model/CVE claims that could not be corroborated.
- CIFSwitch — Linux kernel CIFS LPE (CVE-2026-46243) — freshest source 2026-05-30 (out of window) and a local-privilege-escalation that does not clear a §2 inclusion gate (no active exploitation, not pre-auth RCE). Notable item; may resurface if exploitation emerges.
- Vodafone source-code leak (Lapsus$) — the underlying leak occurred 2026-05-12 (out of window); the 1 June heise re-reporting carries no fresh delta, and the technical corroboration (OpsecInsider) is reduced-confidence. Reduced confidence on the hardcoded-credential detail.
- CVEs referenced but not given a §2 entry:
- CVE-2024-21182 (Oracle WebLogic T3/IIOP, CVSS 7.5) — added to the CISA KEV catalog on 2026-06-01 (active-exploitation signal noted). Dropped from §2 because the only in-window source is the CISA KEV catalog (a blocked listing URL) and Oracle's July-2024 CPU advisory is out of window — no citable in-window primary for the listing. Per PD-13 the US FCEB BOD 22-01 due date (2026-06-04) is not the operational driver in any case.
- Single-source items dropped:
- Dashlane brute-force / credential-stuffing lockouts (BleepingComputer, single-source) — routine credential-stuffing with no confirmed backend compromise; below the daily relevance bar. Defender note retained here: ensure password-manager accounts require a second factor for new-device enrolment.
- Deferred to the weekly horizon view: Anthropic "Mythos" / Project Glasswing — ENISA access (Bloomberg, 2026-06-01). In-window and EU-public-sector-relevant, but it is a policy/horizon development rather than a 1–7-day operational item and is framed around vendor performance metrics this brief excludes. Better suited to the weekly § Policy & regulatory horizon. Standing defender takeaway: vulnerabilities in widely-used software may become known to EU bodies before they are shared with non-EU jurisdictions (including Switzerland) — keep independent vulnerability-management cadence high on internet-facing systems.
- Contradiction — CVE-2026-41089 network vector: sub-agent returns disagreed on the exact trigger. One framed it as the Netlogon RPC interface (MS-NRPC); another, citing heise, described an oversized field in a CLDAP (LDAP locator) request over UDP/389. BleepingComputer's coverage specifies only "a specially crafted network request to a domain controller" and Microsoft's advisory states the component (Netlogon) without a port/protocol. The brief therefore describes the affected component and the unauthenticated-network nature precisely and does not assert a specific port. Detection guidance was kept at the component/behaviour level accordingly.
- Exploitation-attribution nuance — CVE-2026-41089: active exploitation is asserted by CCB Belgium (national CSIRT) and corroborated by BleepingComputer, Help Net Security and SecurityWeek; Microsoft had not updated its advisory to mark the CVE exploited as of 2026-06-01. The Immediate Action and §4 update both attribute the exploitation signal to CCB rather than the vendor.
- Candidate source added this run (one max): seqrite-labs (Seqrite Labs / Quick Heal research arm) — provided the original Operation Dragon Weave research underpinning today's deep dive; fills an India/APAC-plus-EU gap in the source list. Added as candidate. Separately, the existing candidate ccb-belgium contributed corroborating content again this run (CVE-2026-41089 exploitation confirmation) and had its successful-fetch timestamp advanced — progressing toward promotion, not a new addition.
- Sourcing notes (reduced-confidence / journalistic-only primaries): CVE-2026-8732 (WP Maps Pro) — no public vendor PSIRT advisory exists for the plugin; the strongest available primaries are BleepingComputer and The Hacker News carrying Wordfence's exploitation data. Meta AI support-bot Instagram takeover — Meta issued no detailed technical advisory; reporting rests on Krebs on Security and TechCrunch. Both items are corroborated across two independent outlets and are reported with that limitation noted.
- Coverage gaps: sec-edgar (EDGAR full-text search returned HTTP 500 for both date windows; no 8-K Item 1.05 filings retrievable); sophos-xops (HTTP 503, rotation-priority, unrecovered); therecord (feed HTTP 404; partially recovered via BleepingComputer/WebSearch); inside-it-ch (rotation-priority, not attempted in window); databreaches-net (rotation-priority, not attempted); cert-fr-actualite (feed stalled at Oct 2025); anssi-fr (most recent CERT-FR avis dated 2026-05-22, out of window).