Recency window. window_hours = 36 (gap 24 h since briefs/2026-05-13.md + 12 h safety overlap); developing_window_hours = 72. Items whose primary source is older than 36 h are dropped from main sections unless they carry a fresh in-window development (UPDATE rule) or appear as deep-dive Background.
Items dropped — already covered last 7 days (PD-8): S2's findings on Mini Shai-Hulud / TanStack npm worm (last_covered 2026-05-13 deep dive — campaign:mini-shai-hulud); SEPPmail CVE-2026-44128 cluster (incident covered 2026-05-09 deep dive + § 2); Fortinet FortiAuthenticator / FortiSandbox (CVE-2026-44277 / CVE-2026-26083 in yesterday's § 2); SAP May 2026 Patch Day (CVE-2026-34260 / CVE-2026-34263 in yesterday's § 2); Microsoft May 2026 Patch Tuesday (CVE-2026-41089 / CVE-2026-41096 / CVE-2026-41103 / CVE-2026-42898 in yesterday's § 2); Europol IOCTA 2026 (annual-report covered 2026-05-10). Each lacks an in-window material delta sufficient to open § 4 UPDATE.
Items dropped — out-of-window (PD-7). S3 returned a structured "developing-window" set whose primary sources are all older than 36 h. Drop list with primary-source dates: QLNX / Quasar Linux RAT (Trend Micro 2026-05-05, BleepingComputer 2026-05-05); TCLBANKER / REF3076 (Elastic Security Labs 2026-05-07); UAT-8302 (Cisco Talos 2026-05-05); Cline CVE-2026-44211 (Oasis Security 2026-05-07); AiTM "code of conduct" phishing campaign (Microsoft Security Blog 2026-05-04); Progress MOVEit Automation CVE-2026-4670 / CVE-2026-5174 (Progress / Airbus SecLab 2026-04-30 / The Hacker News 2026-05-04). Reason in every case: out-of-window: primary source <date>, window_hours=36. None carry a fresh in-window development that would qualify under PD-7 carve-outs (a/b/c).
Items dropped — § 2 inclusion gate not cleared. HPE ArubaOS May 2026 multi-CVE batch (HPE Aruba HPESBNW05048 / HPESBNW05049, CERT-FR CERTFR-2026-AVI-0573, 2026-05-13) — highest issue CVE-2026-23819 is CVSS 8.8 stored-XSS post-auth, with several CVSS 7.2 authenticated command-injection findings and CVSS 7.5 unauthenticated DoS on the PAPI port. No ITW exploitation, no public PoC, no pre-auth RCE on widely-deployed internet-exposed software — neither CISA-KEV nor ENISA-EUVD critical band nor § 2 catch-all gate (a–e) is cleared. Notable for CH / EU public-sector wireless infrastructure (cantonal government, education, healthcare) but operationally a routine patch cycle. Coverage gap consequence: zero.
Items dropped — single-source dark-web only. Anubis ransomware listing for A.R.Ge.Co (France) (Malware.news, 2026-05-13) — leak-site claim only, no victim confirmation, no HIGH-reliability journalism corroboration, per PD-6 fake-news guard on leak-site claims.
Single-source items (PD-5 carve-out applied). One § 4 item: the PAN-OS CVE-2026-0300 UPDATE on the wave-2 patch delay relies on Palo Alto-affiliated primaries only (Palo Alto Networks PSIRT advisory + Unit 42 research blog) after Phase 5.7 iteration 1 flagged a false-corroboration SecurityWeek citation that did not in fact mention Palo Alto. Independent corroboration for the wave-2 build list (ETA 2026-05-28) was not located in HIGH-reliability third-party coverage within the 36-h window; item is flagged [SINGLE-SOURCE] in its heading and the wave-2 build list should be re-verified against the live PSIRT entry. Active-exploitation status itself remains multi-source (Unit 42 + CISA KEV listing + prior briefs' coverage).
Phase 5.7 verifier remediations applied (four iterations, model-rotated). Iteration 1 (Opus): NEEDS_FIXES truth=6 editorial=2 advisory=3 — § 4 Gentlemen UPDATE attributed four claims to Check Point Research the article does not support (ZeroPulse-via-Ethereum-smart-contracts-via-1rpc.io for C2 resolution; 4VPS as hosting provider; "32% of victims were European in Q1"; Moscow business-hours timestamp clustering) — all four removed and detection guidance rewritten. § 4 PAN-OS UPDATE's SecurityWeek 2026-05-13 corroboration was false (the article covers only Fortinet + Ivanti) — citation removed, item flagged [SINGLE-SOURCE]. § 5 deep dive's specific "Bcm/year" figures and Italy/Greece/Bulgaria recipient list replaced with Bitdefender's actual framing ("13 European countries, including new deliveries to Germany and Austria"). Advisories (F11): GemStuffer's "219 of 224 versions" detail rewritten to match Socket; ATT&CK mapping tagged as analyst-derived; Salt Typhoon attribution routed to THN explicitly.
Iteration 2 (Sonnet): NEEDS_FIXES truth=3 — leftover instances of iter-1 issues that hadn't been remediated in non-TL;DR locations. § 6 Gentlemen action item still carried the 1rpc.io detection sentence (removed); § 6 misattributed Bedrock-Safeguard/gentlemen-decryptor to Check Point Research instead of BankInfoSecurity (re-attributed); "Nova ransomware" attribution to NMDL breach removed from § 0 + § 1.
Iteration 3 (Opus): NEEDS_FIXES truth=7 — iter-2's "Neither IGJ nor Computable attributes the breach to a named ransomware operator" was itself an unsupported assertion (Computable does name Nova) — Nova attribution restored citing Computable. FamousSparrow wave attribution inverted in deep dive — Bitdefender's actual wave map is W1 = Deed RAT via Hamachi sideloading with Init/ComMain export override + StartServiceCtrlDispatcherW patch, W2 = TernDoor via separate sideloading host, W3 = Modified Deed RAT + updated C2; brief had Hamachi as W3. § 0 TL;DR, § 5 heading, § 5 background paragraph, § 5 exploitation-chain bullets, and § 5 detection paragraph all rewritten. "Runtime export call graph inspection" framing overstated the technique — tightened to "two specific exported functions overridden". Gentlemen 1,570 figure was attributed to "an affiliate's exposed C2 server" but Check Point in fact attributes it to a SystemBC C&C server; 332 = first five months of 2026 (CP's full comparison cites 412 cumulative DLS listings) — § 0 TL;DR + § 4 paragraph rewritten. GemStuffer "2026-05-12 signup suspension" date not in cited primaries — removed; version-rotation / hash-IOC paragraph not in Socket — removed.
Iteration 4 (Sonnet): NEEDS_FIXES truth=1 editorial=0 advisory=0 — single F3 finding: § 5 Wave 2 sideloading host was described as USOShared (implying a legitimate Microsoft-signed binary). Bitdefender actually names the host as deskband_injector64.exe renamed to USOShared.exe and placed in C:\ProgramData\USOShared\; the malicious loader is winmm.dll in the same directory. The directory name reuses "USOShared" for camouflage; no legitimate Microsoft USOShared signed binary is involved. § 5 exploitation-chain bullet + detection paragraph rewritten to specify deskband_injector64.exe and the C:\ProgramData\USOShared\ path. Early-exit on low-defect convergence (v2.50): with truth + editorial = 1 and no F1 / F4 findings, iteration 4 qualifies as the early-exit point per prompt § Phase 5.7 — remediation applied, residual logged, brief published without spawning iteration 5. verification_residual_count = 1.
Model rotation across the verification loop: iter 1 / iter 3 = Claude Opus 4.7 (cti-verification), iter 2 / iter 4 = Claude Sonnet 4.6 (cti-verification-alt). Both verifier definitions carry the identical operational system prompt; the rotation surfaces model-specific blind spots — Sonnet caught the Nova-attribution false disclaimer in iter 2 that Opus had introduced in iter 1's remediation; Opus caught the wave-attribution inversion in iter 3 that Sonnet's iter 2 had not flagged.
Sub-agent stalls. None. All four sub-agents returned within the 30-min wall-clock cap: S1 (443 s, Claude Sonnet 4.6), S2 (414 s, Claude Sonnet 4.6), S3 (797 s, Claude Sonnet 4.6), S4 (979 s, Claude Sonnet 4.6).
Fetch failures (consolidated across sub-agents). databreaches-net 403 (Cloudflare Managed Challenge — bridge + WebSearch fallback documented per source spec); sec-disclosures-edgar 403 on EDGAR full-text search (S4) — no fresh 8-K Item 1.05 disclosures recovered for the May 12-14 window; ico-uk SPA-empty body even via bridge; inside-it-ch Cloudflare-blocked across all attempts (no in-window stories surfaced via WebSearch fallback); bleepingcomputer SPA-rendering on article level (recovered via THN/SecurityWeek corroboration); trendmicro-research 403 on direct WebFetch (recovered via BleepingComputer / The Hacker News paraphrase — Trend Micro is HIGH-reliability primary attribution); cert-eu SPA-empty on listing, recovered via per-advisory URL; helpnetsecurity 429 (recovered via THN); community.progress.com (SPA empty body); bsi-de per-advisory SPA (RSS feed cross-checked); forums.ivanti.com Salesforce SPA (recovered via Ivanti vendor blog).
Contradictions / reduced-confidence flags. None this run. Two distinct sub-agents (S1 + S2) independently arrived at the CVE-2026-0300 second-patch-wave delta from different discovery paths (CISA KEV listing notes vs. NCSC-CH Patch Tuesday compilation); both led to the same primary Palo Alto PSIRT advisory.
Coverage gaps: databreaches-net (Cloudflare Managed Challenge, no UA bypass — WebSearch fallback only); sec-disclosures-edgar (EDGAR full-text feed 403 on routine UA — no fresh 8-K Item 1.05 disclosures recovered in window); ico-uk (SPA + sitemap discovery insufficient to surface in-window enforcement actions); inside-it-ch (Cloudflare Managed Challenge); trendmicro-research (403 — recommend bridge allow-list addition for desktop-Chrome UA, would have unlocked direct fetch on two QLNX / InstallFix items even if those were out-of-window today).
Self-evolution candidate (source list). No new candidate added this run; the active list is already at 94 sources and recent rotation-priority gaps are transport-blocking rather than coverage-gap caused. Recommend tracking trendmicro-research as a bridge allow-list addition in a future tooling commit (separate from this brief commit).
Unmatched action items (migrated)
- Continue PAN-OS Captive Portal interim mitigation on the eight "ETA 05/28" build streams until 28 May. Disable User-ID Authentication Portal on untrusted-zone interfaces or restrict it to trusted zones only; for Threat Prevention subscribers, ensure Threat ID 510019 is enabled (PAN-OS 11.1+). CL-STA-1132 in-the-wild exploitation is ongoing; the FCEB KEV deadline has no jurisdictional weight in CH / EU but the active exploitation does. See § 4.
- For active Gentlemen ransomware incidents — attempt decryption before negotiation. BankInfoSecurity's 2026-05-11 reporting identifies the
Bedrock-Safeguard/gentlemen-decryptor GitHub release as the recovery path; Check Point Research's 2026-05-13 backend-leak analysis additionally maps the EDR-suppression toolchain (EDRStartupHinder, gfreeze, glinker — custom binaries, not commodity) and the CertiHound AD CS abuse utility. Hunt those tool names on hosts in scope; monitor for AD Certificate Services reconnaissance (certutil enumeration of CA servers / templates) consistent with CertiHound. See § 4. - Verify Exchange ProxyNotShell remediation completeness with
HealthChecker.ps1, not CU-level alone. FamousSparrow re-exploited the same CVE-2022-41040 / CVE-2022-41082 chain across three intrusion waves at one victim despite remediation attempts — patch-rollback or surviving persistence is the structural cause. Run Microsoft's HealthChecker.ps1 on every on-premise Exchange server; audit FrontEnd\HttpProxy\owa\auth\ and FrontEnd\HttpProxy\ecp\auth\ for files modified post-patch. See § 5. - Hunt outbound
gem push (and npm publish / pip upload) from build agents and dev workstations that lack a publisher role. GemStuffer's structural innovation is exploiting the inbound-monitoring-only blind spot of most CI/CD security tooling. Flag new RubyGems publisher accounts with >10 versions/day on freshly created packages; inspect outbound POSTs to rubygems.org from non-publisher contexts. The same monitoring asymmetry exists across npm and PyPI. See § 3. - For Swiss healthcare entities — schedule the EPDG-equivalent NEN 7510 audit; do not wait for the regulator. The IGJ ruling on Clinical Diagnostics / NMDL specifically cites absence of third-party security audit and absence of periodic risk assessment as the structural failures behind a 941,000-record breach. Swiss cantonal supervisors track the same hygiene baselines via the EPDG profile; equivalent compliance gaps in Swiss healthcare carry equivalent regulatory exposure under FINMA and cantonal data-protection authorities. See § 1.
Migrated from briefs/2026-05-14.md (v2).