Microsoft Office Equation Editor RCE (cited as veteran exploit by Kaspersky Q1 2026 exploit report)

External references

NVD · cve.org · CISA KEV

All cited sources (315)

• securelist.comprimaryinlineKaspersky Securelist — Exploits and Vulnerabilities Q1 2026https://securelist.com/vulnerabilities-and-exploits-in-q1-2026/119733/
  source profile · cited in 2026-W19
• securelist.comprimaryinlineSecurelist (Kaspersky), 2026-05-12https://securelist.com/state-of-ransomware-in-2026/119761/
  source profile · cited in 2026-05-13
• securelist.comprimaryinlineKaspersky Securelist, 2026-06-22https://securelist.com/whatsapp-vbs-rmm-campaign/120290/
  source profile · cited in 2026-06-24
• access.redhat.cominlineRed Hat, updated 2026-05-09https://access.redhat.com/security/vulnerabilities/RHSB-2026-003
  cited in 2026-05-11
• advisories.ncsc.nlinlineNCSC-NL NCSC-2026-0158, 2026-05-15https://advisories.ncsc.nl/advisory?id=NCSC-2026-0158
  source profile · cited in 2026-05-16
• advisories.ncsc.nlinlineNCSC-NL NCSC-2026-0159, 2026-05-15https://advisories.ncsc.nl/advisory?id=NCSC-2026-0159
  source profile · cited in 2026-05-16
• advisories.ncsc.nlinlineNCSC-NL, 2026-06-11https://advisories.ncsc.nl/advisory?id=NCSC-2026-0185
  source profile · cited in 2026-06-12
• advisories.ncsc.nlinlineNCSC-NL 0189https://advisories.ncsc.nl/advisory?id=NCSC-2026-0189
  source profile · cited in 2026-06-12
• aikido.devinlineAikidohttps://www.aikido.dev/blog/multiple-jetbrains-ide-plugins-caught-stealing-ai-keys
  source profile · cited in 2026-W25
• aikido.devinlineAikido Securityhttps://www.aikido.dev/blog/red-hat-npm-packages-compromised-credential-stealing-worm
  source profile · cited in 2026-W23
• akamai.cominlineAkamai Security Researchhttps://www.akamai.com/blog/security-research/incomplete-patch-apt28s-zero-day-cve-2026-32202
  cited in 2026-W19
• almalinux.orginlineAlmaLinux bloghttps://almalinux.org/blog/2026-05-07-dirty-frag/
  cited in 2026-W20
• amd.cominlineAMD Product Security, 2026-05-12https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7052.html
  cited in 2026-05-16
• arcticwolf.cominlinein-the-wild campaign abusing CVE-2026-35616https://arcticwolf.com/resources/blog/forticlient-ems-exploited-via-cve-2026-35616-to-deliver-ekz-infostealer-disguised-as-a-fortinet-patch/
  cited in 2026-05-29
• attack.mitre.orginlineT1021.002https://attack.mitre.org/techniques/T1021/002/
  cited in 2026-06-12
• attack.mitre.orginlineT1021.004https://attack.mitre.org/techniques/T1021/004/
  cited in 2026-06-12
• attack.mitre.orginlineT1021.007 (Remote Services: Cloud Services)https://attack.mitre.org/techniques/T1021/007/
  cited in 2026-05-20
• attack.mitre.orginlineT1027https://attack.mitre.org/techniques/T1027/
  cited in 2026-05-16
• attack.mitre.orginlineT1041https://attack.mitre.org/techniques/T1041/
  cited in 2026-05-29, 2026-05-20
• attack.mitre.orginlineT1053.005https://attack.mitre.org/techniques/T1053/005/
  cited in 2026-06-12
• attack.mitre.orginlineT1055https://attack.mitre.org/techniques/T1055/
  cited in 2026-06-12
• attack.mitre.orginlineT1056.001https://attack.mitre.org/techniques/T1056/001/
  cited in 2026-05-16
• attack.mitre.orginlineT1068https://attack.mitre.org/techniques/T1068/
  cited in 2026-05-16
• attack.mitre.orginlineWeb Protocolshttps://attack.mitre.org/techniques/T1071/001/
  cited in 2026-06-02, 2026-05-29, 2026-05-16
• attack.mitre.orginlineT1078.004 (Valid Accounts: Cloud Accounts)https://attack.mitre.org/techniques/T1078/004/
  cited in 2026-05-20
• attack.mitre.orginlineT1083 (File and Directory Discovery)https://attack.mitre.org/techniques/T1083/
  cited in 2026-05-20
• attack.mitre.orginlineCloud Account Discoveryhttps://attack.mitre.org/techniques/T1087/004/
  cited in 2026-05-27
• attack.mitre.orginline`T1090` Proxyhttps://attack.mitre.org/techniques/T1090/
  cited in 2026-06-17
• attack.mitre.orginlineT1090.001https://attack.mitre.org/techniques/T1090/001/
  cited in 2026-05-16
• attack.mitre.orginlineT1095https://attack.mitre.org/techniques/T1095/
  cited in 2026-05-16
• attack.mitre.orginlineT1098.005 (Account Manipulation: Device Registration)https://attack.mitre.org/techniques/T1098/005/
  cited in 2026-05-20
• attack.mitre.orginlineDead Drop Resolverhttps://attack.mitre.org/techniques/T1102/001/
  cited in 2026-06-02
• attack.mitre.orginlineT1114.002https://attack.mitre.org/techniques/T1114/002/
  cited in 2026-05-16
• attack.mitre.orginline`T1136.001`https://attack.mitre.org/techniques/T1136/001/
  cited in 2026-06-17
• attack.mitre.orginline`T1140`https://attack.mitre.org/techniques/T1140/
  cited in 2026-05-26
• attack.mitre.orginline`T1190` Exploit Public-Facing Applicationhttps://attack.mitre.org/techniques/T1190/
  cited in 2026-06-17, 2026-06-12, 2026-05-29
• attack.mitre.orginlineT1195.002https://attack.mitre.org/techniques/T1195/002/
  cited in 2026-06-12, 2026-05-29
• attack.mitre.orginlineUser Execution: Malicious Filehttps://attack.mitre.org/techniques/T1204/002/
  cited in 2026-06-25
• attack.mitre.orginlineT1218https://attack.mitre.org/techniques/T1218/
  cited in 2026-05-29
• attack.mitre.orginline`T1480.001`https://attack.mitre.org/techniques/T1480/001/
  cited in 2026-05-26
• attack.mitre.orginline`T1485`https://attack.mitre.org/techniques/T1485/
  cited in 2026-05-26
• attack.mitre.orginlineCloud Service Discoveryhttps://attack.mitre.org/techniques/T1526/
  cited in 2026-05-27
• attack.mitre.orginlineSteal Application Access Tokenhttps://attack.mitre.org/techniques/T1528/
  cited in 2026-05-27, 2026-05-16
• attack.mitre.orginlineT1530 (Data from Cloud Storage)https://attack.mitre.org/techniques/T1530/
  cited in 2026-05-20
• attack.mitre.orginlineSteal Web Session Cookiehttps://attack.mitre.org/techniques/T1539/
  cited in 2026-05-27
• attack.mitre.orginlineT1542.001https://attack.mitre.org/techniques/T1542/001/
  cited in 2026-06-12
• attack.mitre.orginline`T1543.003`https://attack.mitre.org/techniques/T1543/003/
  cited in 2026-05-26
• attack.mitre.orginlineWeb Session Cookiehttps://attack.mitre.org/techniques/T1550/004/
  cited in 2026-05-27
• attack.mitre.orginlineT1552.001 (Unsecured Credentials: Credentials In Files)https://attack.mitre.org/techniques/T1552/001/
  cited in 2026-05-20
• attack.mitre.orginline`nss3.dll`https://attack.mitre.org/techniques/T1555/003/
  cited in 2026-05-29
• attack.mitre.orginlineT1556https://attack.mitre.org/techniques/T1556/
  cited in 2026-05-16
• attack.mitre.orginlineT1556.006 (Modify Authentication Process: Multi-Factor Authentication)https://attack.mitre.org/techniques/T1556/006/
  cited in 2026-05-20
• attack.mitre.orginlineAdversary-in-the-Middlehttps://attack.mitre.org/techniques/T1557/
  cited in 2026-05-27, 2026-05-16
• attack.mitre.orginlineT1562.001https://attack.mitre.org/techniques/T1562/001/
  cited in 2026-06-12, 2026-05-16
• attack.mitre.orginlineT1562.007 (Impair Defenses: Disable or Modify Cloud Firewall)https://attack.mitre.org/techniques/T1562/007/
  cited in 2026-05-20
• attack.mitre.orginlineT1566.004https://attack.mitre.org/techniques/T1566/004/
  cited in 2026-05-16
• attack.mitre.orginline`T1574.002`https://attack.mitre.org/techniques/T1574/002/
  cited in 2026-06-17
• bitdefender.cominlineBitdefender Labs, 2026-05-13https://www.bitdefender.com/en-us/blog/businessinsights/famoussparrow-apt-targets-azerbaijani-oil-gas-industry
  cited in 2026-05-14
• bleepingcomputer.cominlineBleepingComputer, 2026-06-01https://www.bleepingcomputer.com/news/microsoft/critical-windows-netlogon-remote-code-execution-flaw-now-exploited-in-attacks/
  source profile · cited in 2026-W23, 2026-06-11, 2026-06-02
• bleepingcomputer.cominlineBleepingComputerhttps://www.bleepingcomputer.com/news/microsoft/microsoft-defender-rogueplanet-zero-day-grants-system-privileges/
  source profile · cited in 2026-W24, 2026-06-11
• bleepingcomputer.cominlineBleepingComputerhttps://www.bleepingcomputer.com/news/microsoft/microsoft-june-2026-patch-tuesday-fixes-6-zero-days-200-flaws/
  source profile · cited in 2026-W24
• bleepingcomputer.cominlineBleepingComputer — MiniPlasma zero-day PoChttps://www.bleepingcomputer.com/news/microsoft/new-windows-miniplasma-zero-day-exploit-gives-system-access-poc-released/
  source profile · cited in 2026-W22, 2026-W21, 2026-05-19
• bleepingcomputer.cominlineBleepingComputer, 2026-06-24https://www.bleepingcomputer.com/news/security/amadey-stealc-malware-operations-disrupted-in-operation-endgame-action/
  source profile · cited in 2026-06-25
• bleepingcomputer.cominlineBleepingComputer, 2026-06-04https://www.bleepingcomputer.com/news/security/chinese-hackers-use-new-atlas-rat-malware-in-european-cyberattacks/
  source profile · cited in 2026-W23, 2026-06-05
• bleepingcomputer.cominlineBleepingComputer, 2026-05-20https://www.bleepingcomputer.com/news/security/grafana-breach-caused-by-missed-token-rotation-after-tanstack-attack/
  source profile · cited in 2026-05-21
• bleepingcomputer.cominlineBleepingComputerhttps://www.bleepingcomputer.com/news/security/malicious-edge-extension-abuses-native-messaging-as-bridge-to-malware/
  source profile · cited in 2026-06-25
• bleepingcomputer.cominlineBleepingComputer, 2026-06-18https://www.bleepingcomputer.com/news/security/microsoft-links-mastra-ai-supply-chain-attack-to-north-korean-hackers/
  source profile · cited in 2026-W25, 2026-06-21
• bleepingcomputer.cominlineBleepingComputer corroboration on 2026-05-19https://www.bleepingcomputer.com/news/security/microsoft-self-service-password-reset-abused-in-azure-data-theft-attacks/
  source profile · cited in 2026-05-20
• bleepingcomputer.cominlineBleepingComputer — MuddyWater hackers use Chaos ransomware as a decoyhttps://www.bleepingcomputer.com/news/security/muddywater-hackers-use-chaos-ransomware-as-a-decoy-in-attacks/
  source profile · cited in 2026-W19
• bleepingcomputer.cominlineBleepingComputer — IronWormhttps://www.bleepingcomputer.com/news/security/new-ironworm-malware-hits-36-packages-in-npm-supply-chain-attack/
  source profile · cited in 2026-W23
• bleepingcomputer.cominlineBleepingComputer 2026-05-05https://www.bleepingcomputer.com/news/security/new-stealthy-quasar-linux-malware-targets-software-developers/
  source profile · cited in 2026-05-14
• bleepingcomputer.cominlineBleepingComputer, 2026-06-11https://www.bleepingcomputer.com/news/security/nottingham-university-data-breach-affects-over-450-000-students/
  source profile · cited in 2026-06-12
• bleepingcomputer.cominlineBleepingComputer, 2026-05-15https://www.bleepingcomputer.com/news/security/pwn2own-day-two-hackers-demo-microsoft-exchange-windows-11-red-had-enterprise-linux-zero-days/
  source profile · cited in 2026-05-17
• bleepingcomputer.cominlineBleepingComputer, 2026-06-16https://www.bleepingcomputer.com/news/security/ransomware-gang-abuses-microsoft-teams-relays-to-hide-malicious-traffic/
  source profile · cited in 2026-06-17
• bleepingcomputer.cominlineBleepingComputer, 2026-05-17https://www.bleepingcomputer.com/news/security/tycoon2fa-hijacks-microsoft-365-accounts-via-device-code-phishing/
  source profile · cited in 2026-05-18
• bleepingcomputer.cominlineBleepingComputer, 2026-05-13https://www.bleepingcomputer.com/news/security/windows-bitlocker-zero-day-gives-access-to-protected-drives-poc-released/
  source profile · cited in 2026-05-15
• blog.ammaraskar.cominlineAmmar Askar, 2026-06-02https://blog.ammaraskar.com/github-token-stealing/
  cited in 2026-06-04
• blog.calif.ioinlineCalif/Codex, 2026-06-02https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb
  source profile · cited in 2026-06-04
• blog.fox-it.cominlineFox-IT, 2026-05-22https://blog.fox-it.com/2026/05/22/remotepe-the-lazarus-rat-that-lives-in-memory/
  source profile · cited in 2026-05-26
• blog.sekoia.ioinlineSekoia TDR, 2026-06-11https://blog.sekoia.io/apt28-an-evolution-of-tradecraft/
  source profile · cited in 2026-06-14
• blog.sekoia.ioinlineSekoia's reference analysishttps://blog.sekoia.io/tycoon-2fa-an-in-depth-analysis-of-the-latest-version-of-the-aitm-phishing-kit/
  source profile · cited in 2026-05-18
• blog.talosintelligence.cominlineCisco Talos, 2026-05-05https://blog.talosintelligence.com/cloudz-pheno-infostealer/
  source profile · cited in 2026-05-07
• blog.talosintelligence.cominlineCisco Talos 2026-05-05https://blog.talosintelligence.com/uat-8302/
  source profile · cited in 2026-05-14
• blogs.microsoft.cominlineMicrosoft On the Issues — DCU legal action, 2026-05-19https://blogs.microsoft.com/on-the-issues/2026/05/19/disrupting-fox-tempest-a-cybercrime-service/
  source profile · cited in 2026-05-20
• broadcom.cominlineSymantec, 2026-06-24https://www.broadcom.com/support/security-center/protection-bulletin/backdoor-mistic-new-backdoor-may-be-linked-to-ransomware-access-broker
  cited in 2026-06-25
• ccb.belgium.beinlineCCB Belgium, 2026-05-08https://ccb.belgium.be/advisories/warning-dirty-frag-new-linux-local-privilege-escalation-vulnerability-was-disclosed
  source profile · cited in 2026-05-11
• cert.europa.euinlineCERT-EU 2026-005https://cert.europa.eu/publications/security-advisories/2026-005/
  source profile · cited in 2026-W19, 2026-05-09
• cert.europa.euinlineCERT-EU, 2026-06-10https://cert.europa.eu/publications/security-advisories/2026-007/
  source profile · cited in 2026-06-11
• cert.plinlineCERT Polska CVE-2026-42096https://cert.pl/en/posts/2026/05/CVE-2026-42096/
  source profile · cited in 2026-05-20
• cert.ssi.gouv.frinlineCERT-FR — CERTFR-2026-ACT-016, 2026-05-08https://www.cert.ssi.gouv.fr/actualite/CERTFR-2026-ACT-016/
  source profile · cited in 2026-W19
• cert.ssi.gouv.frinlineCERT-FR / ANSSI advisory CERTFR-2026-AVI-0652https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0652/
  source profile · cited in 2026-05-29
• cisa.govinlineCISA KEV cataloghttps://www.cisa.gov/known-exploited-vulnerabilities-catalog
  source profile · cited in 2026-05-29, 2026-05-17, 2026-05-09
• cisa.govinlineCISA Alert AA21-321A, 2021-11-17https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-321a
  source profile · cited in 2026-05-16
• cloud.google.cominlineGoogle Threat Intelligence Group, 2026-05-15https://cloud.google.com/blog/topics/threat-intelligence/blackfile-vishing-extortion-operation/
  source profile · cited in 2026-05-16
• cloud.google.cominlineMandiant GTIG, 2026-06-11https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit/
  source profile · cited in 2026-06-12
• cloud.google.cominlineMandiant, 2026-04-23https://cloud.google.com/blog/topics/threat-intelligence/unc6692-social-engineering-custom-malware
  source profile · cited in 2026-06-09
• cpomagazine.cominlineCPO Magazinehttps://www.cpomagazine.com/cyber-security/microsoft-doubles-down-on-opposition-to-public-disclosure-as-chaotic-eclipse-wave-of-zero-day-vulnerabilities-continues/
  cited in 2026-W23
• csoonline.cominlineCSO Onlinehttps://www.csoonline.com/article/4189132/be-on-the-lookout-for-mistic-a-new-backdoor-used-by-ransomware-broker.html
  cited in 2026-06-25
• cyberscoop.cominlineCyberScoop, 2026-05-22https://cyberscoop.com/fbi-phishing-kali365-microsoft365-access-tokens/
  source profile · cited in 2026-05-23
• cyera.cominlineCyera Research, 2026-05-15https://www.cyera.com/blog/claw-chain-cyera-research-unveil-four-chainable-vulnerabilities-in-openclaw
  cited in 2026-05-16
• drupal.orginlineDrupal PSA-2026-05-18https://www.drupal.org/psa-2026-05-18
  cited in 2026-05-20
• edri.orginlineEDRi, 2026-05-28https://edri.org/our-work/inside-italys-low-cost-spyware-economy/
  cited in 2026-06-01
• elastic.coinlineElastic Security Labs, 2026-06-19https://www.elastic.co/security-labs/aad-graph-activity-logs-threat-detection
  source profile · cited in 2026-06-23
• elastic.coinlineElastic Security Labs 2026-05-07https://www.elastic.co/security-labs/tclbanker-brazilian-banking-trojan
  source profile · cited in 2026-05-14
• elastic.coinlineElastic Security Labs, 2026-05-26https://www.elastic.co/security-labs/tycoon-2fa-aitm-detection-engineering
  source profile · cited in 2026-05-27
• enisa.europa.euinlineENISA, 2026-06-11https://www.enisa.europa.eu/news/cyber-europe-2026-all-eyes-on-the-eus-collective-response-and-resilience
  source profile · cited in 2026-06-14
• enki.co.krinlineENKI WhiteHat, 2026-05-27https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant
  cited in 2026-05-30
• esentire.cominlineeSentire TRU, 2026-05-12https://www.esentire.com/blog/tycoon-2fa-operators-adopt-oauth-device-code-phishing
  cited in 2026-05-18
• europol.europa.euinlineEuropol, 2026-06-24https://www.europol.europa.eu/media-press/newsroom/news/global-cyber-strike-disrupts-socgholish-amadey-and-stealc-malware-networks
  cited in 2026-06-25
• fortiguard.fortinet.cominlineCWE-284 improper-access-control flaw in Fortinet FortiClient EMS 7.4.5 and 7.4.6https://fortiguard.fortinet.com/psirt/FG-IR-26-099
  cited in 2026-05-29
• genians.co.krinlineGenians, 2026-06-16https://www.genians.co.kr/en/blog/threat_intelligence/narwhalrat
  cited in 2026-06-18
• github.bloginlineGitHub Changelog, 2026-06-18https://github.blog/changelog/2026-06-18-safer-pull_request_target-defaults-for-github-actions-checkout/
  cited in 2026-06-25
• github.cominlineResearcher write-up (V4bel), 2026-05-07https://github.com/V4bel/dirtyfrag/blob/master/assets/write-up.md
  source profile · cited in 2026-05-09
• github.cominlineHealthChecker.ps1https://github.com/microsoft/CSS-Exchange
  source profile · cited in 2026-05-14
• github.cominlineGitHub GHSA-2ww3-72rp-wpp4https://github.com/microsoft/semantic-kernel/security/advisories/GHSA-2ww3-72rp-wpp4
  source profile · cited in 2026-W19, 2026-05-10
• github.cominlineGitHub GHSA-xjw9-4gw8-4rqxhttps://github.com/microsoft/semantic-kernel/security/advisories/GHSA-xjw9-4gw8-4rqx
  source profile · cited in 2026-W19, 2026-05-10
• github.cominlineGitHub Security Advisory GHSA-c9ph-gxww-7744, 2026-04-29https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-c9ph-gxww-7744
  source profile · cited in 2026-05-13
• grafana.cominlineGrafana Labs, 2026-05-19https://grafana.com/blog/grafana-labs-security-update-latest-on-tanstack-npm-supply-chain-ransomware-incident/
  cited in 2026-05-21
• hackread.cominlineHackread, 2026-05-16https://hackread.com/pwn2own-berlin-2026-hits-capacity-hackers-0-days/
  cited in 2026-05-17
• haveibeenpwned.cominlineHave I Been Pwnedhttps://haveibeenpwned.com/Breach/Charter
  cited in 2026-06-02
• heise.deinlineheise Securityhttps://www.heise.de/en/news/Too-many-zero-days-Microsoft-threatens-legal-action-11310736.html
  source profile · cited in 2026-05-30
• helpnetsecurity.cominlineHelp Net Security, 2026-04-29https://www.helpnetsecurity.com/2026/04/29/windows-cve-2026-32202-exploited/
  source profile · cited in 2026-W19
• helpnetsecurity.cominlineHelp Net Security, 2026-05-08https://www.helpnetsecurity.com/2026/05/08/dirty-frag-linux-vulnerability-cve-2026-43284-cve-2026-43500/
  source profile · cited in 2026-05-09
• helpnetsecurity.cominlineHelp Net Security, 2026-05-12https://www.helpnetsecurity.com/2026/05/12/microsoft-may-2026-patch-tuesday/
  source profile · cited in 2026-05-13
• helpnetsecurity.cominlineHelp Net Security, 2026-05-20https://www.helpnetsecurity.com/2026/05/20/github-breached-teampcp/
  source profile · cited in 2026-05-21
• helpnetsecurity.cominlineHelp Net Security, 2026-05-22https://www.helpnetsecurity.com/2026/05/22/kali365-microsoft-365-phishing-fbi-warning/
  source profile · cited in 2026-05-23
• helpnetsecurity.cominlineHelp Net Security, 2026-05-26https://www.helpnetsecurity.com/2026/05/26/sharepoint-vulnerability-cve-2026-45659/
  source profile · cited in 2026-05-28
• helpnetsecurity.cominlineHelp Net Securityhttps://www.helpnetsecurity.com/2026/06/01/windows-netlogon-rce-exploited-cve-2026-41089/
  source profile · cited in 2026-W23, 2026-06-02
• helpnetsecurity.cominlineHelp Net Security forecasthttps://www.helpnetsecurity.com/2026/06/05/june-2026-patch-tuesday-forecast/
  source profile · cited in 2026-W23
• helpnetsecurity.cominlineHelp Net Security, 2026-06-16https://www.helpnetsecurity.com/2026/06/16/dragonforce-microsoft-teams-malware-backdoor-turn/
  source profile · cited in 2026-06-17
• helpnetsecurity.cominlineHelp Net Security, 2026-06-17https://www.helpnetsecurity.com/2026/06/17/rogueplanet-zero-day-cve-2026-50656/
  source profile · cited in 2026-W25, 2026-06-19
• helpnetsecurity.cominlineHelp Net Security, 2026-06-18https://www.helpnetsecurity.com/2026/06/18/eset-gentlemen-edr-killers/
  source profile · cited in 2026-06-19
• huntress.cominlineHuntress Labs' 2026-05-21 IR reporthttps://www.huntress.com/blog/the-gentlemen-ransomware-defense-evasion-ttps
  source profile · cited in 2026-05-29
• huntress.cominlineHuntress, 2026-06-03https://www.huntress.com/blog/unpatched-ntlm-leak-windows-search-uri-handler
  source profile · cited in 2026-06-04
• infosecurity-magazine.cominlineInfosecurity Magazine, 2026-05-20https://www.infosecurity-magazine.com/news/github-confirms-breach-vs-code/
  source profile · cited in 2026-05-21
• isc.sans.eduinlineSANS ISC diary 33016 — Mini Shai-Hulud framework / Microsoft SDKhttps://isc.sans.edu/diary/33016
  source profile · cited in 2026-W22, 2026-05-26
• isc.sans.eduinlineSANS ISC Diary, 2026-05-04https://isc.sans.edu/diary/Cleartext+Passwords+in+MS+Edge+In+2026/32954/
  source profile · cited in 2026-05-06
• isc.sans.eduinlineSANS ISC, 2026-06-01https://isc.sans.edu/diary/rss/33034
  source profile · cited in 2026-06-01
• isc.sans.eduinlineSANS ISC, 2026-06-05https://isc.sans.edu/diary/rss/33054
  source profile · cited in 2026-06-07
• isc.sans.eduinlineSANS ISC, 2026-06-09https://isc.sans.edu/diary/rss/33064
  source profile · cited in 2026-06-10
• krebsonsecurity.cominlineKrebs on Security, 2026-05-12https://krebsonsecurity.com/2026/05/patch-tuesday-may-2026-edition/
  source profile · cited in 2026-05-13
• krebsonsecurity.cominlineKrebsOnSecurity, 2026-06-10https://krebsonsecurity.com/2026/06/who-runs-the-ransomware-group-the-gentlemen/
  source profile · cited in 2026-06-12
• labs.cloudsecurityalliance.orginlineCSA research notehttps://labs.cloudsecurityalliance.org/research/csa-research-note-shai-hulud-megalodon-supply-chain-cascade/
  source profile · cited in 2026-W21
• labs.infoguard.chinlineInfoGuard, 2026-06-09https://labs.infoguard.ch/posts/ghost-sender/
  source profile · cited in 2026-06-10
• labs.watchtowr.cominlinewatchTowr Labs, 2026-06-12https://labs.watchtowr.com/why-use-app-level-auth-when-every-database-has-auth-splunk-enterprise-cve-2026-20253-pre-auth-rce/
  source profile · cited in 2026-06-14
• learn.microsoft.cominlineASR rules referencehttps://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference
  source profile · cited in 2026-05-29
• learn.microsoft.cominlineMicrosoft Authentication Broker clienthttps://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-device-code
  source profile · cited in 2026-05-18
• learn.microsoft.cominlineEntra Conditional Access policyhttps://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-block-authentication-flows
  source profile · cited in 2026-05-18
• malwarebytes.cominlineMalwarebytes — Shub Stealer earlier wave, 2026-03https://www.malwarebytes.com/blog/threat-intel/2026/03/fake-cleanmymac-site-installs-shub-stealer-and-backdoors-crypto-wallets
  source profile · cited in 2026-05-10
• microsoft.cominlineMicrosoft Threat Intelligence, 2021-03-02https://www.microsoft.com/en-us/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
  source profile · cited in 2026-05-16
• microsoft.cominlineMicrosoft Security Blog, 2026-05-01https://www.microsoft.com/en-us/security/blog/2026/05/01/cve-2026-31431-copy-fail-vulnerability-enables-linux-root-privilege-escalation/
  source profile · cited in 2026-05-06
• microsoft.cominlineMicrosoft Security Blog 2026-05-04https://www.microsoft.com/en-us/security/blog/2026/05/04/breaking-the-code-multi-stage-code-of-conduct-phishing-campaign-leads-to-aitm-token-compromise/
  source profile · cited in 2026-05-14, 2026-05-06
• microsoft.cominlineMicrosoft Security Blog, 2026-05-06https://www.microsoft.com/en-us/security/blog/2026/05/06/clickfix-campaign-uses-fake-macos-utilities-lures-deliver-infostealers/
  source profile · cited in 2026-05-10
• microsoft.cominlineMicrosoft Security Bloghttps://www.microsoft.com/en-us/security/blog/2026/05/07/prompts-become-shells-rce-vulnerabilities-ai-agent-frameworks/
  source profile · cited in 2026-W19, 2026-05-10
• microsoft.cominlineMicrosoft Security Bloghttps://www.microsoft.com/en-us/security/blog/2026/05/08/active-attack-dirty-frag-linux-vulnerability-expands-post-compromise-risk/
  source profile · cited in 2026-W20, 2026-W19, 2026-05-11, 2026-05-09
• microsoft.cominlineMicrosoft Security Blog, 2026-05-12https://www.microsoft.com/en-us/security/blog/2026/05/12/defense-at-ai-speed-microsofts-new-multi-model-agentic-security-system-finds-16-new-vulnerabilities/
  source profile · cited in 2026-05-13
• microsoft.cominlineMicrosoft Security Blog, 2026-05-12https://www.microsoft.com/en-us/security/blog/2026/05/12/undermining-the-trust-boundary-investigating-a-stealthy-intrusion-through-third-party-compromise/
  source profile · cited in 2026-05-18, 2026-05-16
• microsoft.cominlineMicrosoft Security Bloghttps://www.microsoft.com/en-us/security/blog/2026/05/14/kazuar-anatomy-of-a-nation-state-botnet/
  source profile · cited in 2026-W20, 2026-05-16
• microsoft.cominlineMicrosoft Security Blog, 2026-05-18https://www.microsoft.com/en-us/security/blog/2026/05/18/storm-2949-turned-compromised-identity-into-cloud-wide-breach/
  source profile · cited in 2026-05-20
• microsoft.cominlineMicrosoft Threat Intelligence — Fox Tempesthttps://www.microsoft.com/en-us/security/blog/2026/05/19/exposing-fox-tempest-a-malware-signing-service-operation/
  source profile · cited in 2026-W21, 2026-06-09, 2026-05-20
• microsoft.cominlineMicrosoft Security Blog — search-poisoning cryptojackinghttps://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/
  source profile · cited in 2026-W22, 2026-05-28
• microsoft.cominlineMicrosoft Threat Intelligence, 2026-05-28https://www.microsoft.com/en-us/security/blog/2026/05/28/the-gentlemen-ransomware-dissecting-a-self-propagating-go-encryptor/
  source profile · cited in 2026-06-12, 2026-05-29
• microsoft.cominlineMicrosoft, 2026-05-30https://www.microsoft.com/en-us/security/blog/2026/05/29/33-malicious-npm-packages-abuse-dependency-confusion-profile-developer-environments/
  source profile · cited in 2026-06-01
• microsoft.cominlineMicrosoft, 2026-06-08https://www.microsoft.com/en-us/security/blog/2026/06/08/ai-brands-as-bait-how-threat-actors-are-using-the-ai-hype-in-social-engineering/
  source profile · cited in 2026-06-09
• microsoft.cominlineMicrosoft Security, 2026-06-17https://www.microsoft.com/en-us/security/blog/2026/06/17/crypto-clipper-uses-tor-worm-like-propagation-for-persistence-control/
  source profile · cited in 2026-06-19
• microsoft.cominlineMicrosoft Security, 2026-06-17https://www.microsoft.com/en-us/security/blog/2026/06/17/postinstall-payload-inside-mastra-npm-supply-chain-compromise/
  source profile · cited in 2026-W25, 2026-06-21
• microsoft.cominlineMicrosofthttps://www.microsoft.com/en-us/security/blog/2026/06/18/autojack-single-page-rce-host-running-ai-agent/
  source profile · cited in 2026-W25, 2026-06-20
• microsoft.cominlineMicrosoft, 2026-06-24https://www.microsoft.com/en-us/security/blog/2026/06/24/stealc-and-amadey-breaking-down-infostealers-and-the-cybercrime-services-that-deliver-them/
  source profile · cited in 2026-06-25
• msrc.microsoft.cominlineMicrosoft MSRC, 2026-06-09https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-26142
  source profile · cited in 2026-06-12
• msrc.microsoft.cominlineMicrosoft MSRChttps://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-41089
  source profile · cited in 2026-W23, 2026-06-02
• msrc.microsoft.cominlineMicrosoft MSRC — CVE-2026-41091https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-41091
  source profile · cited in 2026-W21, 2026-05-22, 2026-05-20
• msrc.microsoft.cominlineMSRChttps://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-42822
  source profile · cited in 2026-W21, 2026-05-21
• msrc.microsoft.cominlineMicrosoft MSRChttps://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-42897
  source profile · cited in 2026-W20, 2026-05-18, 2026-05-17, 2026-05-16
• msrc.microsoft.cominlineMSRChttps://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-45584
  source profile · cited in 2026-W21, 2026-05-20
• msrc.microsoft.cominlineMSRC — CVE-2026-45585https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-45585
  source profile · cited in 2026-W21, 2026-05-20
• msrc.microsoft.cominlineMSRChttps://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-45657
  source profile · cited in 2026-W24, 2026-06-12
• msrc.microsoft.cominline`CVE-2026-45659`https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-45659
  source profile · cited in 2026-05-29, 2026-05-28
• msrc.microsoft.cominlineMSRChttps://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-47291
  source profile · cited in 2026-W24, 2026-06-10
• msrc.microsoft.cominlineMicrosoft MSRC, 2026-06-09https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-47643
  source profile · cited in 2026-06-12
• msrc.microsoft.cominlineMicrosoft MSRC, 2026-06-04https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-48579
  source profile · cited in 2026-06-12
• msrc.microsoft.cominlineMicrosoft MSRChttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32202
  source profile · cited in 2026-W19, 2026-05-08
• msrc.microsoft.cominlineMSRC Security Update Guidehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41089
  source profile · cited in 2026-W20
• msrc.microsoft.cominlineMSRC Security Update Guidehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41096
  source profile · cited in 2026-W20
• msrc.microsoft.cominlineMSRC Security Update Guidehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41103
  source profile · cited in 2026-W20
• msrc.microsoft.cominlineMicrosoft MSRChttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42824
  source profile · cited in 2026-06-16
• msrc.microsoft.cominlineMSRC Security Update Guidehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42898
  source profile · cited in 2026-W20
• msrc.microsoft.cominlineMicrosoft MSRChttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45585
  source profile · cited in 2026-W22, 2026-05-30
• msrc.microsoft.cominlineMSRChttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50656
  source profile · cited in 2026-W25, 2026-06-19
• ncsc.admin.chinlineNCSC-CH, 2026-06-23https://www.ncsc.admin.ch/ncsc/en/home/aktuell/im-fokus/2026/wochenrueckblick_25.html
  source profile · cited in 2026-06-25
• noscope.cominlineNoScope, 2026-05-25https://www.noscope.com/blog/gitea-instances-exposing-private-container
  cited in 2026-05-28
• nottingham.ac.ukinlineUniversity of Nottingham, 2026-06-10https://www.nottingham.ac.uk/currentstudents/news/student-and-alumni-data-has-been-compromised-in-a-data-security-incident
  cited in 2026-06-12
• novee.securityinlineNovee Security, 2026-06-23https://novee.security/blog/cordyceps/
  cited in 2026-06-25
• nvd.nist.govinlineNVD — CVE-2026-32202https://nvd.nist.gov/vuln/detail/CVE-2026-32202
  cited in 2026-05-08
• nvd.nist.govinlineCISA KEV since 2026-04-06https://nvd.nist.gov/vuln/detail/CVE-2026-35616
  cited in 2026-05-29
• oasis.securityinlineOasis Security 2026-05-07https://www.oasis.security/blog/cline-kanban-websocket-hijack
  cited in 2026-05-14
• obsidiansecurity.cominlineObsidian, 2026-06-16https://www.obsidiansecurity.com/blog/litellm-privilege-escalation-rce
  cited in 2026-W25
• opensourcemalware.cominlineOpenSourceMalwarehttps://opensourcemalware.com/blog/miasma-reaches-azure
  cited in 2026-W23, 2026-06-06
• openwall.cominlineoss-security, 2026-06-03https://www.openwall.com/lists/oss-security/2026/06/03/3
  cited in 2026-06-04
• oracle.cominlineOracle, 2026-06-10https://www.oracle.com/security-alerts/alert-cve-2026-35273.html
  source profile · cited in 2026-06-12
• permiso.ioinlinePermiso Security — ChatGPhishhttps://permiso.io/blog/chatgpt-markdown-rendering-vulnerability
  cited in 2026-W22
• posthogstatus.cominlinePostHog status, 2026-05-30https://www.posthogstatus.com/incidents/01KSV6HJYKG5QJAP8HVTSQVSM1
  cited in 2026-06-01
• proofpoint.cominlineProofpoint/IBM X-Force, 2026-06-24https://www.proofpoint.com/us/blog/threat-insight/stealc-you-later-proofpoint-and-ibm-x-force-support-operation-endgame
  cited in 2026-06-25
• pushsecurity.cominlinePush Security — LLMSharehttps://pushsecurity.com/blog/llmshare-malvertising-campaign
  source profile · cited in 2026-W22
• rapid7.cominlineRapid7, 2026-06-09https://www.rapid7.com/blog/post/em-patch-tuesday-june-2026
  source profile · cited in 2026-06-10
• rapid7.cominlineRapid7 — Muddying the Tracks: The State-Sponsored Shadow Behind Chaos Ransomwarehttps://www.rapid7.com/blog/post/tr-muddying-tracks-state-sponsored-shadow-behind-chaos-ransomware/
  source profile · cited in 2026-W19
• redcanary.cominlineRed Canary, 2026-06-08https://redcanary.com/blog/threat-detection/entra-id-ai-workflows-assistive-agents/
  source profile · cited in 2026-06-10
• redcanary.cominlineRed Canary — Entra Agent IDhttps://redcanary.com/blog/threat-detection/entra-id-ai-workflows/
  source profile · cited in 2026-W22, 2026-05-30
• reliaquest.cominlineReliaQuest, 2026-06-05https://reliaquest.com/blog/threat-spotlight-reliaquests-agentic-ai-uncovers-new-china-linked-cluster-op-512
  cited in 2026-06-06
• research.checkpoint.cominlineCheck Point Research, 2026-05-13https://research.checkpoint.com/2026/thus-spoke-the-gentlemen/
  source profile · cited in 2026-06-12, 2026-05-29
• research.jfrog.cominlineJFrog, 2026-06-22https://research.jfrog.com/post/from-postcss-typosquat-to-windows-rat/
  cited in 2026-06-24
• research.jfrog.cominlineJFrog Security Research — IronWormhttps://research.jfrog.com/post/iron-worm-shai-hulud-rustier-cousin/
  cited in 2026-W23, 2026-06-06
• seclists.orginlineCalif/oss-securityhttps://seclists.org/oss-sec/2026/q2/790
  cited in 2026-W23
• security-hub.ncsc.admin.chinlineNCSC-CH Security Hub #12574, 2026-05-14https://security-hub.ncsc.admin.ch/#/posts/12574
  source profile · cited in 2026-05-15
• security-hub.ncsc.admin.chinlineNCSC.ch Security Hub #12577https://security-hub.ncsc.admin.ch/#/posts/12577
  source profile · cited in 2026-W20, 2026-05-16
• security-hub.ncsc.admin.chinlineNCSC-CH post 12594https://security-hub.ncsc.admin.ch/#/posts/12594
  source profile · cited in 2026-05-28
• security-hub.ncsc.admin.chinlineNCSC-CH, 2026-06-09https://security-hub.ncsc.admin.ch/#/posts/12619
  source profile · cited in 2026-06-10
• security-hub.ncsc.admin.chinlineNCSC-CH CSH, 2026-06-11https://security-hub.ncsc.admin.ch/#/posts/12622
  source profile · cited in 2026-06-12, 2026-06-11
• security-hub.ncsc.admin.chinlineNCSC-CH Security Hub post 12547, 2026-05-08https://security-hub.ncsc.admin.ch/api/posts/12547/details
  source profile · cited in 2026-05-11, 2026-05-09
• security-hub.ncsc.admin.chinlineNCSC.ch Security Hub #12577https://security-hub.ncsc.admin.ch/api/posts/12577/details
  source profile · cited in 2026-W20
• security.cominlineSymantec / Broadcom, 2026-06-16https://www.security.com/threat-intelligence/dragonforce-msteams-backdoor
  cited in 2026-06-17
• security.cominlineBroadcom/Symantec, 2026-06-03https://www.security.com/threat-intelligence/stock-exchange-espionage
  cited in 2026-06-04
• securityaffairs.cominlineSecurity Affairs, 2026-05-30https://securityaffairs.com/192907/uncategorized/shinyhunters-leaks-charter-communications-data-potentially-impacting-5-million-customers.html
  source profile · cited in 2026-06-02
• securityaffairs.cominlineSecurity Affairs, 2026-06-11https://securityaffairs.com/193530/hacking/cve-2026-10520-exploited-ivanti-sentry-gateways-compromised-shortly-after-patch-release.html
  source profile · cited in 2026-06-14
• securityweek.cominlineSecurityWeek, 2026-06-02https://www.securityweek.com/exclusive-how-one-line-of-code-put-billions-of-microsoft-android-app-downloads-at-risk/
  source profile · cited in 2026-06-04
• securityweek.cominlineSecurityWeek, 2026-06-24https://www.securityweek.com/exploitable-ci-cd-vulnerabilities-expose-millions-of-repositories-to-hijacking/
  source profile · cited in 2026-06-25
• securityweek.cominlineSecurityWeekhttps://www.securityweek.com/greatxml-zero-day-exploit-bypasses-bitlocker/
  source profile · cited in 2026-W24, 2026-06-12
• securityweek.cominlineSecurityWeek, 2026-06-03https://www.securityweek.com/hackers-target-global-stock-exchange-in-espionage-operation/
  source profile · cited in 2026-06-04
• securityweek.cominlineSecurityWeek — Iranian APT intrusion masquerades as Chaos ransomware attackhttps://www.securityweek.com/iranian-apt-intrusion-masquerades-as-chaos-ransomware-attack/
  source profile · cited in 2026-W19
• securityweek.cominlineSymantec, 2026-06-24https://www.securityweek.com/new-mistic-rat-opens-door-to-several-ransomware-families/
  source profile · cited in 2026-06-25
• securityweek.cominlineSecurityWeek, 2026-06-10https://www.securityweek.com/new-windows-zero-day-exploit-rogueplanet-released/
  source profile · cited in 2026-06-11
• securityweek.cominlineSecurityWeek, 2026-06-11https://www.securityweek.com/oracle-addresses-peoplesoft-vulnerability-amid-reports-of-zero-day-attacks/
  source profile · cited in 2026-06-12
• seqrite.cominlineSeqrite Labs, 2026-06-01https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/
  source profile · cited in 2026-06-02
• seqrite.cominlineSeqrite Labs, 2026-05-29https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/
  source profile · cited in 2026-06-03
• snyk.ioinlineSnyk, 2026-06-16https://snyk.io/blog/a-forgotten-contributor-account-compromised-the-entire-mastra-npm-package-scope/
  source profile · cited in 2026-06-21
• socket.devinlineSocket — TrapDoorhttps://socket.dev/blog/trapdoor-crypto-stealer-npm-pypi-crates
  source profile · cited in 2026-W22
• sonatype.cominlineSonatype, 2026-05-28https://www.sonatype.com/blog/inside-a-176-package-npm-campaign-built-to-beat-your-internal-dependencies
  source profile · cited in 2026-06-01
• sophos.cominlineSophos bloghttps://www.sophos.com/en-us/blog/sophos-state-of-identity-security-2026
  source profile · cited in 2026-W20
• stepsecurity.ioinlineStepSecurityhttps://www.stepsecurity.io/blog/actions-cool-issues-helper-github-action-compromised-all-tags-point-to-imposter-commit-that-exfiltrates-ci-cd-credentials
  cited in 2026-05-20
• stepsecurity.ioinlineStepSecurityhttps://www.stepsecurity.io/blog/miasma-worm-hits-microsoft-again-azure-functions-action-and-72-other-repositories-disabled-after-supply-chain-attack-targeting-ai-coding-agents
  cited in 2026-W23
• sysdig.cominlineSysdig TRT — LLM-agent post-exploitationhttps://www.sysdig.com/blog/ai-agent-at-the-wheel-how-an-attacker-used-llms-to-move-from-a-cve-to-an-internal-database-in-4-pivots
  cited in 2026-W22
• techcommunity.microsoft.cominlineMS Exchange Bloghttps://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498
  source profile · cited in 2026-W21, 2026-W20, 2026-05-18, 2026-05-16
• techcommunity.microsoft.cominlineMicrosoft, 2021-09-28https://techcommunity.microsoft.com/blog/exchange/new-security-feature-in-september-2021-cumulative-update-for-exchange-server/2783477
  source profile · cited in 2026-05-16
• techzine.euinlineTechzine, 2026-02-16https://www.techzine.eu/news/security/138806/data-breach-at-odido-responsibility-and-compensation-under-discussion/
  cited in 2026-05-13
• tenable.cominlineTenablehttps://www.tenable.com/blog/microsofts-june-2026-patch-tuesday-addresses-198-cves-cve-2026-49160-cve-2026-50507
  source profile · cited in 2026-W24, 2026-06-10
• tenable.cominlineTenable, 2026-05-12https://www.tenable.com/blog/microsofts-may-2026-patch-tuesday-addresses-118-cves-cve-2026-41103
  source profile · cited in 2026-05-13
• thedfirreport.cominlineThe DFIR Report's 2026-05-11 alerthttps://thedfirreport.com/2026/05/11/flash-alert-etherrat-and-tuktuk-c2-end-in-the-gentleman-ransomware/
  source profile · cited in 2026-05-29, 2026-05-18
• thehackernews.cominlineThe Hacker News, 2026-05-27https://thehackernews.com/2026/05/ai-chatbot-recommendations-redirect.html
  cited in 2026-05-28
• thehackernews.cominlineThe Hacker News, 2026-05-15https://thehackernews.com/2026/05/four-openclaw-flaws-enable-data-theft.html
  cited in 2026-05-16
• thehackernews.cominlineThe Hacker Newshttps://thehackernews.com/2026/05/ghostwriter-targets-ukrainian.html
  cited in 2026-W20
• thehackernews.cominlineThe Hacker News, 2026-05-27https://thehackernews.com/2026/05/gitea-vulnerability-exposes-private.html
  cited in 2026-05-28
• thehackernews.cominlineThe Hacker Newshttps://thehackernews.com/2026/05/github-investigating-teampcp-claimed.html
  cited in 2026-W21, 2026-05-21
• thehackernews.cominlineThe Hacker News, 2026-05-29https://thehackernews.com/2026/05/kimsuky-deploys-httpspy-expands-arsenal.html
  cited in 2026-05-30
• thehackernews.cominlineThe Hacker Newshttps://thehackernews.com/2026/05/microsoft-warns-of-two-actively.html
  cited in 2026-W21, 2026-05-22
• thehackernews.cominlineThe Hacker News, 2026-05-19https://thehackernews.com/2026/05/mini-shai-hulud-pushes-malicious-antv.html
  cited in 2026-05-26
• thehackernews.cominlineThe Hacker News, 2026-05-18https://thehackernews.com/2026/05/miniplasma-windows-0-day-enables-system.html
  cited in 2026-05-19
• thehackernews.cominlineThe Hacker News, 2026-05-15https://thehackernews.com/2026/05/on-prem-microsoft-exchange-server-cve.html
  cited in 2026-05-16
• thehackernews.cominlineThe Hacker News 2026-05-04https://thehackernews.com/2026/05/progress-patches-critical-moveit.html
  cited in 2026-05-14
• thehackernews.cominlineThe Hacker News, 2026-05-25https://thehackernews.com/2026/05/trapdoor-supply-chain-attack-spreads.html
  cited in 2026-W22
• thehackernews.cominlineThe Hacker News — Turla Kazuarhttps://thehackernews.com/2026/05/turla-turns-kazuar-backdoor-into.html
  cited in 2026-W20, 2026-05-16
• thehackernews.cominlineThe Hacker News, 2026-05-20https://thehackernews.com/2026/05/webworm-deploys-echocreep-and-graphworm.html
  cited in 2026-05-21
• thehackernews.cominlineThe Hacker News, 2026-06-19https://thehackernews.com/2026/06/autojack-attack-lets-one-web-page.html
  cited in 2026-06-20
• thehackernews.cominlineThe Hacker News, 2026-06-04https://thehackernews.com/2026/06/china-linked-ta4922-expands-phishing.html
  cited in 2026-W23, 2026-06-05
• thehackernews.cominlineThe Hacker News, 2026-06-17https://thehackernews.com/2026/06/fake-microsoft-alerts-used-to-deploy.html
  cited in 2026-06-18
• thehackernews.cominlineThe Hacker News, 2026-06-23https://thehackernews.com/2026/06/malicious-npm-packages-pose-as-postcss.html
  cited in 2026-06-24
• thehackernews.cominlineThe Hacker Newshttps://thehackernews.com/2026/06/miasma-worm-hits-73-microsoft-github.html
  cited in 2026-W23, 2026-06-06
• thehackernews.cominlineThe Hacker News, 2026-06-03https://thehackernews.com/2026/06/microsoft-365-android-apps-let-any-app.html
  cited in 2026-06-04
• thehackernews.cominlineThe Hacker News, 2026-06-17https://thehackernews.com/2026/06/microsoft-confirms-rogueplanet-defender_02022423645.html
  cited in 2026-06-19
• thehackernews.cominlineThe Hacker News, 2026-06-18https://thehackernews.com/2026/06/microsoft-details-windows-clipper.html
  cited in 2026-06-19
• thehackernews.cominlineThe Hacker News, 2026-06-04https://thehackernews.com/2026/06/one-click-github-dev-attack-lets.html
  cited in 2026-06-04
• thehackernews.cominlineThe Hacker News, 2026-06-15https://thehackernews.com/2026/06/one-click-microsoft-365-copilot-flaw.html
  cited in 2026-06-16
• thehackernews.cominlineThe Hacker News, 2026-06-02https://thehackernews.com/2026/06/pakistan-linked-sidecopy-targets.html
  cited in 2026-06-03
• thehackernews.cominlineThe Hacker News, 2026-06-11https://thehackernews.com/2026/06/the-gentlemen-ransomware-claims-478.html
  cited in 2026-06-12
• thehackernews.cominlineThe Hacker News, 2026-06-03https://thehackernews.com/2026/06/unpatched-windows-search-uri.html
  cited in 2026-06-04
• thehackernews.cominlineThe Hacker Newshttps://thehackernews.com/2026/06/verdantbamboo-deploys-bsd-variant-of.html
  cited in 2026-W24
• thehackernews.cominlineThe Hacker News, 2026-06-23https://thehackernews.com/2026/06/whatsapp-vbscript-campaign-uses-fake.html
  cited in 2026-06-24
• therecord.mediainlineThe Record, 2026-05-22https://therecord.media/fbi-warns-of-kali365-phishing-attacks
  source profile · cited in 2026-05-23
• therecord.mediainlineThe Record, 2026-05-20https://therecord.media/github-confirms-teampcp-hack-customers-unaffected
  source profile · cited in 2026-05-21
• therecord.mediainlineRecorded Future News, 2026-05-19https://therecord.media/huawei-zero-day-behind-last-year-luxembourg-telecom-outage
  source profile · cited in 2026-05-20
• therecord.mediainlineThe Recordhttps://therecord.media/microsoft-calls-zero-day-releases-never-justifiable-as-researcher-threatens-more
  source profile · cited in 2026-W22, 2026-05-30
• therecord.mediainlineThe Record, 2026-05-19https://therecord.media/microsoft-disrupts-fox-tempest-malware-signing-service
  source profile · cited in 2026-05-20
• therecord.mediainlineThe Record, 2026-06-11https://therecord.media/university-of-nottingham-cyber-incident-shiny-hunters
  source profile · cited in 2026-06-12
• theregister.cominlineThe Register, 2026-02-27https://www.theregister.com/2026/02/27/odido_shinyhunters_leaks/
  cited in 2026-05-13
• theregister.cominlineThe Register, 2026-05-22https://www.theregister.com/cyber-crime/2026/05/22/fbi-warns-of-kali365-as-device-code-phishing-soars/5245024
  cited in 2026-05-23
• theregister.cominlineThe Register, 2026-05-13https://www.theregister.com/patches/2026/05/13/doozy-of-a-patch-tuesday-includes-30-critical-microsoft-cves/5239224
  cited in 2026-05-13
• theregister.cominlineThe Register, 2026-05-13https://www.theregister.com/security/2026/05/13/disgruntled-researcher-releases-two-more-microsoft-zero-days/5239758
  cited in 2026-05-15
• theregister.cominlineThe Register, 2026-06-11https://www.theregister.com/security/2026/06/11/nightmare-eclipse-drops-claimed-bitlocker-bypass-for-microsoft-windows/5254371
  cited in 2026-06-12
• thezdi.cominlineZDI, 2026-05-12https://www.thezdi.com/blog/2026/5/12/the-may-2026-security-update-review
  cited in 2026-05-13
• thezdi.cominlineZDI, 2026-05-13https://www.thezdi.com/blog/2026/5/13/pwn2own-berlin-2026-day-one-results
  cited in 2026-05-17
• thezdi.cominlineZDI Pwn2Own Day Twohttps://www.thezdi.com/blog/2026/5/15/pwn2own-berlin-2026-day-two-results
  cited in 2026-W20
• thezdi.cominlineZDI, 2026-05-16https://www.thezdi.com/blog/2026/5/16/pwn2own-berlin-2026-day-three-results-and-master-of-pwn
  cited in 2026-05-17
• threatlocker.cominlineThreatLocker — exploitation on fully-patched systemshttps://www.threatlocker.com/blog/miniplasma-windows-privilege-escalation-zero-day-affects-fully-patched-systems
  cited in 2026-W22
• unit42.paloaltonetworks.cominlineUnit 42, 2026-05-11https://unit42.paloaltonetworks.com/active-directory-certificate-services-exploitation/
  source profile · cited in 2026-05-18
• unit42.paloaltonetworks.cominlineUnit 42, 2026-06-22https://unit42.paloaltonetworks.com/cloud-bucket-hijacking-risks/
  source profile · cited in 2026-06-24
• unit42.paloaltonetworks.cominlineUnit 42 — Copy Failhttps://unit42.paloaltonetworks.com/cve-2026-31431-copy-fail/
  source profile · cited in 2026-W19
• unit42.paloaltonetworks.cominlineUnit 42https://unit42.paloaltonetworks.com/hijacking-vertex-ai-model/
  source profile · cited in 2026-W25
• unit42.paloaltonetworks.cominlineUnit 42, 2026-06-08https://unit42.paloaltonetworks.com/microsoft-teams-phishing/
  source profile · cited in 2026-06-09
• unit42.paloaltonetworks.cominlineUnit 42 — ROADtools cloud attackshttps://unit42.paloaltonetworks.com/roadtools-cloud-attacks/
  source profile · cited in 2026-W21, 2026-05-23
• unit42.paloaltonetworks.cominlineUnit 42, 2026-05-22https://unit42.paloaltonetworks.com/tracking-iran-apt-screening-serpens/
  source profile · cited in 2026-05-23
• varonis.cominlineVaronishttps://www.varonis.com/blog/searchleak
  cited in 2026-W25, 2026-06-16
• veeam.cominlineVeeam shipped KB4852 / Backup & Replication patch version 13.0.2.29 on 2026-05-27https://www.veeam.com/kb4852
  cited in 2026-05-29
• volexity.cominlineVolexity — OAuth device-code backgroundhttps://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/
  source profile · cited in 2026-W21, 2026-05-23
• volexity.cominlineVolexityhttps://www.volexity.com/blog/2026/06/04/verdantbamboo-just-another-brickstorm-in-the-firewall/
  source profile · cited in 2026-W24, 2026-06-05
• welivesecurity.cominlineESET, 2026-06-24https://www.welivesecurity.com/en/eset-research/eset-takes-part-operation-endgame-disrupt-amadey-stealc/
  source profile · cited in 2026-06-25
• welivesecurity.cominlineESET WeLiveSecurityhttps://www.welivesecurity.com/en/eset-research/frostyneighbor-fresh-mischief-digital-shenanigans/
  source profile · cited in 2026-W20
• welivesecurity.cominlineESET, 2026-06-18https://www.welivesecurity.com/en/eset-research/killing-me-gently-inside-gentlemens-edr-killer-framework/
  source profile · cited in 2026-06-19
• welivesecurity.cominlineESET WeLiveSecurity, 2026-06-11https://www.welivesecurity.com/en/eset-research/oceanlotus-external-espionage-domestic-targeting/
  source profile · cited in 2026-06-12
• welivesecurity.cominlineESET Research, 2026-05-20https://www.welivesecurity.com/en/eset-research/webworm-new-burrowing-techniques/
  source profile · cited in 2026-05-21
• wid.cert-bund.deinlineBSI WID-SEC-2026-1536, 2026-05-14https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1536
  source profile · cited in 2026-05-16
• wiz.ioinlineWiz Researchhttps://www.wiz.io/blog/dirty-frag-linux-kernel-local-privilege-escalation-via-esp-and-rxrpc
  source profile · cited in 2026-W20, 2026-W19, 2026-05-09
• wiz.ioinlineWiz, 2026-05-20https://www.wiz.io/blog/durabletask-teampcp-supply-chain-attack
  source profile · cited in 2026-05-21
• wiz.ioinlineWiz Researchhttps://www.wiz.io/blog/miasma-supply-chain-attack-targeting-redhat-npm-packages
  source profile · cited in 2026-W23
• wpscan.cominlineWPScan, 2026-06-11https://wpscan.com/vulnerability/68addf8c-9ea6-4b62-9f85-e95350b3992e/
  cited in 2026-06-14
• xenbits.xen.orginlineXSA-490https://xenbits.xen.org/xsa/advisory-490.html
  cited in 2026-05-16
• zerodayinitiative.cominlineZero Day Initiative, 2026-05-15https://www.zerodayinitiative.com/blog/2026/5/15/pwn2own-berlin-2026-day-two-results
  source profile · cited in 2026-05-17
• zscaler.cominlineZscaler, 2026-06-23https://www.zscaler.com/blogs/security-research/payouts-king-ransomware-initial-access-broker-deploys-new-edgecution
  cited in 2026-06-25