Check Point LangGraph checkpointer SQLi->RCE chain (CVE-2025-67644 + CVE-2026-28277 + CVE-2026-27022)

If you did nothing this week: a Remote Access VPN gateway running the deprecated IKEv1 path is an active ransomware entry point — a Qilin affiliate is using this bypass for initial access.

Check Point disclosed and patched CVE-2026-50751 (CVSS 9.3) on 8 June — a certificate-validation logic flaw in the deprecated IKEv1 key exchange affecting Remote Access VPN and Mobile Access on Security Gateway (Check Point; daily 06-09). The disclosure noted exploitation by a Qilin ransomware affiliate, which puts this firmly in the inaction-equals-incident column: VPN gateways are the front door, and a ransomware crew is already through it on unpatched IKEv1 deployments.

Apply the hotfix and, where operationally possible, disable IKEv1 entirely in favour of IKEv2 — the flaw lives in a protocol path most estates no longer need. Hunt for anomalous VPN session establishment without corresponding successful certificate validation and for new Remote Access sessions from unexpected geographies.

Check Point Research disclosed a vulnerability chain in LangGraph, the open-source stateful-agent framework published under LangChain (Check Point Research, 2026-06-11). CVE-2025-67644 is a SQL injection in the SQLite checkpointer's get_state_history() function, which interpolates user-controlled metadata filter keys directly into SQL without sanitisation. Chained with CVE-2026-28277, an unsafe msgpack deserialization in checkpoint loading, an attacker injects a crafted checkpoint row via the SQLi and triggers arbitrary Python module import and command execution when the application later loads that checkpoint — full server-side RCE (The Hacker News, 2026-06-12). A parallel SQLi in the Redis checkpointer is tracked as CVE-2026-27022. Exploitation requires a self-hosted deployment using the SQLite or Redis checkpointer that exposes get_state_history() to user-controlled filter input; PostgreSQL-backed deployments and LangChain's managed LangSmith cloud are not affected. Per Check Point, the fixes shipped in langgraph-checkpoint-sqlite 3.0.1 (CVE-2025-67644), langgraph 1.0.10 (CVE-2026-28277) and langgraph-checkpoint-redis 1.0.2 (CVE-2026-27022). Maps to T1190 and T1059.006. This is the substantive technical disclosure behind the agentic-AI attack surface that Swiss/EU public-sector AI pilots are increasingly building on. Defender action: pin the fixed versions, treat get_state_history() filter input as untrusted even in internal tooling, and never expose the state-history API unauthenticated.

ESET documents two SPECTRALVIPER-delivered OceanLotus (APT32) intrusions running from mid-2024 into 2026: a long-dwell espionage compromise of a Vietnamese infrastructure/transport construction firm (likely via RCE on a public-facing Microsoft SQL Server, T1190) and — more transferable — a supply-chain attack on FireAnt MetaKit, a stock-investment platform, between October 2025 and March 2026 (ESET WeLiveSecurity, 2026-06-11). The platform's update mechanism fetched its version.xml over plain HTTP with no integrity validation; OceanLotus replaced the update binary with a downloader that fingerprinted hosts and delivered the SPECTRALVIPER backdoor via process injection and DLL side-loading (T1195.002, T1055) to only a small subset of victims — investigative targeting, not mass compromise. ESET's disclosure attempts to the vendor went unanswered. [SINGLE-SOURCE — ESET Research.] Defender takeaway: the pattern (unsigned updates, cleartext transport, no version-file integrity check) is endemic in regional/vertical software far beyond Vietnam — inventory third-party auto-updaters in your estate and flag any fetching over HTTP or lacking signature validation; egress-monitor the hosts that run them.

Check Point Research details a malware-distribution operation that impersonates open-source reversing tools using CloudFront-hosted JavaScript to hijack download clicks and route victims through a Traffic Distribution System enforcing geo/device/VPN/frequency filtering before delivering one of three payloads (Check Point Research, 2026-06-03). The payloads are SessionGate (a per-session multi-stage loader with AES-encrypted modules), RemusStealer (targeting 20+ browsers, 220+ wallet extensions, 77 password-manager extensions and 18 2FA tools), and AnimateClipper (a clipboard hijacker with on-chain C2). The targeting is notable for this audience: it goes after security researchers and developers searching for trusted tools, bypassing standard phishing-awareness training (T1566, T1204, T1555, T1111). Hunt for ghidra/dnspy/ilspy download-then-execute chains under browser child processes and clipboard-API access from unexpected processes. [SINGLE-SOURCE] (Check Point primary research).

Check Point disclosed and patched CVE-2026-50751 (CVSS 9.3) on 8 June 2026 — a logic-flow weakness in certificate validation in the deprecated IKEv1 key exchange affecting Remote Access VPN and Mobile Access deployments. An unauthenticated remote attacker can establish a VPN session without a valid user password; post-authentication activity is still required to reach internal resources (Check Point, 2026-06-08). NCSC-CH issued an Action-Required advisory the same day and links observed exploitation to a Qilin ransomware affiliate (NCSC-CH, 2026-06-08); CISA added the CVE to its KEV catalog on 8 June. Full technical treatment, exploitation prerequisites and hardening are in § 5 below. The companion CVE-2026-50752 (CVSS 7.4, site-to-site IKEv1 MitM, no observed exploitation) should be patched in the same window.

Portainer shipped CE 2.33.8 / 2.39.2 / 2.41.0 on 2026-05-28 closing two CVSS 9.4 authorization bypasses; CCB Belgium issued a "Patch Immediately" advisory on the same day. CVE-2026-44848 (GHSA-rrmm-9v76-h3p4) — the Docker plugin-management endpoints (/plugins/*) are not registered in Portainer's proxy-authorization handler map, so any authenticated non-admin user with endpoint access can POST /plugins/pull to install a plugin from any registry and POST /plugins/{name}/enable to activate it; Docker runs enabled plugins as root on the host with the plugin's declared capabilities and mounts, giving OS-level code execution. CVE-2026-44849 (GHSA-5fxq-qcf3-244w) — Portainer's seven EndpointSecuritySettings restrictions (privileged mode, host PID, device mapping, capabilities, sysctls, security-opt, bind mounts) are enforced on the standard container-create path but not on the Docker Swarm service API; POST /services/create validates only Mounts[] (1 of 7 checks), and POST /services/{id}/update performs no checks at all. Non-admin users can submit arbitrary CapabilityAdd, Sysctls and Privileges values; a volume-driver bypass additionally allows bind-mount equivalents via Type: volume with VolumeOptions.DriverConfig.Options{type: none, o: bind}. Affected: CE 2.33.0–2.33.7, 2.39.0–2.39.1, 2.40.x. Temporary mitigation: revoke Swarm endpoint access for non-admin users via Portainer RBAC, disable plugin management for non-admin users.

UPDATE (originally covered 2026-05-23): Following Unit 42's coverage of UNC1549 / Screening Serpens AppDomainManager hijacking, Check Point Research (published 2026-05-22, widely re-reported this week) adds material technical depth on three February–April 2026 campaign waves keyed to Operation Epic Fury (Check Point Research, 2026-05-22; The Hacker News, 2026-05-26). The IRGC-affiliated actor replaced its MiniJunk family with a new backdoor, MiniFast — a 64-bit DLL with a single CheckForUpdates export and a JSON HTTP C2 using API-style endpoints (/agent/init, /agent/poll, /upload/) and a 14-opcode command set including DLL injection, UAC elevation and scheduled-task persistence.

Two persistence/delivery techniques are new versus the prior coverage: (1) Zoom scheduled-task hijacking (T1053.005) — instead of creating a suspicious new task, the malware watches for the legitimate ZoomUpdateTaskUser-<SID> task and hijacks it; (2) SEO poisoning (T1598.003) via a fake SQL Developer download domain ranked on Bing/DuckDuckGo, alongside T1574.008 AppDomain hijacking via redirected .config files. The loader chain validates parent=svchost.exe before proceeding and abused two SSL.com-issued code-signing certificates (Check Point Research, 2026-05-22). Hunt for ZoomUpdateTaskUser-* task modifications by non-Zoom processes, non-default AppDomainManager values in .NET .config files, and execution from user-writable AppData paths.

Horizon research surfaced a quarterly report the dailies did not cover: Check Point's Q1 2026 State of Ransomware (published 2026-05-11). The synthesis that matters for a CH/EU public-sector SOC is structural, not the leaderboard: after two years of fragmentation driven by law-enforcement pressure on LockBit, ALPHV/BlackCat and others, the ecosystem is reconsolidating — the top ten leak-site operations now account for roughly 71% of listed victims, with Qilin holding the top spot for a third straight quarter and The Gentlemen (§ 7) entering the top three. The single most defender-relevant finding is LockBit's comeback paired with a deliberate geographic shift toward European and Latin American targets — which moves the rebuilt operation directly into this audience's threat model rather than leaving it a US-centric concern. Read alongside the Gentlemen internal-leak intelligence in § 7, the picture is a smaller number of higher-capability operations with European intent; prioritise the edge-appliance and identity hardening those operators are documented to rely on.

The most consequential campaign development of the window is one no daily captured: on 2026-05-04 a rival actor leaked The Gentlemen's internal Rocket database backend on underground forums, and KELA (2026-05-20) and Check Point ("Thus Spoke The Gentlemen", 2026-05-13) published deep analyses of the resulting six-month (Nov 2025 – Apr 2026) chat archive (key: item:the-gentlemen-raas-czech-university-and-swiss-engineering-fi). The leak exposes the inner circle (admin/infrastructure alias zeta88, also operating as hastalamuerte, alongside Wick, mAst3r, Kunder and others) and — far more useful to defenders — the operation's initial-access playbook: Fortinet and Cisco edge appliances, NTLM relay, harvested OWA / M365 credential logs, and GPO-based deployment of the encryptor. A linked affiliate runs a SystemBC SOCKS5 botnet of 1,570+ victims. This is an intelligence gift: every named access path maps to an existing hunt — prioritise edge-appliance patch state, NTLM-relay hardening (SMB/LDAP signing, channel binding) and anomalous-GPO-creation monitoring. Per Check Point's Q1 data the group sits at #3 globally (§ 6) — though its victims concentrate in Thailand, Brazil and India (US ~13%), so the European and Swiss listings carried over from W21 run against its centre of gravity, which is precisely what makes a CH/EU hit worth surfacing rather than treating as background.

Unit 42 published a comprehensive write-up on Screening Serpens (a.k.a. UNC1549, Smoke Sandstorm, Nimbus Manticore) on 2026-05-22 covering operations from February through April 2026 timed to the onset of the U.S.–Israeli Middle East conflict that began 2026-02-28 (Unit 42, 2026-05-22 · Cybersecurity Dive, 2026-05-22). The group deployed new RAT variants across two malware families: MiniUpdate in four variants used between 2026-03-26 and 2026-04-17 with lures impersonating aviation, healthcare and financial-services firms, and MiniJunk V2 in two variants used between 2026-02-17 and 2026-03-27 against Middle Eastern and U.S. targets.

The technically significant evolution is AppDomainManager hijacking (T1574.014) paired with classic DLL sideloading (T1574.001): the infection chain drops a legitimate Microsoft .NET executable alongside a weaponised UpdateChecker.dll / InitInstall.dll / Updater.dll and — critically — a malicious .runtimeconfig.json that redirects the CLR's AppDomainManager loading at process startup, silently disabling ETW tracing and strong-name validation before the RAT executes. That leaves the host's EDR operating in a reduced-telemetry mode on every infected workstation. Delivery is high-touch — fake recruitment PDFs, spoofed video-conference meeting invitations, and ZIP archives containing a legitimate executable as the trigger; persistence uses scheduled tasks; C2 routes through Azure-hosted domains. Confirmed targets: U.S., Israel, UAE, plus at least two further Middle Eastern entities consistent with prior UNC1549 focus on aerospace, defence and telecommunications. The CH/EU nexus is indirect but real — Swiss aerospace and defence suppliers (RUAG, Pilatus and defence export channels) sit squarely in the sector profile, as do EU R&D firms historically swept up in Iranian collection campaigns.

Detection vantage: alert on .runtimeconfig.json writes by non-installer processes; watch the Microsoft-Windows-DotNETRuntime ETW provider for StrongNameVerification=0 startup events and CLR debug-mode initialisation; watch scheduled-task creation from processes with .dll parent images loading via rundll32.exe / svchost.exe. Hardening: enforce a code-integrity policy (UMCI + trusted-signers allowlist) so unsigned DLLs cannot load into the .NET CLR; restrict .runtimeconfig.json writes outside install paths via FIM.

Check Point Research's March-April 2026 AI Threat Landscape Digest (published 2026-05-22) is the operationally most striking annual / periodic AI report of the past month. The centrepiece — researched by Gambit Security and summarised in the Check Point post — documents a single unidentified operator compromising nine Mexican government agencies between December 2025 and February 2026, covering tax records, civil registry, patient files and electoral infrastructure. The structural innovation: the attacker ran two commercial AI platforms in parallel — one managing live exploitation and issuing >5,000 AI-executed commands, a second processing harvested data and feeding instructions back into the first. Persistence for the AI itself was simple: modifying the AI client's startup configuration file to embed persistent instructions inherited by every subsequent session.

Two further findings have direct EU/CH public-sector implications. First, the EvilTokens platform — a commercial jailbreak-as-a-service tool packaging AI-driven phishing generation, financial-data extraction and similar capabilities as a subscription — represents the same commoditisation curve as Kali365 (§ 1) but for AI-assisted intrusion. Second, CPR explicitly calls out that stolen API keys for Anthropic, OpenAI, Groq and Mistral are now high-value criminal targets, since they grant access to powerful AI services without an account; Swiss federal and cantonal agencies using commercial AI APIs should treat key rotation cadence and source-IP scoping (Conditional Access on the API layer) on par with classic privileged-credential hygiene. Detection vantage: bulk exfiltration events temporally co-located with anomalous API call patterns to commercial AI services from non-standard processes; process trees in which AI client libraries spawn data-collection subprocesses; cloud audit logs showing API key issuance followed immediately by large-volume inference calls from unusual source IPs.

HiddenLayer / Hadrian researchers disclosed CVE-2026-45829, a CVSS 4.0 = 10.0 pre-authentication RCE in ChromaDB's Python FastAPI server (affected from v1.0.0) (Hadrian Security, 2026-05-19; BleepingComputer, 2026-05-19). The vulnerable endpoint is POST /api/v2/tenants/{tenant}/databases/{db}/collections: when the request body sets trust_remote_code: true with an attacker-controlled HuggingFace model identifier (or a local path), the server fetches and executes the attacker-supplied Python code before the auth check fires, then politely returns 403 Forbidden after the code has run. The flaw exists only in the Python FastAPI server (chromadb[server] pip package) — the default Rust server (chroma run) does not traverse this code path. Per BleepingComputer's reporting of Shodan queries, approximately 73 % of internet-exposed ChromaDB instances are running a vulnerable version of the software. As of disclosure, ChromaDB v1.5.9 (latest) is unpatched. Mitigations: disable the Python FastAPI server and migrate to the Rust server; alternatively, block network-level access to the ChromaDB API (it should never be internet-exposed in the first place); if internal, set trust_remote_code: false server-wide via config. Detection concept — unexpected outbound network connections from ChromaDB Python server processes; child processes spawned by uvicorn / gunicorn workers with non-default lineage; access logs showing POST /api/v2/.../collections bodies referencing HuggingFace repository slugs with attacker-controlled patterns. T1190 Exploit Public-Facing Application; the impact maps to T1059.006 Python execution under the server context.

BigBlueButton (BBB) — the de facto open-source virtual classroom platform deployed across German DFN, Swiss SWITCH, and pan-European GÉANT academic networks, including cantonal school deployments — published three GitHub Security Advisories on 2026-05-17 covering distinct flaws in its bbb-web component, all in versions before 3.0.21 (two of three) and 3.0.23 (one). CVE-2026-46351 (CVSS 8.1) is a CWE-330 weakness: the sessionToken is generated with insufficiently random values, letting an authenticated low-privilege attacker who shares or has observed a meeting determine other participants' session tokens and impersonate any conference user (BBB GHSA-7959-pf2v-xc4h, 2026-05-17). CVE-2026-46353 (CVSS 8.1) is a CWE-284 access-control bypass in the presentationUploadExternalUrl endpoint: by supplying specific URL parameters an attacker can bypass checksum validation and send valid API requests to restricted endpoints without proper authentication, with high confidentiality + integrity impact (BBB GHSA-43hc-5g2m-cqff, 2026-05-17). CVE-2026-46404 (CVSS 6.8) is a CWE-918 SSRF in presentation URL validation: insufficient redirect-following checks allow a high-privilege authenticated attacker to reach RFC1918 and link-local (169.254.0.0/16) addresses from the BBB server context (BBB GHSA-xqm3-6q7q-4v5h, 2026-05-17). BSI's WID-SEC-2026-1568 corroborated on 2026-05-18 (BSI WID-SEC-2026-1568, 2026-05-18).

Why it matters to us: BBB is operated at scale by Swiss cantonal Volksschule deployments, German Länder ministries of education and university IT, EU national-research-and-education networks (NRENs). The combination of session-token prediction + checksum bypass would let a low-privilege classroom participant impersonate other students and teachers or send arbitrary authenticated API calls; SSRF on the server gives a presenter-role lateral-movement primitive into RFC1918 networks (KVM hosts, internal LDAP, SIS endpoints). Upgrade bbb-web to ≥ 3.0.21 for the first two CVEs and ≥ 3.0.23 for the SSRF; monitor bbb-web logs for anomalous joins using close-by sessionTokens and for API calls to presentationUploadExternalUrl carrying unexpected URL parameters; alert on egress from the BBB server process to RFC1918 / 169.254/16 ranges. MITRE T1212 (Exploitation for Credential Access) covers the session-token-prediction primitive; the SSRF maps to T1190 (Exploit Public-Facing Application) chained with internal-network reach.

UPDATE (originally covered 2026-05-13, 2026-05-15): Three concurrent developments show the TeamPCP / Shai-Hulud campaign has entered an open-source-imitator phase following Datadog Security Labs' 2026-05-13 analysis of the leaked Shai-Hulud worm source code. First, OX Security disclosed on 2026-05-17 four malicious npm packages published by deadcode09284814 — chalk-tempalte, @deadcode09284814/axios-util, axois-utils, and color-style-utils — combined weekly downloads ~3,000 (OX Security, 2026-05-17; The Hacker News, 2026-05-18). chalk-tempalte is a near-unmodified clone of the leaked Shai-Hulud worm with a modified C2 server and a new attacker-controlled key embedded in the code — the two primary sources disagree on whether this is a public or private key (see § 7); axois-utils bundles "Phantom Bot," a Golang HTTP/TCP/UDP/Reset-flood DDoS tool with Windows Startup folder and Linux scheduled-task persistence that survives package removal; the other two harvest SSH keys, cloud-provider credentials (AWS/GCP/Azure), and cryptocurrency wallet data.

Second, SANS ISC synthesised a 2026-05-18 campaign update confirming that Checkmarx officially acknowledged on 2026-05-11 that its Jenkins AST Scanner plugin had been trojanised — version 2026.5.09, compromise window 2026-05-09 01:25 UTC to 2026-05-10 08:47 UTC — making this TeamPCP's third confirmed Checkmarx intrusion in three months (SANS Internet Storm Center, 2026-05-18; Checkmarx, 2026-05-12). Hundreds of Jenkins controllers installed the malicious plugin before removal; remediated builds 2.0.13-848 and 2.0.13-847 are safe. CxSAST on-premise was unaffected; the cloud-integrated checkmarx/ast-github-action, checkmarx/kics-github-action, and VS Code extensions were all trojaned.

Third, SentinelLabs disclosed on 2026-05-07 — also folded into the SANS ISC summary — "PCPJack," a rival cloud worm that scans for exposed Docker, Kubernetes, Redis, MongoDB and RayML services and chains five CVEs (CVE-2025-29927 Next.js middleware auth bypass; CVE-2025-55182 Next.js Server Actions deserialization; CVE-2026-1357 WPVivid arbitrary file upload; CVE-2025-9501 W3 Total Cache RCE; CVE-2025-48703 CentOS Web Panel command injection) for initial access, then explicitly kills TeamPCP processes and removes TeamPCP artefacts before harvesting credentials — assessed by SentinelLabs with moderate confidence as possibly a former TeamPCP affiliate. Defender takeaway for the Swiss/EU public-sector SOC: developer endpoints and CI/CD runners with installed Checkmarx plugin should be audited for plugin versions outside the known-safe SHA range during the 2026-05-09 → 2026-05-10 window; npm audit and SBOM scans should flag the deadcode09284814 author/scope; egress from CI runners to *.lhr.life hostnames is a high-fidelity hunt pivot for the npm worm wave; Docker/Kubernetes/Redis/MongoDB endpoints exposed to the internet should be inventoried and removed from public exposure (PCPJack's scan list). MITRE T1195.002 (Supply Chain Compromise), T1552.001 (Credentials in Files), T1041 (Exfiltration over C2 Channel).

UPDATE (originally covered 2026-W21 weekly): VulnCheck honeypot telemetry confirmed active exploitation of CVE-2026-42945 on 2026-05-17, promoting the 18-year-old ngx_http_rewrite_module heap buffer overflow from PoC-public status (where it sat last week) to actively-exploited. The flaw is reachable by an unauthenticated remote attacker via a single crafted HTTP request to any NGINX instance running a rewrite-rule configuration that uses unnamed PCRE captures ($1, $2); successful exploitation crashes the worker process (DoS reliable on ASLR-enabled hosts) and reaches RCE on hosts where ASLR is disabled.

Affected per F5 PSIRT advisory K000161019: NGINX Open Source 0.6.27 through 1.30.0 (every release since 2008) and NGINX Plus R32 through R36, plus F5 NGINX Instance Manager, NGINX Ingress Controller, NGINX Gateway Fabric, NGINX App Protect WAF, F5 WAF for NGINX, and NGINX App Protect DoS. Patches: NGINX Open Source 1.30.1 / 1.31.0; NGINX Plus R32 P6, R36 P4. Interim mitigation if immediate upgrade is not possible: convert unnamed PCRE captures in all rewrite directives to named captures ((?P<name>...) syntax). Detection-engineering anchors that follow from the flaw class (heap-overflow worker crash under specific rewrite-rule configurations) are NGINX worker-process crash events (SIGSEGV / SIGABRT and immediate respawn) in syslog / journald, correlated with inbound HTTP requests carrying unusually long or deeply-nested rewrite-rule input strings from the same source; defenders should validate these against their own rewrite-rule configuration before depending on them.

HiddenLayer / Hadrian researchers disclosed a CVSS 10.0 pre-authentication RCE in ChromaDB's Python FastAPI server (affected from v1.0.0): the embedding-function model is loaded before the authentication check runs, so an unauthenticated request reaches code execution "before it asks who you are." Public PoC, still unpatched in v1.5.9. ChromaDB is a common vector-store backend for retrieval-augmented-generation stacks now appearing in public-sector AI pilots; any internet-reachable instance is exposed. Take ChromaDB off the public internet and front it with an authenticating reverse proxy until a fix ships.

Check Point's AI Threat Landscape Digest (published 2026-05-22, covered 2026-05-23) documents a single operator running two AI platforms in parallel to breach nine Mexican government agencies — the most concrete public example yet of AI tooling operationalised for end-to-end intrusion rather than reconnaissance assistance. Single-source (Check Point only); the synthesis relevant to this audience is the trajectory, not the victim count: where the Verizon and Rapid7 reports show AI compressing the exploitation timeline, this shows AI compressing the operator skill floor — fewer skilled humans needed per campaign. Treat as a directional indicator pending independent corroboration.

Check Point's April 2026 monthly threat report (published early May 2026) confirms Qilin / Agenda leading all ransomware operators with 15% of 707 published attacks in April; Germany is the third-most-targeted country globally at 5.0% of victims (US 41.6%); Europe accounts for 27% of ransomware victims globally. Sector targeting in April 2026: Business Services (33.8%), healthcare, manufacturing. The Gentlemen — despite the May 4 backend breach — remained in the top-7 operators with 320+ victims (Check Point Research, 2026-05-08). The synthesis the dailies did not yet absorb: Germany's 5% share of global ransomware victims is materially elevated compared to the 2024–2025 baseline (~2–3%); the Qilin DLS lists 65 German victims total as of 2026-05-16 (Check Point blog, dataset reference). For Swiss defenders: CH-DE cross-border operations (Swiss subsidiaries in DE, German subsidiaries of Swiss parents) inherit the German exposure level; this is the empirical basis for a DACH-region threat-modelling premium on ransomware-readiness exercises.

UPDATE (originally covered 2026-05-10 in the Q1 2026 ransomware quarterly synthesis): Check Point Research published "Thus Spoke…The Gentlemen" on 2026-05-13, a detailed analysis of a 44.4 MB extract from the group's leaked "Rocket" backend database (16.22 GB total) that was posted to the cybercrime forum Breached on 2026-05-04 after the group's infrastructure was compromised by an unidentified actor (Check Point Research, 2026-05-13; BankInfoSecurity, 2026-05-11). The dataset contains 8,200 lines of internal chat-tool traffic across channels INFO / general / TOOLS / PODBOR, shadow files with password hashes, affiliate negotiation transcripts, and configuration artefacts for the ZeroPulse C2 framework.

Nine operator handles are identified — including administrator zeta88 (also hastalamuerte), who both manages the RaaS panel and participates directly in encryption events. Reconstructed attack chain: initial access almost exclusively via unpatched edge devices — FortiGate CVE-2024-55591 (the group's documented mainstay), Cisco appliances, CWMP/TR-069 interfaces — or purchased infostealer credentials; post-access tooling includes NetExec, RelayKing (NTLM relay), CertiHound (AD Certificate Services abuse), TaskHound, PrivHound; EDR-suppression utilities EDRStartupHinder, gfreeze and glinker manipulate ETW callbacks and NTDLL syscall tables; persistence is maintained via Cloudflare Zero Trust tunnels and self-provisioned WireGuard/OpenVPN chains.

Two operationally critical facts: (1) Check Point Research attributes a count of 1,570+ victim entries to a separately-exposed SystemBC C&C server, against 332 victims publicly listed on the group's data-leak site in the first five months of 2026 — significant under-reporting of true scope (Check Point's wider comparison cites 412 cumulative DLS listings); (2) the decryptor has been released as GitHub Bedrock-Safeguard/gentlemen-decryptor, enabling existing victims to recover without payment (decryptor disclosed in BankInfoSecurity's 2026-05-11 reporting). For Swiss / EU SOCs handling an active Gentlemen incident the workflow changes today: attempt decryption before any negotiation. Detection pivots from the leak: alert on EDRStartupHinder, gfreeze, glinker process names (custom binaries, not commodity); monitor for AD Certificate Services reconnaissance (certutil enumeration of CA servers and templates) consistent with CertiHound; correlate with FortiGate CVE-2024-55591 initial-access exploitation patterns that the group continues to weaponise.

UPDATE (TeamPCP / mini-shai-hulud first covered 2026-05-07; PCPJack worm covered 2026-05-10; this is a distinct new artefact in the same actor ecosystem): On 2026-05-09–10 (UTC) TeamPCP (UNC6780) published a backdoored build of the Checkmarx Jenkins AST plugin (version 2026.5.09, marketed under the actor's signature naming "Checkmarx-Fully-Hacked-by-TeamPCP") to the Jenkins Marketplace. Any Jenkins instance configured to auto-update the AST plugin during that window pulled the malicious build and executed the SANDCLOCK credential stealer in the runner context (Checkmarx — Ongoing Security Updates, last updated 2026-05-09; The Hacker News, 2026-05-11; SecurityWeek, 2026-05-11).

SANDCLOCK targets every secret reachable from a typical CI/CD pipeline environment: GitHub Personal Access Tokens, AWS / Azure / GCP credentials, Kubernetes service-account tokens, Docker / OCI registry credentials, SSH keys, and Checkmarx One API tokens. Affected pipelines should be treated as full secrets-compromise events: every credential the runner could read must be rotated and any artefact built or deployed in the window audited. Checkmarx's ongoing-security-updates page specifies plugin version 2.0.13-829.vc72453fa_1c16 (published December 2025) as the safe pinned version; a CVE has been issued as CVE-2026-33634 per the Checkmarx advisory. This is the third Checkmarx-product supply-chain compromise by this actor in three months, after the March 2026 KICS Docker image and the April 2026 VS Code extension defacement — the cadence and the actor's naming convention indicate persistent targeting of the Checkmarx product line specifically, not opportunistic distribution-channel abuse.

Mapped to T1195.002 Compromise Software Supply Chain and T1552.001 Credentials In Files. The GTIG AI Threat Tracker (see § 5) attributes SANDCLOCK specifically to TeamPCP and flags the stealer as explicitly designed to harvest LLM API keys in addition to traditional cloud credentials — consistent with the actor's pivot to monetising stolen LLM access. Defender pivot: inventory every Jenkins plugin auto-update enabled across CI/CD estates; constrain runners to short-lived OIDC-federated credentials (no long-lived PATs in runner env) where the platform supports it; audit Checkmarx One API logs for unexpected source IPs since 2026-05-09.

For every Jenkins controller running the Checkmarx Jenkins AST plugin: confirm installed plugin version; if 2026.5.09 was ever pulled (auto-update enabled, or manual install in window), declare a secrets-compromise incident, rotate every credential the runner could read (GitHub PATs, AWS / Azure / GCP access keys, Kubernetes service-account tokens, Docker registry credentials, SSH keys, Checkmarx One API tokens, and any LLM API keys exposed to CI), and audit any artefact built or deployed in the window. Pin the plugin to 2.0.13-829.vc72453fa_1c16 per Checkmarx's ongoing-security-updates page. Where the Jenkins platform supports it, migrate runners to OIDC-federated short-lived credentials so the next supply-chain compromise yields no usable secrets.