ctipilot.ch

Eurail breach (December 2025) — 308 777 travellers notified April 2026; Dutch DPA and EDPS reviewing delayed notification

Entity type: incident · id: incident:eurail-breach-2026

Coverage timeline: 2 appearances, first 2026-05-08, last 2026-05-10
Briefs: 2 (2 distinct)
Sources cited: 20 (18 hosts)
Sections touched: 2 (active-threats, weekly_summary)
Co-occurring entities: 8

Story timeline

  1. 2026-05-10 · CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026)
     weekly_summary: Consolidated in weekly summary for week 2026-W19
  2. 2026-05-08 · CTI Daily Brief — 2026-05-08
     active-threats: First coverage. Breach December 2025; notifications began April 2026 (3-month delay). Data: passport numbers, IBANs, DiscoverEU pass data; 308 777 affected. Dutch DPA (AP) and EDPS opened reviews. GDPR Article 33 72h notification rule implicated.

Where this entity is cited

  • active-threats (1)
  • weekly_summary (1)

Source distribution

  • bleepingcomputer.com: 2 (10%)
  • securityweek.com: 2 (10%)
  • akamai.com: 1 (5%)
  • blog.checkpoint.com: 1 (5%)
  • blog.sekoia.io: 1 (5%)
  • checkmarx.com: 1 (5%)
  • comparitech.com: 1 (5%)
  • computable.nl: 1 (5%)
  • other: 10 (50%)


Items in briefs about Eurail breach (December 2025) — 308 777 travellers notified April 2026; Dutch DPA and EDPS reviewing delayed notification (10)

Sekoia: ErrTraffic — a ClickFix Malware-as-a-Service framework resolving C2 through the Polygon blockchain

From CTI Daily Brief — 2026-06-17 · published 2026-06-17

ClickFix — fake browser/update dialogues that trick users into pasting attacker PowerShell — is maturing into a productised delivery channel, as this and the next item show. Sekoia's TDR team analysed ErrTraffic, a ClickFix distribution framework sold as MaaS by an actor using the handle "LenAI" on the Exploit.IN forum since at least December 2025 (Sekoia TDR, 2026-06-16). Affiliates compromise WordPress sites by credential-stuffing wp-login.php (one victim saw seven residential IPs in an 80-second window) or via WP File Manager CVE-2020-25213, then deploy a PHP backdoor as a must-use plugin (session-manager.php) that injects the ErrTraffic JavaScript. The JavaScript uses the EtherHiding technique — querying Polygon smart contracts via public RPC endpoints — to resolve C2 domains dynamically, defeating takedowns; it then serves ClickFix lures that drop Vidar, Stealc, SmokeLoader and others. ErrTraffic explicitly targets European and APAC visitors, putting public-sector WordPress portals in scope.

Why it matters to us: A reliable hunt artefact is the distinctive PowerShell comment block <# Code Verification: NNNNNNNNNNNN #> Sekoia found at the start of ErrTraffic command strings. Also watch for new PHP files under wp-content/mu-plugins/ (auto-loaded, no activation needed), credential-stuffing bursts on wp-login.php, and outbound requests from the web-server process to blockchain RPC endpoints.
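Added hunt logic for the two artefacts named above (not part of the Sekoia write-up or this brief): a regex for the `<# Code Verification: … #>` comment block in process command lines, and a sliding-window detector for credential-stuffing bursts on wp-login.php in combined-format access logs. The log lines and command line are constructed samples; the 80-second / distinct-IP thresholds are assumptions tuned to the observation quoted above.

```python
import re
from datetime import datetime, timedelta

# Hunt artefact from the Sekoia write-up: ErrTraffic command strings open with a
# PowerShell block comment of the form <# Code Verification: NNNNNNNNNNNN #>.
CODE_VERIFICATION_RE = re.compile(r"<#\s*Code Verification:\s*\d+\s*#>", re.IGNORECASE)

def has_errtraffic_marker(command_line: str) -> bool:
    """True if a process command line carries the ErrTraffic comment block."""
    return CODE_VERIFICATION_RE.search(command_line) is not None

# Combined-log style access line; only the fields the detector needs are captured.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)'
)

def parse_wp_login_posts(lines):
    """Yield (timestamp, source_ip) for every POST to wp-login.php."""
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        yield datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"]

def wp_login_bursts(lines, window_seconds=80, min_distinct_ips=5):
    """Sliding-window detector for credential stuffing against wp-login.php.

    Returns (window_start, distinct_ip_count) for each window of window_seconds
    that sees at least min_distinct_ips distinct source IPs. The defaults are
    tuned to the Sekoia observation (seven residential IPs in 80 seconds).
    """
    events = sorted(parse_wp_login_posts(lines))
    window = timedelta(seconds=window_seconds)
    bursts = []
    for i, (start, _) in enumerate(events):
        ips = {ip for ts, ip in events[i:] if ts - start <= window}
        if len(ips) >= min_distinct_ips:
            bursts.append((start, len(ips)))
    return bursts

# Constructed sample data (not real telemetry): seven distinct source IPs hit
# wp-login.php within 77 seconds, followed by ordinary traffic from one admin.
SAMPLE_ACCESS_LOG = [
    '203.0.113.10 - - [16/Jun/2026:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3212',
    '203.0.113.11 - - [16/Jun/2026:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3212',
    '203.0.113.12 - - [16/Jun/2026:10:00:25 +0000] "POST /wp-login.php HTTP/1.1" 200 3212',
    '198.51.100.20 - - [16/Jun/2026:10:00:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3212',
    '198.51.100.21 - - [16/Jun/2026:10:00:55 +0000] "POST /wp-login.php HTTP/1.1" 200 3212',
    '198.51.100.22 - - [16/Jun/2026:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3212',
    '198.51.100.23 - - [16/Jun/2026:10:01:18 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '192.0.2.5 - - [16/Jun/2026:12:29:50 +0000] "GET /wp-login.php HTTP/1.1" 200 3212',
    '192.0.2.5 - - [16/Jun/2026:12:30:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]

# Constructed command line shaped like the artefact; the part after the comment is a placeholder.
SAMPLE_PS_COMMAND = 'powershell.exe -w hidden -c "<# Code Verification: 192837465012 #> ping localhost"'

if __name__ == "__main__":
    print("marker:", has_errtraffic_marker(SAMPLE_PS_COMMAND))
    for start, n in wp_login_bursts(SAMPLE_ACCESS_LOG):
        print(f"burst from {start.isoformat()}: {n} distinct IPs")
```

The burst detector reports every window start that meets the threshold, so overlapping windows produce several entries for one attack; collapse them on the first entry when turning this into an alert.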

ANNUAL REPORT — ESET APT Activity Report Q4 2025–Q1 2026: Sandworm strikes NATO energy, Lazarus targets EU drone sector, UNC5221 pivots to Ivanti SPAWN toolset

From CTI Daily Brief — 2026-05-30 · published 2026-05-30

ESET published its APT Activity Report covering October 2025 through March 2026 on 28 May 2026 (ESET WeLiveSecurity, 2026-05-28). EU- and NATO-relevant findings for public-sector defenders: Sandworm (Russia/GRU) intensified destructive winter operations against Ukrainian infrastructure and targeted a Polish energy company in December 2025 — a NATO member state critical-infrastructure attack attributed with medium confidence; this represents continued Sandworm willingness to conduct wiper operations beyond Ukraine's borders. Sednit/APT28 deployed Covenant and BeardShell implants against Ukrainian military, drone manufacturers, and logistics companies. Lazarus Group ran Operation DreamJob targeting European drone manufacturers — ESET assesses this as technology acquisition for North Korea's weapons programme. Operation DangerousPassword compromised the axios JavaScript library (100+ million weekly npm downloads), injecting trojanised code and demonstrating ongoing North Korea supply-chain interest in developer ecosystem targeting. UNC5221 (China-nexus) deployed a new implant assessed as part of the SPAWN toolset, specifically targeting Ivanti VPN appliances (Connect Secure, Policy Secure); organisations running unpatched Ivanti VPN should audit for SPAWN toolset artefacts including SPAWNANT installer, SPAWNMOLE tunneller, SPAWNSNAIL SSH backdoor, and SPAWNSLOTH log-tampering utility. The report PDF is available at https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-apt-activity-report-q4-2025-q1-2026.pdf. Key defender actions: (a) confirm Sandworm wiper detection capability (file-destruction followed by MBR/VBR overwrite patterns, VSS deletion); (b) review Ivanti VPN logs for SPAWN footprints per CISA AA24-060A indicators; (c) audit npm dependency trees for axios versions <1.8.0 or 0.x released after the DangerousPassword campaign window.

ESET APT Activity Report Q4 2025–Q1 2026 — three state programmes converging on EU energy, defence and edge appliances

From CTI Weekly Summary — 2026-W22 (May 25 – May 31, 2026) · published 2026-05-25

ESET's APT Activity Report covering Q4 2025–Q1 2026 landed mid-window (first covered 2026-05-30). The daily recapped the headline findings — a rare out-of-Ukraine Sandworm destructive incident (a medium-confidence December 2025 attack on a single Polish energy company), Lazarus targeting the EU drone/defence sector, and UNC5221 pivoting to the Ivanti SPAWN toolset. The synthesis a daily reader could not see from those three bullets is that they are the same story told by three different state programmes: Russia-, North-Korea- and China-nexus operators are independently converging on (a) European energy and defence-industrial-base supply chains as the target set — Sandworm's move against a Polish energy target being notable precisely because the operator rarely acts destructively outside Ukraine — and (b) internet-facing edge appliances (Ivanti) as the entry vector. For a Swiss / European public-sector SOC the implication is a prioritisation argument rather than a new IOC list: edge-appliance patch SLAs and defence-supplier third-party-risk review are where all three programmes are applying pressure simultaneously, so they should outrank generic campaign awareness in the next planning cycle. The report reinforces, with cross-actor telemetry, the structural shift the W21 Verizon DBIR and Rapid7 reports flagged — exploitation of exposed software as the dominant access vector.

ANNUAL REPORT — Check Point Research March-April 2026 AI Threat Landscape Digest: a single operator runs two AI platforms in parallel to breach nine Mexican government agencies [SINGLE-SOURCE]

From CTI Daily Brief — 2026-05-23 · published 2026-05-23

Check Point Research's March-April 2026 AI Threat Landscape Digest (published 2026-05-22) is the most operationally striking annual / periodic AI report of the past month. The centrepiece — researched by Gambit Security and summarised in the Check Point post — documents a single unidentified operator compromising nine Mexican government agencies between December 2025 and February 2026, covering tax records, civil registry, patient files and electoral infrastructure. The structural innovation: the attacker ran two commercial AI platforms in parallel — one managing live exploitation and issuing >5,000 AI-executed commands, a second processing harvested data and feeding instructions back into the first. Persistence for the AI itself was simple: modifying the AI client's startup configuration file to embed persistent instructions inherited by every subsequent session.

Two further findings have direct EU/CH public-sector implications. First, the EvilTokens platform — a commercial jailbreak-as-a-service tool packaging AI-driven phishing generation, financial-data extraction and similar capabilities as a subscription — represents the same commoditisation curve as Kali365 (§ 1) but for AI-assisted intrusion. Second, CPR explicitly calls out that stolen API keys for Anthropic, OpenAI, Groq and Mistral are now high-value criminal targets, since they grant access to powerful AI services without an account; Swiss federal and cantonal agencies using commercial AI APIs should treat key rotation cadence and source-IP scoping (Conditional Access on the API layer) on par with classic privileged-credential hygiene. Detection vantage: bulk exfiltration events temporally co-located with anomalous API call patterns to commercial AI services from non-standard processes; process trees in which AI client libraries spawn data-collection subprocesses; cloud audit logs showing API key issuance followed immediately by large-volume inference calls from unusual source IPs.

Dutch IGJ rules Clinical Diagnostics/NMDL failed NEN 7510 information-security standard at time of July 2025 ransomware breach; ~941,000 patients affected, cervical-cancer screening data exposed

From CTI Daily Brief — 2026-05-14 · published 2026-05-14

The Dutch Health & Youth Care Inspectorate (Inspectie Gezondheidszorg en Jeugd, IGJ) issued a public finding on 2026-05-13 concluding that Clinical Diagnostics LCPL BV and NMDL BV (Rijswijk) did not meet the mandatory NEN 7510 information-security standard at the time of their July 2025 ransomware breach, and had not fully remediated the deficiencies as of IGJ's December 2025 follow-up inspection (IGJ, 2026-05-13; native title: "Clinical Diagnostics voldeed niet aan wettelijke norm voor informatiebeveiliging" — "Clinical Diagnostics did not meet the statutory information-security standard"). NEN 7510 is the Dutch statutory information-security baseline for healthcare organisations under the Wabvpz, structurally aligned with ISO/IEC 27001 but extended for health-data obligations; non-compliance is independently actionable by multiple regulators.

IGJ's two named failures are foundational rather than technical: (1) no independent audit of the laboratory's information security had ever been performed, and (2) the organisation had not periodically assessed its processing risks, leaving it unable to determine which controls were necessary. The July 2025 breach — Computable's prior reporting attributes it to the Nova ransomware group — exposed approximately 941,000 patients' personal and medical records, including cervical-cancer screening results processed for the population-screening programme Bevolkingsonderzoek Nederland (Computable, 2026-05-13). IGJ has no fining power and has demanded short-term independent NEN 7510 certification; Autoriteit Persoonsgegevens (Dutch DPA), whose GDPR enforcement carries fines, is running a parallel investigation. IGJ also signalled sector-wide enforcement intent by publicly calling for all healthcare providers to demonstrate independent certification — a leading indicator of broader inspection cadence.

For a Swiss SOC the parallel is direct: NEN 7510 is the regulatory analogue of the EPDG (Bundesgesetz über das elektronische Patientendossier) security profile, and the two specific failures — absence of third-party audit, absence of periodic risk assessment — are the same hygiene-baseline gaps Swiss healthcare providers face under cantonal supervision. The breach scale (941k records, mass-screening data) is the proximate consequence of those structural gaps; the operationally useful read for defenders is detection of NEN-7510-style baseline gaps via third-party assessment, not signature hunting.

UPDATE: TeamPCP (UNC6780 / PCPJack ecosystem) backdoors the Checkmarx Jenkins AST plugin — third Checkmarx supply-chain compromise in three months, SANDCLOCK exfiltrates every CI secret reachable from the runner

From CTI Daily Brief — 2026-05-12 · published 2026-05-12

UPDATE (TeamPCP / mini-shai-hulud first covered 2026-05-07; PCPJack worm covered 2026-05-10; this is a distinct new artefact in the same actor ecosystem): On 2026-05-09–10 (UTC) TeamPCP (UNC6780) published a backdoored build of the Checkmarx Jenkins AST plugin (version 2026.5.09, marketed under the actor's signature naming "Checkmarx-Fully-Hacked-by-TeamPCP") to the Jenkins Marketplace. Any Jenkins instance configured to auto-update the AST plugin during that window pulled the malicious build and executed the SANDCLOCK credential stealer in the runner context (Checkmarx — Ongoing Security Updates, last updated 2026-05-09; The Hacker News, 2026-05-11; SecurityWeek, 2026-05-11).

SANDCLOCK targets every secret reachable from a typical CI/CD pipeline environment: GitHub Personal Access Tokens, AWS / Azure / GCP credentials, Kubernetes service-account tokens, Docker / OCI registry credentials, SSH keys, and Checkmarx One API tokens. Affected pipelines should be treated as full secrets-compromise events: every credential the runner could read must be rotated and any artefact built or deployed in the window audited. Checkmarx's ongoing-security-updates page specifies plugin version 2.0.13-829.vc72453fa_1c16 (published December 2025) as the safe pinned version; a CVE has been issued as CVE-2026-33634 per the Checkmarx advisory. This is the third Checkmarx-product supply-chain compromise by this actor in three months, after the March 2026 KICS Docker image and the April 2026 VS Code extension defacement — the cadence and the actor's naming convention indicate persistent targeting of the Checkmarx product line specifically, not opportunistic distribution-channel abuse.

Mapped to T1195.002 Compromise Software Supply Chain and T1552.001 Credentials In Files. The GTIG AI Threat Tracker (see § 5) attributes SANDCLOCK specifically to TeamPCP and flags the stealer as explicitly designed to harvest LLM API keys in addition to traditional cloud credentials — consistent with the actor's pivot to monetising stolen LLM access. Defender pivot: inventory every Jenkins plugin with auto-update enabled across CI/CD estates; constrain runners to short-lived OIDC-federated credentials (no long-lived PATs in the runner environment) where the platform supports it; audit Checkmarx One API logs for unexpected source IPs since 2026-05-09.

CVE-2026-32202 — Windows Shell NTLM coercion; Akamai's PatchDiff-AI shows the residual zero-click path left by the CVE-2026-21510 patch

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

Despite the low base CVSS of 4.3 (network vector, no privileges, user interaction required), this is a priority-patch item for any organisation in scope of APT28's targeting of the predecessor vulnerability: APT28 (Fancy Bear) was attributed by CERT-UA to the predecessor CVE-2026-21510 LNK exploitation against Ukraine and EU countries in December 2025 (Akamai Security Research). Microsoft flipped the "exploited" flag on CVE-2026-32202 on 2026-04-27 (Help Net Security, 2026-04-29); neither Akamai nor Help Net Security explicitly attributes current CVE-2026-32202 in-the-wild exploitation to APT28, so the actor behind CVE-2026-32202 exploitation specifically remains publicly unattributed at week's end (Microsoft MSRC — CVE-2026-32202 · daily 2026-05-08). Akamai's PatchDiff-AI analysis published 2026-04-23 reveals that Microsoft's February 2026 patch for CVE-2026-21510 successfully blocked RCE and SmartScreen bypass but left a residual zero-click NTLM coercion path intact — now tracked as CVE-2026-32202 (Akamai Security Research, 2026-04-23 · Help Net Security, 2026-04-29).

The mechanism: Windows Explorer automatically resolves UNC paths embedded in the LinkTargetIDList structure of malicious LNK files via PathFileExistsW, triggering an outbound SMB authentication handshake that leaks the user's Net-NTLMv2 hash to an attacker-controlled server — folder-open is sufficient, no user click required. Trust verification was applied only during ShellExecuteExW calls in the February 2026 patch, not in the earlier code paths where the credential theft occurs. Microsoft confirmed active exploitation on 2026-04-27 and CISA added CVE-2026-32202 to KEV the following day with a deadline of 2026-05-12. The April 14 patch shipped without the "exploited" flag, creating a 13-day window where security teams had no formal signal to treat it as urgent. Net-NTLMv2 hashes can be relayed (NTLM relay attacks) or cracked offline — both paths to lateral movement.

Patch path: April 2026 Windows cumulative updates. Supplementary controls: block outbound TCP 445 to non-business internet destinations at the perimeter firewall, enable the "Restrict NTLM" Group Policy (set to "Deny all" for outbound), and migrate authentication to Kerberos-only where operationally feasible. Detection priorities for SOC hunting: SMBv2 outbound connections from explorer.exe to non-corporate IPs; NTLM authentication events 4625 / 4776 with Net-NTLMv2 from workstations; LNK file inspection at the mail gateway and in EDR for LinkTargetIDList entries pointing to UNC paths. ATT&CK: T1187 Forced Authentication, T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay.
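The last detection priority above, LNK inspection for UNC paths in the LinkTargetIDList, as an added example that is not part of the Akamai research or this summary: a small MS-SHLLINK parser that walks the header and IDList and reports any UNC path found in the ItemIDs, for use at a mail gateway or in EDR triage. The test fixture it builds is a constructed minimal link with a UTF-16LE string in one ItemID, not a real network-location item, and only exists so the parser can run offline.

```python
import re
import struct

# Fixed fields of the ShellLinkHeader (MS-SHLLINK): size 0x4C and the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk little-endian byte order.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x00000001  # LinkFlags bit 0 at header offset 0x14

# UNC path as it appears once an ItemID's bytes are decoded to text.
UNC_RE = re.compile(r"\\\\[\w.-]+(?:\\[^\\\x00]+)*")

def link_target_id_list(data: bytes) -> list:
    """Return the data of each ItemID in the LinkTargetIDList ([] if absent)."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a Windows shell link")
    link_flags, = struct.unpack_from("<I", data, 0x14)
    if not link_flags & HAS_LINK_TARGET_ID_LIST:
        return []
    id_list_size, = struct.unpack_from("<H", data, LNK_HEADER_SIZE)
    pos = LNK_HEADER_SIZE + 2
    end = pos + id_list_size
    items = []
    while pos + 2 <= end:
        item_size, = struct.unpack_from("<H", data, pos)
        if item_size == 0:            # TerminalID closes the list
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("malformed IDList")
        items.append(data[pos + 2:pos + item_size])
        pos += item_size
    return items

def unc_targets(data: bytes) -> list:
    """UNC paths found inside the LinkTargetIDList, in ANSI or UTF-16LE encoding."""
    found = set()
    for item in link_target_id_list(data):
        candidates = [item.decode("latin-1")]
        for offset in (0, 1):         # UTF-16LE text may sit at either byte alignment
            chunk = item[offset:]
            chunk = chunk[: len(chunk) - len(chunk) % 2]
            candidates.append(chunk.decode("utf-16-le", errors="ignore"))
        for text in candidates:
            found.update(m.group(0) for m in UNC_RE.finditer(text))
    return sorted(found)

def build_fixture(target: str) -> bytes:
    """Constructed test fixture: a minimal shell link whose only ItemID carries
    `target` as UTF-16LE text. It is not a real network-location SHITEMID and is
    only here so the parser can be exercised offline."""
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, HAS_LINK_TARGET_ID_LIST)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    payload = b"\x1f\x00" + (target + "\x00").encode("utf-16-le")
    item = struct.pack("<H", 2 + len(payload)) + payload
    id_list = item + b"\x00\x00"      # ItemID followed by TerminalID
    return header + struct.pack("<H", len(id_list)) + id_list

if __name__ == "__main__":
    sample = build_fixture(r"\\203.0.113.7\share")
    print("UNC targets:", unc_targets(sample))
```

Run `unc_targets()` over attachments' bytes and treat any non-empty result from an external sender as a quarantine signal; a legitimate shortcut to an internal share will also match, so compare hostnames against the corporate namespace.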

Transport (NL/EU)

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

Eurail began issuing breach notifications to 308,777 customers in late April 2026, three months after the December 2025 incident in which an attacker accessed personal data including passport numbers, IBANs, and DiscoverEU pass details. The three-month gap between discovery and notification is under review by the Autoriteit Persoonsgegevens (Dutch DPA) and the European Data Protection Supervisor (EDPS), which holds jurisdiction over EU institutional data processing. GDPR Article 33 requires supervisory authority notification within 72 hours of awareness of a breach; the regulatory review focuses on that compliance gap (daily 2026-05-08). The exposed dataset covers EU member-state travellers who registered DiscoverEU passes; Swiss nationals who applied through bilateral arrangement may also be affected.

The Gentlemen RaaS — Europe-skewed operation surged approximately 448% QoQ; 32% of Q1 2026 victims in Europe; FortiGate CVE-2024-55591 initial-access funnel

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

W1 horizon research identified an in-window operator gap the daily briefs missed. "The Gentlemen" emerged in August 2025 and per ZeroFox surged to the second- or third-most-active ransomware operation globally in Q1 2026 — 192 attacks that quarter, an approximately 448% QoQ increase, 32% of Q1 2026 victims in Europe (up from 2% in Q4 2025) (ZeroFox Q1 2026 Wrap-Up, 2026-04-17). Check Point Research's DFIR report on the operator confirms the post-compromise tradecraft observed during a single incident-response engagement: Cobalt Strike delivered via RPC from a Domain Controller; Mimikatz for credential harvesting; GPO abuse to inject a scheduled task into Group Policy that propagates the encryptor to all domain-joined systems near-simultaneously (compressing time-to-encryption to minimise the IR response window); SystemBC SOCKS5 C2 tunnelling and covert payload staging; encryption using X25519 Diffie–Hellman key exchange per file combined with the XChaCha20 stream cipher, with a per-file ephemeral key pair and a random 32-byte private key (Check Point Research DFIR Report, 2026-04-20 · BleepingComputer — The Gentlemen + SystemBC, 2026-04-20). CPR explicitly states the precise initial-access vector could not be conclusively determined for the engagement it analysed; broader reporting attributes initial access to a FortiOS / FortiProxy attack surface that includes CVE-2024-55591 (authentication bypass, CVSS 9.8 — patched January 2025), with secondary reporting describing an operator database of pre-exploited devices and brute-forced VPN credentials primed for deployment — defenders should treat patch state alone as insufficient if the device was unpatched against CVE-2024-55591 at any point during the exposure window.

European victims surfaced in BleepingComputer's SystemBC coverage and in quarterly leak-site aggregation include Oltenia Energy Complex (Romania — described as a significant portion of national electricity supply, December 2025) and The Adaptavist Group; Comparitech's Q1 2026 healthcare roundup attributes 10 healthcare-sector claims to the operator in the quarter; the operator's leak-site footprint and the absence of an "off-limits" sector convention make hospitals, water utilities, and similar critical-infrastructure targets in-scope. The cross-finding with this week's other concerns: GPO-injected scheduled-task propagation defeats backup-isolation defences if the AD environment is in the encryption path; if the operator's initial-access funnel includes unpatched FortiGate devices, that surface intersects directly with the Polish water-OT NIS2 coverage-gap framing (§ 4, § 6) since small municipal CI operators are over-represented in the unpatched-FortiGate population. Defender priorities for 2026-W20: hunt scheduled tasks in SYSVOL pointing to UNC paths or temp directories; profile SystemBC SOCKS5 beacons; add XChaCha20 file-header pattern detection at backup / DLP tier; re-verify FortiGate patch state against CVE-2024-55591 and any later FortiOS / FortiProxy auth-bypass advisories.
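The first W20 defender priority above (hunt scheduled tasks in SYSVOL pointing to UNC paths or temp directories) as an added example, not code from Check Point Research or this summary: a checker for Group Policy Preferences ScheduledTasks.xml that flags task commands launching from a UNC share (outside an optional allow-list) or from a temp directory. The XML sample is constructed, and `scan_sysvol` assumes a local copy of the SYSVOL tree is available at the path you pass in.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# GPP scheduled-task item types found in ScheduledTasks.xml under SYSVOL.
TASK_TAGS = {"Task", "TaskV2", "ImmediateTask", "ImmediateTaskV2"}
UNC_RE = re.compile(r"\\\\[^\\\s\"']+\\[^\s\"']+")
TEMP_RE = re.compile(r"%TE?MP%|\\Temp\\|\\AppData\\Local\\Temp", re.IGNORECASE)

def task_commands(task):
    """Yield the command strings a GPP task item would launch (v1 and v2 layouts)."""
    props = task.find("Properties")
    if props is None:
        return
    if props.get("appName"):                      # v1 Task / ImmediateTask attributes
        yield f'{props.get("appName")} {props.get("args", "")}'.strip()
    for ex in props.iter("Exec"):                 # v2: Task/Actions/Exec/Command
        yield f'{ex.findtext("Command", "")} {ex.findtext("Arguments", "")}'.strip()

def suspicious_tasks(xml_text: str, allowed_unc_prefixes=()):
    """Flag GPP scheduled tasks whose command points at a UNC path (outside the
    allow-list) or at a temp directory. Returns a list of finding dicts."""
    findings = []
    for task in ET.fromstring(xml_text):
        if task.tag not in TASK_TAGS:
            continue
        props = task.find("Properties")
        run_as = props.get("runAs", "") if props is not None else ""
        for command in task_commands(task):
            reasons = []
            for m in UNC_RE.finditer(command):
                if not any(m.group(0).lower().startswith(p.lower()) for p in allowed_unc_prefixes):
                    reasons.append("unc")
                    break
            if TEMP_RE.search(command):
                reasons.append("temp")
            if reasons:
                findings.append({"task": task.get("name"), "runAs": run_as,
                                 "command": command, "reasons": reasons})
    return findings

def scan_sysvol(sysvol_root):
    """Walk a SYSVOL copy (assumed path) and run the check on every ScheduledTasks.xml."""
    for path in Path(sysvol_root).rglob("ScheduledTasks.xml"):
        hits = suspicious_tasks(path.read_text(encoding="utf-8-sig"))
        if hits:
            yield str(path), hits

# Constructed sample (not taken from any real GPO): one benign task, one task
# executing from a UNC share as SYSTEM, one staging a binary from C:\Windows\Temp.
SAMPLE_SCHEDULED_TASKS_XML = """<ScheduledTasks>
  <TaskV2 name="Inventory"><Properties action="C" name="Inventory" runAs="NT AUTHORITY\\System">
    <Task version="1.2"><Actions Context="Author"><Exec>
      <Command>C:\\Windows\\System32\\cleanmgr.exe</Command><Arguments>/sagerun:1</Arguments>
    </Exec></Actions></Task></Properties></TaskV2>
  <TaskV2 name="Update"><Properties action="C" name="Update" runAs="NT AUTHORITY\\System">
    <Task version="1.2"><Actions Context="Author"><Exec>
      <Command>\\\\dc01\\netlogon\\update.exe</Command><Arguments>/silent</Arguments>
    </Exec></Actions></Task></Properties></TaskV2>
  <TaskV2 name="Stage"><Properties action="C" name="Stage" runAs="NT AUTHORITY\\System">
    <Task version="1.2"><Actions Context="Author"><Exec>
      <Command>cmd.exe</Command><Arguments>/c C:\\Windows\\Temp\\svc.exe</Arguments>
    </Exec></Actions></Task></Properties></TaskV2>
</ScheduledTasks>"""

if __name__ == "__main__":
    for f in suspicious_tasks(SAMPLE_SCHEDULED_TASKS_XML):
        print(f"{f['task']} ({f['runAs']}): {f['command']} -> {', '.join(f['reasons'])}")
```

Pair the output with the GPO's modification timestamp in SYSVOL: a task item added or changed shortly before encryption activity is the propagation mechanism described above, and the allow-list should be limited to shares your own deployment tooling legitimately uses.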

Eurail breach: 308 777 travellers notified three months after December 2025 compromise; Dutch DPA and EDPS open reviews

From CTI Daily Brief — 2026-05-08 · published 2026-05-08

Eurail began issuing breach notifications to 308 777 customers in late April 2026, revealing that an attacker accessed personal data — including passport numbers, IBANs, and DiscoverEU pass details — in a December 2025 incident. The three-month gap between discovery and notification is under review by the Autoriteit Persoonsgegevens (Dutch DPA) and the European Data Protection Supervisor (EDPS), which holds jurisdiction over EU institutional data processing. GDPR Article 33 requires supervisory authority notification within 72 hours of awareness of a breach. The exposed dataset covers travellers from EU member states who registered DiscoverEU passes; Swiss nationals who applied through bilateral arrangement may also be affected. Affected individuals should monitor for identity fraud and, where banking regulations permit, consider IBAN replacement.