2026-05-14-e05c6e6e
One pipeline fire, in full · intel run of 2026-05-14 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-05-14/2026-05-14-e05c6e6e.md.
Run telemetry
- Items returned
- 3
- Duration
- 7m 23s
- Tool calls
- 14 WebFetch8 WebSearch11 bridge
- Cited sources
- 3 of 27 in slice
- Items returned
- 7
- Duration
- 6m 54s
- Tool calls
- 13 WebFetch11 WebSearch7 bridge
- Cited sources
- 3 of 30 in slice
- Items returned
- 9
- Duration
- 13m 17s
- Tool calls
- 25 WebFetch18 WebSearch0 bridge
- Cited sources
- 0 of 62 in slice
- Items returned
- 4
- Duration
- 16m 19s
- Tool calls
- 24 WebFetch22 WebSearch3 bridge
- Cited sources
- 3 of 23 in slice
Verification
Deep dive
2026-05-14/famoussparrow-three-wave-intrusion-of-an-azerbaijani-energy
Entries published (this run)
- Dutch IGJ rules Clinical Diagnostics/NMDL failed NEN 7510 information-security standard at time of July 2025 ransomware breach; ~941,000 patients affected, cervical-cancer screening data exposed incident high
- CVE-2026-8043 Ivanti Xtraction external file control (CVSS 9.6) plus EPM SQL-injection-to-RCE and vTM admin OS-command injection — May 2026 advisory batch, no ITW vulnerability high
- GemStuffer — RubyGems weaponised as a one-way exfiltration channel scraping UK local-authority ModernGov portals; new abuse pattern targets the asymmetric monitoring gap between package pull and push research high
- CVE-2026-0300 PAN-OS Captive Portal — patch wave 2 delayed to 2026-05-28 for eight high-traffic build streams; mitigation remains the only option on those builds vulnerability high
- The Gentlemen RaaS — backend "Rocket" database leaked (16.22 GB), Check Point analysis exposes operator handles, ZeroPulse C2 internals, 1,570+ victims, decryptor published on GitHub threat high
- FamousSparrow Three-Wave Intrusion of an Azerbaijani Energy Operator: ProxyNotShell Re-exploitation and a Wave-1 DLL-Sideload Loader That Overrides Two Hamachi Exports to Defeat Sandbox Analysis threat high
Sources changed (this run)
Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.
No source-list edits recorded for this run.
Coverage gaps (this run)
Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)
| Source (uncovered) | URL tried | Method chain | Status / class | What the agent did instead |
|---|---|---|---|---|
| databreaches-net | https://databreaches.net/ | bridge:url → websearch | 403 transport-403 Cloudflare Managed Challenge — no UA bypass | WebSearch fallback |
| sec-disclosures-edgar | https://efts.sec.gov/LATEST/search-index?q=%22Item+1.05%22&forms=8-K&dateRange=c | webfetch | 403 transport-403 HTTP 403 Forbidden on EDGAR full-text search | WebSearch fallback; no fresh 8-K Item 1.05 disclosures found in window |
| ico-uk | https://ico.org.uk/action-weve-taken/enforcement/ | bridge:url | 200 spa-empty-body JS-rendered enforcement listing; sitemap discovery returned top-level only | WebSearch confirmed no new ICO enforcement in window |
| inside-it-ch | https://www.inside-it.ch/ | bridge:url → websearch | 403 transport-403 Cloudflare Managed Challenge — bridge:url failed (no UA bypass); WebSearch fallback per spawn-message guidance | WebSearch fallback yielded no in-window items |
| bleepingcomputer covered via alternate · should NOT be in this list | https://www.bleepingcomputer.com/news/security/ | bridge:url → webfetch | 200 Listing returns article titles only; per-article SPA rendering | Recovered via THN/SecurityWeek/Bitdefender corroboration |
| trendmicro-research | https://www.trendmicro.com/en_us/research/26/e/quasar-linux-qlnx-a-silent-footho | webfetch | 403 transport-403 HTTP 403 Forbidden — Trend Micro not on bridge allowlist | Recovered via BleepingComputer + The Hacker News paraphrase; item dropped out-of-window regardless |
| cert-eu covered via alternate · should NOT be in this list | https://cert.europa.eu/publications/security-advisories | bridge:url → webfetch | 200 spa-empty-body Angular SPA listing requires JS rendering | Fetched per-advisory URL (2026-006) directly via WebFetch |
| bsi-de covered via alternate · should NOT be in this list | https://wid.cert-bund.de/portal/wid/securityadvisory | bridge:bsi-rss | 200 RSS feed fetched; per-advisory HTML is Angular SPA | Cross-checked relevant items against prior_coverage |
| helpnetsecurity | https://www.helpnetsecurity.com/2026/05/04/critical-moveit-automation-auth-bypas | webfetch | 429 rate-limited HTTP 429 Too Many Requests | MOVEit item out-of-window; recovered via THN |
Verification findings · all iterations
Per-iteration finding detail. Each table is one verifier pass · what was flagged, how the main agent remediated it, and the outcome. Walking the tables top-to-bottom shows the verifier's debugging trail across iterations.
Iteration #1 NEEDS_FIXES · 11 findings (truth=6, editorial=2, advisory=3) · Claude Opus 4.7 · 2m 47s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F4 hallucinated-fact | updates | The Gentlemen RaaS — ZeroPulse C2 internals ZeroPulse Ethereum-smart-contract-via-1rpc.io C2 | Not in Check Point Research or BankInfoSecurity | removed claim from TL;DR and § 4 UPDATE; detection guidance rewritten without 1rpc.io DNS-signal fixed-clean |
| F4 hallucinated-fact | updates | The Gentlemen RaaS — infrastructure 4VPS-hosted infrastructure was compromised | Not in either cited primary | removed 4VPS specification; kept generic "infrastructure compromised" fixed-clean |
| F4 hallucinated-fact | updates | The Gentlemen RaaS — victim geography 32% of victims European in Q1 | Figure not in either cited primary | removed "32%" claim from TL;DR and § 4 UPDATE fixed-clean |
| F4 hallucinated-fact | updates | The Gentlemen RaaS — operator timezone Moscow business hours | Not in Check Point Research article | removed Moscow business-hours claim fixed-clean |
| F3 claim-not-supported | updates | CVE-2026-0300 false corroboration SecurityWeek article cited as corroborating wave-2 delay | SecurityWeek article covers only Fortinet+Ivanti, not Palo Alto | removed SecurityWeek citation; added [SINGLE-SOURCE] flag to heading fixed-degraded |
| F4 hallucinated-fact | tldr-and-deep-dive | FamousSparrow — Southern Gas Corridor specifics 12 Bcm/year; Italy 9 Bcm/year, Greece, Bulgaria | Specific Bcm figures and recipient list not in Bitdefender or THN | replaced with Bitdefender wording ("13 European countries incl. Germany and Austria") fixed-clean |
| F6 strengthen-primary-source | updates | PAN-OS vendor-only sourcing PSIRT + Unit 42 (both Palo Alto-affiliated) | After dropping SecurityWeek, both remaining sources are Palo Alto Networks divisions | added [SINGLE-SOURCE] flag to heading and § 7 entry; PSIRT + Unit 42 retained as best available fixed-degraded |
| F12 single-source-flag-missing | updates | PAN-OS UPDATE [SINGLE-SOURCE] flag item heading | After F5/F6 resolution, heading needed [SINGLE-SOURCE] flag | added [SINGLE-SOURCE] to H3 heading fixed-clean |
| F11 editorial-advisory | research | GemStuffer 219/224 detail 219 of 224 published versions delisted | Figures not in Socket primary | rewritten to match Socket's actual framing ("most versions delisted") fixed-clean |
| F11 editorial-advisory | research | GemStuffer ATT&CK mapping attribution T1583.001/T1027/T1567.004/T1552.001 implicit attribution | Mappings correct but should be tagged analyst-derived | prefixed mapping with "Analyst-derived ATT&CK mapping... (not cited in Socket's write-up)" fixed-clean |
| F11 editorial-advisory | deep-dive | Salt Typhoon attribution source Salt Typhoon (Microsoft taxonomy) | Salt Typhoon overlap mentioned in THN but not Bitdefender primary | attribution routed to THN explicitly in both Background and Named-clusters paragraphs fixed-clean |
Iteration #2 NEEDS_FIXES · 3 findings (truth=3, editorial=0, advisory=0) · Claude Sonnet 4.6 · 4m 40s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F4 hallucinated-fact | action-items | Gentlemen 1rpc.io detection sentence persisted in § 6 flag DNS/proxy queries to 1rpc.io ... Ethereum smart contracts | Iter1 removed from TL;DR + § 4 but missed § 6 instance | removed entire 1rpc.io sentence from § 6 Gentlemen action item fixed-clean |
| F4 hallucinated-fact | action-items | Gentlemen Bedrock-Safeguard misattributed to Check Point Check Point Research disclosure includes the leak of ... Bedrock-Safeguard/gentlemen-decryptor | Decryptor info in BankInfoSecurity, not Check Point | re-attributed § 6 action item to BankInfoSecurity primary; added that source to footer fixed-clean |
| F4 hallucinated-fact | tldr-and-active-threats | NMDL — Nova ransomware attribution July 2025 Nova-ransomware breach / attributed to the Nova ransomware group | Nova not mentioned in IGJ primary or Computable secondary | removed Nova attribution from § 0 TL;DR and § 1 body; added explicit note that cited primaries do not name the operator fixed-clean |
Iteration #3 NEEDS_FIXES · 7 findings (truth=7, editorial=0, advisory=0) · Claude Opus 4.7 · 3m 17s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F1 claim-not-supported | active-threats | NMDL — iter2 disclaimer was itself unsupported (Computable does name Nova) Neither IGJ nor Computable attributes the breach to a named ransomware operator in the cited primaries | Computable in fact names Nova; iter2 remediation introduced a false assertion | restored Nova attribution citing Computable; dropped the disclaimer sentence fixed-clean |
| F2 claim-not-supported | deep-dive | FamousSparrow wave attribution inverted Wave 3 loader gates payload behind LogMeIn Hamachi export call graph | Bitdefender places Hamachi sideloading in Wave 1 (Deed RAT), USOShared in Wave 2 (TernDoor), Modified Deed RAT + updated C2 in Wave 3 | re-mapped W1/W2/W3 attributions in TL;DR + § 5 background + § 5 exploitation-chain bullets fixed-clean |
| F3 claim-not-supported | deep-dive | Wave-3 technique characterisation overstated inspects the runtime export call graph of the legitimate Hamachi host binary | Bitdefender describes Init + ComMain export override + StartServiceCtrlDispatcherW patch; THN says overrides two specific exported functions | rewrote technique paragraph to specify Init/ComMain export override + StartServiceCtrlDispatcherW patch; reframed as Wave 1 fixed-clean |
| F4 claim-not-supported | deep-dive | Wave 2 description wrong Wave 2: TernDoor + modified Deed RAT | Bitdefender W2 = TernDoor via USOShared only; modified Deed RAT is W3 | rewrote W2 bullet to TernDoor-via-USOShared; W3 bullet now correctly cites Modified Deed RAT + updated C2 fixed-clean |
| F5 claim-not-supported | updates | Gentlemen 1,570 attribution wrong source affiliate s exposed C2 server revealed 1,570+ victim entries | Check Point attributes 1,570 to a SystemBC C&C server; 332 is public victims in first 5 months 2026; full comparison adds 412 total DLS listings | rewrote § 4 paragraph + § 0 TL;DR to attribute 1,570 to SystemBC C&C; 332 clarified as first 5 months 2026 fixed-clean |
| F6 hallucinated-fact | research | GemStuffer 2026-05-12 suspension date preceded RubyGems 2026-05-12 temporary signup suspension | Neither Socket nor THN gives 2026-05-12 specifically | removed specific date; reframed to Socket s own phrasing about new-account registration suspension fixed-clean |
| F7 hallucinated-fact | research | GemStuffer version-rotation / hash-IOC claim version-rotation pattern, most published versions later delisted, defeating hash-based IOCs | Not in Socket or THN | removed entire version-rotation sentence from § 3 fixed-clean |
Iteration #4 NEEDS_FIXES cap-breach · 1 finding (truth=1, editorial=0, advisory=0) · Claude Sonnet 4.6 · 3m 17s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F3 claim-not-supported | deep-dive | FamousSparrow Wave 2 sideloading host misidentified Wave 2: TernDoor deployed via DLL sideloading against `USOShared` | Bitdefender names host as deskband_injector64.exe renamed USOShared.exe in C:\ProgramData\USOShared\; brief implied USOShared was a Microsoft-signed binary | rewrote § 5 W2 exploitation bullet + detection paragraph to specify deskband_injector64.exe and C:\ProgramData\USOShared\winmm.dll fixed-clean |
Verification & coverage notes
The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.
Verification & coverage notesrun record body
2026-05-14-e05c6e6e · Claude Opus 4.7 · 6 entries published
Recency window. window_hours = 36 (gap 24 h since briefs/2026-05-13.md + 12 h safety overlap); developing_window_hours = 72. Items whose primary source is older than 36 h are dropped from main sections unless they carry a fresh in-window development (UPDATE rule) or appear as deep-dive Background.
Items dropped — already covered last 7 days (PD-8): S2's findings on Mini Shai-Hulud / TanStack npm worm (last_covered 2026-05-13 deep dive — campaign:mini-shai-hulud); SEPPmail CVE-2026-44128 cluster (incident covered 2026-05-09 deep dive + § 2); Fortinet FortiAuthenticator / FortiSandbox (CVE-2026-44277 / CVE-2026-26083 in yesterday's § 2); SAP May 2026 Patch Day (CVE-2026-34260 / CVE-2026-34263 in yesterday's § 2); Microsoft May 2026 Patch Tuesday (CVE-2026-41089 / CVE-2026-41096 / CVE-2026-41103 / CVE-2026-42898 in yesterday's § 2); Europol IOCTA 2026 (annual-report covered 2026-05-10). Each lacks an in-window material delta sufficient to open § 4 UPDATE.
Items dropped — out-of-window (PD-7). S3 returned a structured "developing-window" set whose primary sources are all older than 36 h. Drop list with primary-source dates: QLNX / Quasar Linux RAT (Trend Micro 2026-05-05, BleepingComputer 2026-05-05); TCLBANKER / REF3076 (Elastic Security Labs 2026-05-07); UAT-8302 (Cisco Talos 2026-05-05); Cline CVE-2026-44211 (Oasis Security 2026-05-07); AiTM "code of conduct" phishing campaign (Microsoft Security Blog 2026-05-04); Progress MOVEit Automation CVE-2026-4670 / CVE-2026-5174 (Progress / Airbus SecLab 2026-04-30 / The Hacker News 2026-05-04). Reason in every case: out-of-window: primary source <date>, window_hours=36. None carry a fresh in-window development that would qualify under PD-7 carve-outs (a/b/c).
Items dropped — § 2 inclusion gate not cleared. HPE ArubaOS May 2026 multi-CVE batch (HPE Aruba HPESBNW05048 / HPESBNW05049, CERT-FR CERTFR-2026-AVI-0573, 2026-05-13) — highest issue CVE-2026-23819 is CVSS 8.8 stored-XSS post-auth, with several CVSS 7.2 authenticated command-injection findings and CVSS 7.5 unauthenticated DoS on the PAPI port. No ITW exploitation, no public PoC, no pre-auth RCE on widely-deployed internet-exposed software — neither CISA-KEV nor ENISA-EUVD critical band nor § 2 catch-all gate (a–e) is cleared. Notable for CH / EU public-sector wireless infrastructure (cantonal government, education, healthcare) but operationally a routine patch cycle. Coverage gap consequence: zero.
Items dropped — single-source dark-web only. Anubis ransomware listing for A.R.Ge.Co (France) (Malware.news, 2026-05-13) — leak-site claim only, no victim confirmation, no HIGH-reliability journalism corroboration, per PD-6 fake-news guard on leak-site claims.
Single-source items (PD-5 carve-out applied). One § 4 item: the PAN-OS CVE-2026-0300 UPDATE on the wave-2 patch delay relies on Palo Alto-affiliated primaries only (Palo Alto Networks PSIRT advisory + Unit 42 research blog) after Phase 5.7 iteration 1 flagged a false-corroboration SecurityWeek citation that did not in fact mention Palo Alto. Independent corroboration for the wave-2 build list (ETA 2026-05-28) was not located in HIGH-reliability third-party coverage within the 36-h window; item is flagged [SINGLE-SOURCE] in its heading and the wave-2 build list should be re-verified against the live PSIRT entry. Active-exploitation status itself remains multi-source (Unit 42 + CISA KEV listing + prior briefs' coverage).
Phase 5.7 verifier remediations applied (four iterations, model-rotated). Iteration 1 (Opus): NEEDS_FIXES truth=6 editorial=2 advisory=3 — § 4 Gentlemen UPDATE attributed four claims to Check Point Research the article does not support (ZeroPulse-via-Ethereum-smart-contracts-via-1rpc.io for C2 resolution; 4VPS as hosting provider; "32% of victims were European in Q1"; Moscow business-hours timestamp clustering) — all four removed and detection guidance rewritten. § 4 PAN-OS UPDATE's SecurityWeek 2026-05-13 corroboration was false (the article covers only Fortinet + Ivanti) — citation removed, item flagged [SINGLE-SOURCE]. § 5 deep dive's specific "Bcm/year" figures and Italy/Greece/Bulgaria recipient list replaced with Bitdefender's actual framing ("13 European countries, including new deliveries to Germany and Austria"). Advisories (F11): GemStuffer's "219 of 224 versions" detail rewritten to match Socket; ATT&CK mapping tagged as analyst-derived; Salt Typhoon attribution routed to THN explicitly.
Iteration 2 (Sonnet): NEEDS_FIXES truth=3 — leftover instances of iter-1 issues that hadn't been remediated in non-TL;DR locations. § 6 Gentlemen action item still carried the 1rpc.io detection sentence (removed); § 6 misattributed Bedrock-Safeguard/gentlemen-decryptor to Check Point Research instead of BankInfoSecurity (re-attributed); "Nova ransomware" attribution to NMDL breach removed from § 0 + § 1.
Iteration 3 (Opus): NEEDS_FIXES truth=7 — iter-2's "Neither IGJ nor Computable attributes the breach to a named ransomware operator" was itself an unsupported assertion (Computable does name Nova) — Nova attribution restored citing Computable. FamousSparrow wave attribution inverted in deep dive — Bitdefender's actual wave map is W1 = Deed RAT via Hamachi sideloading with Init/ComMain export override + StartServiceCtrlDispatcherW patch, W2 = TernDoor via separate sideloading host, W3 = Modified Deed RAT + updated C2; brief had Hamachi as W3. § 0 TL;DR, § 5 heading, § 5 background paragraph, § 5 exploitation-chain bullets, and § 5 detection paragraph all rewritten. "Runtime export call graph inspection" framing overstated the technique — tightened to "two specific exported functions overridden". Gentlemen 1,570 figure was attributed to "an affiliate's exposed C2 server" but Check Point in fact attributes it to a SystemBC C&C server; 332 = first five months of 2026 (CP's full comparison cites 412 cumulative DLS listings) — § 0 TL;DR + § 4 paragraph rewritten. GemStuffer "2026-05-12 signup suspension" date not in cited primaries — removed; version-rotation / hash-IOC paragraph not in Socket — removed.
Iteration 4 (Sonnet): NEEDS_FIXES truth=1 editorial=0 advisory=0 — single F3 finding: § 5 Wave 2 sideloading host was described as USOShared (implying a legitimate Microsoft-signed binary). Bitdefender actually names the host as deskband_injector64.exe renamed to USOShared.exe and placed in C:\ProgramData\USOShared\; the malicious loader is winmm.dll in the same directory. The directory name reuses "USOShared" for camouflage; no legitimate Microsoft USOShared signed binary is involved. § 5 exploitation-chain bullet + detection paragraph rewritten to specify deskband_injector64.exe and the C:\ProgramData\USOShared\ path. Early-exit on low-defect convergence (v2.50): with truth + editorial = 1 and no F1 / F4 findings, iteration 4 qualifies as the early-exit point per prompt § Phase 5.7 — remediation applied, residual logged, brief published without spawning iteration 5. verification_residual_count = 1.
Model rotation across the verification loop: iter 1 / iter 3 = Claude Opus 4.7 (cti-verification), iter 2 / iter 4 = Claude Sonnet 4.6 (cti-verification-alt). Both verifier definitions carry the identical operational system prompt; the rotation surfaces model-specific blind spots — Sonnet caught the Nova-attribution false disclaimer in iter 2 that Opus had introduced in iter 1's remediation; Opus caught the wave-attribution inversion in iter 3 that Sonnet's iter 2 had not flagged.
Sub-agent stalls. None. All four sub-agents returned within the 30-min wall-clock cap: S1 (443 s, Claude Sonnet 4.6), S2 (414 s, Claude Sonnet 4.6), S3 (797 s, Claude Sonnet 4.6), S4 (979 s, Claude Sonnet 4.6).
Fetch failures (consolidated across sub-agents). databreaches-net 403 (Cloudflare Managed Challenge — bridge + WebSearch fallback documented per source spec); sec-disclosures-edgar 403 on EDGAR full-text search (S4) — no fresh 8-K Item 1.05 disclosures recovered for the May 12-14 window; ico-uk SPA-empty body even via bridge; inside-it-ch Cloudflare-blocked across all attempts (no in-window stories surfaced via WebSearch fallback); bleepingcomputer SPA-rendering on article level (recovered via THN/SecurityWeek corroboration); trendmicro-research 403 on direct WebFetch (recovered via BleepingComputer / The Hacker News paraphrase — Trend Micro is HIGH-reliability primary attribution); cert-eu SPA-empty on listing, recovered via per-advisory URL; helpnetsecurity 429 (recovered via THN); community.progress.com (SPA empty body); bsi-de per-advisory SPA (RSS feed cross-checked); forums.ivanti.com Salesforce SPA (recovered via Ivanti vendor blog).
Contradictions / reduced-confidence flags. None this run. Two distinct sub-agents (S1 + S2) independently arrived at the CVE-2026-0300 second-patch-wave delta from different discovery paths (CISA KEV listing notes vs. NCSC-CH Patch Tuesday compilation); both led to the same primary Palo Alto PSIRT advisory.
Coverage gaps: databreaches-net (Cloudflare Managed Challenge, no UA bypass — WebSearch fallback only); sec-disclosures-edgar (EDGAR full-text feed 403 on routine UA — no fresh 8-K Item 1.05 disclosures recovered in window); ico-uk (SPA + sitemap discovery insufficient to surface in-window enforcement actions); inside-it-ch (Cloudflare Managed Challenge); trendmicro-research (403 — recommend bridge allow-list addition for desktop-Chrome UA, would have unlocked direct fetch on two QLNX / InstallFix items even if those were out-of-window today).
Self-evolution candidate (source list). No new candidate added this run; the active list is already at 94 sources and recent rotation-priority gaps are transport-blocking rather than coverage-gap caused. Recommend tracking trendmicro-research as a bridge allow-list addition in a future tooling commit (separate from this brief commit).
Unmatched action items (migrated)
- Continue PAN-OS Captive Portal interim mitigation on the eight "ETA 05/28" build streams until 28 May. Disable User-ID Authentication Portal on untrusted-zone interfaces or restrict it to trusted zones only; for Threat Prevention subscribers, ensure Threat ID 510019 is enabled (PAN-OS 11.1+). CL-STA-1132 in-the-wild exploitation is ongoing; the FCEB KEV deadline has no jurisdictional weight in CH / EU but the active exploitation does. See § 4.
- For active Gentlemen ransomware incidents — attempt decryption before negotiation. BankInfoSecurity's 2026-05-11 reporting identifies the
Bedrock-Safeguard/gentlemen-decryptorGitHub release as the recovery path; Check Point Research's 2026-05-13 backend-leak analysis additionally maps the EDR-suppression toolchain (EDRStartupHinder,gfreeze,glinker— custom binaries, not commodity) and the CertiHound AD CS abuse utility. Hunt those tool names on hosts in scope; monitor for AD Certificate Services reconnaissance (certutilenumeration of CA servers / templates) consistent with CertiHound. See § 4. - Verify Exchange ProxyNotShell remediation completeness with
HealthChecker.ps1, not CU-level alone. FamousSparrow re-exploited the same CVE-2022-41040 / CVE-2022-41082 chain across three intrusion waves at one victim despite remediation attempts — patch-rollback or surviving persistence is the structural cause. Run Microsoft'sHealthChecker.ps1on every on-premise Exchange server; auditFrontEnd\HttpProxy\owa\auth\andFrontEnd\HttpProxy\ecp\auth\for files modified post-patch. See § 5. - Hunt outbound
gem push(andnpm publish/pip upload) from build agents and dev workstations that lack a publisher role. GemStuffer's structural innovation is exploiting the inbound-monitoring-only blind spot of most CI/CD security tooling. Flag new RubyGems publisher accounts with >10 versions/day on freshly created packages; inspect outbound POSTs torubygems.orgfrom non-publisher contexts. The same monitoring asymmetry exists across npm and PyPI. See § 3. - For Swiss healthcare entities — schedule the EPDG-equivalent NEN 7510 audit; do not wait for the regulator. The IGJ ruling on Clinical Diagnostics / NMDL specifically cites absence of third-party security audit and absence of periodic risk assessment as the structural failures behind a 941,000-record breach. Swiss cantonal supervisors track the same hygiene baselines via the EPDG profile; equivalent compliance gaps in Swiss healthcare carry equivalent regulatory exposure under FINMA and cantonal data-protection authorities. See § 1.
Migrated from briefs/2026-05-14.md (v2).
← Operations dashboard · day page 2026-05-14 · run-record contract: docs/pipeline.md