ctipilot.ch

2026-05-29-c7f56b00

One pipeline fire, in full · intel run of 2026-05-29 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-05-29/2026-05-29-c7f56b00.md.

Run telemetry

2026-05-29-c7f56b00 intel prompt v2.60
25m 27s duration 16 published 0 updates
Claude Opus 4.7 (claude-opus-4-7) main agent
S1 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
8
Duration
11m 24s
Tool calls
22 WebFetch9 WebSearch14 bridge
Cited sources
14 of 23 in slice
S2 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
6
Duration
8m 55s
Tool calls
18 WebFetch12 WebSearch10 bridge
Cited sources
13 of 20 in slice
S3 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
6
Duration
9m 48s
Tool calls
12 WebFetch4 WebSearch18 bridge
Cited sources
13 of 26 in slice
S4 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
3
Duration
12m 40s
Tool calls
17 WebFetch22 WebSearch6 bridge
Cited sources
12 of 18 in slice

Verification

#1 NEEDS_FIXES · Claude Opus 4.7 · t=6 e=4 a=2 #2 NEEDS_FIXES · Claude Sonnet 4.6 · t=1 e=2 a=0 #3 NEEDS_FIXES · Claude Opus 4.7 · t=3 e=1 a=2 #4 NEEDS_FIXES · Claude Sonnet 4.6 · t=1 e=0 a=0

Deep dive

2026-05-29/forticlient-ems-cve-2026-35616-ekz-infostealer-kill-chain

Entries published (this run)

Sources changed (this run)

Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.

No source-list edits recorded for this run.

Coverage gaps (this run)

Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)

Source (uncovered)URL triedMethod chainStatus / classWhat the agent did instead
databreaches-nethttps://www.databreaches.net/category/breach-incidents/webfetchbridge:url403 transport-403
bridge:url returned HTTP 403; no Wayback snapshot usable (seventh consecutive run)
Carnival breach covered via PR Newswire + The Record + The Register + Help Net Security
sophos-xopshttps://www.sophos.com/en-us/blog/feed?id=blt6f15f4f7deaf4242webfetchbridge:feed503 transport-5xx
bridge:feed returned HTTP 503 (sixth consecutive run)
WebSearch yielded no qualifying in-window Sophos content
inside-it-chhttps://www.inside-it.ch/webfetchbridge:url403 transport-403
bridge:url returned HTTP 403 even with desktop UA (fifth consecutive run)
WebSearch yielded no qualifying in-window CH-specific incidents

Bridge invocations (this run)

16 bridge calls this run · these are successful bridge fetches (separate from "Coverage gaps" above).

10 ok1 empty feed5 item not found
  • bridge:feed ×8
  • bridge:ncsc-csh.recent ×1
  • bridge:ncsc-csh.post ×1
  • bridge:cisa-kev ×1
  • bridge:bsi-rss ×1
  • bridge:cert-fr.avis-recent ×1
  • bridge:enisa-euvd.recent.lastvulnerabilities ×1
  • bridge:url ×1

Verification findings · all iterations

Per-iteration finding detail. Each table is one verifier pass · what was flagged, how the main agent remediated it, and the outcome. Walking the tables top-to-bottom shows the verifier's debugging trail across iterations.

Iteration #1 NEEDS_FIXES · 14 findings (truth=6, editorial=4, advisory=2) · Claude Opus 4.7 · 8m 39s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F3
claim-not-supported
updatesThe Gentlemen UPDATE — 320+ victim count attributed to MicrosoftMicrosoft article carries no victim count; Check Point article has ~332Re-attributed to Check Point Research with approximately 332 framing fixed-clean
F3
claim-not-supported
updatesThe Gentlemen UPDATE — GPO-spread pathway attributed to Microsoft
GPO-spread pathway
Microsoft article doesn't mention GPO; Check Point doesRe-attributed GPO pathway to Check Point Research fixed-clean
F3
claim-not-supported
updatesASR rule GUID d4f940ab not in cited Microsoft article
d4f940ab-401b-4efc-aadc-ad5f3c50688a
GUID not in Microsoft articleReplaced GUID with rule name + link to MS Learn ASR rules reference fixed-clean
F3
claim-not-supported
active-threatsAsocks inversion — SocksEscort etc framed as migration targets vs prior-disrupte
shift to SocksEscort/IPIDEA/FirstVPN
Source frames them as previously-disrupted networks Asocks joins, not migration targetsRephrased to Asocks joins disrupted list fixed-clean
F4
hallucinated-fact
researchBTMOB technical claims not in ESET source
WebSocket port 443 / GPS geo-filter / IT-FR overlays
ESET source lacks these claimsTrimmed BTMOB paragraph to Accessibility Service abuse + HTML overlay + keylogging + on-demand screen recording fixed-clean
F4
hallucinated-fact
active-threatsCarnival 2026-04-22 exfiltration-confirmed date not in sources
exfiltration was confirmed by 2026-04-22
Date not in PR Newswire / The Record / The Register / Help Net SecurityDropped the date; reworked to Maine AG breach-date framing in iter 2 fixed-clean
F5
missing-citation
deep-diveX-SSL-CLIENT-VERIFY mechanism unbacked by Arctic Wolf / Fortinet PSIRT prose
X-SSL-CLIENT-VERIFY
Header mechanism not in Arctic Wolf or PSIRT prose; supported by Nuclei templateAdded ProjectDiscovery Nuclei template URL as inline citation at § 5 Vulnerable component fixed-clean
F5
missing-citation
active-threatsCarnival 5,995,277 figure not in cited news sources
5,995,277 individuals
Source is Maine AG filing per S4 YAMLAdded Maine AG agviewer URL inline fixed-clean
F8
needs-more-research
active-threatsCarnival records vs individuals (8.7M HIBP vs 5.99M)
8.7M HIBP records
Distinction meaningful for defender exposure scopeAdded reconciliation note fixed-clean
F9
surface-contradiction
trending-vulnerabilitiesGitLab patch count 6 vs 7
GitLab release notes lists CVE-2026-2710 as a seventh CVE
Brief said six CVEs; vendor page lists sevenAdded § 7 contradiction note; added CVE-2026-2710 to cves_seen.json fixed-clean
F10
missed-angle
active-threatsMaine AG filing missing inline
Maine AG agviewer
Strongest primary for the precise figureResolved together with F5 #2 fixed-clean
F10
missed-angle
deep-diveNuclei template missing inline
ProjectDiscovery Nuclei template
Primary support for X-SSL-CLIENT-VERIFY claimResolved together with F5 #1 fixed-clean
F11
editorial-advisory
trending-vulnerabilitiesGitLab footer underplays pre-auth angle
Auth: post-auth
CVE-2026-6713 is pre-auth; footer reads single valueno change (taxonomy parser does not accept comma list of Auth values) deferred
F11
editorial-advisory
tldrCarnival records vs individuals TL;DR phrasing
5,995,277-record breach
records implies database rows; figure is affected individualsUpdated TL;DR to breach affecting 5,995,277 individuals fixed-clean

Iteration #2 NEEDS_FIXES · 3 findings (truth=1, editorial=2, advisory=0) · Claude Sonnet 4.6 · 5m 07s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F3
claim-not-supported
active-threatsCarnival initial-access date — April 14 is identification, not initial access
Initial access on 2026-04-14
PR Newswire describes April 14 as identification; Maine AG records breach 2026-04-10Reframed to surface Maine AG 2026-04-10 breach date and PR Newswire 2026-04-14 identification date fixed-clean
F8
needs-more-research
researchBTMOB framed as Iberian-banking parallel; ESET says Brazil/Argentina
parallel Android-targeting half of the same Iberian-banking pressure wave
ESET source focuses on LATAM not IberiaReframed as Latin American banking parallel (Brazil and Argentina per ESET) fixed-clean
F9
surface-contradiction
active-threatsCarnival breach-date contradiction
April 10 vs April 14
Maine AG and PR Newswire disagree on date framingAdded § 7 contradiction note explaining the breach-date vs discovery-date framing fixed-clean

Iteration #3 NEEDS_FIXES · 6 findings (truth=3, editorial=1, advisory=2) · Claude Opus 4.7 · 6m 00s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F1
hallucinated-fact
active-threats / deep-diveEKZ browser list — Brave vs Microsoft Edge
Chrome, Firefox, Brave, LibreWolf, Waterfox, Pale Moon, Thunderbird
Arctic Wolf names Microsoft Edge not Brave; recurs in § 1 and § 5Replaced Brave with Microsoft Edge in both paragraphs fixed-clean
F2
claim-not-supported
trending-vulnerabilitiesGitLab CVE-2026-6713 API name
the public projects API
GitLab describes as GraphQL WorkItem APIReworded to 'incorrect authorization issue in GitLab's GraphQL WorkItem API' fixed-clean
F3
claim-not-supported
active-threatsApereo SAML/Kerberos affirmative statement
pure SAML / Kerberos deployments are unaffected
Apereo only scopes the bug to OIDC IdP without affirmative statement on non-OIDCReframed as our scoping inference, not Apereo confirmation fixed-clean
F4
strengthen-primary-source
active-threatsApereo reporter attribution
Coop Switzerland
Apereo names Artur Stoecklin and David Roth at Coop (Switzerland) via YesWeHackAdded researcher names and YesWeHack channel fixed-clean
F6
editorial-advisory
action-itemsAction Items density at 10 bullets
10-bullet action list
Upper-bound of reader actionabilityno change (F6 advisory) deferred
F7
editorial-advisory
deep-diveCVE-2026-45659 Microsoft comparison reads editorialised
same shape as Microsoft's CVE-2026-45659
Comparison reads as inferenceno change (F7 advisory; URL live) deferred

Iteration #4 NEEDS_FIXES cap-breach · 1 finding (truth=1, editorial=0, advisory=0) · Claude Sonnet 4.6 · 3m 53s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F3
claim-not-supported
updatesCheck Point victim count quantifier — more than 332 vs approximately 332
Check Point counts more than 332 victim organisations
Source says approximately 332 / 332; brief said more thanBest-effort: replaced 'more than 332' with 'approximately 332' in body + delta paragraph (early-exit per v2.50 truth+editorial ≤ 2 AND no F1/F4) fixed-clean

Verification & coverage notes

The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.

Verification & coverage notesrun record body

2026-05-29-c7f56b00 · Claude Opus 4.7 · window 36 h · 16 entries published

  • Items dropped (already-covered, duplicate of in-window prior coverage):
    • Tycoon 2FA AiTM detection-engineering analysis (Elastic Security Labs, 2026-05-26) — surfaced by S3 as a candidate, but the same Elastic Security Labs piece and the same eSentire OAuth-Device-Code corroboration were already the substance of the deep dive in 2026-05-27 and of the original Tycoon 2FA deep dive in 2026-05-18. No material new development in window. Drop per PD-8.
  • Single-source items kept: none kept as [SINGLE-SOURCE] in published items this run — both Apereo CAS (Apereo + CERT-FR) and the FortiClient / EKZ campaign (Arctic Wolf + Fortinet PSIRT + The Hacker News + NVD) cleared two-source verification.
  • Items dropped (low signal-to-noise for this audience):
    • BTMOB Android RAT (ESET, 2026-05-26) — surfaced by S1 as SINGLE-SOURCE; folded into the § 3 Grandoreiro item as a corroborating Iberian-banking parallel rather than promoted to its own H3. ESET + WatchGuard via § 3 supply the two-source view.
  • Reduced confidence: Apereo CAS patch version 7.3.7.1 carries MEDIUM confidence on technical impact because Apereo withheld full detail pending the security grace window. Tracked for follow-up.
  • CVEs that did not clear § 2 inclusion gates (no exploitation, no PoC, no KEV, no pre-auth RCE on internet-exposed software): the lower-severity GitLab batch CVEs (CVE-2026-1402, CVE-2026-2601, CVE-2026-5296, CVE-2026-8716) are documented inside the parent GitLab item but did not warrant their own H3.
  • Contradictions surfaced:
    • Gogs zero-day CVE id: S1 documented no CVE assigned at publication, while S3 referenced CVE-2026-26194. Rapid7's blog post is unambiguous that the maintainer has not responded and no patch exists; the CVE-id claim from S3 could not be re-verified against an authoritative NVD entry in this run. The brief is written conservatively without the CVE id; verification of CVE-2026-26194 is deferred to the next run.
    • GitLab patch-release CVE count: the § 2 GitLab item summarises six CVEs (CVE-2026-4868, -6713, -1402, -2601, -5296, -8716) — the GitLab patch-release page enumerates seven (an additional CVE-2026-2710 is listed inline). Brief should be read as covering the six highest-severity / most defender-relevant items in the bundle; CVE-2026-2710 details are left to the vendor page until next-run re-pivot.
    • Carnival breach date: the Maine AG filing records the breach as occurring 2026-04-10 with discovery on 2026-04-14, while Carnival's PR Newswire substitute notice describes 2026-04-14 as the day the security team identified unauthorized activity. The brief reports both dates with the breach-vs-discovery distinction surfaced in body text rather than picking one.
  • Sub-agents: all four returned within budget. S1 Sonnet 4.6 (684 s, 22 webfetch / 9 websearch / 14 bridge), S2 Sonnet 4.6 (348 s, 18 / 12 / 10), S3 Sonnet 4.6 (771 s, 12 / 4 / 18), S4 Sonnet 4.6 (753 s, 17 / 22 / 6). No stalled agents.
  • Verification (Phase 5.7): four iterations (Opus → Sonnet → Opus → Sonnet). Iter 1 NEEDS_FIXES (truth=6, editorial=4, advisory=2) → iter 2 NEEDS_FIXES (1, 2, 0) → iter 3 NEEDS_FIXES (3, 1, 2) → iter 4 NEEDS_FIXES (1, 0, 0). Iter 4 was published via the v2.50 early-exit rule (truth+editorial ≤ 2 AND no F1/F4); the iter 4 finding ("Check Point count: brief said more than 332, source says approximately 332") was applied as a best-effort remediation in-place but the iteration's NEEDS_FIXES verdict stands. verification_residual_count = 1.
  • Coverage gaps: databreaches-net (transport 403, no Wayback snapshot — Carnival breach covered via PR Newswire + The Record + The Register); sophos-xops (HTTP 503 on feed); inside-it-ch (HTTP 403 even via bridge); dragos, shadowserver, sekoia, volexity, greynoise (feeds returned 404 — likely upstream feed-URL drift, candidate for source-list review next run); cert-at, csirt-acn-it (not enumerated in this run); SEC EDGAR Item 1.05 (0 hits in window — Carnival filed substitute notice via PR Newswire and state AGs, not 8-K); CNIL-FR, EDPB, ICO-UK (no in-window enforcement actions); cisa-directives, tenable-research, cisco-psirt, greynoise (quiet in window). Inside-IT.ch's persistent 403 pattern is now the 4th run in 7 — candidate for the next source-list review.

Unmatched action items (migrated)

  • Upgrade Fortinet FortiClient EMS 7.4.5 / 7.4.6 → 7.4.7 immediately and assume managed-endpoint compromise where the patch lagged. Active ITW exploitation delivers EKZ Infostealer through the trusted EMS update channel. Apply Fortinet PSIRT FG-IR-26-099 per § 5 above; have the fronting reverse proxy strip / overwrite X-SSL-CLIENT-VERIFY before forwarding to EMS as a defence-in-depth control. Rotate cached browser credentials and treat managed-endpoint session cookies as compromised wherever EMS ran 7.4.5/7.4.6 unpatched.
  • Patch Samba to 4.22.10 / 4.23.8 / 4.24.3 on every Linux file / member server; AD DCs are unaffected. Compensating mitigation if the upgrade slips: remove %u from any check password script, wrap %J in single quotes inside print command, and set rpc start on demand helpers = yes (default). Two CVSS 10.0 unauthenticated RCEs make this an immediate change-window candidate.
  • Patch Portainer CE to 2.33.8 / 2.39.2 / 2.41.0 and revoke Docker / Swarm endpoint access for non-admin users in the interim. CCB Belgium's Patch Immediately warning targets exactly the deployment shape — non-admin users with endpoint access can reach the unguarded plugin endpoints and Swarm-service API and escalate to host code execution.
  • Upgrade SUSE Rancher to 2.10.12 / 2.11.14 / 2.12.10 / 2.13.6 / 2.14.2 and audit GitHub-App authentication / project-owner RBAC. Three concurrent paths to host code execution or cluster-admin escalation; the GitHub-App over-inclusive team membership in particular can be quietly abused.
  • Patch IBM HTTP Server / WebSphere via APAR PH71265; disable mod_ibm_upload and mod_mem_cache where unused. Pre-auth RCE at CVSS 9.8 on a middleware widely deployed in Swiss banking, insurance and federal IT — NCSC.ch flagged the advisory specifically for CH consumers.
  • Mitigate the unpatched Gogs RCE on every self-hosted instance. Set DISABLE_REGISTRATION = true in app.ini, disable Rebase before merging under instance settings, and consider migration to Gitea / Forgejo. Hunt for git invocations with --exec whose parent is the Gogs binary (Sysmon EID 1 / auditd EXECVE).
  • Hunt for The Gentlemen kill-chain artefacts across the AD estate. Look for wevtutil cl Security|System|Application chained with sc stop WinDefend or msconfig; svchost32.exe spawned outside %SystemRoot%\System32; CcmExec.exe launching non-SCCM payloads; GPO modifications (Event ID 5136) and the hidden SMB share mount (Event ID 5140). Enable the Block process creations originating from PsExec and WMI commands ASR rule per Microsoft's ASR rules reference and run EDR in block mode where possible.
  • Upgrade Apereo CAS to the fixed version 7.3.7.1 on any deployment configured as an OIDC IdP, even with technical detail withheld. CH-discovered (Coop Switzerland reporter) and CERT-FR-flagged; until detail is public, monitor OIDC token issuance logs for tokens to unregistered clients and anomalous sub claim values.
  • Patch GitLab to 19.0.1 / 18.11.4 / 18.10.7 and Veeam B&R / Agent to 13.0.2.29 within the next change window. Highest-severity GitLab issue is the Duo AI identity-impersonation flaw; Veeam's Linux-appliance arbitrary file write is constrained to Backup Administrator role but a viable stepping stone to RCE. Review Veeam backup-administrator least-privilege at the same time.
  • Refresh residential-proxy detection logic post-Asocks takedown. Asocks joins a recent sequence of disrupted networks (SocksEscort, Aisuru/Kimwolf, FirstVPN, IPIDEA, RapperBot per Risky Bulletin); retune CGNAT / consumer-ISP-RDNS correlation rules on M365 / Entra ID sign-in logs and on VPN concentrator authentication.

Migrated from briefs/2026-05-29.md (v2).

← Operations dashboard · day page 2026-05-29 · run-record contract: docs/pipeline.md