Iranian APTs Weaponize Microsoft Teams, Palo Alto Firewall Zero-Day Exploited, and Massive Education Data Breaches Unfold

MuddyWater APT Leverages Microsoft Teams and False Flag Ransomware Tactics for Data Exfiltration

The Iranian state-sponsored advanced persistent threat (APT) group MuddyWater, also known as Mango Sandstorm, is conducting a sophisticated espionage campaign disguised as a ransomware attack. First observed in early 2026, the operation uses social engineering via Microsoft Teams to trick victims into revealing credentials during interactive screen-sharing sessions, bypassing MFA. Instead of encrypting files, the attackers deploy remote management tools like DWAgent and AnyDesk to exfiltrate data and establish long-term persistence. The campaign, attributed to MuddyWater with moderate confidence, targets organizations of strategic interest to Iran across the U.S., Europe, APAC, and the Middle East, using criminal tactics and off-the-shelf tools to obscure its state-sponsored origins.

MuddyWaterMango SandstormMicrosoft TeamsFalse FlagEspionage +4 more

Iranian APT MuddyWater Masquerades as Ransomware Group in Microsoft Teams-Based Espionage Campaign

Mirai Variant 'xlabs_v1' Builds DDoS Botnet by Hijacking IoT Devices with Exposed ADB Ports

New 'xlabs_v1' Botnet, a Mirai Derivative, Targets Exposed Android Debug Bridge (ADB) on IoT Devices for DDoS-for-Hire Service

A new DDoS botnet derived from the Mirai source code, named 'xlabs_v1', is actively compromising internet-exposed IoT and Android devices. The malware exploits open Android Debug Bridge (ADB) ports on TCP port 5555 to infect devices like Android TV boxes, smart TVs, and routers. Researchers at Hunt.io discovered the botnet's infrastructure, which hosts multi-architecture builds of the malware, indicating a wide range of targets. The botnet, operated by an actor named 'Tadashi', appears to be a DDoS-for-hire service, with specific attack vectors designed for gaming servers like Minecraft. The malware employs evasion techniques, including renaming itself to common system processes and terminating competing malware, to maintain control over the compromised devices.

Miraixlabs_v1BotnetDDoSIoT +4 more

Mirai Variant 'xlabs_v1' Builds DDoS Botnet by Hijacking IoT Devices with Exposed ADB Ports

Malicious PyPI Packages Use Zulip Chat App for C2 to Deploy 'ZiChatBot' Malware

'ZiChatBot' Malware Delivered via PyPI Abuses Zulip Chat APIs for Command and Control, OceanLotus APT Suspected

Researchers have discovered three malicious packages on the Python Package Index (PyPI) that deploy a novel malware called 'ZiChatBot' on both Windows and Linux systems. The malware distinguishes itself by using the REST APIs of the Zulip team chat application for its command-and-control (C2) communications, a technique that helps it evade detection by blending in with legitimate traffic. The malicious packages, named `uuid32-utils`, `colorinal`, and `termncolor`, were active on PyPI in July 2025. Based on code analysis, the campaign is suspected to be the work of the OceanLotus APT group, suggesting a possible shift in their tactics towards supply chain attacks. The packages and the associated Zulip organization have since been removed.

ZiChatBotOceanLotusAPT32PyPISupply Chain Attack +3 more

Malicious PyPI Packages Use Zulip Chat App for C2 to Deploy 'ZiChatBot' Malware

A Dozen Critical Sandbox Escape Flaws Found in Popular 'vm2' Node.js Library

CRITICAL

Twelve Critical Sandbox Escape Vulnerabilities Disclosed in vm2 Node.js Library, Enabling Arbitrary Code Execution

A dozen critical security vulnerabilities have been discovered in 'vm2', a popular Node.js library used for running untrusted code in a sandboxed environment. The flaws, several of which are rated 9.8 (Critical) on the CVSS scale, allow an attacker to bypass the sandbox's protections and execute arbitrary code on the host system. The affected versions are up to 3.10.4. The maintainer has released patches in version 3.11.2 and is urging all users to update immediately. Key vulnerabilities include CVE-2026-24118, CVE-2026-24120, CVE-2026-24781, and CVE-2026-26332. This discovery highlights the inherent difficulty and risk associated with creating secure JavaScript sandboxes.

vm2Node.jsSandbox EscapeVulnerabilityRCE +4 more

A Dozen Critical Sandbox Escape Flaws Found in Popular 'vm2' Node.js Library

IBM's Italian Subsidiary, a Key Infrastructure Provider, Hit by Cyberattack; China-Linked Salt Typhoon Suspected

Suspected Salt Typhoon APT Group Targets IBM's Italian IT Provider Subsidiary in Major Cyberattack

Sistemi Informativi, an Italian IT infrastructure provider wholly owned by IBM, was hit by a significant cyberattack in late April 2026. The company manages IT systems for numerous Italian public agencies and private sector clients, making the incident a serious threat to national digital infrastructure. While IBM has confirmed and contained the breach, the full scope remains undisclosed. Investigative reports and intelligence sources suggest the attack may have been carried out by Salt Typhoon, a sophisticated cyber espionage group linked to China. Salt Typhoon is known for targeting critical infrastructure and leveraging exploits in network devices, aligning with the profile of this attack.

Salt TyphoonIBMSistemi InformativiCyberattackSupply Chain Attack +4 more

IBM's Italian Subsidiary, a Key Infrastructure Provider, Hit by Cyberattack; China-Linked Salt Typhoon Suspected

ESA Hosts Industry Workshop to Develop Standardized Cybersecurity for Space Systems

INFORMATIONAL

European Space Agency Leads Initiative to Create Off-the-Shelf Cybersecurity Products for Future Space Missions

The European Space Agency (ESA) is holding a cybersecurity workshop on May 7, 2026, to address the escalating cyber threats against space infrastructure. As space systems increasingly use commercial off-the-shelf components and are more interconnected, their vulnerability to attack has grown. The workshop, part of ESA's General Support Technology Programme (GSTP), aims to foster collaboration between the agency and industry partners to create a security reference architecture. The goal is to develop a set of standardized, modular cybersecurity 'building blocks' that can be used in future space missions to improve security, reduce costs, and ensure compliance with emerging regulations like the EU Space Act.

ESASpace SecurityCybersecurityPolicyGSTP +2 more

ESA Hosts Industry Workshop to Develop Standardized Cybersecurity for Space Systems

Accenture Invests in AI-Powered Offensive Security Platform XBOW

INFORMATIONAL

Accenture Makes Strategic Investment in XBOW to Advance Autonomous, AI-Driven Offensive Security Testing

Accenture has made a strategic investment in XBOW, a platform that utilizes agentic AI to perform autonomous cybersecurity testing and exposure management. The investment, made through Accenture Ventures, also establishes a partnership to integrate XBOW's capabilities into Accenture's Cyber.AI solution. The collaboration aims to help clients proactively manage their security posture against the backdrop of increasingly sophisticated AI-driven cyber threats. By combining human expertise with AI agents, Accenture seeks to shift security operations from human-speed to a continuous, machine-speed model, addressing the gap between the rapid adoption of AI and the slower pace of securing it.

AccentureXBOWAIArtificial IntelligenceOffensive Security +3 more

Accenture Invests in AI-Powered Offensive Security Platform XBOW

Orange Cyberdefense Becomes an Authorized CVE Numbering Authority (CNA)

INFORMATIONAL

Orange Cyberdefense Joins Global Cybersecurity Program as a CVE Numbering Authority

Orange Cyberdefense, a major European cybersecurity services firm, has been officially authorized as a CVE Numbering Authority (CNA). This designation, granted by the international Common Vulnerabilities and Exposures (CVE) Program, empowers Orange Cyberdefense to assign CVE identifiers to vulnerabilities. The company can now issue CVE IDs for flaws found in its own products and, significantly, for vulnerabilities its research teams discover in third-party products. This move enhances the company's role in the global security ecosystem, allowing it to streamline the coordinated disclosure process and provide greater risk visibility to its clients and the broader community.

Orange CyberdefenseCNACVEVulnerability DisclosurePolicy

3 min read

Orange Cyberdefense Becomes an Authorized CVE Numbering Authority (CNA)

Updated Articles (4)

Instructure Confirms Massive Breach; ShinyHunters Claims 275 Million User Records from Canvas LMS

Educational Tech Giant Instructure Hit by Major Data Breach, ShinyHunters Threatens to Leak Data of 275 Million Users

The notorious ShinyHunters group has further substantiated its claims regarding the Instructure Canvas LMS breach by providing a list of 8,809 affected educational institutions. This update highlights the increased risk of identity theft and targeted phishing, particularly for the millions of affected students, including minors. New recommendations include immediate credit freezes for minors and heightened vigilance against scams. The incident's aftermath emphasizes the need for robust user awareness and proactive identity protection measures.

May 4, 2026

InstructureCanvasShinyHuntersData BreachEducation +2 more

Instructure Confirms Massive Breach; ShinyHunters Claims 275 Million User Records from Canvas LMS

Vimeo Data Exposed in Supply-Chain Attack on Vendor Anodot; ShinyHunters Implicated

Vimeo Confirms User Data Exposure Following Breach at Third-Party Analytics Vendor Anodot

The notorious ShinyHunters group has publicly leaked a 106GB data archive allegedly stolen from Anodot, which includes data from Vimeo. The breach notification service Have I Been Pwned has indexed this data, confirming the exposure of 119,000 unique Vimeo user email addresses, along with names and technical metadata. This leak provides concrete evidence of the breach's scale and increases the risk of targeted phishing for affected users.

May 4, 2026

VimeoAnodotShinyHuntersSupply Chain AttackData Breach +2 more

Vimeo Data Exposed in Supply-Chain Attack on Vendor Anodot; ShinyHunters Implicated

Critical Palo Alto Networks Zero-Day (CVE-2026-0300) Actively Exploited for RCE

CRITICAL

Palo Alto Networks Warns of Unpatched PAN-OS Zero-Day Vulnerability Under Active Attack

New details on the active exploitation of CVE-2026-0300 attribute the attacks to a sophisticated state-sponsored threat actor. This actor has been observed deploying backdoors, enumerating Active Directory, and utilizing network tunneling tools like EarthWorm and ReverseSocks5 for persistent access. Palo Alto Networks has responded by releasing specific threat prevention signatures (ID 95187) to aid customers in detecting and blocking exploitation attempts, providing an immediate mitigation beyond just restricting portal access. The exploitation timeline indicates probing began around April 9, 2026.

May 6, 2026

CVE-2026-0300Zero-DayPalo Alto NetworksPAN-OSRCE +3 more

Critical Palo Alto Networks Zero-Day (CVE-2026-0300) Actively Exploited for RCE

CloudZ RAT Exploits Windows Phone Link to Intercept SMS and OTPs from Phones

New CloudZ RAT Campaign Abuses Microsoft Phone Link to Steal OTPs Without Infecting Mobile Device

This update provides additional technical details for detecting the CloudZ RAT campaign. New cyber observables include specific file paths (%LOCALAPPDATA%\Packages\Microsoft.YourPhone_...\LocalState) and process names (YourPhone.exe, PhoneExperienceHost.exe, ScreenConnect.ClientService.exe) to monitor for suspicious activity. The article also offers a more structured breakdown of MITRE ATT&CK techniques, such as T1036.005 for defense evasion and T1555.004 for credential access, enhancing understanding of the threat actor's tactics. Mitigation advice is also explicitly linked to MITRE mitigations M1032 and M1049.

May 6, 2026