Active Zero-Day Exploits Target Microsoft Defender & Windows; Widespread Supply Chain Attacks Hit Open-Source Ecosystems

The 'MiniPlasma' Windows zero-day, previously reported with a public PoC, is now confirmed to be actively exploited in the wild. This escalation significantly increases the threat level, as attackers are leveraging the vulnerability to gain SYSTEM privileges on fully patched Windows 11 and Server systems. Organizations should be aware that the exploit is being integrated into malicious toolkits. A new, high-impact mitigation involves disabling the `cldflt` service for systems not utilizing cloud file services, which can prevent exploitation but requires careful testing due to potential system instability. Enhanced behavioral monitoring remains critical.

This update details additional breaches impacting the healthcare sector, bringing the total to at least nine HIPAA-regulated entities. Notably, the University of Nebraska Medical Center (UNMC) disclosed a breach affecting 26,937 individuals due to an exploited vulnerability in third-party REDCap software, with attacker access from September 2023 to February 2026. Singing River Health System also reported a hacking incident. These new disclosures expand the scope of the ongoing wave of attacks, increasing the total number of exposed patient records to tens of thousands and highlighting diverse attack vectors including software vulnerabilities.

Microsoft has confirmed that over 1,000 malicious code-signing certificates associated with the Fox Tempest Malware-Signing-as-a-Service (MSaaS) platform were revoked as part of the recent takedown operation. This specific number highlights the scale of the disruption, significantly invalidating the 'disguise' used by various ransomware groups, including Qilin and Akira. The revocation forces these criminal groups to find new, more difficult methods to legitimize their code, increasing their operational costs and reducing the effectiveness of their initial attack vectors. This action further degrades the capabilities of threat actors relying on fraudulently signed malware.

A new report from CYFIRMA confirms that the Aur0ra ransomware explicitly deletes Volume Shadow Copies using the command `vssadmin.exe Delete Shadows /all /quiet` to hinder recovery efforts. This provides a more concrete indicator for detection and response. The report also reiterates the dual-extortion model, the stealthy encryption without filename changes, and its targeting of Windows systems across global industries. This update reinforces the technical understanding of Aur0ra's defense evasion tactics.

Microsoft has deployed emergency security updates to address the actively exploited CVE-2026-41091 and CVE-2026-45498 vulnerabilities in Microsoft Defender. These patches are rolling out automatically, but administrators should verify successful deployment. For CVE-2026-41091, ensure the Malware Protection Engine is newer than version 1.1.26030.3008. For CVE-2026-45498, the Antimalware Platform should be newer than 4.18. CISA has also set a mandatory patching deadline of June 3, 2026, for federal agencies. Immediate application of these updates is crucial to mitigate the risk of compromise.