Executive Summary
The 24-hour window ending 2026-05-06 23:59 UTC is dominated by three converging pressures: continued mass exploitation of the critical cPanel authentication bypass (CVE-2026-41940) now confirmed against government and MSP networks, a freshly KEV-catalogued Linux privilege escalation ("Copy Fail," CVE-2026-31431) that converts any local foothold into root across virtually all Linux distributions, and active deployment of Windows zero-click NTLM credential coercion (CVE-2026-32202) by the Russian state-linked group APT28 against Ukrainian and EU government targets. Iranian-affiliated actors (CyberAv3ngers) continue to disrupt U.S. critical infrastructure PLCs, and a cross-ecosystem open-source supply chain campaign (Mini Shai-Hulud / Team PCP) has again struck the PyPI ecosystem targeting AI/ML developer credentials. Two further threads — China-nexus covert device networks (Salt Typhoon) and APT37's Android BirdCall backdoor — add to an already high-pressure environment.
Top Priorities:
- CVE-2026-41940 (cPanel CVSS 9.8) is under mass multi-actor exploitation targeting government, MSP, and hosting networks. Upgrade to cPanel 11.118.0.22 or later immediately; block ports 2083, 2087, 2095, 2096 at the perimeter for any unpatched instance. Treat any cPanel instance internet-accessible since February 23, 2026 as potentially compromised.
- CVE-2026-32202 (Windows zero-click NTLM coercion, APT28) remains exploitable on unpatched Windows systems. Apply KB5083769 (Windows 11 24H2/25H2) without delay; CISA federal deadline is 2026-05-12.
- CVE-2026-31431 "Copy Fail" (Linux LPE, CVSS 7.8) is confirmed exploited in the wild and on the CISA KEV catalog. Patch all Linux hosts by 2026-05-15; prioritise cloud, CI/CD, and Kubernetes nodes where unprivileged user access is possible.
- Iranian-affiliated APT (CyberAv3ngers) is actively disrupting PLCs in U.S. water, energy, and government sectors. Remove all Rockwell/Allen-Bradley PLCs from internet exposure immediately.
- PyTorch Lightning versions 2.6.2 and 2.6.3 (PyPI) were trojanised and deliver a credential stealer targeting GitHub tokens, cloud credentials, and CI/CD secrets. Any environment that installed these versions should be treated as compromised pending rotation of all secrets.
Threat Level: CRITICAL
Threat Landscape Overview
| # | Threat Cluster | Severity | Target Sectors | Attribution | Status |
|---|---|---|---|---|---|
| 1 | CVE-2026-41940 — cPanel Authentication Bypass | CRITICAL | Web Hosting, Government, MSPs, Technology | Multiple (criminal + nation-state aligned) | Actively Exploited — Multi-Actor |
| 2 | CVE-2026-32202 — Windows Zero-Click NTLM Coercion | CRITICAL | Government, Defence, Energy (Ukraine/EU) | APT28 / Forest Blizzard (Russia-linked) | Actively Exploited |
| 3 | CVE-2026-31431 "Copy Fail" — Linux Kernel LPE | HIGH | All Linux environments (cloud, CI/CD, Kubernetes) | Multiple — broad opportunistic exploitation | Confirmed Exploited — KEV Listed |
| 4 | Iranian APT PLC Campaign (CyberAv3ngers) | HIGH | Water/Wastewater, Energy, Government Facilities | CyberAv3ngers / Storm-0784 (Iran-IRGC linked) | Ongoing — Disruptions Confirmed |
| 5 | Mini Shai-Hulud Supply Chain (Team PCP) — PyPI | HIGH | AI/ML Developers, DevOps, CI/CD Pipelines | Team PCP (attribution developing) | Quarantined — Post-Compromise Triage Required |
| 6 | China-Nexus Covert Device Networks (AA26-113A) | HIGH | Telecoms, Government, Critical Infrastructure | Salt Typhoon / Multiple China MSS-linked actors | Ongoing — Persistent Campaign |
| 7 | APT37 BirdCall Android Backdoor (Supply Chain) | MEDIUM | Consumers, Game Platform Users | APT37 / Reaper (North Korea-linked) | Active Delivery |
| 8 | Qilin / Gentlemen Ransomware Escalation | MEDIUM | Cross-Sector (US Focus) | Financially motivated criminal groups | Elevated Activity |
Campaign Deep-Dives
3.1 CVE-2026-41940 — cPanel & WHM Critical Authentication Bypass
Actor: Multiple threat actors. Attack efforts traced to IP 95.111.250[.]175, with operations targeting Philippine and Lao government/military domains alongside MSPs and hosting providers. Ransomware deployment indicates financially motivated criminal actors alongside possible nation-state-aligned operators.
Malware Family: Go-based Linux file encryptor (appends .sorry extension).
First Observed: Exploitation began approximately 2026-02-23 (zero-day period); formal patch released 2026-04-28; CISA KEV addition 2026-05-01.
CVE-2026-41940 is a pre-authentication remote authentication bypass in cPanel & WHM with a CVSS score of 9.8. The root cause is a CRLF injection vulnerability in the cPanel session writer that, when chained with a malformed cookie, causes the session loader to skip encryption verification. By injecting a crafted \r\n sequence into the session file, an unauthenticated attacker can insert privileged key-value pairs (hasroot=1, user=root, tfa_verified=1) that the session parser interprets as legitimate elevated-privilege session attributes.
Approximately 1.5 million internet-exposed cPanel instances were vulnerable at the time of patch release. As of reporting, Censys has identified 8,859 hosts exposing open directories with filenames ending in .sorry, with 7,135 confirmed as cPanel/WHM instances — providing direct evidence of large-scale automated exploitation. Multiple threat actor clusters are now exploiting this vulnerability, lowering the barrier further as public PoC code is widely available. This vulnerability was a true zero-day for approximately two months before vendor patch release.
TTPs (MITRE ATT&CK): T1190 (Exploit Public-Facing Application), T1078 (Valid Accounts), T1486 (Data Encrypted for Impact), T1083 (File and Directory Discovery), T1005 (Data from Local System), T1070.006 (Indicator Removal: Timestomp).
Observed behaviours:
- Pre-authentication access to /json-api/version returning privileged cPanel build data, confirming successful auth bypass
- Creation of session files under /var/cpanel/sessions/raw/ with embedded \r\n bytes in the pass= field
- Subsequent hasroot=1 or user=root key-value pairs injected into the session
- Web defacement activity; deployment of the Go-based .sorry ransomware encryptor
- Outbound connections from the cPanel host to attacker-controlled infrastructure
Technical mechanism:
- The attacker crafts a malformed HTTP cookie containing a CRLF sequence (%0d%0a) in the session identifier field.
- cPanel's HTTPS daemon (cpsrvd) writes the attacker-supplied session cookie value to /var/cpanel/sessions/raw/<session_id>.
- The CRLF causes the session file to contain a line break, injecting a second key-value pair (e.g., hasroot=1) on a new line below the pass= field.
- An encryption-skip quirk triggered by the malformed cookie causes cPanel to load the session without decryption verification.
- The session cache "promotes" the injected parameters, granting an authenticated privileged session.
- The attacker accesses /json-api/ endpoints with root-level privileges, enabling full server compromise.
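The behavioural IOC for this mechanism is the session file itself: a pass= record whose value is terminated by a carriage return, with a privileged key on the very next line. The script below is an added triage example for this report, not cPanel's own code; it assumes the files under /var/cpanel/sessions/raw/ are LF-separated key=value records, that a healthy cPanel never writes a CR byte into them, and that an injected privileged pair lands directly after the pass= record as described above. The two sample session files are constructed.

```python
"""Triage raw cPanel session files for the CVE-2026-41940 injection pattern.

Added example for this report; it is not cPanel's own code. Assumptions:
the files under /var/cpanel/sessions/raw/ are LF-separated key=value records,
a legitimate pass= value never contains CR or LF, and in an injected file the
privileged pair lands on the line directly after pass=.
"""
from pathlib import Path

SESSION_DIR = "/var/cpanel/sessions/raw"

# Privileged attributes named in reporting on this CVE
PRIVILEGED_PAIRS = {("hasroot", "1"), ("user", "root"), ("tfa_verified", "1")}

# Constructed samples: a normal session and one carrying the CRLF injection
SAMPLE_BENIGN = b"user=alice\npass=$6$hashedvalue\ntfa_verified=0\n"
SAMPLE_INJECTED = b"user=alice\npass=junk\r\nhasroot=1\n"


def analyse_session(data: bytes) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    if b"\r" in data:
        findings.append("carriage return present (assumed never written by a healthy cPanel)")
    pass_count = 0
    previous_was_pass = False
    for raw in data.split(b"\n"):
        line = raw.rstrip(b"\r")
        key, sep, value = line.partition(b"=")
        if not sep:
            previous_was_pass = False
            continue
        key_s = key.decode("utf-8", "replace")
        value_s = value.decode("utf-8", "replace")
        if key_s == "pass":
            pass_count += 1
            if pass_count > 1:
                findings.append("duplicate pass= record")
            if raw.endswith(b"\r"):
                findings.append("pass= value terminated by CR: CRLF injection signature")
            previous_was_pass = True
            continue
        if previous_was_pass and (key_s, value_s) in PRIVILEGED_PAIRS:
            findings.append(f"privileged pair {key_s}={value_s} directly follows pass=")
        previous_was_pass = False
    return findings


def scan_directory(session_dir: str = SESSION_DIR) -> dict:
    """Map file name -> findings for every suspicious session file in session_dir."""
    results = {}
    base = Path(session_dir)
    if not base.is_dir():
        return results
    for path in sorted(base.iterdir()):
        if path.is_file():
            findings = analyse_session(path.read_bytes())
            if findings:
                results[path.name] = findings
    return results


if __name__ == "__main__":
    for label, sample in (("benign", SAMPLE_BENIGN), ("injected", SAMPLE_INJECTED)):
        print(label, analyse_session(sample))
    for name, findings in scan_directory().items():
        print(name, findings)
```

Run it as root on the cPanel host (or against a copied session directory during forensic review); a legitimate WHM root session that lists user=root before pass= is not flagged, because the check keys on the pair following pass=, which is where the injection lands.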
3.2 CVE-2026-32202 — Windows Zero-Click NTLM Credential Coercion (APT28)
Actor: APT28 / Forest Blizzard / Fancy Bear / Sednit • Russia-linked, assessed with high confidence to be the Russian GRU's 85th GTsSS unit.
Malware Family: LNK-based weaponised shortcut files; Net-NTLMv2 hash capture infrastructure.
First Observed: APT28 exploitation of predecessor CVE-2026-21510 detected January 2026; CVE-2026-32202 (residual flaw) confirmed exploited from at least April 2026.
CVE-2026-32202 is a zero-click Windows Shell vulnerability arising from an incomplete Microsoft patch for CVE-2026-21510, an APT28-exploited zero-day patched in February 2026. While Microsoft's February fix blocked the original remote code execution component, it left behind a zero-click NTLM authentication coercion primitive. The flaw was patched again in April's Patch Tuesday (KB5083769) but was not marked as exploited at the time — resulting in over two weeks during which security teams had no formal signal to apply it with urgency.
APT28 has been confirmed targeting Ukrainian government networks and several EU member states. The attack chain requires no user interaction beyond opening a folder in Windows Explorer containing a malicious LNK file. The victim's NTLMv2 hash is captured by an attacker-controlled server and can subsequently be used for offline cracking or NTLM relay attacks against other internal systems.
CISA added CVE-2026-32202 to its KEV catalog on approximately April 29, 2026, with a federal agency remediation deadline of 2026-05-12.
TTPs (MITRE ATT&CK): T1187 (Forced Authentication), T1557.001 (LLMNR/NBT-NS Poisoning and SMB Relay), T1550.002 (Pass the Hash), T1566.001 (Spearphishing Attachment), T1204.002 (Malicious File), T1083 (File and Directory Discovery).
Technical mechanism:
- Victim receives a weaponised LNK file via email or file share.
- When the containing folder is opened in Windows Explorer, Explorer automatically renders the LNK icon and resolves any embedded UNC path (e.g., \\185.x.x.x\share\icon.ico).
- Windows initiates an outbound SMB (TCP/445) connection to the attacker-controlled IP.
- Windows automatically sends the victim's NTLMv2 authentication challenge-response to the attacker's server.
- The attacker captures the NTLMv2 hash without any further interaction from the victim.
- The hash is cracked offline or relayed to internal Windows services (LDAP, SMB) for lateral movement.
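For triage of a mailbox attachment or a file share during an investigation, the question is simply whether a shortcut references a UNC host outside the network. The scanner below is an added example for this report, not Microsoft's or any vendor's code. It assumes that the UNC path is stored in the shortcut as UTF-16LE (MS-SHLLINK StringData) or ANSI (LinkInfo) text, so a string sweep over both encodings is enough for a yes/no first pass without a full shortcut parser, and that sources in RFC1918, loopback and link-local space are internal. Hostname-based UNC paths are left out because judging them requires name resolution. The fixture builder produces a constructed header-plus-bytes blob that is not a usable shortcut; it only exercises the scanner offline.

```python
"""First-pass triage of .lnk files for UNC references to external IPv4 hosts.

Added example for this report; not Microsoft's or any vendor's code.
"""
import ipaddress
import re
import struct

LNK_HEADER_SIZE = 0x4C  # HeaderSize, also the first four bytes of every shortcut
# LinkCLSID {00021401-0000-0000-C000-000000000046} in on-disk (little-endian) order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# \\A.B.C.D\share\path... ; the path part stops at NUL or whitespace
UNC_RE = re.compile(r"\\\\(\d{1,3}(?:\.\d{1,3}){3})(\\[^\x00\s]*)?")


def is_lnk(data: bytes) -> bool:
    """Cheap header check: HeaderSize == 0x4C followed by the fixed LinkCLSID."""
    return (len(data) >= LNK_HEADER_SIZE
            and struct.unpack_from("<I", data, 0)[0] == LNK_HEADER_SIZE
            and data[4:20] == LNK_CLSID)


def is_external_ipv4(text: str) -> bool:
    try:
        ip = ipaddress.IPv4Address(text)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def find_remote_unc(data: bytes) -> list:
    """Sweep the ANSI view and both UTF-16LE alignments for UNC paths to external hosts."""
    views = (data.decode("latin-1"),
             data.decode("utf-16-le", "ignore"),
             data[1:].decode("utf-16-le", "ignore"))
    hits = set()
    for text in views:
        for match in UNC_RE.finditer(text):
            if is_external_ipv4(match.group(1)):
                hits.add(match.group(0))
    return sorted(hits)


def triage_lnk(data: bytes) -> dict:
    if not is_lnk(data):
        return {"is_lnk": False, "remote_unc": []}
    return {"is_lnk": True, "remote_unc": find_remote_unc(data)}


def build_fixture(unc_path: str) -> bytes:
    """Constructed test input: a valid header followed by the path as raw UTF-16LE.

    Not a usable shortcut (no LinkFlags, no StringData length prefix); it exists
    only so the scanner can be exercised offline.
    """
    padding = b"\x00" * (LNK_HEADER_SIZE - 4 - len(LNK_CLSID))
    return (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + padding
            + unc_path.encode("utf-16-le"))


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        with open(name, "rb") as fh:
            print(name, triage_lnk(fh.read()))
```

Any hit is a reason to pull the originating e-mail or share, correlate against DET-01 for the endpoint that opened the folder, and treat the affected account's NTLMv2 credential as exposed.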
3.3 CVE-2026-31431 "Copy Fail" — Linux Kernel Universal Local Privilege Escalation
Actor: Multiple — broad opportunistic exploitation by criminal threat actors and likely nation-state post-exploitation chains. First disclosed by Theori researchers.
Malware Family: No dedicated malware family — used as a privilege escalation step within existing attack chains. A public 732-byte Python PoC achieves root in a single execution.
CVE-2026-31431, nicknamed "Copy Fail," is a logic bug in the Linux kernel's authencesn cryptographic template. It is the intersection of three independent kernel changes: the addition of authencesn in 2011, the introduction of AF_ALG AEAD socket support in 2015, and an in-place processing optimisation in algif_aead.c in 2017. Together, these create a controlled 4-byte write primitive into the page cache of any readable file on the system.
Unlike previous Linux LPE vulnerabilities such as Dirty Cow or Dirty Pipe, Copy Fail is entirely deterministic — it does not require winning a race condition. The same 732-byte Python exploit executes reliably across virtually all major Linux distributions (Ubuntu, RHEL/AlmaLinux, SUSE, Debian, Amazon Linux 2023) running kernels compiled from 2017 onward. The attack modifies a setuid binary in memory to obtain root without leaving persistent filesystem artefacts. The threat is particularly severe in cloud, CI/CD, and Kubernetes environments where workloads routinely run as regular unprivileged users and share kernel space. CISA federal agency remediation deadline is 2026-05-15.
TTPs (MITRE ATT&CK): T1068 (Exploitation for Privilege Escalation), T1611 (Escape to Host), T1055 (Process Injection), T1548.001 (Setuid and Setgid).
3.4 Iranian-Affiliated APT PLC Campaign (CyberAv3ngers / Storm-0784)
Actor: CyberAv3ngers / Shahid Kaveh Group / Storm-0784 / Bauxite / UNC5691 • Assessed with high confidence to be affiliated with Iran's IRGC Cyber Electronic Command (IRGC-CEC).
Campaign active: March 2026 — present • Joint advisory AA26-097A issued by FBI, CISA, NSA, EPA, DOE, and U.S. Cyber Command.
Since at least March 2026, Iranian-affiliated actors have been conducting targeted intrusions against internet-exposed Rockwell Automation and Allen-Bradley PLCs across multiple U.S. critical infrastructure sectors. The campaign is notable for its operational simplicity: rather than exploiting novel CVEs, threat actors are directly accessing internet-exposed PLCs using legitimate vendor software (Rockwell Studio 5000 Logix Designer) and the EtherNet/IP protocol. This approach requires no zero-day knowledge, is difficult to distinguish from authorised engineering access, and causes immediate physical-process disruption.
Censys researchers identified 5,219 internet-exposed hosts globally responding to EtherNet/IP on TCP port 44818 that self-identify as Rockwell Automation/Allen-Bradley devices, with the United States accounting for 74.6% of global exposure (3,891 hosts). Confirmed incidents have resulted in operational disruption and financial loss. The campaign is assessed to be geopolitically motivated, likely in response to ongoing US-Iran and Israel-Iran hostilities.
TTPs (MITRE ATT&CK ICS): T0883 (Internet Accessible Device), T0856 (Spoof Reporting Message), T0836 (Modify Parameter), T0806 (Brute Force I/O), T0840 (Network Connection Enumeration), T0888 (Remote System Information Discovery).
C2 infrastructure: 185.82.73.0/24 subnet (multi-homed Windows engineering workstation running Rockwell toolchain); staging at 135.136.1.133 (AS9009 / M247 Romania). Active on ports 44818 (EtherNet/IP), 2222, 102 (S7comm), 22 (SSH), 502 (Modbus).
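Because the actors use a legitimate engineering tool over the normal EtherNet/IP port, the most reliable discriminator is the source of the connection rather than its content. The matcher below is an added example for this report, not from the advisory or any vendor; it assumes netfilter-style perimeter log lines carrying SRC=/DST=/PROTO=/SPT=/DPT= fields as the kernel LOG target writes them, treats RFC1918, loopback and link-local sources as internal and everything else as internet-sourced, and uses only the OT ports and IOC ranges listed in this section. All log lines are constructed.

```python
"""Match netfilter-style perimeter logs against the OT exposure pattern and IOC ranges.

Added example for this report; not from the advisory or any vendor.
"""
import ipaddress
import re

# Ports named in this section; 2222 is listed in the campaign activity without a protocol label
OT_PORTS = {44818: "EtherNet/IP", 502: "Modbus", 102: "S7comm", 2222: "TCP/2222 (listed in campaign)"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# Network IOCs from this section
IOC_NETS = [ipaddress.ip_network(n) for n in ("185.82.73.0/24", "135.136.1.133/32")]

LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) .*?PROTO=(\w+) SPT=(\d+) DPT=(\d+)")

# Constructed log lines: IOC-range source, other internet source, internal engineering
# workstation, and an unrelated HTTPS connection
SAMPLE_LOG = """\
May  6 09:12:01 fw1 kernel: OT-IN: IN=eth0 OUT=eth1 SRC=185.82.73.10 DST=10.20.30.40 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4021 DF PROTO=TCP SPT=51230 DPT=44818 WINDOW=64240 RES=0x00 SYN URGP=0
May  6 09:12:07 fw1 kernel: OT-IN: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=10.20.30.41 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=4022 DF PROTO=TCP SPT=40001 DPT=502 WINDOW=64240 RES=0x00 SYN URGP=0
May  6 09:13:00 fw1 kernel: OT-IN: IN=eth2 OUT=eth1 SRC=192.168.10.5 DST=10.20.30.40 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4023 DF PROTO=TCP SPT=50110 DPT=44818 WINDOW=64240 RES=0x00 SYN URGP=0
May  6 09:13:30 fw1 kernel: OT-IN: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=10.20.30.50 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=4024 DF PROTO=TCP SPT=44444 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
"""


def classify(line: str):
    """Return a finding dict for a TCP connection to an OT port, or None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, dst, proto, _spt, dpt = m.groups()
    dpt = int(dpt)
    if proto != "TCP" or dpt not in OT_PORTS:
        return None
    try:
        src_ip = ipaddress.ip_address(src)
    except ValueError:
        return None
    internal = any(src_ip in net for net in INTERNAL_NETS)
    ioc = any(src_ip in net for net in IOC_NETS)
    severity = "critical" if ioc else ("high" if not internal else "info")
    return {"src": src, "dst": dst, "port": dpt, "protocol": OT_PORTS[dpt],
            "internet_sourced": not internal, "ioc_match": ioc, "severity": severity}


def classify_all(text: str) -> list:
    return [f for f in (classify(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in classify_all(SAMPLE_LOG):
        print(finding["severity"].upper(), finding)
```

The "info" tier is deliberate: an internal engineering workstation reaching a PLC is expected, but recording it gives the baseline needed to tune DET-05 against known engineering VPN egress addresses.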
3.5 Mini Shai-Hulud Supply Chain Campaign — PyTorch Lightning (Team PCP)
Actor: Team PCP • Attribution developing; suspected financially motivated threat actor with escalating open-source supply chain history. Previously attributed attacks include LiteLLM (March 24), Telnyx (March 27), and Xinference.
Malware Family: Obfuscated JavaScript credential stealer delivered via Python package; targets GitHub tokens, npm tokens, AWS/GCP/Azure credentials, Kubernetes secrets, Vault tokens, and CI/CD environment variables.
On April 30, 2026, threat actors associated with the "Mini Shai-Hulud" supply chain campaign compromised the PyPI package lightning (PyTorch Lightning), publishing versions 2.6.2 and 2.6.3 containing a hidden _runtime directory with an 11 MB obfuscated JavaScript credential stealer. The malware executes automatically on module import, requiring no additional user interaction. The attack was detected by Socket's Research Team 18 minutes after publication, with quarantine applied 42 minutes post-publication. However, given that lightning receives hundreds of thousands of downloads per day, even a 42-minute exposure window represents a substantial potential victim population. Simultaneously, the npm package intercom-client version 7.0.4 was compromised in a cross-ecosystem component of the same campaign.
TTPs (MITRE ATT&CK): T1195.001 (Supply Chain Compromise), T1552.001 (Credentials in Files), T1552.004 (Private Keys), T1059.007 (JavaScript), T1020 (Automated Exfiltration), T1567 (Exfiltration Over Web Service).
Observed behaviours:
- Hidden _runtime/ directory within the PyPI package containing router_runtime.js
- Automatic execution on import lightning; no user interaction required
- Exfiltration of environment variables, cloud credential files, SSH keys, CI/CD tokens
- GitHub repository poisoning: commits prefixed EveryBoiWeBuildIsAWormyBoi, repositories with description "A Mini Shai-Hulud has Appeared"
- npm propagation vector via a modified postinstall hook in package.json
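Post-compromise triage comes down to three questions: is a malicious release installed in this interpreter, is one pinned in a lock or requirements file that CI will install, and is the _runtime/router_runtime.js artefact present anywhere on disk. The script below is an added example for this report, not Socket's or the Lightning project's code; it assumes installed distributions are discoverable through importlib.metadata, that requirement and lock files pin with name==version, and that the artefact is always a file named router_runtime.js inside a directory named _runtime as reported above. The fixture directory it builds is constructed and contains placeholder text, not the malware.

```python
"""Check for the trojanised lightning releases and the _runtime/router_runtime.js artefact.

Added example for this report; not Socket's or the Lightning project's code.
"""
import re
import tempfile
from importlib import metadata
from pathlib import Path

MALICIOUS_VERSIONS = {"lightning": {"2.6.2", "2.6.3"}}  # PyPI releases named in this report
ARTEFACT_DIR, ARTEFACT_FILE = "_runtime", "router_runtime.js"
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][^\s;#]*)", re.M)


def normalize(name: str) -> str:
    """PEP 503 normalisation so Lightning, lightning and LIGHTNING compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def malicious_pins(requirements_text: str) -> list:
    """(name, version) pairs pinned in a requirements/lock file that match a malicious release."""
    return [(normalize(name), version)
            for name, version in PIN_RE.findall(requirements_text)
            if version in MALICIOUS_VERSIONS.get(normalize(name), set())]


def installed_malicious() -> list:
    """(name, version) for any malicious release installed in the current interpreter."""
    hits = []
    for dist in metadata.distributions():
        name = normalize(dist.metadata["Name"] or "")
        if dist.version in MALICIOUS_VERSIONS.get(name, set()):
            hits.append((name, dist.version))
    return hits


def find_artefacts(root: str) -> list:
    """Walk root and return every _runtime/router_runtime.js path found."""
    return sorted(str(p) for p in Path(root).rglob(ARTEFACT_FILE)
                  if p.parent.name == ARTEFACT_DIR)


def make_fixture_dir() -> str:
    """Constructed layout: one true artefact path and one decoy with the wrong parent directory."""
    root = Path(tempfile.mkdtemp(prefix="lightning-triage-"))
    real = root / "venv" / "lib" / "site-packages" / "lightning" / ARTEFACT_DIR / ARTEFACT_FILE
    decoy = root / "project" / "static" / ARTEFACT_FILE
    for path in (real, decoy):
        path.parent.mkdir(parents=True)
        path.write_text("// placeholder content for the fixture, not the malware\n")
    return str(root)


if __name__ == "__main__":
    print("installed:", installed_malicious())
    print("pinned:", malicious_pins("lightning==2.6.3\ntorch==2.3.0\n"))
    print("artefacts:", find_artefacts(make_fixture_dir()))
```

Run installed_malicious() inside every virtual environment and CI runner image, not just the system interpreter, and point find_artefacts() at home directories as well as site-packages, since the behavioural IOC table also names the .claude/ directory.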
3.6 China-Nexus Covert Device Networks (CISA AA26-113A / Salt Typhoon)
Actor: Salt Typhoon and affiliated China Ministry of State Security (MSS)-linked threat actors. Advisory AA26-113A jointly released by CISA, NCSC-UK, and international partners (April 23, 2026). Salt Typhoon has compromised 80+ countries across 200+ targets.
CISA and NCSC-UK's joint advisory documents a fundamental shift in China-nexus cyber actor tradecraft: the move from individually provisioned C2 infrastructure to large-scale "covert networks" of compromised edge devices (SOHO routers, IoT systems) to route cyber operations and obscure attribution. The majority of China-nexus threat actors are now assessed to be using these covert networks. Because the attacking IP addresses resolve to legitimate compromised devices belonging to other victims, traditional IP-based blocking and geolocation-based controls provide little defensive value. The campaign is ongoing and persistent; FBI has stated the Salt Typhoon threat remains "still very much ongoing" as of 2026.
TTPs (MITRE ATT&CK): T1584.008 (Compromise Infrastructure: Network Devices), T1090.003 (Multi-hop Proxy), T1071.001 (Web Protocols), T1040 (Network Sniffing), T1119 (Automated Collection), T1041 (Exfiltration Over C2 Channel).
3.7 APT37 BirdCall Android Backdoor — Game Platform Supply Chain
Actor: APT37 / Reaper / ScarCruft / Group123 • North Korea-linked, assessed with high confidence to be DPRK's Reconnaissance General Bureau.
Malware Family: BirdCall — Android backdoor delivered via trojanised application on a video game platform.
APT37 has been delivering an Android version of the BirdCall backdoor through a supply-chain attack targeting a video game platform. BirdCall provides full remote access capability on Android devices, enabling command execution, file exfiltration, microphone/camera access, and location tracking. The game platform vector is consistent with APT37's documented history of targeting South Korean and international users via consumer-facing software.
TTPs (MITRE ATT&CK Mobile): T1475 (Deliver Malicious App via Authorized App Store), T1430 (Location Tracking), T1433 (Access Call Log), T1432 (Access Contact List), T1513 (Screen Capture).
3.8 Qilin and Gentlemen Ransomware Groups — Elevated Activity
Actor: Qilin and Gentlemen — financially motivated cybercriminal ransomware-as-a-service operators. Gentlemen group emerged August 2025 and expanded from 35 victims in Q4 2025 to 182 in Q1 2026.
The ransomware threat landscape in early May 2026 continues at elevated "new normal" volumes with 53 groups claiming victims across the US in January–February 2026 alone. The Gentlemen group has surged to become the second most active ransomware group by victim count. A broader industry trend toward data-theft-only extortion (no encryption) is observable, reducing operational complexity for attackers while maintaining victim pressure. Tactics increasingly include DDoS, direct client harassment, and identity-first credential theft over active exploitation.
TTPs (MITRE ATT&CK): T1486 (Data Encrypted for Impact), T1537 (Transfer Data to Cloud Account), T1657 (Financial Theft), T1078 (Valid Accounts), T1190 (Exploit Public-Facing Application).
IOC Pack
IOCs sourced from public reporting. Recommended TTL: 7–14 days (retire by 2026-05-20). Validate before blocking.
File Hashes (SHA256)
No specific SHA256 hashes for the lightning PyPI malicious payload have been publicly confirmed in sourced reporting at time of writing. The PyPI registry quarantine removes the ability to independently verify hashes from the malicious versions. Refer to Socket.dev's advisory for any hashes released post-quarantine.
| Hash | Malware Family | Description | Source |
|---|---|---|---|
| Pending Socket.dev release | Mini Shai-Hulud / lightning 2.6.2–2.6.3 | PyPI package _runtime/router_runtime.js | Socket.dev advisory |
Network IOCs
| Type | Value | Campaign | Notes |
|---|---|---|---|
| IPv4 | 95.111.250[.]175 | CVE-2026-41940 cPanel exploitation | Primary attack source targeting Philippine/Lao government, MSP networks |
| IPv4 subnet | 185.82.73[.]0/24 | Iranian APT PLC Campaign (CyberAv3ngers) | Multi-homed Windows engineering workstation running Rockwell toolchain; block entire /24 |
| IPv4 | 135.136.1[.]133 | Iranian APT PLC Campaign | Staging server; AS9009 M247 Romania; provisioned for March 2026 attack window |
| Port | TCP/44818 | Iranian APT PLC Campaign | EtherNet/IP — primary attack vector for Rockwell PLC access |
| Port | TCP/502 | Iranian APT PLC Campaign | Modbus — secondary OT protocol used in PLC reconnaissance |
| Port | TCP/102 | Iranian APT PLC Campaign | S7comm — Siemens protocol observed in ICS scanning |
| Port | TCP/2083, 2087, 2095, 2096 | CVE-2026-41940 cPanel | cPanel/WHM service ports — block inbound for unpatched instances |
Package / Dependency IOCs
| Package Manager | Package | Malicious Version(s) | Safe Version | Notes |
|---|---|---|---|---|
| PyPI | lightning | 2.6.2, 2.6.3 | >= 2.6.4 (or latest clean release) | PyTorch Lightning compromised; automatic credential theft on import |
| npm | intercom-client | 7.0.4 | >= 7.0.5 (verify with vendor) | Cross-ecosystem component of Mini Shai-Hulud campaign |
CVEs — Actively Exploited in the Wild
| CVE | CVSS | Product | Exploited By | CISA KEV | Patch Deadline |
|---|---|---|---|---|---|
| CVE-2026-41940 | 9.8 | cPanel & WHM | Multiple criminal + nation-state actors | Yes | 2026-05-15 (FCEB); immediate for all |
| CVE-2026-32202 | HIGH (unscored) | Microsoft Windows Shell (Win 11 24H2, 25H2) | APT28 / Forest Blizzard | Yes | 2026-05-12 (FCEB) |
| CVE-2026-31431 | 7.8 | Linux Kernel (all distros, kernels ≥ 2017) | Multiple — broad exploitation | Yes | 2026-05-15 (FCEB) |
Behavioural IOCs / Suspicious Artefacts
| Type | Value | Campaign | Notes |
|---|---|---|---|
| File path | /var/cpanel/sessions/raw/* | CVE-2026-41940 cPanel | Inspect for embedded \r or \n in pass= field; hasroot=1 or user=root injection |
| File extension | .sorry | cPanel ransomware | Go-based Linux encryptor; appended to all encrypted files |
| Process behaviour | cpsrvd returning 200 after 401 on /login/?login_only=1 | CVE-2026-41940 | Sequence in access logs indicates successful auth bypass |
| UNC pattern | \\<external-IP>\<share>\*.ico or *.cpl | CVE-2026-32202 APT28 | UNC path embedded in LNK file; triggers zero-click NTLM coercion |
| Outbound port | TCP/445 to external IP from Windows endpoint | CVE-2026-32202 | SMB NTLM auth handshake to attacker server; should never traverse to internet |
| File path | _runtime/router_runtime.js within Python env or .claude/ directory | Mini Shai-Hulud supply chain | Presence confirms compromise of the lightning package; treat entire environment as compromised |
| Git commit prefix | EveryBoiWeBuildIsAWormyBoi | Mini Shai-Hulud | Commit message prefix used by campaign malware in poisoned GitHub repositories |
| Inbound port | TCP/44818 (EtherNet/IP) from internet | Iranian APT PLC | Any internet-sourced connection to this port on PLC hardware is malicious |
| User-agent | Studio 5000 Logix Designer from non-engineering IPs | Iranian APT PLC | Legitimate engineering tool used as attack vector; alert on use from unexpected source IPs |
KQL Hunting Queries
// HUNT-01: cPanel Session Injection Exploitation Attempts | Covers: CVE-2026-41940 | MITRE: T1190
// Hunt for monitored hosts initiating outbound connections to cPanel/WHM service ports on public IPs (exploitation scanning, or pivoting from an already compromised cPanel host)
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort in (2083, 2087, 2095, 2096)
| where RemoteIPType == "Public"
| where InitiatingProcessFileName in~ ("cpsrvd", "cpdavd", "bash", "sh", "python3")
| extend HostName = DeviceName
| project Timestamp, HostName, LocalIP, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
// HUNT-02: Zero-Click NTLM Coercion — Outbound SMB to External IPs | Covers: CVE-2026-32202 / APT28 | MITRE: T1187
// Windows endpoints should never initiate outbound SMB to public IPs
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort == 445
| where RemoteIPType == "Public"
| where Protocol == "Tcp"
| project Timestamp, DeviceName, LocalIP, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
// HUNT-03: LNK File Execution in Suspicious Directories | Covers: CVE-2026-32202 / APT28 LNK delivery | MITRE: T1204.002
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "explorer.exe"
| where ProcessCommandLine has ".lnk"
| where FolderPath !startswith @"C:\Users\Public\Desktop"
and FolderPath !startswith @"C:\ProgramData\Microsoft"
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, ProcessCommandLine, FolderPath
| order by Timestamp desc
// HUNT-04: Linux Kernel AF_ALG AEAD Socket Abuse (Copy Fail / CVE-2026-31431) | Covers: CVE-2026-31431 | MITRE: T1068
// Hunt for Python processes whose command line references AF_ALG / algif_aead primitives (matches inline "-c" payloads and telltale arguments only; a script invoked by file path will not surface these strings)
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("python3", "python")
| where ProcessCommandLine has_any ("AF_ALG", "SOCK_SEQPACKET", "algif_aead", "authencesn")
or (ProcessCommandLine matches regex @"socket\.socket\(\d+, \d+\)" and ProcessCommandLine has "SOCK_SEQPACKET")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc
// HUNT-05: Suspicious setuid Binary Execution Post-LPE | Covers: CVE-2026-31431 | MITRE: T1548.001
// Detect non-root users spawning shells via setuid binaries immediately followed by root-context processes
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("passwd", "su", "sudo", "pkexec", "newgrp")
| where AccountName != "root"
| join kind=inner (
DeviceProcessEvents
| where Timestamp > ago(24h)
| where AccountName == "root"
| where FileName in~ ("bash", "sh", "dash", "zsh")
) on DeviceName
| where Timestamp1 between ((Timestamp - 30s) .. (Timestamp + 30s))
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, RootShell = FileName1, RootShellCommandLine = ProcessCommandLine1
| order by Timestamp desc
// HUNT-06: EtherNet/IP Connections from Non-Engineering Sources | Covers: Iranian APT PLC Campaign | MITRE: T0883
// Alert on inbound connections to OT-range devices on EtherNet/IP port from unexpected sources
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where LocalPort == 44818 or RemotePort == 44818
| where RemoteIPType == "Public"
| project Timestamp, DeviceName, LocalIP, LocalPort, RemoteIP, RemotePort, Protocol, InitiatingProcessFileName
| order by Timestamp desc
// HUNT-07: Mini Shai-Hulud — Malicious Python Package Import Indicators | Covers: PyTorch Lightning supply chain | MITRE: T1195.001
// Detect creation of _runtime directory or router_runtime.js in Python environments
DeviceFileEvents
| where Timestamp > ago(7d)
| where FileName in~ ("router_runtime.js") or FolderPath has "_runtime"
| where FolderPath has_any ("site-packages", "dist-packages", "lightning", ".claude")
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
// HUNT-08: Cloud Credential File Exfiltration — Supply Chain Attack Pattern | Covers: PyTorch Lightning supply chain | MITRE: T1552.001
// Detect access to cloud credential files by Python or Node processes
DeviceFileEvents
| where Timestamp > ago(7d)
| where FolderPath has_any (".aws/credentials", ".config/gcloud", ".azure", ".kube/config", ".npmrc")
| where InitiatingProcessFileName in~ ("python3", "python", "node", "npm")
| project Timestamp, DeviceName, AccountName, FolderPath, FileName, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
// HUNT-09: China-Nexus Covert Proxy — Unusual Multi-Hop Patterns | Covers: AA26-113A / Salt Typhoon | MITRE: T1090.003
// Detect unusual proxy chains — multiple hops through residential IP ranges
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteIPType == "Public"
| where RemotePort in (1080, 8080, 3128, 8888, 9050, 4145)
| summarize HopCount = dcount(RemoteIP), Destinations = make_set(RemoteIP) by DeviceName, bin(Timestamp, 1h)
| where HopCount > 3
| project Timestamp, DeviceName, HopCount, Destinations
| order by HopCount desc
KQL Detection Rules (High Fidelity)
Direct outbound SMB (TCP/445) from Windows endpoints to public IPs has near-zero legitimate use cases in properly segmented networks. This is the precise network-level indicator of the CVE-2026-32202 zero-click NTLM coercion exploit in action. False positives would only arise in legacy environments routing SMB over the internet — which is itself a critical misconfiguration requiring remediation. Allowlist internal RFC1918 and APIPA ranges.
// DET-01: Zero-Click NTLM Hash Coercion — Outbound SMB to Public Internet | MITRE: T1187 | Severity: CRITICAL
DeviceNetworkEvents
| where Timestamp > ago(1h)
| where RemotePort == 445
| where RemoteIPType == "Public"
| where Protocol == "Tcp"
| where ActionType == "ConnectionSuccess"
| extend AlertTitle = "CRITICAL: Outbound SMB to Public IP — Possible NTLM Coercion (CVE-2026-32202 / APT28)"
| extend Severity = "Critical"
| extend MITRETechnique = "T1187 - Forced Authentication"
| extend RecommendedAction = "Isolate endpoint immediately. Block outbound TCP/445 to all public IPs at perimeter firewall. Capture NTLMv2 hashes from PCAP if available and reset affected account passwords. Apply KB5083769 if not already patched."
| project Timestamp, AlertTitle, Severity, MITRETechnique, DeviceName, LocalIP, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, RecommendedAction
Files matching the .sorry extension appearing in bulk on a Linux host after cpsrvd activity are a near-certain indicator of successful CVE-2026-41940 exploitation followed by ransomware deployment. The combination of cPanel process ancestry and mass file extension change is extremely high fidelity.
// DET-02: cPanel Ransomware — Mass .sorry Extension File Creation | MITRE: T1486 | Severity: CRITICAL
DeviceFileEvents
| where Timestamp > ago(1h)
| where FileName endswith ".sorry"
| summarize FileCount = count(), AffectedPaths = make_set(FolderPath, 20) by DeviceName, bin(Timestamp, 5m), InitiatingProcessFileName
| where FileCount > 10
| extend AlertTitle = "CRITICAL: Mass .sorry File Extension Creation — cPanel Ransomware Indicator (CVE-2026-41940)"
| extend Severity = "Critical"
| extend MITRETechnique = "T1486 - Data Encrypted for Impact"
| extend RecommendedAction = "Immediately isolate host from network. Snapshot disk before any recovery action. Contact incident response team. Verify cPanel version and apply patch to 11.118.0.22+. Review /var/cpanel/sessions/raw/ for injected session files. Block outbound connections to 95.111.250[.]175."
| project Timestamp, AlertTitle, Severity, MITRETechnique, DeviceName, FileCount, AffectedPaths, InitiatingProcessFileName, RecommendedAction
Python processes accessing AF_ALG socket interfaces in rapid succession are a strong indicator of Copy Fail (CVE-2026-31431) exploitation. The specific combination of AF_ALG socket creation and subsequent access by a non-root process is not present in normal application behaviour. Allowlist known kernel security testing tools in dedicated pentest environments only.
// DET-03: Copy Fail LPE — AF_ALG Socket Use by Non-Root Process | MITRE: T1068 | Severity: HIGH
DeviceProcessEvents
| where Timestamp > ago(1h)
| where AccountName != "root"
| where FileName in~ ("python3", "python")
| where ProcessCommandLine has_any ("AF_ALG", "SOCK_SEQPACKET", "algif_aead", "SOL_ALG")
| extend AlertTitle = "HIGH: Possible Copy Fail (CVE-2026-31431) LPE Attempt — AF_ALG Socket Abuse by Non-Root"
| extend Severity = "High"
| extend MITRETechnique = "T1068 - Exploitation for Privilege Escalation"
| extend RecommendedAction = "Investigate process ancestry. Capture memory dump if root shell is spawned subsequently. Apply Linux kernel patch for CVE-2026-31431 immediately. Check if setuid binaries have been modified in page cache (compare running hash vs on-disk hash)."
| project Timestamp, AlertTitle, Severity, MITRETechnique, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, RecommendedAction
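DET-03 and HUNT-04 key on ProcessCommandLine, which only contains the AF_ALG strings when the exploit is passed inline; a script run by file path shows nothing. The kernel-level signal described in section 3.3, creation of an AF_ALG socket by an unprivileged process, is visible to auditd regardless of how the interpreter was invoked. The parser below is an added example for this report, not the page's KQL and not from any vendor. It assumes an audit rule such as `-a always,exit -F arch=b64 -S socket -F a0=38 -k afalg` is loaded (AF_ALG is address family 38; on x86_64 the socket syscall number is 41), that records are in auditd's default key=value text format, and that all log lines are constructed.

```python
"""Flag AF_ALG socket creation by non-root processes in auditd SYSCALL records.

Added example for this report; not the page's KQL and not from any vendor.
"""
import re

AF_ALG = 38                 # address family for the kernel crypto API sockets
SOCK_SEQPACKET = 5          # the only socket type AF_ALG accepts
SYSCALL_SOCKET_X86_64 = "41"
ARCH_X86_64 = "c000003e"

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed audit records: non-root python3 opening AF_ALG (twice, once with
# SOCK_CLOEXEC set), a normal AF_INET socket, a root-owned AF_ALG user, and a
# PROCTITLE record that is not a SYSCALL event at all.
SAMPLE_AUDIT_LOG = [
    'type=SYSCALL msg=audit(1778024400.101:9001): arch=c000003e syscall=41 success=yes exit=3 '
    'a0=26 a1=5 a2=0 a3=0 items=0 ppid=4010 pid=4022 auid=1000 uid=1000 gid=1000 euid=1000 '
    'tty=pts0 ses=3 comm="python3" exe="/usr/bin/python3.12" key="afalg"',
    'type=SYSCALL msg=audit(1778024400.205:9002): arch=c000003e syscall=41 success=yes exit=3 '
    'a0=2 a1=1 a2=6 a3=0 items=0 ppid=4010 pid=4030 auid=1000 uid=1000 gid=1000 euid=1000 '
    'tty=pts0 ses=3 comm="curl" exe="/usr/bin/curl" key="afalg"',
    'type=SYSCALL msg=audit(1778024400.310:9003): arch=c000003e syscall=41 success=yes exit=4 '
    'a0=26 a1=5 a2=0 a3=0 items=0 ppid=1 pid=512 auid=4294967295 uid=0 gid=0 euid=0 '
    'tty=(none) ses=4294967295 comm="cryptsetup" exe="/usr/sbin/cryptsetup" key="afalg"',
    'type=PROCTITLE msg=audit(1778024400.101:9001): proctitle="python3"',
    'type=SYSCALL msg=audit(1778024400.412:9004): arch=c000003e syscall=41 success=yes exit=3 '
    'a0=26 a1=80005 a2=0 a3=0 items=0 ppid=4010 pid=4041 auid=1000 uid=1000 gid=1000 euid=1000 '
    'tty=pts0 ses=3 comm="python3" exe="/usr/bin/python3.12" key="afalg"',
]


def parse_audit_line(line: str) -> dict:
    """Split an auditd record into its key=value fields, dropping quotes around values."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def is_afalg_socket_by_nonroot(rec: dict) -> bool:
    if rec.get("type") != "SYSCALL" or rec.get("arch") != ARCH_X86_64:
        return False
    if rec.get("syscall") != SYSCALL_SOCKET_X86_64:
        return False
    try:
        family = int(rec.get("a0", ""), 16)  # auditd logs syscall arguments in hex
    except ValueError:
        return False
    return family == AF_ALG and rec.get("uid") not in (None, "0")


def find_afalg_use(lines) -> list:
    """Return one finding per AF_ALG socket created by a non-root process."""
    hits = []
    for line in lines:
        rec = parse_audit_line(line)
        if not is_afalg_socket_by_nonroot(rec):
            continue
        sock_type = int(rec.get("a1", "0"), 16) & 0xF  # mask SOCK_CLOEXEC / SOCK_NONBLOCK bits
        hits.append({"pid": rec.get("pid"), "uid": rec.get("uid"), "comm": rec.get("comm"),
                     "exe": rec.get("exe"), "seqpacket": sock_type == SOCK_SEQPACKET,
                     "succeeded": rec.get("success") == "yes"})
    return hits


if __name__ == "__main__":
    for hit in find_afalg_use(SAMPLE_AUDIT_LOG):
        print(hit)
```

Root processes are excluded because some system tools legitimately use the kernel crypto API; unprivileged interpreters opening AF_ALG sockets are the population DET-03 is after, and the pid in each finding is the pivot back into process ancestry on the host.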
The file router_runtime.js within any Python environment _runtime directory or .claude/ path is a direct artefact of the Mini Shai-Hulud supply chain malware. This filename is unique to the campaign and has no legitimate use. Detection is high fidelity with no expected false positives in production environments.
// DET-04: Mini Shai-Hulud Supply Chain — router_runtime.js Artefact Detection | MITRE: T1195.001 | Severity: HIGH
DeviceFileEvents
| where Timestamp > ago(7d)
| where FileName =~ "router_runtime.js"
| extend AlertTitle = "HIGH: Mini Shai-Hulud Supply Chain Malware — router_runtime.js Detected (PyTorch Lightning)"
| extend Severity = "High"
| extend MITRETechnique = "T1195.001 - Supply Chain Compromise: Software Dependencies"
| extend RecommendedAction = "Treat host as fully compromised. Immediately rotate ALL cloud credentials (AWS, GCP, Azure), GitHub tokens, npm tokens, Kubernetes secrets, Vault tokens, and CI/CD environment secrets. Audit git repositories for commits prefixed EveryBoiWeBuildIsAWormyBoi. Uninstall lightning 2.6.2/2.6.3 and reinstall from clean version (>= 2.6.4). Wipe and rebuild CI/CD runner if affected."
| project Timestamp, AlertTitle, Severity, MITRETechnique, DeviceName, AccountName, FolderPath, FileName, InitiatingProcessFileName, InitiatingProcessCommandLine, RecommendedAction
Inbound TCP connections to port 44818 (EtherNet/IP) from public internet IP addresses represent active Iranian APT campaign activity. No legitimate remote engineering access should originate from public internet IPs to OT devices. Tune this rule against known engineering VPN egress IPs.
// DET-05: Iranian APT PLC Campaign — EtherNet/IP from Public Internet | MITRE: T0883 | Severity: HIGH
DeviceNetworkEvents
| where Timestamp > ago(1h)
| where LocalPort == 44818
| where RemoteIPType == "Public"
| where ActionType == "InboundConnectionAccepted"
| extend AlertTitle = "HIGH: EtherNet/IP Connection from Public Internet — Iranian APT PLC Campaign Indicator"
| extend Severity = "High"
| extend MITRETechnique = "T0883 - Internet Accessible Device"
| extend RecommendedAction = "Immediately disconnect PLC from internet-facing interface. Block all inbound connections to ports 44818, 502, 102, 2222 from public IPs at perimeter. Inspect PLC project files for unauthorised modification via Rockwell Studio 5000. Engage ICS incident response if HMI values appear manipulated. Cross-reference source IP against 185.82.73.0/24 and 135.136.1.133."
| project Timestamp, AlertTitle, Severity, MITRETechnique, DeviceName, LocalIP, LocalPort, RemoteIP, RemotePort, RecommendedAction
Mitigation Priorities
Patch — Actively Exploited (Act Now)
- cPanel & WHM — CVE-2026-41940 (CVSS 9.8): Upgrade to cPanel version 11.118.0.22 or later immediately. If patching cannot occur within 24 hours, block all inbound traffic on TCP ports 2083, 2087, 2095, and 2096 at the perimeter firewall. Run the cPanel-provided vendor detection script to check for pre-existing session file compromise. Treat any cPanel instance internet-accessible since February 23, 2026 as potentially compromised regardless of current patch status.
- Microsoft Windows — CVE-2026-32202 (NTLM Coercion): Apply the April 2026 cumulative update KB5083769 for Windows 11 24H2 and 25H2. Verify equivalent patches for Windows Server variants. FCEB federal deadline: 2026-05-12. Do not defer — Microsoft's initial advisory did not flag active exploitation, meaning many teams have not yet prioritised it.
- Linux Kernel — CVE-2026-31431 "Copy Fail" (CVSS 7.8): Apply vendor-specific kernel updates immediately. Patches are available for Ubuntu, Debian, SUSE, Fedora, AlmaLinux, and CloudLinux. RHEL users should monitor Red Hat's RHSB-2026-02 page. FCEB deadline: 2026-05-15. Prioritise cloud instances, Kubernetes nodes, shared CI/CD runners, and any Linux system with untrusted or multi-tenant user access.
Network Hardening
- Block all outbound TCP/445 (SMB) to public internet IPs at the perimeter firewall. This prevents NTLM coercion attacks (CVE-2026-32202) at the network layer even on unpatched endpoints and has no legitimate business use.
- Enable NTLM blocking or require Kerberos for all internal authentication where feasible. As an interim measure, enable Extended Protection for Authentication (EPA) on all Windows servers.
- Block inbound connections to EtherNet/IP (TCP/44818), Modbus (TCP/502), S7comm (TCP/102), and SSH (TCP/22) on all OT/PLC devices from any internet-facing interface. These devices should only be reachable via dedicated OT VPN with MFA.
- Block inbound traffic to cPanel ports (TCP/2083, 2087, 2095, 2096) from any IPs not explicitly allowlisted. Implement IP allowlisting for cPanel/WHM administrative access.
- Block outbound connections to Iranian APT infrastructure: 185.82.73.0/24 and 135.136.1.133.
- Block outbound connections to 95.111.250[.]175 (cPanel attack source).
OT / ICS Platform-Specific Steps
- Immediately conduct a Censys or Shodan search for your organisation's IP ranges on TCP/44818 and TCP/502 to identify any inadvertently internet-exposed PLCs. Remove all findings from public exposure immediately.
- Implement strict network segmentation between the OT network and IT/internet-connected networks using a dedicated DMZ or data diode.
- Enable and review logs from Rockwell Studio 5000 Logix Designer for any project file modifications originating from unexpected engineering workstation IPs.
- Verify the integrity of PLC project files and HMI display configurations against known-good baselines. Restore from a pre-March 2026 backup if anomalies are detected.
- Apply firmware updates for all internet-exposed SOHO routers and IoT devices to reduce their utility as China-nexus covert network relay nodes.
Developer / Supply Chain
- Immediately audit all Python and npm environments for the presence of lightning versions 2.6.2 or 2.6.3 and intercom-client version 7.0.4. Run pip show lightning and npm list intercom-client across all developer workstations and CI/CD runners.
- If either malicious version is found, treat the host as fully compromised: rotate all cloud provider credentials, GitHub personal access tokens, npm tokens, Kubernetes service account tokens, HashiCorp Vault tokens, and all CI/CD environment secrets.
- Audit all git repositories accessible from affected machines for commits with the message prefix EveryBoiWeBuildIsAWormyBoi or repository description "A Mini Shai-Hulud has Appeared."
- Check for the presence of router_runtime.js in any .claude/ directory or Python site-packages directory on affected hosts.
- Implement PyPI and npm package pinning with hash verification in all requirements.txt, Pipfile.lock, and package-lock.json files. Evaluate Socket.dev integration into CI/CD pipelines for real-time supply chain threat detection.
- Enable pip-audit and npm audit as mandatory CI gates.
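The audit steps above can be run as one script. The following is an added example (not from the report, and not tooling from the lightning or intercom-client projects) that checks a host for each indicator the report lists: the malicious lightning and intercom-client versions (read from dist-info METADATA and package-lock.json, which covers lockfile v1 "dependencies" and v2/v3 "packages" layouts), the router_runtime.js artefact anywhere under a root directory, and commit subjects carrying the EveryBoiWeBuildIsAWormyBoi prefix. The indicator values are the report's; the function names, the `git_subjects()` helper and the `build_sample_tree()` fixture are this example's own, and the fixture is a constructed sample, not a real compromised environment.

```python
"""Mini Shai-Hulud host audit (added example, not from the report or the affected projects)."""
import json
import os
import re
import subprocess
import tempfile
from pathlib import Path

# Indicator values as given in the report
MALICIOUS_PYPI = {"lightning": {"2.6.2", "2.6.3"}}
MALICIOUS_NPM = {"intercom-client": {"7.0.4"}}
ARTEFACT_FILENAME = "router_runtime.js"
COMMIT_PREFIX = "EveryBoiWeBuildIsAWormyBoi"

DIST_INFO_RE = re.compile(r"^(?P<name>.+)-(?P<version>[^-]+)\.dist-info$")


def _normalise(name):
    """PEP 503 name normalisation so 'Lightning' and 'lightning' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def scan_dist_info(site_packages):
    """Flag installed distributions whose METADATA Name/Version is a known-bad pair."""
    findings, sp = [], Path(site_packages)
    if not sp.is_dir():
        return findings
    for entry in sp.iterdir():
        m = DIST_INFO_RE.match(entry.name)
        if not m:
            continue
        name, version = m["name"], m["version"]
        meta = entry / "METADATA"
        if meta.is_file():  # metadata is authoritative; the directory name is a fallback
            for line in meta.read_text(errors="replace").splitlines():
                if line.startswith("Name: "):
                    name = line[6:].strip()
                elif line.startswith("Version: "):
                    version = line[9:].strip()
        if version in MALICIOUS_PYPI.get(_normalise(name), ()):
            findings.append({"kind": "pypi", "package": name, "version": version, "path": str(entry)})
    return findings


def scan_package_lock(lock_path):
    """Flag known-bad npm versions in package-lock.json (v1 and v2/v3 layouts)."""
    p = Path(lock_path)
    if not p.is_file():
        return []
    lock = json.loads(p.read_text())
    seen = set()
    for key, info in lock.get("packages", {}).items():  # v2/v3: "node_modules/<name>"
        if key:
            seen.add((key.split("node_modules/")[-1], info.get("version")))

    def walk_v1(deps):  # v1: nested "dependencies" trees
        for name, info in deps.items():
            seen.add((name, info.get("version")))
            walk_v1(info.get("dependencies", {}))
    walk_v1(lock.get("dependencies", {}))
    return [{"kind": "npm", "package": n, "version": v, "path": str(p)}
            for n, v in sorted(seen, key=str) if v in MALICIOUS_NPM.get(n, ())]


def scan_artefacts(root):
    """Find router_runtime.js anywhere under root (covers .claude/ and site-packages)."""
    return [{"kind": "artefact", "path": os.path.join(d, f)}
            for d, _, files in os.walk(root) for f in files if f == ARTEFACT_FILENAME]


def scan_commit_subjects(subjects):
    """Flag commit subject lines that start with the campaign prefix."""
    return [{"kind": "commit", "subject": s} for s in subjects if s.startswith(COMMIT_PREFIX)]


def git_subjects(repo):
    """Subject lines of a real repository's history, for use outside the constructed test."""
    out = subprocess.run(["git", "-C", repo, "log", "--format=%s"],
                         capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def audit(root, site_packages=None, lock_path=None, commit_subjects=()):
    """Run every check and return the combined list of findings."""
    findings = scan_dist_info(site_packages or Path(root) / "site-packages")
    findings += scan_package_lock(lock_path or Path(root) / "package-lock.json")
    findings += scan_artefacts(root)
    findings += scan_commit_subjects(commit_subjects)
    return findings


def build_sample_tree():
    """Constructed fixture reproducing each indicator; the artefact file is a placeholder."""
    root = tempfile.mkdtemp(prefix="shai-hulud-audit-")
    bad = Path(root, "site-packages", "lightning-2.6.3.dist-info")
    bad.mkdir(parents=True)
    (bad / "METADATA").write_text("Metadata-Version: 2.1\nName: lightning\nVersion: 2.6.3\n")
    clean = Path(root, "site-packages", "cleanpkg-1.0.0.dist-info")
    clean.mkdir()
    (clean / "METADATA").write_text("Metadata-Version: 2.1\nName: cleanpkg\nVersion: 1.0.0\n")
    Path(root, "package-lock.json").write_text(json.dumps({
        "lockfileVersion": 3,
        "packages": {"": {"name": "app"},
                     "node_modules/intercom-client": {"version": "7.0.4"},
                     "node_modules/left-pad": {"version": "1.3.0"}}}))
    Path(root, ".claude").mkdir()
    Path(root, ".claude", ARTEFACT_FILENAME).write_text("// constructed placeholder, not malware\n")
    return root


SAMPLE_COMMITS = ["Fix typo in README", COMMIT_PREFIX + ": add runtime", "Bump version"]  # constructed

if __name__ == "__main__":
    for finding in audit(build_sample_tree(), commit_subjects=SAMPLE_COMMITS):
        print(finding)
```

On a real host, point `audit()` at the workstation or runner root, pass the interpreter's site-packages directory and the project's package-lock.json, and feed `git_subjects(repo)` for each repository the host can push to; any finding means the credential rotation and rebuild steps above apply to that host.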
Awareness / Process
- Distribute this report to all SOC analysts, incident responders, and platform engineering teams. Flag the cPanel and Linux kernel patches as P1 with SLA of 24–48 hours for all production systems.
- Notify any third-party MSPs or hosting providers in your supply chain of CVE-2026-41940 and request confirmation of their patching status.
- For organisations with Ukrainian or EU government relationships: treat any LNK file delivered via email or file share as high-risk. Enforce .lnk file blocking at the email gateway and disable LNK execution for standard users via AppLocker or WDAC policy.
- Security awareness for developers: remind teams never to install PyPI or npm packages without verifying version hashes, and to treat any unexpected credential access from a Python script as a potential supply chain indicator.
Sources
- CISA Cybersecurity Advisories — May 2026
- CISA Known Exploited Vulnerabilities Catalog
- Defending Against China-Nexus Covert Networks of Compromised Devices — CISA AA26-113A
- Iranian-Affiliated Cyber Actors Exploit PLCs Across US Critical Infrastructure — CISA AA26-097A
- Copy Fail: Universal Linux LPE — Wiz Blog
- Copy Fail FAQ — Tenable
- RHSB-2026-02 CVE-2026-31431 — Red Hat Customer Portal
- CVE-2026-41940 cPanel Zero-Day Exploited for Months — Help Net Security
- Multiple Threat Actors Exploit CVE-2026-41940 — Help Net Security
- Critical cPanel Vulnerability Weaponized Against Government and MSP Networks — The Hacker News
- CVE-2026-41940 ETR — Rapid7
- A Shortcut to Coercion: CVE-2026-32202 — Akamai
- CISA Orders Feds to Patch CVE-2026-32202 — BleepingComputer
- Incomplete Windows Patch Opens Door to Zero-Click Attacks — SecurityWeek
- Iranian APT Targeting Rockwell/Allen-Bradley PLCs — Censys
- Iran Disrupts US Critical Infrastructure via Exposed PLCs — Dark Reading
- PyTorch Lightning Compromised in Supply Chain Attack — The Hacker News
- Shai-Hulud Malware in PyTorch Lightning — Semgrep
- lightning PyPI Package Compromised — Socket.dev
- Three Supply Chain Attacks Hit npm, PyPI, and Docker Hub — GitGuardian
- FBI: Salt Typhoon Threat Still Very Much Ongoing — CyberScoop
- APT28 MITRE ATT&CK Profile
- BleepingComputer Security News — May 2026
- CISA ICS Advisories