Executive Summary

The May 10–11 coverage window saw elevated ransomware operator activity, with Leak Bazaar and Lynx accounting for more than 70% of all disclosed victims across 13+ countries. Concurrently, a sophisticated Iranian-affiliated false-flag operation attributed to MuddyWater continues to leverage Microsoft Teams for credential theft and MFA manipulation while deploying Chaos ransomware artefacts as misdirection. Several high-severity exploitation chains remain active against Palo Alto PAN-OS firewalls and Ivanti EPMM mobile device management platforms, with CISA federal remediation deadlines falling within this window.

Threat Landscape Overview

# | Threat Cluster | Severity | Target Sectors | Attribution | Status | Timestamp
--- | --- | --- | --- | --- | --- | ---
1 | Leak Bazaar / Lynx Ransomware — May 10 Wave | CRITICAL | Financial Services, Education, Technology, Construction | Cybercriminal (unattributed) | NEW | 2026-05-10 00:00 UTC
2 | MuddyWater Teams False-Flag / Chaos Ransomware | CRITICAL | Construction, Manufacturing, Business Services (US-focused) | Iran-affiliated (MuddyWater / MANGO SANDSTORM) | NEW | 2026-05-10 (THN publication)
3 | CVE-2026-0300 — PAN-OS User-ID Portal RCE | CRITICAL | Network Security / All Sectors (Palo Alto customers) | Unattributed (opportunistic & targeted) | UPDATED | 2026-05-06 CISA KEV; ongoing exploitation
4 | CVE-2026-6973 — Ivanti EPMM Authenticated RCE | HIGH | Enterprise MDM customers | Unattributed; assessed state-adjacent | UPDATED | 2026-05-10 CISA KEV deadline
5 | DAEMON Tools Supply Chain Backdoor | HIGH | Manufacturing, Government, Retail, Scientific (RU/BY/TH) | Assessed China-affiliated (moderate confidence) | UPDATED | 2026-05-05/06 first reported; ongoing
6 | CVE-2026-22679 — Weaver E-cology OA RCE | HIGH | Enterprise OA users (APAC, government, healthcare) | Unattributed | UPDATED | 2026-05-04/05 first reported; exploitation ongoing

Campaign Deep-Dives

New Intelligence

1. Leak Bazaar / Lynx Ransomware — May 10–11 Victim Wave

Actor: Leak Bazaar (emerging criminal data-monetisation service); Lynx Ransomware-as-a-Service group.
Malware Family: Lynx ransomware encryptor; Leak Bazaar data extortion platform (no file encryption — pure exfiltration and publication threat).
First Observed: Leak Bazaar publicly active since April 2026; Lynx active since late 2025.
Source Timestamp: 2026-05-10 00:00 UTC (PurpleOps Ransomware Tracker daily update).

On May 10, 2026, threat intelligence aggregator PurpleOps recorded 24 new ransomware-linked victim disclosures across all active groups in a single 24-hour period. Leak Bazaar claimed 9 victims and Lynx claimed 8, together representing more than 70% of total daily activity. The United States recorded 13 victims, the United Kingdom 4, with Spain, Germany, UAE, Taiwan, Singapore, and India each contributing 1–2 incidents.

Leak Bazaar operates as a criminal marketplace designed to monetise stolen data independently of whether a ransom is paid — including data stolen by other ransomware groups. This significantly expands the blast radius of any breach touching Leak Bazaar's ecosystem. Named sectors in the May 10 wave include Financial Services and Construction & Engineering firms in India and the United Kingdom. Lynx's May 10 activity focused on Education and Technology firms primarily in Germany and the United States.

Two specifically identified victims disclosed on May 10 include St Anne's Catholic School & Sixth Form College in the United Kingdom (Education; Lynx) and Bay Area Herbs & Specialties (bayareaherbs.com) in the US (Food & Agriculture; Lynx). Both are consistent with Lynx's pattern of targeting under-resourced organisations unlikely to have mature incident response capabilities.

The average volume of data exfiltrated per incident in Q1 2026 reached 743 GB, with victims given an average of 7.7 days to meet ransom demands before data publication. Q1 exfiltration rates remained at 96% across tracked incidents, indicating that encryption is increasingly secondary to the theft-and-leak model.

Vulnerabilities Exploited: No single CVE confirmed; access vectors assessed as exposed RDP, credential stuffing against VPN portals, and phishing.

TTPs (MITRE ATT&CK):

Observed Behaviours: Credential theft via phishing or brute force → VPN/RDP access → rapid lateral movement → mass data staging → exfiltration to attacker-controlled cloud storage → ransom demand or direct data publication via Leak Bazaar marketplace.

2. MuddyWater (MANGO SANDSTORM) — Microsoft Teams False-Flag Chaos Ransomware Operation

Actor: MuddyWater (also tracked as MANGO SANDSTORM, Cobalt Ulster, TA450); assessed Iran-affiliated, likely operating under MOIS (Ministry of Intelligence and Security) direction.
Malware Family: Chaos ransomware builder artefacts (deployed as false flags, not file-encryption end goal); custom credential-harvesting tooling.
First Observed: Early 2026 (Rapid7 intrusion observation); campaign claimed 36 victims as of late March 2026.
Source Timestamp: 2026-05-10 (The Hacker News article published within coverage window); Rapid7 technical blog corroborating research published 2026-05.

A campaign attributed with moderate-to-high confidence to MuddyWater was described in detail by Rapid7 and covered by The Hacker News during the coverage window. The intrusion set is notable for weaponising Microsoft Teams as the primary social engineering vector rather than email, blending state-sponsored intelligence-collection objectives with ransomware misdirection to complicate attribution and incident response.

Attackers initiate contact via Microsoft Teams messages impersonating IT support or vendor personnel from external tenant accounts. Once the target engages, the actor requests or initiates an interactive screen-sharing session. During the session, victims are instructed to type credentials into locally created text files — captured by the actor observing the screen — and to add attacker-controlled devices to their MFA configuration, effectively registering an attacker-owned authenticator. This process bypasses MFA entirely without requiring any exploit or malware execution in the initial phase.

Post-credential-harvest, the actor performs discovery (net user, ipconfig, whoami, nltest), moves laterally using the stolen credentials, and exfiltrates data before deploying Chaos ransomware builder artefacts to selected endpoints. Critically, Rapid7 confirmed that file-encrypting ransomware was never actually executed on compromised machines: Chaos artefacts were planted solely to create the appearance of a financially motivated ransomware intrusion, obscuring the espionage-focused true objective.

As of late March 2026, the campaign has claimed 36 confirmed victims concentrated in US construction, manufacturing, and business services sectors.

Vulnerabilities Exploited: No CVEs exploited; attack chain relies exclusively on social engineering and valid credentials.

TTPs (MITRE ATT&CK):

Observed Behaviours: Teams contact from external tenant impersonating IT → screen-share session requested → credentials typed in plaintext file visible to actor → attacker-controlled MFA device registered → lateral movement with valid credentials → exfiltration → Chaos artefacts dropped without execution → no encryption event.

Malware Toolkit: Chaos ransomware builder (open-source, used as artefact only); no confirmed bespoke implant; attacker leverages legitimate remote access tooling (Teams screen share) and built-in Windows utilities (net.exe, nltest.exe, ipconfig.exe, whoami.exe) for discovery.

Updated Intelligence

This subsection contains intelligence first reported before the coverage window but materially updated within it.

3. CVE-2026-0300 — Palo Alto PAN-OS User-ID Portal Unauthenticated RCE

[UPDATED — first reported 2026-05-05, updated 2026-05-06 UTC (CISA KEV addition); active exploitation confirmed ongoing within coverage window]

What Changed: CISA added CVE-2026-0300 to the Known Exploited Vulnerabilities catalog on 2026-05-06, mandating remediation for federal civilian executive branch agencies. Active exploitation against internet-exposed instances was confirmed in the wild by Wiz and SOCRadar during the coverage window, with Shodan identifying approximately 67 exposed PAN-OS instances on port 6081 as of May 6. Exploitation activity continues against unpatched instances.

Actor: Multiple unattributed threat clusters; opportunistic and targeted.
Malware Family: Reverse shell implants; unknown second-stage payloads.
Source Timestamp: 2026-05-06 (CISA KEV addition); Help Net Security 2026-05-06; Wiz Blog and SOCRadar ongoing coverage within coverage window.

CVE-2026-0300 is a buffer overflow vulnerability (CVSS 9.3 — CRITICAL) in the User-ID Authentication Portal (also referred to as Captive Portal) of Palo Alto Networks PAN-OS. An unauthenticated remote attacker can achieve arbitrary code execution with root privileges by sending specially crafted packets to the portal service on ports 6081/6082. PA-Series and VM-Series firewalls are affected; Prisma Access, Cloud NGFW, and Panorama are not impacted.

Vulnerabilities Exploited: CVE-2026-0300 — PAN-OS User-ID Authentication Portal buffer overflow (CVSS 9.3).

TTPs (MITRE ATT&CK):

Technical Mechanism:

  1. Attacker identifies externally exposed User-ID Authentication Portal (ports 6081/6082) via Shodan or mass scanning.
  2. Specially crafted HTTP packets with oversized parameter values sent to the portal login handler.
  3. Stack buffer overflow overwrites control-flow data in the PAN-OS authentication process.
  4. Arbitrary code executes with root privileges on the firewall OS.
  5. Attacker establishes reverse shell or drops persistent implant on the network security device.

4. CVE-2026-6973 — Ivanti EPMM Authenticated Remote Code Execution

[UPDATED — first reported 2026-05-07/08, updated 2026-05-10 UTC (CISA KEV federal remediation deadline reached within coverage window)]

What Changed: The CISA KEV-mandated remediation deadline for federal civilian executive branch agencies was 2026-05-10 — within this coverage window. As of the deadline date, exploitation of CVE-2026-6973 has been confirmed against a "very limited" number of on-premises EPMM customers, per Ivanti's disclosure. The CISA deadline expiry elevates urgency across all organisations running on-premises EPMM. Ivanti additionally noted that AI-assisted exploit development has dramatically reduced time-to-exploit windows following public disclosure.

Actor: Unattributed; assessed state-adjacent based on targeted victim profile.
First Observed: 2026-05-07/08 (Ivanti initial disclosure).
Source Timestamp: 2026-05-08 (Help Net Security); 2026-05-10 (CISA KEV federal deadline within coverage window).

CVE-2026-6973 is an improper input validation vulnerability (CVSS 7.2 — HIGH) in Ivanti Endpoint Manager Mobile (EPMM) that allows an authenticated attacker with administrative privileges to achieve remote code execution. Affected versions: EPMM before 12.6.1.1, 12.7.0.1, and 12.8.0.1. Only on-premises EPMM is affected; Ivanti Neurons for MDM (cloud) is not impacted. Companion vulnerabilities CVE-2026-5786, CVE-2026-5787, CVE-2026-5788, and CVE-2026-7821 were patched in the same release window, addressing privilege escalation, client certificate theft, arbitrary method invocation, and information disclosure respectively.

Vulnerabilities Exploited: CVE-2026-6973 (CVSS 7.2); companion CVEs 2026-5786, 5787, 5788, 7821.

TTPs (MITRE ATT&CK):

5. DAEMON Tools Supply Chain Backdoor — Ongoing Infections

[UPDATED — first reported 2026-05-05/06, updated 2026-05-10/11 UTC (active infections ongoing; Kaspersky intelligence confirmed within coverage window)]

What Changed: Kaspersky published updated intelligence confirming second-stage payload delivery to a targeted subset of victims, including retail, scientific, government, and manufacturing organisations in Russia, Belarus, and Thailand. Infections from trojanised installs downloaded between April 8 and May 5, 2026 remain active across thousands of systems in 100+ countries during the coverage window. DAEMON Tools clean version 12.6 was released May 5, 2026.

Actor: Assessed China-affiliated threat actor (moderate confidence, based on Chinese-language artefacts in implants); no formal public attribution.
Malware Family: Custom HTTP-based backdoor (via trojanised DTHelper.exe, DiscSoftBusServiceLite.exe, DTShellHlp.exe); unspecified secondary-stage payloads.
Source Timestamp: 2026-05-06 (Kaspersky Securelist, BleepingComputer, Help Net Security); confirmed ongoing within coverage window.

Threat actors compromised the official DAEMON Tools software distribution infrastructure and trojanised Windows installer versions 12.5.0.2421 through 12.5.0.2434. The malicious versions embedded a backdoor in three binaries that sends an HTTP GET request to a threat-actor-controlled domain (env-check.daemontools[.]cc — registered March 27, 2026) to retrieve and execute shell commands via cmd.exe. Only Windows installers were affected; macOS and Linux versions were not compromised.

While thousands of systems received the first-stage backdoor globally, second-stage payloads were delivered selectively to approximately a dozen high-value targets, indicating a highly targeted operation using mass infection as a delivery pipeline for precision follow-on compromise — mirroring the SolarWinds and 3CX supply chain attack model.
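Both the DAEMON Tools finding above and the Ivanti EPMM finding in item 4 are bounded by version numbers, so the first triage step on an asset inventory is a branch-aware version comparison rather than a string match. The following is an added example (not code from the report, Kaspersky or Ivanti) that encodes the trojanised DAEMON Tools range 12.5.0.2421–12.5.0.2434 and the EPMM fixed builds 12.6.1.1 / 12.7.0.1 / 12.8.0.1 as stated in this report. The hostnames and installed versions in the inventory are constructed; the treatment of EPMM branches outside 12.6–12.8 is an assumption noted in the code.

```python
"""Inventory triage for the two version-bounded findings in this report.

Constructed example: hostnames and installed versions are made up. The
trojanised DAEMON Tools range and the Ivanti EPMM fixed builds are the
values the report states.
"""


def parse_version(text):
    """'12.5.0.2421' -> (12, 5, 0, 2421); tuples compare element-wise."""
    return tuple(int(part) for part in text.strip().split("."))


# DAEMON Tools: Windows installers 12.5.0.2421 through 12.5.0.2434 were trojanised.
DAEMON_BAD_LOW = parse_version("12.5.0.2421")
DAEMON_BAD_HIGH = parse_version("12.5.0.2434")

# Ivanti EPMM: first fixed build per release branch.
EPMM_FIXED = {
    (12, 6): parse_version("12.6.1.1"),
    (12, 7): parse_version("12.7.0.1"),
    (12, 8): parse_version("12.8.0.1"),
}


def daemon_tools_trojanised(version):
    """True when the installed build falls inside the trojanised range (inclusive)."""
    return DAEMON_BAD_LOW <= parse_version(version) <= DAEMON_BAD_HIGH


def epmm_vulnerable(version):
    """True when the installed EPMM build precedes the fixed build for its branch."""
    v = parse_version(version)
    branch = v[:2]
    if branch in EPMM_FIXED:
        return v < EPMM_FIXED[branch]
    # Assumption for this example: branches older than 12.6 have no fixed build and
    # are treated as affected; branches newer than 12.8 are outside the advisory.
    return branch < min(EPMM_FIXED)


def triage(inventory):
    """inventory: iterable of (host, product, version).

    Returns (host, product, version, action) for every asset needing action,
    in inventory order."""
    actions = []
    for host, product, version in inventory:
        if product == "DAEMON Tools" and daemon_tools_trojanised(version):
            actions.append((host, product, version,
                            "isolate; assume first-stage backdoor executed; reinstall clean 12.6"))
        elif product == "Ivanti EPMM" and epmm_vulnerable(version):
            actions.append((host, product, version,
                            "upgrade to fixed build; forensic review if internet-facing"))
    return actions


# Constructed inventory for demonstration.
INVENTORY = [
    ("ws-101", "DAEMON Tools", "12.5.0.2430"),  # inside trojanised range
    ("ws-102", "DAEMON Tools", "12.5.0.2420"),  # one build before the range
    ("ws-103", "DAEMON Tools", "12.6.0.1"),     # constructed post-fix build
    ("mdm-01", "Ivanti EPMM", "12.6.0.5"),      # below 12.6.1.1
    ("mdm-02", "Ivanti EPMM", "12.8.0.1"),      # fixed build
    ("mdm-03", "Ivanti EPMM", "12.5.2.0"),      # branch with no fixed build
]

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(" | ".join(row))
```

Version tuples compare element-wise, so a shorter tuple such as `(12, 6, 1)` sorts before `(12, 6, 1, 1)`; that is the behaviour wanted for "before 12.6.1.1".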

TTPs (MITRE ATT&CK):

6. CVE-2026-22679 — Weaver E-cology OA Platform RCE via Debug API

[UPDATED — first reported 2026-05-04/05, updated within coverage window (exploitation confirmed ongoing; attacker infrastructure active)]

What Changed: Exploitation activity observed by the Vega Research Team continued within the coverage window, with new POST requests to the vulnerable debug endpoint detected from attacker infrastructure. The vendor fix (build 20260312) is available, but patch adoption remains incomplete in target regions, particularly APAC enterprise environments. The attacker's PowerShell payload infrastructure was observed to be still active.

Actor: Unattributed; opportunistic threat actors, China-nexus targeting pattern assessed.
Source Timestamp: 2026-05-04/05 (The Hacker News, BleepingComputer); exploitation confirmed ongoing within coverage window.

CVE-2026-22679 (CVSS 9.8 — CRITICAL) is an unauthenticated remote code execution vulnerability in Weaver E-cology, an enterprise office automation and collaboration platform widely deployed in Chinese government, healthcare, and APAC enterprise environments. The vulnerability resides in the debug API endpoint /papi/esearch/data/devops/dubboApi/debug/method, which exposes internal Dubbo RPC functionality without authentication. The vendor fix removes the debug endpoint entirely.

Vulnerabilities Exploited: CVE-2026-22679 — Weaver E-cology debug API RCE (CVSS 9.8); affects versions prior to build 20260312.

TTPs (MITRE ATT&CK):

Technical Mechanism:

  1. Attacker identifies externally accessible Weaver E-cology instance via mass scanning.
  2. Unauthenticated HTTP POST sent to /papi/esearch/data/devops/dubboApi/debug/method.
  3. Attacker-controlled interfaceName and methodName parameters invoke internal command-execution helpers via exposed Dubbo reflection.
  4. Arbitrary OS commands execute in the context of the application server process.
  5. Attacker drops PowerShell download cradle or MSI installer for persistent access.

IOC Pack

IOC validity note: IOCs in this pack are sourced from content published or updated within the coverage window (2026-05-10 00:00 UTC to 2026-05-11 23:59 UTC). Operational TTL is 7–14 days from first observation.

Network IOCs

Type | Value | Campaign | Notes
--- | --- | --- | ---
Domain | env-check.daemontools[.]cc | DAEMON Tools Supply Chain | C2 beacon domain; registered 2026-03-27; block at DNS layer

CVEs — Actively Exploited (updated this window)

CVE | CVSS | Product | CISA KEV | Status
--- | --- | --- | --- | ---
CVE-2026-6973 | 7.2 | Ivanti EPMM (≤12.8.0.0) | Yes — deadline reached 2026-05-10 | Limited targeted exploitation confirmed
CVE-2026-0300 | 9.3 | Palo Alto PAN-OS (PA-Series, VM-Series) | Yes — added 2026-05-06 | Active in-the-wild exploitation ongoing

Behavioural IOCs

Type | Value | Campaign | Notes
--- | --- | --- | ---
Process | cmd.exe spawned by DTHelper.exe | DAEMON Tools Supply Chain | Legitimate DTHelper.exe never invokes cmd.exe
Outbound port | TCP 6081/6082 anomalous outbound from firewall | PAN-OS CVE-2026-0300 | Unexpected outbound from firewall = post-exploitation indicator
File path | *.txt containing plaintext credentials in Temp/Desktop/Downloads | MuddyWater Teams | Victim instructed to type credentials during Teams screen share
DNS query | env-check.daemontools[.]cc | DAEMON Tools Supply Chain | Any resolution indicates infected DAEMON Tools install
Process chain | net.exe, nltest.exe, ipconfig.exe, whoami.exe in rapid succession post-Teams | MuddyWater Teams | 3+ of these within 5 minutes = high-confidence post-harvest discovery
URL pattern | POST /papi/esearch/data/devops/dubboApi/debug/method | Weaver E-cology CVE-2026-22679 | Any POST to this endpoint is an exploitation attempt
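Four of the behavioural IOCs above (the DTHelper.exe shell spawn, the C2 DNS query, the "3+ discovery tools within 5 minutes" chain, and the debug-endpoint request) can be checked offline against exported telemetry without a SIEM. The following is an added example, not code from this report or from any of the cited vendors, that applies those four rules to constructed process events, DNS events and Common Log Format web-server lines. Only the IOC values (domain, endpoint path, tool names, threshold and window) are taken from the report; every event, host name and IP address is constructed. The discovery-burst rule is generalised slightly: it counts distinct tools in a sliding window per host, which is what the 3-in-5-minutes note implies.

```python
"""Offline evaluation of the report's behavioural IOCs against constructed telemetry."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# IOC values from the report. The domain is kept defanged in source and refanged on use.
C2_DOMAIN = "env-check.daemontools[.]cc".replace("[.]", ".")
DISCOVERY_TOOLS = {"net.exe", "nltest.exe", "ipconfig.exe", "whoami.exe"}
DEBUG_ENDPOINT = "/papi/esearch/data/devops/dubboApi/debug/method"
BURST_THRESHOLD, BURST_WINDOW = 3, timedelta(minutes=5)

# Constructed process events: (timestamp, host, parent image, child image)
PROCESS_EVENTS = [
    ("2026-05-10T09:00:00", "WS-17", "DTHelper.exe", "cmd.exe"),
    ("2026-05-10T09:05:00", "WS-17", "explorer.exe", "cmd.exe"),
    ("2026-05-10T10:00:10", "WS-22", "cmd.exe", "whoami.exe"),
    ("2026-05-10T10:01:30", "WS-22", "cmd.exe", "net.exe"),
    ("2026-05-10T10:03:45", "WS-22", "cmd.exe", "nltest.exe"),
    ("2026-05-10T11:00:00", "WS-30", "cmd.exe", "ipconfig.exe"),  # spread over an hour:
    ("2026-05-10T11:30:00", "WS-30", "cmd.exe", "whoami.exe"),    # should not alert
    ("2026-05-10T11:55:00", "WS-30", "cmd.exe", "net.exe"),
]
# Constructed DNS events: (timestamp, host, queried name)
DNS_EVENTS = [
    ("2026-05-10T09:00:02", "WS-17", "env-check.daemontools.cc."),
    ("2026-05-10T09:00:05", "WS-22", "updates.example.net"),
]
# Constructed Common Log Format lines from an OA platform front end
WEB_LOG = [
    '203.0.113.5 - - [10/May/2026:08:12:01 +0000] "POST /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/May/2026:08:12:07 +0000] "GET /login/Login.jsp HTTP/1.1" 200 2048',
    '203.0.113.5 - - [10/May/2026:08:12:09 +0000] "GET /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 405 0',
]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"')


def dthelper_shell(events):
    """DTHelper.exe spawning a shell: legitimate DTHelper never does this."""
    return [(host, t) for t, host, parent, child in events
            if parent.lower() == "dthelper.exe" and child.lower() in {"cmd.exe", "powershell.exe"}]


def c2_dns(events):
    """Any resolution of the C2 domain marks an infected DAEMON Tools install."""
    return [(host, t) for t, host, name in events if name.lower().rstrip(".") == C2_DOMAIN]


def discovery_burst(events, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Per host: at least `threshold` distinct discovery tools inside any `window`."""
    per_host = defaultdict(list)
    for t, host, _, child in events:
        if child.lower() in DISCOVERY_TOOLS:
            per_host[host].append((datetime.fromisoformat(t), child.lower()))
    hits = []
    for host, runs in per_host.items():
        runs.sort()
        for i, (start, _) in enumerate(runs):
            tools = {name for when, name in runs[i:] if when - start <= window}
            if len(tools) >= threshold:
                hits.append((host, start.isoformat()))
                break  # one alert per host is enough for triage
    return hits


def debug_endpoint_requests(lines):
    """Any request to the removed debug endpoint; POST is the exploitation pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("path").split("?")[0] == DEBUG_ENDPOINT:
            hits.append((m.group("ip"), m.group("method")))
    return hits


def run_all():
    return {
        "daemon_tools_shell": dthelper_shell(PROCESS_EVENTS),
        "daemon_tools_c2_dns": c2_dns(DNS_EVENTS),
        "muddywater_discovery_burst": discovery_burst(PROCESS_EVENTS),
        "weaver_debug_endpoint": debug_endpoint_requests(WEB_LOG),
    }


if __name__ == "__main__":
    for rule, hits in run_all().items():
        print(f"{rule}: {hits}")
```

The DNS check strips the trailing dot that resolver logs often append, and the web-log check drops any query string before comparing the path, so a request to the endpoint with appended parameters is still caught.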

KQL Hunting Queries

// HUNT-01: MuddyWater Teams False-Flag — Credential Typed in Plaintext File During Screen Share
// Covers: MuddyWater MANGO SANDSTORM | MITRE: T1056.001, T1566.004
DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where FileName endswith ".txt"
| where FolderPath has_any ("Temp", "Desktop", "Downloads", "Documents")
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(24h)
    | where RemoteUrl has "teams.microsoft.com"
    | project DeviceId, TeamsEventTime = Timestamp
) on DeviceId
| where abs(datetime_diff('minute', Timestamp, TeamsEventTime)) <= 15
| project Timestamp, DeviceName, DeviceId, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessAccountName
| order by Timestamp desc

// HUNT-02: MuddyWater Teams False-Flag — Rapid Discovery Chain Post-Teams Session
// Covers: MuddyWater MANGO SANDSTORM | MITRE: T1087, T1016, T1078
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("net.exe", "nltest.exe", "ipconfig.exe", "whoami.exe", "net1.exe")
| summarize CmdCount = count(), Commands = make_set(FileName), EarliestTime = min(Timestamp) by DeviceId, DeviceName, bin(Timestamp, 5m)
| where CmdCount >= 3
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(24h)
    | where RemoteUrl has "teams.microsoft.com"
    | summarize LastTeamsTime = max(Timestamp) by DeviceId
) on DeviceId
| where abs(datetime_diff('minute', EarliestTime, LastTeamsTime)) <= 30
| project EarliestTime, DeviceName, DeviceId, CmdCount, Commands, LastTeamsTime
| order by EarliestTime desc

// HUNT-03: MuddyWater Teams False-Flag — Attacker-Controlled MFA Device Registration
// Covers: MuddyWater MANGO SANDSTORM | MITRE: T1621
// Note: the new Teams client runs as ms-teams.exe; classic Teams ran as Teams.exe.
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("Teams.exe", "ms-teams.exe")
| where FileName in~ ("reg.exe", "powershell.exe", "cmd.exe")
| where ProcessCommandLine has_any ("authenticator", "mfa", "device", "register", "add")
| project Timestamp, DeviceName, DeviceId, ProcessCommandLine, InitiatingProcessFileName, AccountName
| order by Timestamp desc

// HUNT-04: DAEMON Tools Supply Chain — cmd.exe Spawned by DTHelper.exe
// Covers: DAEMON Tools backdoor | MITRE: T1195.002, T1059.003
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "DTHelper.exe"
| where FileName =~ "cmd.exe"
| project Timestamp, DeviceName, DeviceId, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessFolderPath, AccountName
| order by Timestamp desc

// HUNT-05: DAEMON Tools Supply Chain — C2 Beacon to daemontools[.]cc Domain
// Covers: DAEMON Tools backdoor | MITRE: T1071.001
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has "daemontools.cc" or RemoteUrl has "env-check"
| project Timestamp, DeviceName, DeviceId, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessAccountName
| order by Timestamp desc

// HUNT-06: PAN-OS CVE-2026-0300 — Anomalous Outbound from Firewall-Named Devices
// Covers: CVE-2026-0300 post-exploitation | MITRE: T1190, T1059
// Note: DeviceInfo holds one row per device heartbeat, so deduplicate before joining
// or every network event is multiplied by the number of heartbeats.
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort in (4444, 1337, 8080, 9001, 443)
| join kind=inner (
    DeviceInfo
    | where DeviceName has_any ("fw", "firewall", "palo", "panos", "ngfw")
    | distinct DeviceId, DeviceName
) on DeviceId
| where InitiatingProcessFileName !in~ ("svchost.exe", "lsass.exe")
| project Timestamp, DeviceName, DeviceId, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName
| order by Timestamp desc

// HUNT-07: Weaver E-cology CVE-2026-22679 — Internal Hosts Querying Debug API Endpoint
// Covers: CVE-2026-22679 RCE exploitation | MITRE: T1190
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has "dubboApi" or RemoteUrl has "devops/debug" or RemoteUrl has "esearch/data/devops"
| project Timestamp, DeviceName, DeviceId, RemoteUrl, RemoteIP, InitiatingProcessFileName, LocalPort
| order by Timestamp desc

// HUNT-08: Ransomware Pre-Stage — Volume Shadow Copy Deletion
// Covers: Lynx Ransomware / Generic Ransomware Pre-Encryption | MITRE: T1490
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (FileName =~ "vssadmin.exe" and ProcessCommandLine has "delete")
    or (FileName =~ "wmic.exe" and ProcessCommandLine has_any ("shadowcopy delete", "resize shadowstorage"))
| project Timestamp, DeviceName, DeviceId, ProcessCommandLine, InitiatingProcessFileName, AccountName, AccountDomain
| order by Timestamp desc

// HUNT-09: Ivanti EPMM Post-Exploitation — Shell Spawned by Java Application Server
// Covers: CVE-2026-6973 post-exploitation web shell activity | MITRE: T1505.003
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("java.exe", "javaw.exe")
| where FileName in~ ("cmd.exe", "powershell.exe", "sh", "bash")
| project Timestamp, DeviceName, DeviceId, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessFolderPath
| order by Timestamp desc

KQL Detection Rules (High Fidelity)

Rationale for DET-01: Legitimate DAEMON Tools DTHelper.exe (the device helper service) has no business reason to spawn cmd.exe or any interactive shell. This parent-child relationship does not occur in any known legitimate DTHelper use case.

// DET-01: cmd.exe Child of DTHelper.exe — DAEMON Tools Backdoor Execution
// MITRE: T1195.002, T1059.003 | Severity: HIGH
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "DTHelper.exe"
| where FileName in~ ("cmd.exe", "powershell.exe")
| extend AlertTitle = "DAEMON Tools Backdoor — Suspicious Shell Spawned by DTHelper.exe"
| extend Severity = "HIGH"
| extend MITRETechnique = "T1195.002 / T1059.003"
| extend RecommendedAction = "Isolate the endpoint immediately. Determine DAEMON Tools version: if 12.5.0.2421-12.5.0.2434, confirm supply chain compromise. Collect DTHelper.exe hash and compare against Kaspersky Securelist IOC list. Escalate to Tier 2 IR and preserve memory."
| project Timestamp, DeviceName, DeviceId, AlertTitle, Severity, MITRETechnique, RecommendedAction, ProcessCommandLine, InitiatingProcessFileName, AccountName

Rationale for DET-02: The domain env-check.daemontools[.]cc was registered by threat actors on 2026-03-27 and has no legitimate use. Any DNS query to this domain is a confirmed indicator of a compromised DAEMON Tools installation.

// DET-02: DNS Query to DAEMON Tools C2 Domain
// MITRE: T1071.001, T1195.002 | Severity: HIGH
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has "daemontools.cc"
| extend AlertTitle = "DAEMON Tools C2 Beacon Detected — env-check.daemontools.cc"
| extend Severity = "HIGH"
| extend MITRETechnique = "T1071.001 / T1195.002"
| extend RecommendedAction = "Isolate endpoint. Verify and remove DAEMON Tools versions 12.5.0.2421-12.5.0.2434. Assume first-stage backdoor executed. Hunt for second-stage payload indicators, lateral movement from affected credentials, and outbound data staging."
| project Timestamp, DeviceName, DeviceId, AlertTitle, Severity, MITRETechnique, RecommendedAction, RemoteUrl, RemoteIP, InitiatingProcessFileName

Rationale for DET-03: Deleting volume shadow copies is a near-universal ransomware pre-stage behaviour. vssadmin delete shadows has extremely limited legitimate enterprise use. Allowlist known backup software processes by InitiatingProcessFileName where documented backup jobs perform shadow copy management.

// DET-03: Shadow Copy Deletion — Ransomware Pre-Encryption Stage
// MITRE: T1490 | Severity: CRITICAL
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (FileName =~ "vssadmin.exe" and ProcessCommandLine has "delete")
    or (FileName =~ "wmic.exe" and ProcessCommandLine has_any ("shadowcopy delete", "shadowstorage"))
| extend AlertTitle = "Volume Shadow Copy Deletion — Likely Ransomware Pre-Stage"
| extend Severity = "CRITICAL"
| extend MITRETechnique = "T1490"
| extend RecommendedAction = "IMMEDIATE: Isolate endpoint from network. Do not attempt to save or access files on affected system. Initiate ransomware IR playbook. Determine if exfiltration preceded encryption. Identify patient zero and lateral movement paths before bringing recovery systems online."
| project Timestamp, DeviceName, DeviceId, AlertTitle, Severity, MITRETechnique, RecommendedAction, ProcessCommandLine, InitiatingProcessFileName, AccountName

Rationale for DET-04: Registration of a new MFA authenticator device within minutes of a Microsoft Teams screen-sharing session with an external tenant is a high-confidence indicator of MuddyWater's social engineering TTP. Allowlist by AccountName for known helpdesk staff performing documented re-enrolment workflows with prior change-request tickets.

// DET-04: New MFA Device Registration Immediately Following External Teams Session
// MITRE: T1621, T1566.004 | Severity: HIGH
// Note: the authoritative record of a new authenticator is the Entra ID audit log;
// this endpoint-side query is a corroborating signal, not a substitute for it.
// The new Teams client runs as ms-teams.exe; classic Teams ran as Teams.exe.
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("Teams.exe", "ms-teams.exe")
| where ProcessCommandLine has_any ("authenticator", "mfa", "enroll", "register", "add device", "verify")
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(24h)
    | where RemoteUrl has "teams.microsoft.com"
    | project DeviceId, ExternalTeamsTime = Timestamp
) on DeviceId
| where abs(datetime_diff('minute', Timestamp, ExternalTeamsTime)) <= 20
| extend AlertTitle = "Suspected MFA Device Registration via Teams Social Engineering — MuddyWater TTP"
| extend Severity = "HIGH"
| extend MITRETechnique = "T1621 / T1566.004"
| extend RecommendedAction = "Contact user via out-of-band channel (phone) to confirm legitimacy. If unconfirmed: revoke newly registered MFA device in Entra ID immediately, reset account password, revoke all sessions, audit login history for past 7 days, and hunt for concurrent discovery commands from this device."
| project Timestamp, DeviceName, DeviceId, AlertTitle, Severity, MITRETechnique, RecommendedAction, ProcessCommandLine, AccountName

Rationale for DET-05: MuddyWater instructs victims to type credentials into visible text files during screen-share sessions. The creation of a .txt file in user-accessible directories during an active Teams network session is anomalous and correlates strongly with this specific TTP.

// DET-05: Plaintext Credential File Created in User Directory During Active Teams Session
// MITRE: T1056.001 | Severity: HIGH
DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where FileName endswith ".txt"
| where FolderPath has_any ("Temp", "Desktop", "Downloads", "Documents")
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(24h)
    | where RemoteUrl has "teams.microsoft.com"
    | project DeviceId, TeamsEventTime = Timestamp
) on DeviceId
| where abs(datetime_diff('minute', Timestamp, TeamsEventTime)) <= 10
| extend AlertTitle = "Potential Credential Capture — Text File Created During Active Teams Session"
| extend Severity = "HIGH"
| extend MITRETechnique = "T1056.001"
| extend RecommendedAction = "Review file content for credential strings. If credentials found: treat account as compromised, reset password, revoke all active sessions in Entra ID, check for new MFA device registrations, and audit login history for past 7 days. Preserve file for forensics."
| project Timestamp, DeviceName, DeviceId, AlertTitle, Severity, MITRETechnique, RecommendedAction, FileName, FolderPath, InitiatingProcessFileName, AccountName

Mitigation Priorities

Patch (actively exploited — act now):

  1. Palo Alto PAN-OS hotfix — CVE-2026-0300 — PA-Series and VM-Series firewalls (all sectors): Apply vendor-supplied hotfix immediately per the Palo Alto Networks security advisory. Immediate workaround: restrict or disable the User-ID Authentication Portal (ports 6081/6082) from untrusted and internet-facing zones. Confirm no instances are exposed on Shodan. CISA KEV listed — treat as urgent.
  2. Ivanti EPMM — CVE-2026-6973 + CVE-2026-5786/5787/5788/7821 — on-premises EPMM all versions: Upgrade to 12.6.1.1, 12.7.0.1, or 12.8.0.1 immediately. CISA KEV federal deadline was 2026-05-10. Any unpatched on-premises EPMM instance accessible from the internet should be treated as potentially compromised pending forensic review.
  3. Weaver E-cology — CVE-2026-22679 — all versions prior to build 20260312: Apply vendor build 20260312 which removes the debug API endpoint. No partial mitigation exists. Exploitation has been ongoing since March 17, 2026 — assume any unpatched externally accessible instance has been probed or compromised.

Network hardening:

Endpoint and Software Supply Chain:

Microsoft Teams and Identity:

Ransomware and Operational Resilience:

Awareness and Process:

Sources