Executive Summary

The 31 May–1 June window opens the month with three significant developments: the CISA KEV deadline for Palo Alto GlobalProtect CVE-2026-0257 expires today, and Rapid7 MDR telemetry shows 8 of 10 customers with accepted forged authentication cookies in the past 48 hours. Interlock ransomware has been confirmed exploiting Cisco Firepower Management Center CVE-2026-20131 (CVSS 10.0), deploying a memory-resident Java web shell after unauthenticated Java deserialization. The FBI has issued a warning on FIFA World Cup 2026 phishing ahead of the tournament. CISA and NSA jointly updated ICS guidance covering the ongoing CyberAv3ngers/IRGC-CEC Rockwell PLC campaign.

Top priorities for today:

  • PAN-OS GlobalProtect CVE-2026-0257 — CISA federal deadline is today. Rapid7 MDR confirms active exploitation in 8 of 10 monitored environments. The forged MAC aa:bb:cc:dd:ee:ff and machine names GP-CLIENT/DESKTOP-GP01 are reliable indicators. Apply PAN-OS patch or restrict GlobalProtect to known-good client certificates immediately.
  • Cisco FMC CVE-2026-20131 — CVSS 10.0, actively exploited by Interlock ransomware. The Java deserialization payload drops a memory-resident web shell with no disk presence. Any FMC deployment not yet patched must be treated as potentially compromised. Apply the Cisco Security Advisory patch immediately.
  • Microsoft Defender CVE-2026-41091 / CVE-2026-45498 — CISA federal deadline in two days (3 June). Apply the June 2026 Defender update immediately.
  • Iranian ICS PLC Campaign — CISA/NSA AA26-097A update confirms secondary groups (Dark Engine, Sector 16, NoName057(16)) are now participating alongside CyberAv3ngers. OT environments running Rockwell PLCs must hunt for the Dropbear SSH indicators and review all PLC access logs.

Threat Landscape Overview

# | Threat Cluster | Severity | Status | Timestamp
1 | PAN-OS GlobalProtect CVE-2026-0257 (CVSS 9.1) — CISA deadline TODAY | CRITICAL | [UPDATED] Deadline 2026-06-01 | 2026-05-31
2 | TrapDoor supply chain — LangChain/LlamaIndex/LangFlow/MetaGPT/OpenHands | HIGH | [UPDATED] Ongoing | 2026-05-31
3 | FIFA World Cup 2026 phishing — FBI warning June 1 | MEDIUM | NEW — FBI warning | 2026-06-01
4 | NGINX CVE-2026-42945 — Ingress-NGINX Kubernetes confirmed affected | CRITICAL | [UPDATED] Ongoing | 2026-05-31
5 | Iranian ICS PLC Campaign CISA AA26-097A — CyberAv3ngers/IRGC-CEC | HIGH | [UPDATED] Secondary groups confirmed | 2026-05-31
6 | MS Defender CVE-2026-41091/45498 — CISA deadline 2026-06-03 | HIGH | [UPDATED] Deadline 2 days | 2026-05-31
7 | Exchange CVE-2026-42897 — deadline passed, exploitation ongoing | CRITICAL | [UPDATED] Past deadline, active | 2026-06-01
8 | Interlock Ransomware — Cisco FMC CVE-2026-20131 (CVSS 10.0) | CRITICAL | [UPDATED] Active exploitation | 2026-06-01

New Intelligence

1. FIFA World Cup 2026 Phishing — FBI Warning MEDIUM

Source: FBI Public Service Announcement, 2026-06-01 • Tournament dates: June 11 – July 19, 2026

The FBI issued a public service announcement on 1 June warning of phishing campaigns targeting World Cup ticket buyers, travel bookers, and football fans ahead of the 2026 FIFA World Cup (hosted across the US, Canada, and Mexico). The warning highlights three primary fraud vectors: fake ticketing sites impersonating FIFA and national football associations; fraudulent official merchandise stores offering deeply discounted replica shirts and souvenirs; and fake hospitality offers claiming to provide luxury packages near host venues.

The FBI warning complements Group-IB’s ongoing GHOST STADIUM reporting (see 28 May brief). The FBI notes that victims have lost between $500 and $15,000 per incident in card fraud and non-delivery scams. The warning specifically advises purchasing tickets only through fifa.com/tickets and to be highly suspicious of any resale platform offering tickets below face value.

Action required: Brief end users and customers about World Cup fraud. For organisations processing World Cup ticket or merchandise purchases, ensure fraud detection rules are configured for high-value transactions originating from recently registered domains.


Updated Intelligence

2. PAN-OS GlobalProtect CVE-2026-0257 — CISA Federal Deadline TODAY CRITICAL [UPDATED]

CVE: CVE-2026-0257 • CVSS: 9.1 • CISA KEV deadline: 2026-06-01 (TODAY) • Source: Rapid7 MDR, Palo Alto Networks

The CISA federal remediation deadline for PAN-OS GlobalProtect CVE-2026-0257 expires today. CVE-2026-0257 is an authentication bypass in the GlobalProtect portal that allows an unauthenticated attacker to forge authentication by presenting a spoofed MAC address and machine name, generating a valid auth cookie that bypasses MFA entirely. The forged cookie is accepted by all GlobalProtect versions prior to the patched release.

Rapid7 MDR telemetry published on 31 May is highly alarming: 8 of 10 monitored customer environments with GlobalProtect deployments had accepted forged authentication cookies in the preceding 48 hours. The exploitation indicators are consistent: MAC address aa:bb:cc:dd:ee:ff and machine names GP-CLIENT or DESKTOP-GP01 appearing in GlobalProtect session logs.

Exploitation timeline: Wave 1 exploitation began on approximately 17 May (Vultr-hosted infrastructure) and Wave 2 on approximately 21 May (Dromatics infrastructure). Active post-exploitation activity has been confirmed in multiple environments, including credential harvesting from VPN session tokens.

IOCs: MAC aa:bb:cc:dd:ee:ff (forged) • Machine names GP-CLIENT, DESKTOP-GP01 (forged) • Auth override cookie pattern in GlobalProtect logs

Action required: Apply PAN-OS patch immediately. Retroactively audit GlobalProtect authentication logs for the MAC and machine name indicators from 17 May onwards. Treat any session originating from these indicators as compromised and revoke associated credentials.

TTPs: T1078 Valid Accounts (forged auth bypass) • T1550.004 Web Session Cookie • T1133 External Remote Services
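The retroactive log audit described above, as an added example that is not part of the brief or of Rapid7's or Palo Alto's tooling: it scans an exported GlobalProtect log for the two forged-client indicators, restricts findings to the 17 May onward window, and returns the (user, source IP) pairs whose sessions and credentials need revoking. The key=value log layout, field names and sample lines are constructed assumptions, not the real PAN-OS schema; map the fields to your own export before use.

```python
"""Offline audit of an exported GlobalProtect log for the CVE-2026-0257
forged-client indicators from the brief (MAC aa:bb:cc:dd:ee:ff, machine
names GP-CLIENT / DESKTOP-GP01), restricted to the 17 May onward window."""
import re
from datetime import datetime, timezone

FORGED_MAC = "aa:bb:cc:dd:ee:ff"
FORGED_MACHINE_NAMES = {"GP-CLIENT", "DESKTOP-GP01"}
# Wave 1 exploitation began about 17 May per the brief; audit from there.
AUDIT_START = datetime(2026, 5, 17, tzinfo=timezone.utc)

# Constructed sample export. The key=value layout and field names are an
# assumption for this example, not the real PAN-OS log schema.
SAMPLE_LOG = """\
2026-05-16T09:12:01Z event=gateway-auth user=alice src=203.0.113.10 mac=00:11:22:33:44:55 machine=ALICE-LAPTOP result=success
2026-05-18T02:44:13Z event=gateway-auth user=svc-backup src=198.51.100.7 mac=aa:bb:cc:dd:ee:ff machine=GP-CLIENT result=success
2026-05-18T02:45:09Z event=session-start user=svc-backup src=198.51.100.7 mac=aa:bb:cc:dd:ee:ff machine=GP-CLIENT
2026-05-19T11:03:55Z event=gateway-auth user=bob src=203.0.113.22 mac=66:77:88:99:aa:bb machine=BOB-PC result=success
2026-05-22T23:58:40Z event=gateway-auth user=admin src=192.0.2.77 mac=de:ad:be:ef:00:01 machine=DESKTOP-GP01 result=success
this line is malformed and must be skipped, not crash the audit
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return (utc timestamp, fields dict) or None if the line does not parse."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return ts.replace(tzinfo=timezone.utc), dict(FIELD_RE.findall(parts[1]))


def is_forged(fields):
    """Either indicator alone is enough: the brief treats both values as forged-only."""
    return (fields.get("mac", "").lower() == FORGED_MAC
            or fields.get("machine", "") in FORGED_MACHINE_NAMES)


def audit(log_text, start=AUDIT_START):
    """Return (findings, revoke_set, pre_window_hits).

    findings: one dict per forged event at/after `start`.
    revoke_set: (user, src) pairs whose sessions and credentials need revoking.
    pre_window_hits: forged events before `start`; a non-zero value means the
    17 May start assumption does not hold for this environment."""
    findings, revoke, pre_window = [], set(), 0
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, f = parsed
        if not is_forged(f):
            continue
        if ts < start:
            pre_window += 1
            continue
        findings.append({"time": ts.isoformat(), "event": f.get("event"),
                         "user": f.get("user"), "src": f.get("src"),
                         "mac": f.get("mac"), "machine": f.get("machine")})
        revoke.add((f.get("user"), f.get("src")))
    return findings, revoke, pre_window


if __name__ == "__main__":
    found, to_revoke, early = audit(SAMPLE_LOG)
    for item in found:
        print(item)
    print("revoke:", sorted(to_revoke), "| forged hits before window:", early)
```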


3. TrapDoor Supply Chain — AI Framework Targeting Ongoing HIGH [UPDATED]

First reported: 2026-05-18 • Updated: 2026-05-31 (SlowMist, GitHub Security)

SlowMist published an updated analysis on 31 May characterising TrapDoor as “one of 2026’s largest supply chain attacks” by downstream impact. The threat actor, operating through the GitHub account ddjidd564, is continuing to submit pull requests containing trojanised dependency updates to major AI/ML framework repositories: LangChain, LlamaIndex, LangFlow, MetaGPT, and OpenHands.

The PR injection technique is sophisticated: the malicious commits are structured to appear as legitimate bug fixes or dependency version bumps, with plausible commit messages and small code diffs that obscure the malicious payload in a transitive dependency. The payload steals API keys for OpenAI, Anthropic, Cohere, and HuggingFace, along with any secrets accessible from the development environment. SlowMist estimates the campaign has affected approximately 12,000 downstream projects through transitive dependency inclusion.

Action required: Review all AI/ML Python projects for any recent dependency updates to LangChain, LlamaIndex, LangFlow, MetaGPT, or OpenHands. Audit requirements.txt and pyproject.toml lockfiles for unexpected version bumps. Monitor for outbound connections to unknown endpoints from Python processes in ML/AI development environments.

TTPs: T1195.001 Supply Chain Compromise: Develop Toolchain • T1552.001 Credentials In Files • T1041 Exfiltration Over C2
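The lockfile audit called for above, as an added example that is not SlowMist's or GitHub's tooling: it compares a known-good set of `name==version` pins with the current one and reports version changes to the frameworks the brief names (and their sub-packages), any newly added package (where the brief places the malicious transitive dependency), and removed packages. The baseline and current pin sets are constructed and the version numbers are made up; pyproject.toml needs its own parser and is not handled here.

```python
"""Compare a known-good dependency pin set with the current one and report
watched-framework bumps, other bumps, newly added packages and removals."""
import re

# Frameworks the brief names; sub-packages such as langchain-core match too.
WATCHED = ("langchain", "llama-index", "langflow", "metagpt", "openhands")

# Constructed baseline and current pin sets; versions are made up for the example.
BASELINE = """\
langchain==0.3.20
langchain-core==0.3.40
llama-index==0.12.30
numpy==2.2.4
requests==2.32.3
"""
CURRENT = """\
langchain==0.3.21
langchain_core==0.3.40
llama-index==0.12.30
numpy==2.2.5   # reported separately as an unwatched bump
requests==2.32.3
helper-utils-core==1.0.4
"""

PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([^\s;#]+)")


def normalize(name):
    """PEP 503 normalisation so langchain_core and langchain-core compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pins(text):
    """Map normalised package name to pinned version for 'name==version' lines."""
    pins = {}
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m:
            pins[normalize(m.group(1))] = m.group(2)
    return pins


def is_watched(name):
    """True for a named framework or one of its dash-separated sub-packages."""
    return any(name == w or name.startswith(w + "-") for w in WATCHED)


def audit(baseline_text, current_text):
    """Return a report dict; every list is sorted by package name."""
    base, cur = parse_pins(baseline_text), parse_pins(current_text)
    report = {"watched_bumps": [], "other_bumps": [], "new_packages": []}
    for name, ver in sorted(cur.items()):
        if name not in base:
            # A package absent from the baseline is the transitive-dependency
            # pattern the brief describes; review it before trusting it.
            report["new_packages"].append((name, ver))
        elif base[name] != ver:
            key = "watched_bumps" if is_watched(name) else "other_bumps"
            report[key].append((name, base[name], ver))
    report["removed_packages"] = sorted(n for n in base if n not in cur)
    return report


if __name__ == "__main__":
    for section, items in audit(BASELINE, CURRENT).items():
        print(section, items)
```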


4. NGINX CVE-2026-42945 — Ingress-NGINX Kubernetes Confirmed Affected CRITICAL [UPDATED]

Updated: 2026-05-31 • Source: Kubernetes Ingress-NGINX maintainers

Kubernetes Ingress-NGINX maintainers confirmed CVE-2026-42945 affects Ingress-NGINX when running NGINX Plus R33 or earlier as the proxy backend. Kubernetes clusters using Ingress-NGINX as their ingress controller are at risk of unauthenticated HTTP/2 memory corruption leading to worker process crash or code execution. The Ingress-NGINX Helm chart version 4.12.1 updates to NGINX Plus R34.

Action required: Update Ingress-NGINX Helm chart to 4.12.1. For clusters where immediate update is not possible, configure the ingress controller to disable HTTP/2 as an interim control (nginx.ingress.kubernetes.io/use-http2: "false" annotation on affected ingresses).


5. Iranian ICS PLC Campaign — CISA/NSA AA26-097A Updated HIGH [UPDATED]

Advisory: CISA AA26-097A • Updated: 2026-05-31 • Actors: CyberAv3ngers (IRGC-CEC), Dark Engine, Sector 16, NoName057(16)

CISA and NSA published an update to advisory AA26-097A confirming that the Iranian ICS PLC campaign — previously attributed solely to CyberAv3ngers (IRGC Cyber Electronic Command) — now involves three additional threat actors: Dark Engine, Sector 16, and NoName057(16), operating as loosely coordinated secondary groups. The primary targets remain Rockwell Automation Allen-Bradley PLCs in water/wastewater, energy, and manufacturing sectors.

The updated advisory confirms the persistence mechanism: a non-standard SSH daemon, Dropbear, is installed on compromised Linux-based HMIs and engineering workstations and listens on port 22 (blending with expected SSH traffic), providing persistent remote access after initial PLC compromise. The advisory notes that secondary groups are less disciplined than CyberAv3ngers and in some cases are causing unintended disruption beyond their apparent mandate.

Behavioural IOCs: Dropbear SSH on port 22 of OT hosts (unexpected SSH daemon) • Rockwell Studio 5000 executing from non-engineering workstation accounts • PLC firmware modification events outside maintenance windows

TTPs: T1505.003 Web Shell (ICS context) • T1021.004 Remote Services: SSH • T1059 Command and Scripting Interpreter


6. Microsoft Defender CVE-2026-41091 / CVE-2026-45498 — CISA Deadline 3 June HIGH [UPDATED]

CVEs: CVE-2026-41091, CVE-2026-45498 • CISA federal deadline: 2026-06-03

Two Microsoft Defender vulnerabilities added to CISA KEV have a federal deadline of 3 June (two days from now). CVE-2026-41091 is a privilege escalation in the Microsoft Defender antimalware platform service allowing a local user to escalate to SYSTEM via a race condition in the platform’s update handler. CVE-2026-45498 is a separate bypass of Defender’s real-time protection that allows a local user to write arbitrary files to Defender’s quarantine directory, enabling a logic-bomb-style evasion.

Both vulnerabilities are addressed in the June 2026 Microsoft Defender platform update (version 4.18.26050.x). Defender updates automatically in most enterprise configurations; verify that all endpoints have received the update before the 3 June deadline.


7. Exchange CVE-2026-42897 — Past Deadline, Exploitation Continues CRITICAL [UPDATED]

CISA deadline passed: 2026-05-29 • Updated: 2026-06-01

The CISA federal deadline for Exchange CVE-2026-42897 passed on 29 May, but exploitation continues actively. Microsoft’s June 2026 Patch Tuesday preview indicates a permanent patch is targeted for 9 June. Organisations running on-premises Exchange must continue applying the interim mitigation and monitoring OWA logs for session hijacking indicators. Exchange 2016 ESU customers remain without a patch path; the recommended mitigation is disabling OWA for external access.


8. Interlock Ransomware — Cisco FMC CVE-2026-20131 (CVSS 10.0) CRITICAL [UPDATED]

CVE: CVE-2026-20131 • CVSS: 10.0 • Actor: Interlock Ransomware Group • Updated: 2026-06-01 (Cisco Talos, Unit 42)

Cisco Talos and Unit 42 published technical analysis confirming Interlock ransomware is actively exploiting CVE-2026-20131, a critical unauthenticated Java deserialization vulnerability in Cisco Firepower Management Center (FMC). The vulnerability is remotely exploitable with no authentication required and results in arbitrary code execution in the context of the FMC application server.

Post-exploitation is sophisticated: the initial deserialization payload drops a memory-resident Java web shell that survives without any on-disk presence — the web shell exists only in the JVM heap. The web shell accepts commands over an RC4-encrypted WebSocket connection, making C2 traffic difficult to distinguish from legitimate FMC websocket communications. Post-exploitation activity includes deployment of ConnectWise ScreenConnect for persistent remote access, use of Certify for Active Directory certificate abuse, and memory forensics tools (Volatility-based) to harvest credentials from lsass.exe on connected Windows management hosts.

Interlock then moves laterally to Windows infrastructure using the harvested credentials before deploying the Interlock ransomware encryptor. The average time from initial FMC compromise to ransomware deployment has been 72–96 hours.

Action required: Apply the Cisco FMC patch from the May 2026 advisory immediately. Any FMC deployment that has not been patched should be treated as potentially compromised and a thorough memory forensics investigation initiated before patching. Check FMC application logs for unexpected WebSocket connections and anomalous serialized Java object submissions to the FMC REST API.

TTPs: T1190 Exploit Public-Facing Application • T1505.003 Web Shell (memory-resident) • T1071.001 Application Layer Protocol: Web Protocols (RC4 WebSocket C2) • T1486 Data Encrypted for Impact • T1003.001 OS Credential Dumping: LSASS Memory • T1649 Steal or Forge Authentication Certificates


IOC Summary

Type | Value | Campaign
MAC address | aa:bb:cc:dd:ee:ff | PAN-OS GlobalProtect CVE-2026-0257 (forged auth)
Machine name | GP-CLIENT, DESKTOP-GP01 | PAN-OS GlobalProtect CVE-2026-0257 (forged auth)
GitHub account | ddjidd564 | TrapDoor supply chain (AI framework PRs)
Behaviour | Dropbear SSH on port 22 of OT Linux hosts | Iranian ICS PLC Campaign (CyberAv3ngers/AA26-097A)
Behaviour | Memory-resident Java web shell over RC4 WebSocket | Interlock / Cisco FMC CVE-2026-20131

KQL Hunting Queries

HUNT-01: GlobalProtect CVE-2026-0257 — Forged MAC / Machine Name in VPN Logs

Covers PAN-OS GlobalProtect authentication bypass using forged client identifiers. MITRE: T1078, T1550.004.

// HUNT-01: GlobalProtect CVE-2026-0257 — forged MAC and machine name indicators
// Covers: PAN-OS GlobalProtect auth bypass
// MITRE: T1078, T1550.004
CommonSecurityLog
| where TimeGenerated > ago(72h)
| where DeviceVendor == "Palo Alto Networks"
| where Activity has_any ("GlobalProtect", "GP-AUTH", "SSL-VPN")
| where Message has_any ("aa:bb:cc:dd:ee:ff", "GP-CLIENT", "DESKTOP-GP01")
| project TimeGenerated, DeviceName, SourceIP, DestinationIP, Activity, Message, AdditionalExtensions
| order by TimeGenerated desc

HUNT-02: TrapDoor Supply Chain — Python Process Exfiltrating AI API Keys

Covers TrapDoor payload exfiltrating LLM API keys from developer environments. MITRE: T1552.001, T1041.

// HUNT-02: TrapDoor supply chain — Python exfiltrating AI API keys
// Covers: TrapDoor AI framework supply chain
// MITRE: T1552.001, T1041
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("python.exe", "python", "python3")
| where ProcessCommandLine has_any ("OPENAI_API_KEY", "ANTHROPIC_API_KEY", "COHERE_API_KEY", "HF_TOKEN", "HUGGINGFACE_HUB_TOKEN")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc

HUNT-03: Cisco FMC Exploitation — Java Deserialization Anomalous Process Spawn

Covers CVE-2026-20131 Java deserialization triggering unexpected process from FMC application server. MITRE: T1190.

// HUNT-03: Cisco FMC CVE-2026-20131 — Java deserialization spawning unexpected process
// Covers: Interlock ransomware FMC exploitation
// MITRE: T1190
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("java", "java.exe")
| where FileName in~ ("sh", "bash", "cmd.exe", "powershell.exe", "wget", "curl")
| where InitiatingProcessCommandLine has_any ("fmc", "firepower", "sf-", "CSM")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc

HUNT-04: Interlock Ransomware — ConnectWise ScreenConnect Deployment Post-FMC

Covers Interlock post-exploitation ConnectWise ScreenConnect deployment from compromised FMC-adjacent hosts. MITRE: T1219.

// HUNT-04: Interlock ransomware — ConnectWise ScreenConnect deployment
// Covers: Interlock post-exploitation remote access tool
// MITRE: T1219
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "ScreenConnect.WindowsClient.exe" or ProcessCommandLine has "screenconnect"
| where InitiatingProcessFileName !in~ ("msiexec.exe", "setup.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc

HUNT-05: Dropbear SSH on OT Host (Iranian ICS Campaign)

Covers CyberAv3ngers Dropbear SSH persistence on OT Linux hosts. MITRE: T1021.004.

// HUNT-05: Iranian ICS campaign — Dropbear SSH on OT host
// Covers: CyberAv3ngers/IRGC-CEC Rockwell PLC campaign
// MITRE: T1021.004
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "dropbear" or ProcessCommandLine has "dropbear"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc

HUNT-06: Certify AD CS Abuse (Interlock Post-Exploitation)

Covers Interlock use of Certify for Active Directory certificate service abuse. MITRE: T1649.

// HUNT-06: Interlock — Certify AD CS certificate abuse
// Covers: Interlock ransomware post-exploitation credential theft
// MITRE: T1649
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "Certify.exe" or ProcessCommandLine has_any ("Certify.exe", "find /vulnerable", "request /ca:", "download /ca:")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc

HUNT-07: GlobalProtect Session from Forged Client After Auth Override

Covers GlobalProtect CVE-2026-0257 post-authentication activity from forged client sessions. MITRE: T1133.

// HUNT-07: GlobalProtect CVE-2026-0257 — post-auth activity from forged session
// Covers: PAN-OS GlobalProtect exploitation follow-on activity
// MITRE: T1133
CommonSecurityLog
| where TimeGenerated > ago(72h)
| where DeviceVendor == "Palo Alto Networks"
| where Activity has "TRAFFIC" or Activity has "THREAT"
| join kind=inner (
    CommonSecurityLog
    | where TimeGenerated > ago(72h)
    | where DeviceVendor == "Palo Alto Networks"
    | where Message has_any ("GP-CLIENT", "DESKTOP-GP01", "aa:bb:cc:dd:ee:ff")
    | project SuspectIP = SourceIP, AuthTime = TimeGenerated
) on $left.SourceIP == $right.SuspectIP
| where TimeGenerated > AuthTime
| project TimeGenerated, SourceIP, DestinationIP, Activity, Message
| order by TimeGenerated desc

HUNT-08: TrapDoor GitHub PR — ddjidd564 Account Reference in Dependency Files

Covers TrapDoor malicious dependency references introduced via PRs from the ddjidd564 account. MITRE: T1195.001.

// HUNT-08: TrapDoor — ddjidd564 GitHub account reference in dependencies
// Covers: TrapDoor AI framework supply chain PRs
// MITRE: T1195.001
DeviceFileEvents
| where Timestamp > ago(72h)
| where FileName in ("requirements.txt", "pyproject.toml", "setup.cfg", "poetry.lock")
| where ActionType in ("FileModified", "FileCreated")
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(72h)
    | where FileName in~ ("git.exe", "git")
    | where ProcessCommandLine has "ddjidd564"
    | project GitTime = Timestamp, DeviceName, GitCommand = ProcessCommandLine
) on DeviceName
| where Timestamp between (GitTime .. (GitTime + 10m))
| project Timestamp, DeviceName, FileName, FolderPath, GitCommand
| order by Timestamp desc

KQL Detection Rules (High Fidelity)

DET-01: GlobalProtect Forged Authentication Cookie CRITICAL

Rationale: The specific MAC address aa:bb:cc:dd:ee:ff and machine names GP-CLIENT/DESKTOP-GP01 have no legitimate use and are the documented exploitation identifiers for CVE-2026-0257. Any match in GlobalProtect logs is a confirmed exploitation attempt. Zero false positives expected from this specific pattern.

// DET-01: GlobalProtect CVE-2026-0257 — forged authentication identifier
// MITRE: T1078 | Severity: CRITICAL
CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DeviceVendor == "Palo Alto Networks"
| where Message has_any ("aa:bb:cc:dd:ee:ff", "GP-CLIENT", "DESKTOP-GP01")
| extend AlertTitle = "GlobalProtect CVE-2026-0257 — Forged Client Authentication Identifier Detected"
| extend Severity = "CRITICAL"
| extend MITRETechnique = "T1078 — Valid Accounts (Authentication Bypass)"
| extend RecommendedAction = "Immediately revoke the associated session. Apply PAN-OS patch. Audit all GlobalProtect logs from 2026-05-17 onwards for this MAC/machine pattern. Treat all sessions from matching identifiers as adversary-controlled."
| project TimeGenerated, AlertTitle, Severity, MITRETechnique, RecommendedAction, SourceIP, Message, AdditionalExtensions
| order by TimeGenerated desc

DET-02: Cisco FMC — Java Process Spawning Shell Post-Deserialization CRITICAL

Rationale: Legitimate Cisco FMC Java processes never spawn shell interpreters. This is a definitive indicator of CVE-2026-20131 Java deserialization exploitation leading to Interlock ransomware deployment. Zero legitimate exceptions.

// DET-02: Cisco FMC CVE-2026-20131 — Java deserialization shell spawn
// MITRE: T1190 | Severity: CRITICAL
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("java", "java.exe")
| where FileName in~ ("sh", "bash", "cmd.exe", "powershell.exe")
| where InitiatingProcessCommandLine has_any ("fmc", "firepower", "sf_logger", "SFDataCorrelator")
| extend AlertTitle = "Cisco FMC Java Deserialization RCE — Shell Spawned from FMC JVM (CVE-2026-20131)"
| extend Severity = "CRITICAL"
| extend MITRETechnique = "T1190 — Exploit Public-Facing Application"
| extend RecommendedAction = "Immediately isolate the FMC appliance from the network. Do NOT patch before conducting memory forensics — the web shell is memory-resident only and will be destroyed. Take full memory dump. Engage IR. Audit all connected Firepower sensors for lateral movement."
| project Timestamp, AlertTitle, Severity, MITRETechnique, RecommendedAction, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc

DET-03: Dropbear SSH on OT Linux Host HIGH

Rationale: Dropbear SSH is not a standard component of OT/ICS Linux deployments and has been specifically identified as the persistence mechanism used in the CyberAv3ngers IRGC PLC campaign. Any Dropbear process on an OT-segment Linux host warrants immediate investigation.

// DET-03: Iranian ICS campaign — Dropbear SSH on OT host
// MITRE: T1021.004 | Severity: HIGH
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "dropbear"
| extend AlertTitle = "Dropbear SSH Detected on OT Host — Possible Iranian ICS Campaign Persistence"
| extend Severity = "HIGH"
| extend MITRETechnique = "T1021.004 — Remote Services: SSH"
| extend RecommendedAction = "Immediately isolate the OT host from the network. Engage ICS security team. Review connected PLC and HMI access logs for unauthorised programming commands. Reference CISA AA26-097A indicators. Alert OT vendor."
| project Timestamp, AlertTitle, Severity, MITRETechnique, RecommendedAction, DeviceName, AccountName, FileName, ProcessCommandLine, FolderPath
| order by Timestamp desc

DET-04: TrapDoor — Python Accessing LLM API Key Environment Variables HIGH

Rationale: The TrapDoor payload specifically targets LLM API keys stored as environment variables. A Python process reading known LLM API key variable names outside a sanctioned AI development pipeline is anomalous. Allowlist known ML pipeline orchestrators by process path.

// DET-04: TrapDoor supply chain — Python reading LLM API key environment variables
// MITRE: T1552.001 | Severity: HIGH
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("python.exe", "python", "python3")
| where ProcessCommandLine has_any ("OPENAI_API_KEY", "ANTHROPIC_API_KEY", "COHERE_API_KEY", "HF_TOKEN")
| where FolderPath !has "\\venv\\" and FolderPath !has "/.venv/"
| extend AlertTitle = "Python Process Accessing LLM API Key Variables — Possible TrapDoor Supply Chain"
| extend Severity = "HIGH"
| extend MITRETechnique = "T1552.001 — Unsecured Credentials: Credentials In Files"
| extend RecommendedAction = "Audit Python package dependencies for TrapDoor-related packages in LangChain/LlamaIndex/LangFlow/MetaGPT/OpenHands. Review outbound connections from this Python process. Rotate all LLM API keys accessible from this environment."
| project Timestamp, AlertTitle, Severity, MITRETechnique, RecommendedAction, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc

DET-05: Interlock Ransomware — AD CS Certificate Abuse Pattern CRITICAL

Rationale: Interlock uses Certify to enumerate and request vulnerable Active Directory Certificate Services templates as part of its lateral movement before deploying ransomware. Certify execution is rarely legitimate outside red-team exercises; the specific command patterns it uses are definitive indicators.

// DET-05: Interlock ransomware — AD CS certificate abuse via Certify
// MITRE: T1649 | Severity: CRITICAL
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any ("Certify.exe find /vulnerable", "Certify.exe request /ca:", "Certify.exe download")
| extend AlertTitle = "Active Directory CS Certificate Abuse Detected (Certify) — Possible Interlock Pre-Ransomware"
| extend Severity = "CRITICAL"
| extend MITRETechnique = "T1649 — Steal or Forge Authentication Certificates"
| extend RecommendedAction = "CRITICAL: This pattern precedes Interlock ransomware deployment by hours. Immediately isolate affected host. Alert all privileged accounts as potentially compromised. Check FMC and network perimeter for prior CVE-2026-20131 exploitation. Engage IR immediately."
| project Timestamp, AlertTitle, Severity, MITRETechnique, RecommendedAction, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc

Mitigation Priorities

Patch (act TODAY — deadline 2026-06-01)

  • PAN-OS GlobalProtect — CVE-2026-0257 — Federal deadline today. Apply PAN-OS patch immediately. Retroactively audit GlobalProtect logs for forged MAC/machine name indicators from 17 May onwards.

Patch (act before 2026-06-03)

  • Microsoft Defender — CVE-2026-41091 / CVE-2026-45498 — Federal deadline 3 June. Verify all endpoints have received the June 2026 Defender platform update (4.18.26050.x).

Emergency response

  • Any unpatched Cisco FMC should be treated as potentially compromised — take memory dump before patching. The Interlock memory-resident web shell is destroyed by reboot or patching.
  • Audit all GlobalProtect logs from 17 May for the forged MAC/machine name indicators. Treat matching sessions as compromised.

AI / ML development environments

  • Audit all LangChain, LlamaIndex, LangFlow, MetaGPT, and OpenHands dependencies. Review recent PR merges from the ddjidd564 GitHub account against these repositories.
  • Rotate all LLM API keys (OpenAI, Anthropic, Cohere, HuggingFace) on machines where these frameworks are installed pending investigation.

ICS / OT

  • Scan all OT Linux hosts for Dropbear SSH processes. Reference CISA AA26-097A for the full indicator list.
  • Audit Rockwell Allen-Bradley PLC programming access logs for unauthorised changes since March 2026.
  • Brief OT operations staff: Dark Engine, Sector 16, and NoName057(16) are now participating in the Iranian ICS campaign. Disruption may be less controlled than CyberAv3ngers operations.

Sources

  • Rapid7 MDR Threat Bulletin: GlobalProtect CVE-2026-0257 Active Exploitation — 8 of 10 Environments Affected — Rapid7, 2026-05-31
  • TrapDoor: One of 2026’s Largest Supply Chain Attacks — SlowMist Analysis — SlowMist, 2026-05-31
  • FBI PSA: FIFA World Cup 2026 Phishing Surge — FBI, 2026-06-01
  • Ingress-NGINX CVE-2026-42945 Confirmation and Helm Chart 4.12.1 Release — Kubernetes/Ingress-NGINX maintainers, 2026-05-31
  • CISA/NSA Advisory AA26-097A Update: Dark Engine and Sector 16 Confirmed in Iranian ICS PLC Campaign — CISA/NSA, 2026-05-31
  • Microsoft Defender CVE-2026-41091 and CVE-2026-45498 — CISA KEV, 2026-05-31
  • Interlock Ransomware Technical Analysis: FMC CVE-2026-20131, Memory Web Shell, AD CS Abuse — Cisco Talos, 2026-06-01
  • Interlock Ransomware Exploiting Cisco FMC CVSS 10.0 Flaw — Unit 42 / Palo Alto Networks, 2026-06-01
  • Exchange CVE-2026-42897 Update: Past CISA Deadline, Permanent Patch Targeted for June 9 — MSRC, 2026-06-01