APT KQL Daily Ransomware Iran

Daily Threat Intelligence Brief: 11 May 2026

May 11, 2026 22 min read

Leak Bazaar and Lynx ransomware operators claimed 24 victims in a single 24-hour period across 13+ countries (US 13, UK 4), together representing 70%+ of daily threat activity. MuddyWater (Iran/MOIS) is actively conducting Microsoft Teams false-flag operations against US construction and manufacturing, deploying Chaos ransomware as misdirection while the real objective is credential theft and long-term persistence (36 confirmed victims). CVE-2026-0300 PAN-OS RCE exploitation continues; CVE-2026-6973 Ivanti EPMM hit its CISA KEV federal deadline on May 10. Includes 9 KQL hunting queries and 5 high-fidelity detection rules.

APT KQL Daily Ransomware

Daily Threat Intelligence Brief: 6 May 2026

May 6, 2026 24 min read

Two CRITICAL threats under mass multi-actor exploitation: CVE-2026-41940 cPanel auth bypass confirmed against government and MSP networks (8,859 .sorry-encrypted hosts) and CVE-2026-32202 Windows zero-click NTLM coercion by APT28 against Ukrainian and EU targets (CISA KEV deadline May 12). Also: CVE-2026-31431 Copy Fail Linux LPE (KEV May 15), Iranian CyberAv3ngers disrupting US PLCs, Mini Shai-Hulud PyTorch Lightning supply chain, Salt Typhoon covert networks, APT37 BirdCall Android backdoor, and Qilin/Gentlemen ransomware escalation. Includes 9 KQL hunting queries and 5 high-fidelity detection rules.
