CW's CTI

Daily Threat Intelligence Brief: 4 May 2026

May 4, 2026 20 min read

Seven active threat clusters: Storm-1175/Medusa ransomware operating at critical tempo against healthcare and finance; APT28 exploiting CVE-2026-32202 Windows NTLM coercion (KEV, deadline May 12); FIRESTARTER Cisco backdoor with active C2; DPRK HexagonalRodent stealing $12M in crypto; Mini Shai-Hulud worm in PyTorch Lightning PyPI package; Iranian IRGC attacking OT/ICS PLCs; and cPanel mass exploitation. Includes 7 KQL hunting queries and 7 high-fidelity detection rules.

Daily Threat Intelligence Brief: 3 May 2026

May 3, 2026 18 min read

Nation-state actors APT28 (PRISMEX + SLIMAGENT), Mustang Panda (LOTUSLITE v2), and BRICKSTORM remain active. New APT group TGR-STA-1030 has breached government organisations in 37 countries. Six ransomware groups active. Includes 12 KQL hunting queries, 10 detection rules, and full MITRE ATT&CK mapping.

Daily Threat Intelligence Brief: 1 May 2026

May 1, 2026 15 min read

cPanel CVE-2026-41940 (CVSS 9.8) was exploited for months before the patch. DPRK PromptMink npm supply chain operation targets crypto developers. Chrome WebGPU zero-day CVE-2026-5281 confirmed in the wild. Qilin ransomware claims 11 victims in a single 24-hour window.

Daily Threat Intelligence Brief: 30 April 2026

April 30, 2026 18 min read

Two CISA KEV zero-days in a single day: CVE-2026-32202 Windows Shell NTLM coercion linked to APT28, and CVE-2026-33825 Defender LPE (BlueHammer/RedSun exploits). APT28 FrostArmada disrupted by US/UK agencies. Fake Claude PlugX installer active. NightSpire ransomware scaling with RaaS model.