Cyber Threat Intelligence Digest: Week 19

Executive Summary -
Highlights of Cyber Threat Intelligence Digest

Vulnerabilities

Elastic Patches Improper Verification of Cryptographic Signature Vulnerability CVE-2026-33467 Affecting Elastic Package Registry - On 28 April 2026, Elastic patched a cryptographic signature verification vulnerability, tracked as CVE-2026-33467, affecting Elastic Package Registry versions 1.37.0 and earlier. The flaw could allow a threat actor positioned to intercept network traffic to substitute a tampered package without triggering an integrity check failure, effectively bypassing a key supply chain security control. At the time of writing, there are no confirmed reports of exploitation in the wild.

To mitigate the risk posed by CVE-2026-33467, organisations running affected versions of Elastic Package Registry should update to version 1.38.0 as a priority. Given the nature of the vulnerability, environments where network traffic may be subject to interception, such as those lacking robust network segmentation or encrypted communications, should treat this update with particular urgency.

Fortinet Patches CVE-2026-44277 and CVE-2026-26083 Affecting FortiSandbox and FortiAuthenticator - On 12 May 2026, Fortinet patched two critical vulnerabilities, CVE-2026-44277 and CVE-2026-26083, both scoring 9.1 in severity, affecting FortiAuthenticator and FortiSandbox respectively. CVE-2026-44277 is an improper access control flaw allowing an unauthenticated actor to execute unauthorised code via crafted API requests, whilst CVE-2026-26083 is a missing authorisation vulnerability in the FortiSandbox PaaS web UI, exploitable through crafted HTTP requests. Fortinet reported no known exploitation of either vulnerability at the time of publication.

Organisations should prioritise patching given the unauthenticated nature and critical severity of both flaws. FortiAuthenticator users should update to versions 8.0.3, 6.6.9, or 6.5.7 or later, and FortiSandbox administrators should consult Fortinet's advisory to identify the appropriate patched release for their environment.

Zoom Communications Discloses Three Vulnerabilities in Zoom Workplace and Zoom Rooms - On 12 May 2026, Zoom disclosed three vulnerabilities affecting Zoom Workplace and Zoom Rooms, with no active exploitation reported at the time of writing. CVE-2026-30904 is a low-severity protection mechanism failure in Zoom Workplace for iOS (prior to version 7.0.0) enabling an authenticated actor with physical access to disclose information. CVE-2026-30905 is a high-severity file path control vulnerability in the Zoom Workplace VDI Plugin for Windows (prior to 6.6.11), and CVE-2026-30906 is a high-severity untrusted search path vulnerability in Zoom Rooms for Windows (prior to 7.0.0), both allowing an authenticated local actor to escalate privileges.

Organisations should apply the latest available updates via zoom.us/download to remediate all three vulnerabilities. Whilst the privilege escalation flaws require local authenticated access and the information disclosure vulnerability requires physical access, both conditions are realistic in shared or unmanaged device environments, and patching remains the recommended course of action.

Potential Threats

Threat Actors Use Fake Claude AI Install Pages to Deliver Multi-Stage Fileless Malware via InstallFix Campaign - On 5 May 2026, Trend Micro published analysis of the InstallFix campaign, in which threat actors use malicious Google Ads to redirect users searching for Claude Code to fraudulent installer pages. These pages instruct victims to run a PowerShell command that downloads and executes a file named claude.msixbundle, disguised as a legitimate installer but containing a ZIP/HTA polyglot to evade validation. The payload executes through a chain involving mshta.exe, obfuscated VBScript, and a PowerShell stager that bypasses AMSI controls before retrieving and executing a next-stage payload entirely in memory.

Once active, the malware establishes persistence via scheduled tasks, harvests browser credentials and e-wallet data, and beacons to threat actor-controlled infrastructure across several IP addresses. Trend Micro links the final payload to RedLine Stealer, which employs fileless execution and multiple obfuscation layers to evade detection. Organisations should block the associated indicators of compromise, apply controls to restrict unauthorised PowerShell and mshta.exe execution, and educate users to download software only from verified, official sources rather than via sponsored search results.

Malicious OpenClaw skill named DeepSeek-Claw Delivers Remcos RAT and GhostLoader - On 5 May 2026, Zscaler ThreatLabz reported a campaign distributing a malicious OpenClaw skill named DeepSeek-Claw, designed to deliver either Remcos RAT or GhostLoader depending on the victim's operating system. On Windows, following the automated installation path causes a PowerShell command to silently retrieve a remote MSI package that sideloads a malicious DLL alongside a legitimate GoToMeeting executable. The DLL employs extensive anti-analysis techniques before decrypting and executing Remcos RAT, which establishes an encrypted C2 connection, logs keystrokes, captures clipboard data, steals browser session cookies, and supports session theft capable of bypassing MFA controls.

On macOS and Linux, an alternative installation path triggers obfuscated Node.js lifecycle scripts that deliver GhostLoader, which uses spoofed sudo prompts to harvest credentials before exfiltrating macOS keychain contents, SSH keys, cryptocurrency wallets, and cloud API tokens to threat actor-controlled infrastructure. This campaign is notable for targeting developers directly through a supply chain vector, exploiting trust in open-source AI agent tooling. Organisations should restrict the use of unvetted third-party AI skills and repositories, enforce controls around msiexec and npm lifecycle script execution, and block the associated indicators of compromise.

New Linux PAM-Based Backdoor PamDOORa Steals SSH Credentials - On 7 May 2026, Flare published research on PamDOORa, a Linux PAM-based backdoor advertised for sale by a threat actor operating under the alias darkworm on the Russian-speaking cybercrime forum Rehub, initially listed at $1,600 before being reduced to $900. Deployment requires the attacker to have already obtained root access, after which they modify the PAM authentication workflow and install malicious shared object files, enabling PamDOORa to execute during authentication events including OpenSSH logins. Once active, it captures and XOR-encrypts credentials, storing them locally, whilst also enabling covert access via a specific port and password combination that bypasses normal authentication entirely.

Beyond credential harvesting, PamDOORa implements anti-debugging techniques, maps authentication attempts to live network connections by inspecting /proc/[pid]/fd socket metadata, exfiltrates stolen data, and suppresses forensic visibility by tampering with lastlog and likely btmp, utmp, and wtmp log files. Organisations running Linux infrastructure should audit PAM configurations and shared object files for unauthorised modifications, monitor for unexpected changes to authentication logs, and ensure robust controls are in place to detect and prevent privilege escalation, which is a prerequisite for PamDOORa deployment.

General News

European countries are exporting surveillance tech to countries with poor human rights records - A report published by Human Rights Watch alleges that European surveillance technology companies have sold spyware and intrusion tools to over two dozen nations with documented human rights abuses, with Bulgaria and Poland identified as notable exporters. Bulgaria sold surveillance technology to countries including the United Arab Emirates and Azerbaijan, whilst Poland permitted the sale of phone interception systems to Rwanda. France, Greece, Spain, Germany, and Italy declined to share relevant trade records, limiting the scope of the findings. The report also notes that all but two companies named in a 2024 Google Threat Analysis Group report on the commercial surveillance industry are based in the EU.

Human Rights Watch argues that the European Commission has failed to effectively enforce the bloc's 2021 updated export control rules, which were designed to require member states to consider human rights conditions in destination countries before approving surveillance technology exports. With the Commission due to evaluate those rules in September, the report calls for strengthened due diligence and transparency requirements. The Commission responded by reaffirming the significance of export controls whilst noting that individual member states retain ultimate responsibility for licensing decisions.

UK water company allowed hackers to lurk undetected for nearly two years - The UK's Information Commissioner's Office (ICO) has fined South Staffordshire Water £963,900 after the Cl0p ransomware group maintained undetected access to the company's network for nearly two years following initial compromise via a malicious email attachment in September 2020. The intrusion was only discovered in July 2022 when an IT performance slowdown prompted an internal investigation, by which point the attacker had moved laterally using a domain administrator account and exfiltrated approximately 4.1 terabytes of data, subsequently published on the dark web, including names, addresses, bank account details, and National Insurance numbers belonging to 633,887 customers and employees.

The ICO's investigation identified several significant security failures, including the absence of least privilege controls, no vulnerability scanning conducted during the nearly two-year intrusion period, monitoring coverage of only 5% of the IT environment, legacy systems still running Windows Server 2003, and two domain controllers left unpatched against the critical ZeroLogon vulnerability, which the attacker successfully exploited. The fine was reduced following South Staffordshire's cooperation, early admission of liability, and a voluntary settlement. The incident highlights the broader cyber risk facing UK water infrastructure, with five incidents reported to the Drinking Water Inspectorate between January 2024 and October 2025, and the government's Cyber Security and Resilience Bill expected to introduce expanded mandatory reporting requirements for critical infrastructure operators.

US govt seeks Instructure testimony on massive Canvas cyberattack - The US House Committee on Homeland Security has called on Instructure executives to testify following two cyberattacks by the ShinyHunters extortion group against the company's Canvas learning management platform within the space of a single week. The first breach, detected on 29 April 2026, resulted in the theft of data belonging to students and staff across 8,809 colleges, school districts, and online education platforms, with ShinyHunters claiming to have stolen 280 million records including names, email addresses, student identification numbers, and messages between students and teachers. A second attack exploited multiple cross-site scripting vulnerabilities to obtain authenticated admin sessions and deface Canvas login portals across institutions in at least eleven US states, disrupting final examinations and forcing some colleges to cancel assessments entirely.

Instructure subsequently reached an agreement with ShinyHunters to halt the public leak and ensure the stolen data was deleted, though the company stopped short of confirming whether a ransom was paid. The Homeland Security Committee has requested that a senior Instructure representative participate in a briefing no later than 21 May to address both intrusions, the scope of stolen data, containment and notification efforts, and coordination with federal agencies. The committee noted that the repeated compromises raise serious questions about Instructure's incident response capabilities and its obligations to protect the data of the tens of millions of students and educators who rely on the platform.

Threat Actor Weekly Graph

Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.

Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.

Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.

Both intent and opportunity are scored out of 100 and are responsible for scoring the group's severity. These updates can be seen below.