Executive Summary
Highlights of Cyber Threat Intelligence Digest
Vulnerabilities
Alleged PoC for MiniPlasma Vulnerability Affecting Multiple Windows OS (CVE-2020-17103) - On May 16, 2026, GitHub user Nightmare-Eclipse shared an alleged proof-of-concept (PoC) exploit for MiniPlasma. MiniPlasma, identified as CVE-2020-17103, is a high-severity Improper Privilege Management vulnerability affecting multiple Windows operating systems (OSs). Windows OS is a Microsoft-developed platform used to run computers, servers, applications, hardware devices, and enterprise services through a graphical and command-line environment.
On December 8, 2020, Microsoft released security updates to fix CVE-2020-17103; however, Nightmare-Eclipse reported that, after revisiting the underlying technique and further investigation, the same issue previously reported by Project Zero remained present and unpatched, with the original Project Zero PoC still working without modification.
Alleged PoC Scanner for Actively Exploited SQL Injection Vulnerability Affecting Drupal Core (CVE-2026-9082) - On May 21, 2026, GitHub user 0xBlackash shared an alleged proof-of-concept (PoC) scanner for CVE-2026-9082. CVE-2026-9082 is a medium-severity Structured Query Language (SQL) Injection vulnerability affecting the following Drupal Core versions: 8.9.0 to 10.4.9, 10.5.0 to 10.5.9, 10.6.0 to 10.6.8, 11.0.0 to 11.1.9, 11.2.0 to 11.2.11, and 11.3.0 to 11.3.9. The advisory also identifies Drupal 11.1.x, 11.0.x, 10.4.x, and earlier versions as end-of-life (EOL) and not receiving security coverage. Drupal also notes that Drupal 8 and Drupal 9 have reached EOL.
Drupal Core is the open-source content management system framework that powers Drupal websites, used to build, manage, and publish web content and applications. Exploiting CVE-2026-9082 allows remote unauthenticated threat actors to perform arbitrary SQL injection on affected Drupal Core PostgreSQL sites, potentially leading to data disclosure, privilege escalation, or remote code execution (RCE). On May 22, 2026, Drupal disclosed that exploit attempts were being detected in the wild.
CVE-2026-42599 allows Cross-Site Scripting affecting Svelte - CVE-2026-42599 is a vulnerability in Svelte that allows attackers to inject malicious event handlers which run in a victim's browser when an application spreads user-controlled or external data into element attributes. If spread syntax is used with untrusted data, event handler properties can be included in the generated HTML. The vulnerability affects Svelte 5.55.6 and prior versions. It is recommended to update the affected application to Svelte 5.55.7 to mitigate the issue.
Potential Threats
Threat Actors Exploit Supply Chain Worm to Steal Developer Credentials - Threat actor TeamPCP has launched a coordinated supply chain attack compromising over 170 npm and PyPI packages, including TanStack, Mistral AI, and OpenSearch ecosystems. The malicious packages were not published using stolen credentials; they were published by TanStack's legitimate release pipeline using its trusted OIDC identity, after attacker-controlled code hijacked the runner mid-workflow.
The malware harvests credentials from over 80 file paths, including GitHub tokens, npm authentication tokens, and cloud API keys for AWS, Azure, GCP, and Kubernetes, then exfiltrates stolen material by creating public repositories on the victim's own GitHub account, a technique that evades DLP tools monitoring outbound traffic to unknown destinations.
North Korea-Linked Lazarus Threat Actor Deploys RemotePE Memory-Resident RAT Targeting Financial and Cryptocurrency Organizations - On May 22, 2026, Fox-IT reported on a North Korean Lazarus subgroup targeting financial and cryptocurrency organisations, using a multi-stage malware framework comprising DPAPILoader, RemotePELoader, and the memory-only remote access trojan (RAT) RemotePE. The framework enabled persistent and covert remote access designed to reduce forensic visibility on compromised hosts.
After gaining initial access through an unknown method, the threat actor deployed DPAPILoader, which masqueraded as a legitimate Windows service to maintain persistence across system reboots. DPAPILoader located specially crafted DPAPI-encrypted payload files, decrypted them using the victim system's keys, and reflectively loaded the second-stage payload, RemotePELoader, directly into memory. RemotePELoader performed several defence evasion techniques prior to C2 communication, including direct syscall resolution, DLL unhooking, and patching of Event Tracing for Windows (ETW) functions to suppress telemetry, before establishing HTTP POST connections to C2 infrastructure using traffic patterns mimicking legitimate Microsoft telemetry.
Upon receiving the final payload, RemotePELoader reflectively loaded RemotePE entirely in memory, providing command execution, file and process management, and reflective DLL loading whilst continuously polling C2 infrastructure for tasking. Throughout the intrusion chain, the framework reduced forensic visibility through DPAPI environmental keying, in-memory execution, ETW suppression, and Microsoft-themed network traffic patterns.
Threat Actors Use Steganography and DotNET Loaders to Deploy Remcos RAT Through Finance-Themed Phishing Emails - On May 20, 2026, Cofense reported that threat actors used image-based steganography campaigns to deliver remote access trojans (RATs), keyloggers, and information stealers whilst evading email and endpoint security controls. Cofense identified finance-themed phishing lures in 72% of tracked campaigns and observed threat actors abusing public image-hosting and file-sharing services to distribute concealed payloads. Cofense associated more than fifteen malware families with steganography campaigns, including Remcos RAT, Agent Tesla Keylogger, XWorm RAT, and FormBook.
Cofense described a steganography-based attack chain used in Remcos RAT campaigns. Threat actors sent phishing emails containing a JavaScript (JS) dropper attachment, or a link that downloaded the file, with lures referencing invoices, purchase orders, payment confirmations, or similar finance-related content. After execution, the JS file opened a benign decoy document whilst downloading an image file from an external hosting service. Although the image appeared benign in standard image-viewing software, it contained a Base64-encoded DotNET Loader DLL hidden through steganography. The JS dropper extracted and decoded the embedded DLL before launching the loader. Threat actors used the DotNET Loader to inject Remcos RAT into legitimate Windows processes such as explorer.exe, escalate privileges, establish persistence through Windows Registry modifications, and execute the malware in memory without writing the payload to disk.
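To show the detection side of the chain Cofense describes, the following is an added example (not Cofense's tooling and not from the original report): it scans an image's bytes for a long Base64 run that decodes to a PE file, which is what an embedded DotNET loader DLL looks like to a scanner. The JPEG-like carrier and the PE-shaped blob are constructed for the demo, and the 256-character threshold is an assumption to tune.

```python
import base64
import re
import struct
from typing import List, Tuple

# A Base64 run long enough to be a payload rather than ordinary metadata text.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{256,}={0,2}")


def pe_offset(data: bytes) -> int:
    """Offset of a DOS header whose e_lfanew points at 'PE\\0\\0', or -1."""
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            if data[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\x00\x00":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return -1


def find_embedded_pe(blob: bytes) -> List[Tuple[int, int, int]]:
    """Return (run_offset, pe_offset_in_decoded, decoded_len) per PE-bearing run."""
    hits = []
    for m in B64_RUN.finditer(blob):
        body = m.group(0).rstrip(b"=")
        # Try four alignments: the run may be preceded by other alphabet chars.
        for shift in range(4):
            chunk = body[shift:]
            chunk = chunk[:len(chunk) - len(chunk) % 4]  # whole quartets only
            decoded = base64.b64decode(chunk, validate=True)
            pos = pe_offset(decoded)
            if pos != -1:
                hits.append((m.start(), pos, len(decoded)))
                break
    return hits


def fake_pe(size: int = 1026) -> bytes:
    """Constructed PE-shaped blob (not a real or malicious binary) for the demo."""
    buf = bytearray(size)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)  # e_lfanew -> 0x80
    buf[0x80:0x84] = b"PE\x00\x00"
    return bytes(buf)


def build_sample_image() -> bytes:
    """Constructed JPEG-like carrier: header, filler, EOI, then the Base64 DLL."""
    return b"\xff\xd8\xff\xe0" + b"\x00" * 64 + b"\xff\xd9" + base64.b64encode(fake_pe())


def scan_file(path: str) -> List[Tuple[int, int, int]]:
    """Scan an on-disk image (or any file) for Base64-embedded PE payloads."""
    with open(path, "rb") as fh:
        return find_embedded_pe(fh.read())
```

Because the image still renders normally, a hit like this on a file fetched by a script from a public image host is the signal to pull the dropper that requested it.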
General News
Dojo warns of AI fake receipts fuelling refund fraud - On 25 May 2026, payments company Dojo warned that fraudsters are increasingly using AI-generated receipts to fraudulently secure refunds from retailers. Data cited by Dojo showed global searches for "AI-generated receipts" rose by 2,753% over the past year, whilst Cifas findings indicated that AI-manipulated documents now account for more than 20% of falsified evidence used in UK refund and chargeback disputes, with total fraud cases exceeding 444,000 last year. Approximately one in ten UK returns is already estimated to be fraudulent.
The threat centres on generative AI tools capable of producing convincing fake proof-of-purchase documents that replicate retailer logos, item lists, timestamps, and transaction IDs, making them difficult for frontline staff to distinguish from genuine records. Sectors identified as most exposed include eCommerce, fast-food and quick-service restaurants, consumer technology, food delivery, telecoms, and financial services. Separate Experian data cited by Dojo indicated that 62% of digital-only retailers, 48% of retail banks, and 44% of telecom providers reported AI-related fraud attempts in 2025.
To mitigate exposure, Dojo advised organisations to verify submitted receipts against actual transaction records, incorporate unique markers such as QR codes or barcodes to enable traceability, and apply stricter refund controls for high-risk product categories. Staff training to identify signs of AI manipulation, behavioural monitoring for repeat refund patterns, and the deployment of AI-based document fraud detection systems were also recommended.
UK plans for cybercrime law reform would protect almost no one, experts warn - The British government's proposed reforms to the Computer Misuse Act 1990, announced in the King's Speech, have been criticised by industry sources as offering far narrower legal protections than the security community had anticipated. Whilst Security Minister Dan Jarvis pledged a statutory defence protecting researchers from prosecution, sources briefed on the proposals indicate the safeguards are extremely limited. The government plans to restrict the defence solely to cases involving the scanning of internet-facing systems, and would require researchers to cease activity immediately upon identifying a vulnerability, meaning they could not confirm, assess, or determine the exploitability of any finding. Industry professionals argue this renders any disclosure nearly worthless, as system owners routinely require proof that a vulnerability is genuine before taking action.
Further restrictions would limit eligibility to British nationals holding accreditation with the UK Cyber Security Council, of which only approximately 300 individuals currently qualify, representing around 0.4% of the estimated 70,000 highly skilled professionals in the sector. This requirement has been widely criticised as a "pay to play" model that would exclude bug bounty hunters, academic researchers, hobbyists, and professionals at smaller businesses. Additionally, accredited researchers would be required to conduct tests personally and could not direct others, cutting across standard commercial models in which senior staff oversee junior colleagues or automated tools.
NHS IT Outages disrupt 274,620 patient interactions - Analysis of Freedom of Information data published on 26 May 2026 revealed that NHS England and five major hospital trusts (Manchester University, Guy's and St Thomas', Newcastle Hospitals, Mid and South Essex, and Barts Health) recorded 274,620 IT incidents in 2025, with major outages disrupting tens of thousands of patient interactions. The most significant single-day disruption occurred during the Synnovis ransomware attack, during which 14,287 operations and appointments were cancelled or moved across the five trusts. The global IT outage in July 2024 disrupted a further 12,528 patient interactions, whilst a separate major incident in October 2025 led to 8,527 disruptions across four of the five trusts.
Routine care absorbed the majority of the impact, with appointment-related disruptions accounting for an average of 95% of total patient interactions affected across three of the five trusts. The data also highlighted significant inconsistencies in reporting across NHS organisations, with some trusts unable to provide figures on incident duration or the total number of incidents, suggesting the true scale of disruption may be greater than published totals indicate.
Threat Actor Weekly Graph
Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.
Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.
Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.
Both intent and opportunity are scored out of 100 and together determine the group's severity. These updates can be seen below.

Severity levels, lowest to highest: Limited, Basic, Moderate, High. Each cell shows the previous value → the current value.

| Threat Actor | Severity | Opportunity | Intent |
|---|---|---|---|
| BlueDelta | High → High | 84 → 83 | 30 → 30 |
| TeamPCP | NEW → Moderate | NEW → 35 | NEW → 50 |
| Dragon Force Group | Moderate → Moderate | 60 → 58 | 30 → 49 |
| TAG-185 | NEW → Basic | NEW → 30 | NEW → 30 |
| scorpius-xi | NEW → Basic | NEW → 30 | NEW → 25 |
Global Trends Powered by Recorded Future
Within each category, we have provided the current top five globally trending items. Each item is linked to how actively trending it is and is marked with a small symbol.
The spikes in references are calculated over 60 days and are normalised to ensure they aren't disproportionate when compared to bigger entities that will naturally have more baseline mentions.
▲ Spike – This indicates a large increase in reporting volume and a high diversity in the event descriptions.
▲ Rise – This indicates a small increase in reporting volume with little diversity in the descriptions.
| Attackers | Trend | Methods | Trend | Vulnerabilities | Trend | Targets | Trend |
|---|---|---|---|---|---|---|---|
| Iranian Hackers | ▲ | RemotePE | ▲ | CVE-2026-48710 | ▲ | Fenix International Limited | ▲ |
| TAG-117 | ▲ | LockBit Ransomware | ▲ | CVE-2026-26890 | ▲ | OnlyFans | ▲ |
| Space Bears | ▲ | MiniFast | ▲ | CVE-2026-42897 | ▲ | 7-Eleven | ▲ |
| Nisarga Adhikary | ▲ | Backdoor | ▲ | CVE-2026-34927 | ▲ | Seven & I Holdings | ▲ |
| @TBassProfessor | ▲ | CastleRAT | ▲ | CVE-2025-54502 | ▲ | | ▲ |
Prominent Information Security Events
Threat Actors Exploit Supply Chain Worm to Steal Developer Credentials
Source: Tenable | Validated Intelligence Event
IOC: Hash - 907aec5b1288057a3e0885226918b6930a62a0f348ce23de026a683238c7903e
IOC: IP - 169[.]254[.]169[.]254
Threat actor TeamPCP has launched a coordinated supply chain attack compromising over 170 npm and PyPI packages, including TanStack, Mistral AI, and OpenSearch ecosystems. The malicious packages were not published using stolen credentials; they were published by TanStack's legitimate release pipeline using its trusted OIDC identity, after attacker-controlled code hijacked the runner mid-workflow. The malware harvests credentials from over 80 file paths, including GitHub tokens, npm authentication tokens, and cloud API keys for AWS, Azure, GCP, and Kubernetes, then exfiltrates stolen material by creating public repositories on the victim's own GitHub account, a technique that evades DLP tools monitoring outbound traffic to unknown destinations.
Persistence is established via hooks targeting developer tooling, including a SessionStart hook in Claude's json that re-executes the malware on every Claude Code session, and a folderOpen task in VS Code that triggers on every VS Code workspace open. The campaign achieved a notable first by compromising packages carrying valid SLSA Build Level 3 provenance attestations, demonstrating that cryptographic process integrity controls can be defeated. TeamPCP open-sourced the worm on 12 May 2026 via GitHub, simultaneously announcing a contest on BreachForums for the largest supply chain attack using the code, complicating future attribution and increasing the likelihood of copycat activity. Organisations running npm or PyPI dependencies introduced between 29 April and 12 May 2026 should audit package manifests against confirmed compromised versions, rotate all CI/CD and cloud credentials, and hunt for the persistence artefacts listed above across developer endpoints and build runners.
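As a starting point for the artefact hunt recommended above, here is an added example (not Tenable's code, not TeamPCP's, and not from the digest) that checks the two persistence locations this entry names: a VS Code task whose `runOptions.runOn` is `folderOpen`, and a Claude Code `SessionStart` hook. The file names tasks.json and settings.json and the hook JSON layout are assumptions to verify against your own tooling versions; both sample documents are constructed.

```python
import json
import os
from typing import Dict, List

# Constructed sample of a workspace .vscode/tasks.json with one auto-run task.
SAMPLE_TASKS = {
    "version": "2.0.0",
    "tasks": [
        {"label": "build", "type": "shell", "command": "npm run build"},
        {"label": "warmup", "type": "shell", "command": "node ~/.cache/x.js",
         "runOptions": {"runOn": "folderOpen"}},
    ],
}

# Constructed sample of a Claude Code settings.json with a SessionStart hook
# (assumed layout: hooks -> event name -> matcher groups -> command hooks).
SAMPLE_CLAUDE = {"hooks": {"SessionStart": [
    {"hooks": [{"type": "command", "command": "python3 ~/.cache/x.py"}]}]}}


def vscode_autorun_tasks(tasks_json: Dict) -> List[Dict]:
    """Tasks VS Code runs by itself when the workspace folder is opened."""
    hits = []
    for task in tasks_json.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            hits.append({"source": "vscode", "event": "folderOpen",
                         "command": str(task.get("command", ""))})
    return hits


def claude_session_hooks(settings: Dict) -> List[Dict]:
    """Commands registered under the SessionStart hook event."""
    hits = []
    for matcher in settings.get("hooks", {}).get("SessionStart", []):
        for hook in matcher.get("hooks", []):
            hits.append({"source": "claude", "event": "SessionStart",
                         "command": str(hook.get("command", ""))})
    return hits


def scan_tree(root: str) -> List[Dict]:
    """Apply both checks to every tasks.json / settings.json under root;
    unreadable or non-JSON files are skipped, each hit records its path."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name not in ("tasks.json", "settings.json"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8") as fh:
                    data = json.load(fh)
            except (OSError, ValueError):
                continue
            check = vscode_autorun_tasks if name == "tasks.json" else claude_session_hooks
            for hit in check(data if isinstance(data, dict) else {}):
                findings.append(dict(hit, path=path))
    return findings
```

Every auto-run hook the scan returns deserves review, not only ones with an obviously odd command: the campaign's value was in re-executing on each editor or session start, so a legitimate-looking wrapper script is still a finding.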
North Korea-Linked Lazarus Threat Actor Deploys RemotePE Memory-Resident RAT Targeting Financial and Cryptocurrency Organisations
Source: Insikt Group | Validated Intelligence Event
IOC: Domain: aes[-]secure[.]net
IOC: Hash: 4f6ae0110cf652264293df571d66955f7109e3424a070423b5e50edc3eb43874
On May 22, 2026, Fox-IT reported on a North Korean Lazarus subgroup targeting financial and cryptocurrency organisations, using a multi-stage malware framework comprising DPAPILoader, RemotePELoader, and the memory-only remote access trojan (RAT) RemotePE. The framework enabled persistent and covert remote access designed to reduce forensic visibility on compromised hosts. The activity overlaps with the Lazarus-linked campaign tracked as AppleJeus and with threat clusters including Citrine Sleet (overlapping with DEV-0139) and UNC4736.
After gaining initial access through an unknown method, the threat actor deployed DPAPILoader, which masqueraded as a legitimate Windows service to maintain persistence across system reboots. DPAPILoader located specially crafted files containing payloads encrypted via the Windows Data Protection API (DPAPI), decrypted them using the victim system's DPAPI keys, and reflectively loaded the second-stage payload, RemotePELoader, directly into memory. RemotePELoader performed several defence evasion techniques prior to initiating network communication, including direct syscall resolution to bypass userland API hooks, restoration of clean system DLL copies to remove security product hooks, and patching of Event Tracing for Windows (ETW) functions to suppress telemetry. RemotePELoader then established HTTP POST connections to C2 infrastructure using cookies and JSON fields mimicking legitimate Microsoft telemetry traffic, exchanging AES-GCM-encrypted and Base64-encoded payloads using dynamically generated keys.
Upon receiving the final payload, RemotePELoader reflectively loaded RemotePE entirely in memory. RemotePE provided command execution, file and process management, ZIP archive creation, and reflective DLL and plugin loading, whilst continuously polling C2 infrastructure for tasking. Throughout the intrusion chain, the framework reduced forensic visibility through DPAPI environmental keying, in-memory execution, ETW suppression, DLL unhooking, and Microsoft-themed network traffic patterns.
Remediation Actions
Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable:
- CVE-2020-17103 (Microsoft Windows) – An alleged PoC exploit was shared on May 16, 2026, indicating the original Project Zero PoC remains functional without modification despite a patch released in December 2020. It is recommended to review system exposure and monitor for vendor guidance on this bypass.
- CVE-2026-9082 (Drupal Core) – An alleged PoC scanner was shared on May 21, 2026, with active exploitation confirmed in the wild on May 22, 2026. This vulnerability can be mitigated by updating Drupal Core to a patched version outside of the affected ranges, and EOL versions (11.1.x, 11.0.x, 10.4.x and earlier, Drupal 8 and 9) should be upgraded immediately.
- CVE-2026-42599 (Svelte) – This vulnerability can be mitigated by updating Svelte to version 5.55.7 or later.
If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.