=====================
= End-of-Day report =
=====================

Timeframe: Friday 22-05-2026 18:00 - Tuesday 26-05-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Alexander Riepl

=====================
=       News        =
=====================
*** Update #1: Qilin ransomware uses initial access from the ZipLine campaign; DACH recruiting domains in focus ***
---------------------------------------------
We have become aware of further decoy domains that follow the same pattern: valenzsearch[.]at, haasrecruiting[.]at, bergersearch[.]at
---------------------------------------------
https://www.cert.at/de/aktuelles/2026/5/zipline-qilin-raas-update
*** Anthropic to release Mythos-class models to the public ***
---------------------------------------------
Anthropic has revealed its intention to one day release models that match the performance of its Mythos bug-finding AI to the public, once it can make them safe.
---------------------------------------------
https://www.theregister.com/security/2026/05/25/anthropic-to-release-mythos-...
*** Critical Ghost CMS Vulnerability Exploited to Hack 700+ Websites ***
---------------------------------------------
A critical Ghost CMS vulnerability identified as CVE-2026-26980 has been exploited in a widespread cyber campaign that compromised more than 700 websites, including platforms associated with major institutions such as Harvard University, University of Oxford, and DuckDuckGo. [..] The flaw received a CVSS severity score of 9.4, highlighting the serious risks posed by CVE-2026-26980. The vulnerability was reportedly discovered by Anthropic using its Claude AI system. [..] Investigators noted that a DLL file involved in the campaign carried a compilation timestamp dated February 16, 2026 [..] The malicious activity was first detected on May 7, 2026.
---------------------------------------------
https://thecyberexpress.com/cve-2026-26980-ghost-cms-vulnerability/
*** GitHub: Staged publishing and new install-time controls for npm ***
---------------------------------------------
Staged publishing is now generally available on npm. Instead of a direct publish that immediately makes a package version available to consumers, the prebuilt tarball is uploaded to a stage queue where a maintainer must explicitly approve it before it becomes installable.
---------------------------------------------
https://github.blog/changelog/2026-05-22-staged-publishing-and-new-install-t...
*** Malicious Postinstall Hook Found Across 700+ GitHub Repositories, Including Packagist and Node.js Projects ***
---------------------------------------------
Socket researchers identified a coordinated supply chain campaign affecting eight packages on Packagist whose upstream repositories were modified to include the same malicious postinstall script. The script attempted to download a Linux binary from a GitHub Releases URL, save it to /tmp/.sshd, make it executable, and run it in the background.
---------------------------------------------
https://socket.dev/blog/malicious-postinstall-hook-found-across-700-github-r...
*** Fake software on GitHub and SourceForge distributes Deno RAT ***
---------------------------------------------
We found fake installers and plugins for ChatGPT, Claude, AutoTune, and other popular software that can give attackers full control over your device. [..] The infection chain is usually started via MSI files or PowerShell scripts downloaded from GitHub or SourceForge in most of the analyzed cases.
---------------------------------------------
https://www.malwarebytes.com/blog/threat-intel/2026/05/fake-software-on-gith...
*** Call, WhatsApp, QR code: new phishing scheme targets Erste Bank customers ***
---------------------------------------------
Criminals are currently posing as Erste Bank employees and asking their victims via WhatsApp to send them an activation QR code for George. Anyone who passes on the code gives the perpetrators access to the account.
---------------------------------------------
https://www.watchlist-internet.at/news/qr-code-erste-bank/
*** Scammers have been sending scam emails from an official Microsoft address for months ***
---------------------------------------------
Scammers are able to send messages from an official Microsoft email address. The same address is also used to send two-factor authentication codes. [..] The sender address used is "msonlineservicesteam@microsoftonline.com".
---------------------------------------------
https://www.derstandard.at/story/3000000322088/betrueger-verschicken-seit-mo...
*** DBIR 2026: Vulnerabilities as the most common entry point for attacks ***
---------------------------------------------
Although the report (DBIR 2026) is still based on data from 2025 and was therefore produced before the latest advances in frontier AI models, the trends are clear: AI is fundamentally changing the cybersecurity industry. [..] Almost a third (31 %) of all breaches begin with the exploitation of vulnerabilities.
---------------------------------------------
https://borncity.com/blog/2026/05/25/dbir-2026-sicherheitsluecken-sind-das-h...
*** 2 PhaaS 2 Furious: The Evolution of Chinese-language Phishing Services ***
---------------------------------------------
While Russian-speaking threat actors have historically dominated the phishing-as-a-service (PhaaS) landscape, a rival ecosystem is rapidly growing within the Chinese-language underground.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/chinese-language-ph...
*** Six Signals for Threat Attribution ***
---------------------------------------------
Credible threat attribution weighs six signals together. Each signal has a disciplined methodology behind it, with citations and stress tests to back the conclusions.
---------------------------------------------
https://zeltser.com/six-signals-for-threat-attribution
*** Noroboto: Lying fonts and mitigation in Rust ***
---------------------------------------------
The "noroboto.ttf" "lexploit" is straightforward: create a new malicious font definition which is embedded in a document according to the specification and lies about the Unicode representation of its glyphs.
---------------------------------------------
https://tritium.legal/blog/noroboto
*** Detection Logic Bugs, Developing Context to Bypass MiniPlasma Rules ***
---------------------------------------------
Recently, because of Nightmare-eclipse's Green Plasma and MiniPlasma variants, it's been a busy week. There are tons of community detection rules out there now. But as someone who practices Adversarial Detection Engineering, that is, hunting for bugs in detection logic, you know that small tweaks can bypass detection.
---------------------------------------------
https://detect.fyi/detection-logic-bugs-developing-context-to-bypass-minipla...
*** Remove SPNs and Fix Kerberoasting ***
---------------------------------------------
Remediate Kerberoasting vulnerabilities by removing SPNs from accounts that don't need them.
---------------------------------------------
https://projectblack.io/blog/remove-spn-fix-kerberoasting/
*** NISG 2026: The practical 6-month roadmap for Austrian companies ***
---------------------------------------------
1 October 2026 is not a soft target date. From that day on, the Netz- und Informationssystemsicherheitsgesetz (Network and Information Systems Security Act, NISG 2026) applies in full in Austria [..] This roadmap shows concretely what needs to be done in the next 6 months, so that an IT manager or a managing director can start on it tomorrow.
---------------------------------------------
https://www.zettasecure.com//post//nisg-2026-fahrplan-oesterreich

=====================
=  Vulnerabilities  =
=====================
*** Roundcube: Security updates 1.6.16 and 1.7.1 released ***
---------------------------------------------
We just published security updates to the 1.6 LTS and 1.7 versions of Roundcube Webmail. They both contain fixes for recently reported security vulnerabilities.
---------------------------------------------
https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1
*** Debian SE Linux and PinTheft ***
---------------------------------------------
PinTheft is a Linux local privilege escalation exploit for an RDS zerocopy double-free that can be turned into a page-cache overwrite through io_uring fixed buffers. [..] We duped on this bug with some other teams and a patch is available so we are releasing our PoC.
---------------------------------------------
https://etbe.coker.com.au/2026/05/24/debian-selinux-pintheft/
*** Splunk: SVD-2026-0504: Denial of Service through coldToFrozen.sh Script in Splunk Enterprise ***
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2026-0504
*** LWN: Security updates for Tuesday ***
---------------------------------------------
https://lwn.net/Articles/1074443/
*** Synology-SA-26:10 Synology Chat Server ***
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_26_10
*** MISP 2.5.38 - UI and security update ***
---------------------------------------------
https://www.misp-project.org/2026/05/26/misp.2.5.38.released.html/
*** Zyxel security advisory for missing authorization vulnerability in GS1200v3 series switches ***
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-a...