// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of May 4, 2026
Signal Brief · Archived

Week of May 4, 2026

2026-05-04 — 2026-05-10 · 14 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of May 4, 2026, ColdRecon logged 14 public endpoint-security events from open-source reporting — 5 incidents, 5 vuln disclosures, 4 research pocs. Vendors in the record this week: Google, xrdp, Ivanti.

The Week's Public Record

Events

2026-05-10
incident
Malicious OpenClaw Skill Distributes Remcos RAT and GhostLoaderOpenClaw Skill Malware Distribution
A malicious OpenClaw skill was discovered distributing Remcos RAT and GhostLoader malware. The skill uses fake AI instructions to trick users into executing the payload, leading to remote access and data theft. This incident highlights the abuse of AI skill platforms for malware delivery.
2026-05-10
research poc
PamDOORa Linux Backdoor Uses Malicious PAM Module to Steal SSH CredentialsPamDOORa
Researchers detail a Linux backdoor technique named PamDOORa that uses a malicious Pluggable Authentication Module (PAM) to intercept SSH credentials. The module logs passwords in clear text and can bypass detection by traditional security tools. This technique targets enterprise Linux environments and poses a stealthy persistence threat.
2026-05-08
vuln disclosure
Remote Code Execution Vulnerability in xrdp ServerCVE-2025-68670
Kaspersky discovered a remote code execution vulnerability (CVE-2025-68670) in the xrdp remote desktop server during a security audit of its USB Redirector module. The vulnerability exists in the xrdp_wm_parse_domain_information function, which processes the domain name before client authentication, allowing exploitation without valid credentials. The xrdp project patched the issue in version 0.10.5 and backported fixes to 0.9.27 and 0.10.4.1.
2026-05-07
vuln disclosure
Ivanti EPMM 0-Day Vulnerability CVE-2026-6973 Actively ExploitedCVE-2026-6973
Ivanti disclosed a critical zero-day vulnerability, CVE-2026-6973, in its Endpoint Manager Mobile (EPMM) product. The vulnerability is being actively exploited in attacks. Ivanti urges all on-premises EPMM customers to apply patches immediately.
2026-05-07
incident
Fake Claude AI Website Delivers New Beagle Windows MalwareBeagle
A fake Claude AI website distributes a previously undocumented Windows backdoor named Beagle. The malware is delivered via a malicious 'Claude-Pro Relay' download, targeting users seeking the AI tool. This incident highlights a new threat using AI-themed lures to compromise endpoints.
2026-05-06
incident
VoidStealer Malware Bypasses Google Chrome's App-Bound EncryptionVoidStealer Chrome App-Bound Encryption bypass
The VoidStealer information-stealing malware has been observed bypassing Google Chrome's App-Bound Encryption (ABE) to exfiltrate sensitive user data. This technique allows the malware to decrypt cookies and credentials protected by Chrome's latest security mechanisms, posing a significant risk to endpoint security.
2026-05-06
vuln disclosure
WatchGuard Agent for Windows Hard-Coded Cryptographic Key RCE VulnerabilityCVE-2026-6787
CVE-2026-6787 is a remote code execution vulnerability in WatchGuard Agent for Windows caused by hard-coded cryptographic keys. A local low-privileged attacker can extract the key and inject malicious code into the agent process, gaining SYSTEM-level privileges. The flaw affects all versions before 1.25.03.0000 and carries a CVSS 4.0 score of 8.5.
2026-05-06
incident
ClickFix Campaign Targets macOS Users with Fake Utility Lures to Deliver InfostealersClickFix
A threat campaign dubbed ClickFix uses fake macOS utility fixes to trick users into executing malicious Terminal commands, leading to infostealer infections. The attack evades traditional endpoint defenses by relying on social engineering rather than exploits, stealing credentials, cryptocurrency wallets, and sensitive data.
2026-05-06
vuln disclosure
Researcher Discloses Google Play Protect Bypass Using Reputation Hijacking and Review EvasionGoogle Play Protect Bypass via Trust-Model Collapse
A researcher disclosed a vulnerability in Google Play Store's trust model that allows attackers to bypass automated and manual security reviews. The exploit chain uses aged developer accounts, environment fingerprinting to evade sandbox detection, and post-approval injection of malicious functionality. Google classified the issue as 'Won't Fix (Intended Behavior)' despite significant internal engagement.
2026-05-05
vuln disclosure
CVE-2026-34464: Sandboxie-Plus Stack Buffer Overflow Enables Sandbox EscapeCVE-2026-34464
CVE-2026-34464 is a stack-based buffer overflow in Sandboxie-Plus versions up to 1.17.2. The flaw in the NamedPipeServer::OpenHandler allows a sandboxed process to overflow a fixed buffer in the SYSTEM-level SbieSvc service, potentially achieving remote code execution and sandbox escape. The vulnerability was fixed in version 1.17.3.
2026-05-04
research poc
Tenebris-Gate Multi-Layered Evasion Framework Bypasses Windows DefenderTenebris-Gate
Tenebris-Gate is a publicly available multi-layered evasion framework that encrypts and executes shellcode while bypassing Windows Defender detection. It uses compression, encryption, anti-debugging, API hashing, and tampered syscalls to avoid static and dynamic analysis. The tool was effective at the time of writing, having been publicly available for only two weeks.
2026-05-04
research poc
Researcher Demonstrates Detection Evasion Techniques Using API Hashing and Syscall ObfuscationDetection Evasion via API Hashing and Syscall Obfuscation
A security researcher published a proof-of-concept demonstrating how API hashing and syscall obfuscation can evade endpoint detection. The techniques reduce static signatures and bypass userland hooks, achieving zero detections on VirusTotal. This highlights weaknesses in signature-based and userland hooking defenses.
2026-05-04
incident
DigiCert Support Systems Breached, EV Code-Signing Certificates Fraudulently Issued and Used to Sign MalwareDigiCert 2026 Breach
Attackers compromised DigiCert's internal support systems via a social engineering attack, gaining access to initialization codes for pending EV code-signing certificates. They fraudulently obtained valid certificates and used them to sign Zhong Stealer malware. DigiCert revoked 60 certificates, 27 directly linked to the attacker.
2026-05-04
research poc
Google Threat Intelligence Group identifies first AI-discovered zero-day exploitAI-discovered zero-day exploit
Google's Threat Intelligence Group reported the first known case of a zero-day exploit discovered and developed using artificial intelligence. The finding demonstrates AI's emerging role in vulnerability research and exploit generation. This development could accelerate the discovery of novel attack vectors against endpoint security products.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →