// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of May 18, 2026
Signal Brief · Archived

Week of May 18, 2026

2026-05-18 — 2026-05-24 · 35 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of May 18, 2026, ColdRecon logged 35 public endpoint-security events from open-source reporting — 17 incidents, 10 research pocs, 8 vuln disclosures. Vendors in the record this week: Microsoft, Google, Mozilla.

The Week's Public Record

Events

2026-05-23
incident
TrapDoor Malware Targets Cryptocurrency Developers via Supply Chain AttackTrapDoor
A supply chain attack dubbed 'TrapDoor' uses hidden code in AI assistant configurations to steal cryptocurrency wallets and cloud credentials from blockchain engineers. The malware specifically targets developer endpoints, compromising sensitive data through malicious AI tool integrations.
2026-05-23
incident
SEO Poisoning Campaign Delivers Infostealer via Fake Gemini CLI and Claude Code InstallersSEO Poisoning Impersonating Gemini CLI and Claude Code
Financially motivated threat actors are using SEO poisoning to trick developers into downloading fake installers for Google Gemini CLI and Anthropic Claude Code. The campaign delivers a fileless PowerShell infostealer that targets developer workstations, stealing credentials and sensitive data.
2026-05-23
vuln disclosure
CVE-2013-3900: WinVerifyTrust Signature Validation WeaknessCVE-2013-3900
CVE-2013-3900 is a vulnerability in the Windows WinVerifyTrust function that validates Authenticode signatures on portable executable files. Attackers can append malicious data to a signed file without invalidating the signature, potentially allowing unsigned code to execute while appearing trusted. This undermines endpoint security mechanisms that rely on code-signing verification.
2026-05-23
vuln disclosure
Google Accidentally Publishes Exploit Code for Chromium Sandbox Escape Before PatchCVE-2025-2783
Google inadvertently published exploit code for a high-severity Chromium sandbox escape vulnerability (CVE-2025-2783) before a patch was available. The flaw allows attackers to bypass the browser's sandbox protections, potentially leading to arbitrary code execution. The premature disclosure increases the risk of in-the-wild exploitation before users can apply the fix.
Google · Microsoft · Mozilla · Brave · Opera · Vivaldi ↗ www.etvbharat.com (2026-05-23)
2026-05-22
incident
Multi-stage Linux intrusion via compromised F5 BIG-IP and unpatched Confluence leads to Active Directory relay attackMulti-stage Linux intrusion via F5 and Confluence
A threat actor compromised an end-of-life F5 BIG-IP edge appliance and pivoted to an internal Linux host via SSH. From there, they exploited an unpatched Atlassian Confluence server to gain code execution and used relay-style authentication attacks against Active Directory. The incident highlights risks from unpatched edge devices and SaaS applications enabling lateral movement to identity systems.
F5 · Atlassian · Microsoft ↗ Microsoft Threat Intel (2026-05-22)
2026-05-22
research poc
Google Study Shows LLM-Generated Malware Evades Detection Through Morphing TechniquesLLM-generated morphing malware
A Google study reveals that LLMs can generate malware that evades detection by dynamically changing its code structure and behavior. This morphing capability allows the malware to bypass signature-based and heuristic endpoint security tools. The research highlights an emerging threat where AI-generated attacks adapt faster than traditional defenses.
2026-05-22
incident
Lazarus Group Deploys RemotePE RAT in Memory-Only AttacksRemotePE
Fox-IT reports on RemotePE, a remote access trojan used by a Lazarus subgroup in memory-only attacks against financial and cryptocurrency organizations. The malware operates entirely in memory, leaving minimal forensic artifacts and evading traditional file-based detection.
2026-05-22
research poc
Google Project Zero Demonstrates Zero-Click Exploit Chain for Pixel 10Pixel 10 zero-click exploit chain
Google's Project Zero developed a zero-click exploit chain targeting Pixel 10 phones, achieving full escalation from remote access to kernel-level compromise without user interaction. The research highlights significant security weaknesses in the device's attack surface and serves as a proof-of-concept to drive improvements in mobile endpoint security.
2026-05-22
incident
Iranian APT Screening Serpens Uses AppDomainManager Hijacking and New RAT Variants in Espionage CampaignsAppDomainManager hijacking
Unit 42 reports that Iranian APT group Screening Serpens is conducting espionage campaigns targeting technology and defense sectors. The group leverages AppDomainManager hijacking for persistence and deploys new remote access trojan (RAT) variants to maintain access and exfiltrate data.
2026-05-22
research poc
Software-Emulated Device Nodes Enable BYOVD Attacks Without HardwareSoftware-Emulated Device Nodes for BYOVD
Researchers demonstrate that software-emulated device nodes can bypass hardware gating in Windows, allowing exploitation of vulnerable drivers from userland without physical hardware. This expands the Bring Your Own Vulnerable Driver (BYOVD) attack surface by making previously hardware-dependent driver bugs exploitable in software-only scenarios.
2026-05-22
incident
Banana RAT Distributed via Weaponized Brazilian NF-e Invoice LuresBanana RAT NF-e Invoice Lure Campaign
Attackers are leveraging Brazil's electronic invoice system (NF-e) as a lure to deliver Banana RAT, a banking trojan. The campaign uses social engineering to trick users into executing the malware, which then establishes persistence and steals financial information. This incident highlights the use of regionalized lures to bypass user suspicion and endpoint defenses.
2026-05-22
incident
Cloud Atlas Deploys VBCloud and PowerShower Backdoors via Phishing in 2025-2026Cloud Atlas 2025-2026 Campaign
The Cloud Atlas threat group conducted phishing campaigns targeting Russian and Belarusian organizations using malicious LNK files in ZIP archives to execute PowerShell scripts. The scripts deployed VBCloud for file exfiltration and PowerShower for network reconnaissance and lateral movement, employing techniques like UAC bypass and Kerberoasting. The campaign demonstrates evolving tooling and persistence mechanisms.
2026-05-22
vuln disclosure
Splunk Patches Multiple Vulnerabilities Enabling DoS Attacks and Data ExposureCVE-2025-33883, CVE-2025-33884, CVE-2025-33885
Splunk released patches for three vulnerabilities: CVE-2025-33883 (information disclosure), CVE-2025-33884 (denial of service), and CVE-2025-33885 (denial of service). These flaws allow low-privileged users to access sensitive data or cause service disruptions. The vulnerabilities affect Splunk Enterprise and Splunk Cloud Platform.
2026-05-22
research poc
Attackers use nested macOS-style folder structures to evade endpoint scansNested macOS-style folder evasion
A spear-phishing campaign was observed using nested macOS-style folder structures to hide malware and evade detection by security scans. The technique abuses the way some security tools parse or trust certain file system artifacts, allowing malicious payloads to remain undetected. This highlights a gap in endpoint detection mechanisms when handling non-standard folder formats.
2026-05-21
research poc
AMSI Bypass in Windows Scripting Host by Renaming WSCRIPT.EXE to AMSI.DLLAMSI.DLL Hijack via Executable Rename
A researcher demonstrated a method to disable the Antimalware Scan Interface (AMSI) in Windows Scripting Host (WSH) without admin privileges or registry changes. By copying WSCRIPT.EXE to AMSI.DLL and executing it, the scripting engine loads the renamed executable instead of the real AMSI.DLL, causing AMSI initialization to fail silently while scripts continue to run uninspected.
2026-05-21
vuln disclosure
Microsoft patches zero-day privilege escalation in Malware Protection Engine (mpengine.dll)CVE-2026-41091
Microsoft disclosed and patched a zero-day privilege escalation vulnerability, CVE-2026-41091, in the Microsoft Malware Protection Engine (mpengine.dll). The flaw affects multiple endpoint security products including Microsoft Defender and System Center Endpoint Protection. It was exploited in the wild before a patch was available.
2026-05-21
incident
ValleyRAT Malware Distributed Through Fake Microsoft Teams Download PagesValleyRAT via Fake Microsoft Teams Downloads
Attackers are distributing a sophisticated variant of the ValleyRAT malware by tricking users into downloading it from fake Microsoft Teams download pages. The malware provides remote access and control over compromised endpoints, posing a significant threat to endpoint security. This campaign highlights the use of social engineering to bypass initial security layers.
2026-05-21
incident
The Gentlemen Ransomware Incidents with Defense Evasion via Event Log Clearing and Defender TamperingThe Gentlemen Ransomware
Huntress investigated two incidents in April and May 2026 involving The Gentlemen ransomware-as-a-service operation. In both cases, attackers cleared Security, System, and Application Event Logs and used PowerShell to disable Microsoft Defender and add antivirus exclusions. A leak of the operation's internal chats revealed additional evasion tools and techniques.
2026-05-20
incident
Compromised @antv npm Packages Used for CI/CD Credential TheftMini Shai Hulud
A threat actor compromised an @antv maintainer account and published malicious versions of widely used npm data-visualization packages. The malicious payload executes during npm install, targeting GitHub Actions environments to steal credentials from multiple platforms. The attack propagated through dependency chains, affecting downstream packages with millions of weekly downloads.
antv · echarts-for-react ↗ www.microsoft.com (2026-05-20)
2026-05-20
vuln disclosure
Cisco ThousandEyes Enterprise Agent BrowserBot Command Injection VulnerabilityCVE-2026-20206
CVE-2026-20206 is a command injection vulnerability in the BrowserBot component of Cisco ThousandEyes Enterprise Agent. An authenticated attacker with transaction test management privileges can execute arbitrary OS commands inside the BrowserBot container. Cisco has addressed the issue in the SaaS service, requiring no customer action.
2026-05-20
incident
GitHub Internal Repositories Breached via Weaponized VS Code ExtensionGitHub 2026 VS Code Extension Supply Chain Breach
Attackers compromised a GitHub employee's device using a weaponized Visual Studio Code extension, leading to unauthorized access and exfiltration of data from internal source code repositories. The breach was confirmed by GitHub on May 18, 2026.
2026-05-20
incident
TAX#TRIDENT Campaign Uses Fake Tax Pages to Spread Windows MalwareTAX#TRIDENT
A campaign tracked as TAX#TRIDENT is actively targeting Windows users with fake Indian Income Tax assessment pages to distribute malware. The attack uses social engineering to trick victims into downloading and executing malicious files. This incident highlights the ongoing risk of user-targeted malware delivery that can bypass endpoint defenses if users are deceived.
2026-05-20
incident
TamperedChef Malware Campaign Uses Signed Trojanized Apps to Deliver Stealers and RATsTamperedChef
A malware campaign named TamperedChef distributes trojanized productivity applications (PDF editors, calendar tools, file converters) signed with valid certificates to evade detection. The malware delivers information stealers and remote access trojans (RATs), posing a threat to endpoint security by bypassing trust-based checks.
2026-05-20
research poc
Webworm APT Group Adopts Discord and Microsoft Graph API for C&C in 2025 CampaignsWebworm APT 2025 Campaign
ESET researchers detail the 2025 activities of the China-aligned Webworm APT group, which shifted targeting to Europe and added new backdoors EchoCreep and GraphWorm that abuse Discord and Microsoft Graph API for command and control. The group also employs custom proxy tools and stages malware on GitHub, enhancing stealth and evasion.
2026-05-20
incident
Fox Tempest Malware-Signing Service Abused Microsoft Artifact Signing to Certify MalwareFox Tempest Malware-Signing Abuse
The Fox Tempest malware-signing service exploited Microsoft's Artifact Signing infrastructure to digitally sign malicious code. This allowed attackers to bypass endpoint security defenses that trust Microsoft-signed binaries. The incident highlights a novel abuse of trusted code-signing mechanisms to evade detection.
2026-05-19
research poc
Micro-Stager: ETW TI Evasion via NtContinue in Managed EnvironmentsMicro-Stager
FORTiSEC researchers developed 'Micro-Stager', a technique to evade ETW Threat Intelligence telemetry by leveraging the NtContinue API to set hardware breakpoints without triggering kernel sensors. The method bypasses the CLR crash that occurs when calling NtContinue directly from managed code like PowerShell, enabling stealthy endpoint evasion.
2026-05-19
research poc
Lenovo Signed Driver Abused in BYOVD Attack to Terminate EDR ProcessesBYOVD via Lenovo driver to terminate EDR processes
A signed Lenovo driver can be exploited in a Bring Your Own Vulnerable Driver (BYOVD) attack to terminate endpoint detection and response (EDR) processes. This technique allows attackers with elevated privileges to disable security monitoring, enabling further malicious activity without detection.
2026-05-19
incident
HDFC Asset Management Company Discloses Cybersecurity Incident After Anonymous Access ClaimHDFC AMC Anonymous Access Claim Incident
HDFC AMC disclosed a cybersecurity incident on May 16, 2026, after an anonymous source claimed access to portions of its IT infrastructure. The company activated containment and incident response protocols and engaged a specialist firm to assess impact. Initial assessment suggests no material operational impact, but the scope of access and data exposure remains unknown.
2026-05-19
research poc
GhostTree Attack Technique Disrupts EDR and Bypasses File Scanning on WindowsGhostTree
Researchers disclosed a new attack technique named GhostTree that can disrupt endpoint detection and response (EDR) tools on Windows systems, causing them to hang and leave files unscanned. This technique bypasses file scanning mechanisms, raising concerns for defenders about potential exploitation.
2026-05-18
incident
Mac Password Stealer Impersonates Apple, Google, Microsoft via Fake UpdatesFakeUpdate Mac Password Stealer
A new malware campaign targets macOS users with fake browser or system update prompts impersonating Apple, Google, and Microsoft. The malware steals passwords and other sensitive data from the endpoint. It highlights a social engineering technique that bypasses traditional security awareness by mimicking trusted update flows.
2026-05-18
research poc
SHub Reaper macOS Stealer Uses applescript:// URL Scheme to Bypass Apple's TCC and Launch Malicious ScriptsSHub Reaper
SentinelOne researchers discovered a macOS stealer named SHub Reaper that uses the applescript:// URL scheme to launch the Script Editor with a malicious payload, bypassing Terminal and Apple's TCC 26.4 mitigations. The malware spoofs Apple, Google, and Microsoft in a single attack chain to steal sensitive data.
2026-05-18
vuln disclosure
Pwn2Own Berlin 2024: 47 Zero-Days Disclosed Across Security ProductsPwn2Own Berlin 2024
At Pwn2Own Berlin 2024, security researchers disclosed 47 previously unknown zero-day vulnerabilities in various endpoint security and enterprise products. The event awarded $1.3 million in bounties, highlighting weaknesses in widely used security tools.
CrowdStrike · Microsoft · Palo Alto Networks · Trend Micro · VMware ↗ infosecurity-magazine.com (2026-05-18)
2026-05-18
incident
Fortinet Confirms Limited Customer Data Exposure via Third-Party Cloud File StorageFortinet Customer Data Breach via Third-Party Cloud Storage
Fortinet confirmed unauthorized access to customer data stored in a third-party cloud-based file sharing environment. The breach did not involve encryption, ransomware, or compromise of Fortinet's corporate network, products, or source code. Exposed customer information could be used for phishing, social engineering, or impersonation attacks against affected enterprises.
2026-05-18
vuln disclosure
Windows Cloud Filter Driver EoP Regression Vulnerability Resurfaces After 6 YearsCVE-2025-21294
A patched elevation-of-privilege vulnerability in the Windows Cloud Filter driver (cldflt.sys) has reappeared as a working SYSTEM-level exploit due to a regression. The flaw allows attackers to gain SYSTEM privileges, raising concerns about regression vulnerabilities in Windows.
2026-05-18
vuln disclosure
MiniPlasma Windows 0-Day Enables SYSTEM Privilege Escalation on Fully Patched SystemsMiniPlasma
MiniPlasma is a newly disclosed zero-day exploit that revives a 2020 vulnerability in the Windows cldflt.sys driver to achieve SYSTEM privilege escalation on fully patched Windows 11 systems as of May 2026. The technique bypasses existing patches, posing a risk to endpoint security by enabling attackers to gain elevated privileges.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →