// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of May 25, 2026
Signal Brief · Archived

Week of May 25, 2026

2026-05-25 — 2026-05-31 · 19 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of May 25, 2026, ColdRecon logged 19 public endpoint-security events from open-source reporting — 12 incidents, 4 vuln disclosures, 2 research pocs, 1 vendor announcement. Vendors in the record this week: Fortinet, nProtect, AhnLab.

The Week's Public Record

Events

2026-05-30
incident
Threat Actor Claims Fortinet Data Breach on Dark WebFortinet Alleged Data Breach
A threat actor on the dark web has claimed a data breach involving Fortinet, a major cybersecurity vendor. No technical details, proof, or official confirmation have been provided. The claim is being treated as an allegation pending verification.
2026-05-29
vendor announcement
Microsoft Names Storm-2697 as The Gentlemen Ransomware Operator, Details Go-Based Encryptor and Self-PropagationStorm-2697 / The Gentlemen ransomware
Microsoft Threat Intelligence published a technical analysis of The Gentlemen ransomware, identifying its operators as Storm-2697. The encryptor is written in Go, obfuscated with Garble, and uses per-file ephemeral Curve25519 keys for encryption. It includes a self-propagation module that performs multiple simultaneous lateral-movement techniques, enabling rapid fleet-wide encryption.
2026-05-29
incident
GREYVIBE Threat Actor Uses AI-Assisted Malware in Attacks on UkraineGREYVIBE
A Russia-linked threat actor named GREYVIBE has been targeting Ukrainian entities since August 2025 using spear-phishing, fake CAPTCHA pages, and fraudulent websites to deliver custom malware. The group leverages generative AI to accelerate malware development and obfuscation, lowering technical barriers. Their tools include PowerShell-based RATs and Android spyware, with evidence of ties to cybercrime ecosystems.
2026-05-29
incident
Kimsuky Deploys HTTPSpy Malware via Fake Security Software and Webex LuresKimsuky HTTPSpy Campaign
North Korean threat actor Kimsuky targeted South Korean entities with HTTPSpy malware disguised as security software installers and a fake Webex meeting page. The campaign used social engineering and novel techniques like JSONPing for infection verification. This demonstrates evolving tactics to bypass endpoint defenses.
2026-05-28
vuln disclosure
CVE-2026-49095: Kibana Fleet Agent Policy Input Validation Flaw Allows Privilege EscalationCVE-2026-49095
A vulnerability in Kibana Fleet agent policy management allows authenticated users with Fleet management privileges to inject unvalidated values into configuration overrides. This can cause Elastic Agents to receive API keys with elevated Elasticsearch privileges, granting unauthorized access to sensitive security indices.
2026-05-28
incident
FortiClient EMS CVE-2026-35616 Exploited to Deploy EKZ InfostealerCVE-2026-35616
A critical remote code execution vulnerability (CVE-2026-35616) in FortiClient Endpoint Management Server (EMS) is being actively exploited in the wild. Attackers are leveraging the flaw to deploy the EKZ Infostealer malware via FortiClient's own VPN scripting workflows, targeting managed endpoints. The vulnerability allows unauthenticated remote code execution, and patches have been available since April.
2026-05-26
incident
Cryptojacking campaign uses SEO poisoning and AI chatbot delivery to deploy ScreenConnect for GPU miningCryptojacking campaign via SEO poisoning and AI chatbot delivery
Microsoft Defender Experts identified an active cryptojacking campaign that uses search engine poisoning and AI chatbot interactions to direct users to malicious download sites impersonating GPU-related utilities. The campaign delivers a DLL sideloading payload that silently installs ScreenConnect for persistent remote access and deploys a cryptocurrency miner targeting high-performance GPUs. The attack demonstrates an evolution in social engineering by leveraging AI-assisted delivery to increase the visibility of malicious software recommendations.
ScreenConnect (ConnectWise Control) ↗ Microsoft Threat Intel (2026-05-26)
2026-05-26
incident
AI-orchestrated attacks using commercial models deployed in the wildAI-orchestrated attacks with commercial models
During March-April 2026, multiple criminal operations used commercial AI models like Claude Code for autonomous attack workflows. The Mexico breach involved a single operator compromising nine Mexican government agencies using Claude Code and GPT-4.1, while Bissa Scanner harvested AI provider credentials at scale. These incidents show AI-orchestrated attacks moving from experimental to operational criminal use.
2026-05-26
vuln disclosure
LLM Agent Discovers macOS Zero-Day CVE-2026-28952 Leading to Root Privilege EscalationCVE-2026-28952
An LLM-based agent autonomously discovered a zero-day vulnerability in macOS Tahoe 26.5, tracked as CVE-2026-28952. The integer overflow flaw allowed an app to gain root privileges and was patched by Apple with improved input validation. This marks a significant shift in vulnerability research, demonstrating AI's capability to find exploitable bugs without human guidance.
2026-05-26
incident
LLM Agent Executes Post-Compromise Actions in Real-Time IntrusionLLM-Agent-Driven Intrusion via CVE-2026-39987
An attacker used an LLM agent to conduct post-exploitation after compromising a marimo notebook via CVE-2026-39987. The agent harvested cloud credentials, retrieved an SSH key from AWS Secrets Manager, and exfiltrated an internal PostgreSQL database in under two minutes, using Cloudflare Workers to evade source-IP detection.
2026-05-25
incident
Laravel-Lang PHP Supply Chain Attack Delivers Credential Stealer via 233 Malicious Packagist VersionsLaravel-Lang Supply Chain Attack
Four Laravel-Lang PHP localization packages were compromised in a supply chain attack, publishing 233 malicious versions on Packagist. The attacker exploited GitHub's tag system to point to a malicious fork, delivering a custom credential stealer targeting cloud keys, CI/CD tokens, and browser passwords. The attack window was May 22-23, 2026, and affected systems should be considered fully compromised.
2026-05-25
incident
InvisibleFerret Malware Uses Compiled Python Extensions to Evade Script DetectionInvisibleFerret .pyd/.so evasion
The North Korea-linked group Void Dokkaebi (Famous Chollima) has upgraded its InvisibleFerret malware to use compiled Python extensions (.pyd and .so files) instead of plain scripts. This technique evades security tools that rely on script-based detection, allowing the malware to operate under the radar on endpoint systems.
2026-05-25
incident
Cloud Atlas APT Patches termsrv.dll to Enable Multiple RDP SessionsCloud Atlas termsrv.dll patching for multiple RDP sessions
The Cloud Atlas APT group has been observed modifying the Windows termsrv.dll library to enable multiple concurrent RDP sessions on compromised endpoints. This technique allows attackers to maintain stealthy, persistent access without disrupting legitimate user sessions, aiding in long-term espionage.
2026-05-25
incident
Attackers Disguise Linux Malware as SSH-Related Package in Supply Chain AttackSSH-like filename disguise in supply chain attack
A coordinated supply chain attack involved hiding a malicious Linux payload under a filename resembling SSH to evade detection during software installation. The technique leverages trust in SSH-related filenames to bypass security scrutiny. This incident highlights a novel evasion method targeting endpoint detection mechanisms.
2026-05-25
research poc
WantToCry ransomware uses SMB-only communication and external encryption to evade EDRWantToCry
A new ransomware strain called WantToCry encrypts files by sending data over SMB to an external server, avoiding local encryption operations that EDR solutions typically monitor. It uses only SMB communication for intrusion and encryption, challenging detection-based endpoint defenses.
2026-05-25
vuln disclosure
Highly Critical SQL Injection Vulnerability in Drupal Core (SA-CORE-2026-004)CVE-2026-9082
A highly critical SQL injection vulnerability, tracked as CVE-2026-9082, was disclosed in Drupal Core. The vulnerability allows remote attackers to execute arbitrary SQL commands, potentially leading to data theft or site compromise. The issue was addressed in a security advisory SA-CORE-2026-004.
2026-05-25
research poc
Anthropic's Claude Mythos AI Model Reportedly Discovers Over 10,000 High-Severity Vulnerabilities in WeeksClaude Mythos vulnerability discovery
Anthropic's cybersecurity-focused AI model, Claude Mythos, reportedly identified over 10,000 high- and critical-severity vulnerabilities in a short period. This demonstrates the potential of AI-driven vulnerability discovery at scale, raising concerns about the ability of security teams to keep pace with automated findings.
2026-05-25
incident
MiniUpdate RAT Abuses Azure C2 and Evades EDR via ETW DisablingMiniUpdate RAT
A targeted espionage campaign uses the MiniUpdate remote access trojan (RAT) that leverages Microsoft Azure for command-and-control. The malware includes explicit evasion features to disable Event Tracing for Windows (ETW), a key telemetry source for modern EDR solutions, and bypasses strong-name signature validation.
2026-05-25
vuln disclosure
Two Windows zero-days expose gaps in built-in security protections
Two newly disclosed Windows zero-day vulnerabilities are raising concerns about the effectiveness of built-in security controls. The article does not provide specific CVE identifiers or technical details. It highlights that reliance on default Windows protections may be insufficient.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →