End-of-Day report
Timeframe: Tuesday 05-05-2026 18:00 - Wednesday 06-05-2026 18:00
Handler: Felician Fuchs
Co-Handler: n/a
News
MuddyWater hackers use Chaos ransomware as a decoy in attacks
The Iranian MuddyWater hackers disguised their operations as a Chaos ransomware attack, relying on Microsoft Teams social engineering to gain access and establish persistence.
https://www.bleepingcomputer.com/news/security/muddywater-hackers-use-chaos-ransomware-as-a-decoy-in-attacks/
OceanLotus suspected of using PyPI to deliver ZiChatBot malware
Kaspersky researchers uncovered malicious wheel packages in PyPI that targeted both Windows and Linux and contained a dropper delivering malware dubbed ZiChatBot. We attribute this activity to OceanLotus APT.
https://securelist.com/oceanlotus-suspected-pypi-zichatbot-campaign/119603/
Malicious OpenClaw Skill Distributes Remcos RAT and GhostLoader
OpenClaw, previously known as Clawdbot, Moltbot, and Molty, is an open-source framework designed for autonomous AI agents that execute complex tasks requiring high-privilege local system access. While intended for automation, its modular "skill" architecture has been weaponized as a significant attack vector.
https://www.zscaler.com/blogs/security-research/malicious-openclaw-skill-distributes-remcos-rat-and-ghostloader
Agency for secure identity documents hacked: 15-year-old arrested
Millions of records from French "secure identity documents" fell into the wrong hands. The suspect is not a foreign intelligence service but a teenage boy.
https://www.heise.de/news/Behoerde-fuer-abgesicherte-Ausweise-geknackt-15-Jaehriger-verhaftet-11283198.html
"Pressure Cooker": Europol's secret data processing without oversight
Internal warnings obtained through freedom-of-information requests show that the EU police agency long operated operational networks without IT controls and proper logging.
https://www.heise.de/news/Pressure-Cooker-Europols-geheime-Datenverarbeitung-ohne-Aufsicht-11283466.html
FSFE warns: NHS should not take open-source code offline
The Free Software Foundation Europe warns against switching the NHS code repositories to private out of fear of AI-driven vulnerability hunting.
https://www.heise.de/news/FSFE-warnt-NHS-sollte-quelloffenen-Code-nicht-depublizieren-11283406.html
IPFire: New DNS firewall to replace URL filter and Pi-hole
With Core Update 201, the firewall distribution IPFire ships a DNS firewall that blocks unwanted domains already at name-resolution time.
https://www.heise.de/news/IPFire-Neue-DNS-Firewall-soll-URL-Filter-und-Pi-hole-abloesen-11283482.html
Discounter trap: fake search results lead to Lidl fake shop
Anyone searching online for cheap household appliances, bicycles, tools or other popular items frequently ends up in a fake shop. Advertisements disguised as "sponsored search results" lead directly into the trap, which is visually modelled on the website of the well-known discounter Lidl.
https://www.watchlist-internet.at/news/lidl-fake-shop/
Paramiko Security Audit
Paramiko is a pure-Python implementation of SSHv2 that provides both client- and server-side functionality. It serves as the foundation for the high-level SSH library Fabric and is widely regarded as one of the most popular SSH solutions in the Python ecosystem. The Cryptography library, for its part, offers Python developers access to a broad range of cryptographic algorithms and primitives. It is a widely adopted Python/Rust library with more than 25,000 known dependencies.
http://blog.quarkslab.com/paramiko-security-audit.html
The Jenkins Threat Landscape
What usage patterns, plugin adoption, and configuration choices reveal about the Jenkins attack surface.
https://www.wiz.io/blog/jenkins-threat-risk-insights
New Infostealer Dubbed "Pheno" Hijacks Windows' Phone Link App to Steal MFA OTPs
Attackers have found a way to intercept SMS-based one-time passwords from a victim's mobile device without deploying a single line of malware on the phone itself. Instead, they go through the Windows PC the phone is already connected to.
https://thecyberexpress.com/new-infostealer-pheno-steals-mfa-otps/
Vulnerabilities
Critical Apache HTTP/2 Flaw (CVE-2026-23918) Enables DoS and Potential RCE
The Apache Software Foundation (ASF) has released security updates to address several security vulnerabilities in the HTTP Server, including a severe vulnerability that could potentially lead to remote code execution (RCE). The vulnerability, tracked as CVE-2026-23918 (CVSS score: 8.8), has been described as a case of "double free and possible RCE" in the HTTP/2 protocol handling.
https://thehackernews.com/2026/05/critical-apache-http2-flaw-cve-2026.html
PAN-OS vulnerability under attack, updates not planned for weeks
Palo Alto Networks warns of a critical security vulnerability in PAN-OS that is already being exploited. Updates will arrive in mid-May at the earliest.
https://www.heise.de/news/PAN-OS-Luecke-wird-angegriffen-Updates-erst-in-Wochen-geplant-11283352.html
An exploitable integer overflow in Lix (CVE-2026-44028)
Security researchers have found a security issue in Lix. This issue has been assigned CVE-2026-44028.
https://lix.systems/blog/2026-05-05-lix-unsigned-integer-overflow/
Attackers Actively Exploiting Critical Vulnerability in Breeze Cache Plugin
https://www.wordfence.com/blog/2026/05/attackers-actively-exploiting-critical-vulnerability-in-breeze-cache-plugin/
LWN Security updates for Wednesday
https://lwn.net/Articles/1071466/