Daily Summary - 07.05.2026

End-of-Day report

Timeframe: Wednesday 06-05-2026 18:00 - Thursday 07-05-2026 18:00
Handler: Felician Fuchs
Co-Handler: n/a

News

Hackers abuse Google ads for GoDaddy ManageWP login phishing

A phishing campaign delivered through Google sponsored search results is targeting credentials for ManageWP, GoDaddy's platform for managing fleets of WordPress websites.

https://www.bleepingcomputer.com/news/security/hackers-abuse-google-ads-for-godaddy-managewp-login-phishing/

Fake Claude AI website delivers new Beagle Windows malware

A fake version of the Claude AI website offers a malicious Claude-Pro Relay download that pushes a previously undocumented backdoor for Windows named Beagle.

https://www.bleepingcomputer.com/news/security/fake-claude-ai-website-delivers-new-beagle-windows-malware/

When DNSSEC goes wrong: how we responded to the .de TLD outage

On May 5, 2026, DENIC published broken DNSSEC signatures for the .de TLD, making millions of domains unreachable. Here's what 1.1.1.1 saw, how serve stale cushioned the impact, and how we restored resolution.

https://blog.cloudflare.com/de-tld-outage-dnssec/

How Cloudflare responded to the "Copy Fail" Linux vulnerability

When a critical Linux kernel privilege escalation was publicly disclosed, Cloudflare's security and engineering teams detected, investigated, and mitigated the threat across our global fleet, confirming zero customer impact and no malicious exploitation.

https://blog.cloudflare.com/copy-fail-linux-vulnerability-mitigation/

Mirai-Based xlabs_v1 Botnet Exploits ADB to Hijack IoT Devices for DDoS Attacks

Cybersecurity researchers have exposed a new Mirai-derived botnet that self-identifies as xlabs_v1 and targets internet-exposed devices running Android Debug Bridge (ADB) to enlist them in a network capable of carrying out distributed denial-of-service (DDoS) attacks.

https://thehackernews.com/2026/05/mirai-based-xlabsv1-botnet-exploits-adb.html

Insolvency estate: Criminals now impersonate car dealers, wholesalers and auditors in addition to law firms

The scam stays the same, but the cover stories change. Where previously only the identity of law firms was misused to get at victims' money through advance-fee fraud, the criminals have now expanded their portfolio. They now also pose as a variety of other companies and agencies. An update.

https://www.watchlist-internet.at/news/insolvenzmasse-autohaendler-grosshaendler-wirtschaftspruefer/

World Password Day 2026: Why "Strong Passwords" Can't Save You from AI, Infostealers, and the Telegram Underground

As we recognize World Password Day in 2026, the traditional advice to "use a complex password with numbers and symbols" feels hopelessly outdated. Today, a 16-character password is useless if an infostealer malware extracts it directly from a browser cache, or if an employee willingly pastes it into an unmanaged AI chatbot. Welcome to the real World Password Day 2026.

https://blog.checkpoint.com/security/world-password-day-2026-why-strong-passwords-cant-save-you-from-ai-infostealers-and-the-telegram-underground/

Polish intelligence warns hackers attacked water treatment control systems

The agency did not publicly attribute the incidents to a specific group or country but said Poland faced intensified hostile cyber activity in 2024 and 2025, "with particular emphasis on the special services of the Russian Federation."

https://therecord.media/polish-intelligence-warns-hackers-attacked-water-treatment

Warning about IONOS/1&1 invoice phishing

I am posting a brief warning here on the blog because, for the second month already, a phishing mail from 1&1 has been delivered to my inbox that attempts invoice phishing at IONOS.

https://borncity.com/blog/2026/05/07/warnung-vor-ionos-11-rechnungs-phishing/

Best OSINT Tools for Investigations and Threat Intelligence in 2026

Explore the best OSINT tools for your digital investigations, threat intelligence, reconnaissance, and tracking online activity in 2026.

https://hackread.com/best-osint-tools-investigate-threat-intelligence-2026/

Plastic Flowers to Protect the Hive

Agentic development has fundamentally changed the software ecosystem. Modern coding agents are trained and prompted to seek out tools that will help with their assigned coding tasks. They will install those tools into their user's environment, with little to no oversight on what the installed package actually does, relying on name pattern matching more than any other signal.

https://phildini.dev/slopsquatting-for-good

Operation Epic Fury Exposes Critical OT Security Gaps in U.S. Oil and Gas Sector

The cybersecurity posture of the U.S. oil and gas sector has come under renewed scrutiny following Operation Epic Fury, with a new independent survey revealing a disconnect between operator confidence and actual operational technology (OT) security capabilities.

https://thecyberexpress.com/operation-epic-fury-ot-security-detection-gaps/

ClickFix Campaign Evolves with Targeting of MacOS Users

ClickFix started as a Windows problem. It is no longer one. Microsoft's Defender Security Research Team published a detailed analysis documenting an active ClickFix campaign that has been targeting macOS users since at least January 2026. The primary goal is delivering infostealers by convincing users to paste malicious commands into their own Terminal, framed as routine system maintenance.

https://thecyberexpress.com/clickfix-campaign-evolves-targets-macos-users/

Vulnerabilities

Cisco: Code injection flaw in Unity Connection and further vulnerabilities

Cisco has released almost two handfuls of security updates. They close several high-risk vulnerabilities, for example in Unity Connection.

https://www.heise.de/news/Cisco-Codeschmuggel-Leck-in-Unity-Connection-und-weitere-Luecken-11285115.html

May 2026 EPMM Security Update

Ivanti has released updates for Ivanti Endpoint Manager Mobile (EPMM) which address five high severity vulnerabilities.

https://www.ivanti.com/blog/may-2026-epmm-security-update

Node.js 25: Escapes from JavaScript sandbox vm2 conceivable

The sandbox component vm2 of the open-source JavaScript runtime Node.js is vulnerable with certain settings.

https://heise.de/-11285063

Salesforce Marketing Cloud Vulnerabilities Expose Cross-Tenant Subscriber Data Risks

A recently disclosed set of vulnerabilities in Salesforce Marketing Cloud, widely known as SFMC, has drawn attention to the security risks tied to centralized marketing infrastructure. The flaws, which affected components tied to AMPScript, CloudPages, and email-rendering workflows, could have enabled attackers to access subscriber information, enumerate marketing emails, and potentially affect organizations across multiple tenants.

https://thecyberexpress.com/salesforce-sfmc-ampscript-vulnerability/

Authenticated Arbitrary File Upload Vulnerability Patched in Slider Revolution 7 WordPress Plugin

https://www.wordfence.com/blog/2026/05/authenticated-arbitrary-file-upload-vulnerability-patched-in-slider-revolution-7-wordpress-plugin/

LWN Security updates for Thursday

https://lwn.net/Articles/1071700/