End-of-Day report
Timeframe: Wednesday 06-05-2026 18:00 - Thursday 07-05-2026 18:00
Handler: Felician Fuchs
Co-Handler: n/a
News
Hackers abuse Google ads for GoDaddy ManageWP login phishing
A phishing campaign delivered through Google sponsored search results is targeting credentials for ManageWP, GoDaddy's platform for managing fleets of WordPress websites.
https://www.bleepingcomputer.com/news/security/hackers-abuse-google-ads-for-godaddy-managewp-login-phishing/
Fake Claude AI website delivers new Beagle Windows malware
A fake version of the Claude AI website offers a malicious Claude-Pro Relay download that pushes a previously undocumented backdoor for Windows named Beagle.
https://www.bleepingcomputer.com/news/security/fake-claude-ai-website-delivers-new-beagle-windows-malware/
When DNSSEC goes wrong: how we responded to the .de TLD outage
On May 5, 2026, DENIC published broken DNSSEC signatures for the .de TLD, making millions of domains unreachable. Here's what 1.1.1.1 saw, how serve stale cushioned the impact, and how we restored resolution.
https://blog.cloudflare.com/de-tld-outage-dnssec/
How Cloudflare responded to the "Copy Fail" Linux vulnerability
When a critical Linux kernel privilege escalation was publicly disclosed, Cloudflare's security and engineering teams detected, investigated, and mitigated the threat across our global fleet, confirming zero customer impact and no malicious exploitation.
https://blog.cloudflare.com/copy-fail-linux-vulnerability-mitigation/
Mirai-Based xlabs_v1 Botnet Exploits ADB to Hijack IoT Devices for DDoS Attacks
Cybersecurity researchers have exposed a new Mirai-derived botnet that self-identifies as xlabs_v1 and targets internet-exposed devices running Android Debug Bridge (ADB) to enlist them in a network capable of carrying out distributed denial-of-service (DDoS) attacks.
https://thehackernews.com/2026/05/mirai-based-xlabsv1-botnet-exploits-adb.html
Insolvency estate: Criminals now impersonate car dealers, wholesalers and auditors in addition to law firms
The scheme stays the same, but the disguises change. Where previously only the identity of law firms was misused to get at victims' money through advance-fee fraud, the criminals have now expanded their portfolio. They now also pose as a variety of other companies and agencies. An update.
https://www.watchlist-internet.at/news/insolvenzmasse-autohaendler-grosshaendler-wirtschaftspruefer/
World Password Day 2026: Why "Strong Passwords" Can't Save You from AI, Infostealers, and the Telegram Underground
As we recognize World Password Day in 2026, the traditional advice to "use a complex password with numbers and symbols" feels hopelessly outdated. Today, a 16-character password is useless if an infostealer malware extracts it directly from a browser cache, or if an employee willingly pastes it into an unmanaged AI chatbot. Welcome to the real World Password Day 2026.
https://blog.checkpoint.com/security/world-password-day-2026-why-strong-passwords-cant-save-you-from-ai-infostealers-and-the-telegram-underground/
Polish intelligence warns hackers attacked water treatment control systems
The agency did not publicly attribute the incidents to a specific group or country but said Poland faced intensified hostile cyber activity in 2024 and 2025, "with particular emphasis on the special services of the Russian Federation."
https://therecord.media/polish-intelligence-warns-hackers-attacked-water-treatment
Warning about IONOS/1&1 invoice phishing
I am posting a short warning here on the blog because, for the second month now, a phishing mail from 1&1 has been delivered to my inbox that attempts invoice phishing at IONOS.
https://borncity.com/blog/2026/05/07/warnung-vor-ionos-11-rechnungs-phishing/
Best OSINT Tools for Investigations and Threat Intelligence in 2026
Explore the best OSINT tools for your digital investigations, threat intelligence, reconnaissance, and tracking online activity in 2026.
https://hackread.com/best-osint-tools-investigate-threat-intelligence-2026/
Plastic Flowers to Protect the Hive
Agentic development has fundamentally changed the software ecosystem. Modern coding agents are trained and prompted to seek out tools that will help with their assigned coding tasks. They will install those tools into their user's environment, with little to no oversight on what the installed package actually does, relying on name pattern matching more than any other signal.
https://phildini.dev/slopsquatting-for-good
Operation Epic Fury Exposes Critical OT Security Gaps in U.S. Oil and Gas Sector
The cybersecurity posture of the U.S. oil and gas sector has come under renewed scrutiny following Operation Epic Fury, with a new independent survey revealing a disconnect between operator confidence and actual operational technology (OT) security capabilities.
https://thecyberexpress.com/operation-epic-fury-ot-security-detection-gaps/
ClickFix Campaign Evolves with Targeting of MacOS Users
ClickFix started as a Windows problem. It is no longer one. Microsoft's Defender Security Research Team published a detailed analysis documenting an active ClickFix campaign that has been targeting macOS users since at least January 2026. The primary goal is delivering infostealers by convincing users to paste malicious commands into their own Terminal, framed as routine system maintenance.
https://thecyberexpress.com/clickfix-campaign-evolves-targets-macos-users/
Vulnerabilities
Cisco: Code injection flaw in Unity Connection and further vulnerabilities
Cisco has released almost two handfuls of security updates. They close several high-risk vulnerabilities, for example in Unity Connection.
https://www.heise.de/news/Cisco-Codeschmuggel-Leck-in-Unity-Connection-und-weitere-Luecken-11285115.html
May 2026 EPMM Security Update
Ivanti has released updates for Ivanti Endpoint Manager Mobile (EPMM) which address five high severity vulnerabilities.
https://www.ivanti.com/blog/may-2026-epmm-security-update
Node.js 25: Escapes from JavaScript sandbox vm2 conceivable
The sandbox component vm2 of the open-source JavaScript runtime environment Node.js is vulnerable with certain settings.
https://heise.de/-11285063
Salesforce Marketing Cloud Vulnerabilities Expose Cross-Tenant Subscriber Data Risks
A recently disclosed set of vulnerabilities in Salesforce Marketing Cloud, widely known as SFMC, has drawn attention to the security risks tied to centralized marketing infrastructure. The flaws, which affected components tied to AMPScript, CloudPages, and email-rendering workflows, could have enabled attackers to access subscriber information, enumerate marketing emails, and potentially affect organizations across multiple tenants.
https://thecyberexpress.com/salesforce-sfmc-ampscript-vulnerability/
Authenticated Arbitrary File Upload Vulnerability Patched in Slider Revolution 7 WordPress Plugin
https://www.wordfence.com/blog/2026/05/authenticated-arbitrary-file-upload-vulnerability-patched-in-slider-revolution-7-wordpress-plugin/
LWN Security updates for Thursday
https://lwn.net/Articles/1071700/