Rough Monday.
Somebody poisoned a trusted download again, somebody else turned cloud servers into public housing, and a few crews are still getting into boxes with bugs that should’ve died years ago — the same old holes, same lazy access paths, same “how the hell is this still open” feeling. One report this week basically reads like a guy tripped over root access by accident and decided to stay there.
The weird part is how normal this all sounds now. Fake updates. Quiet backdoors. Remote tools used like skeleton keys. Forum rats swapping stolen access while defenders burn another weekend chasing logs and praying the weird traffic is just monitoring noise. The Internet's held together with duct tape and bad sleep.
Anyway, Monday recap time. Same fire. New smoke.
⚡ Threat of the Week
Ivanti EPMM and Palo Alto Networks PAN-OS Flaws Under Attack—Ivanti warned customers that attackers have successfully weaponized CVE-2026-6973, an improper input validation defect in Endpoint Manager Mobile (EPMM) that allows authenticated users with administrative privileges to run code remotely. The company did not say when the first instance of exploitation occurred, or precisely how many customers have been impacted. In a related development, attackers are actively exploiting a zero-day vulnerability affecting some Palo Alto Networks customers' firewalls. As in the case of Ivanti, Palo Alto Networks did not say when or how it became aware of active exploitation, but said threat actors may have unsuccessfully attempted to exploit a recently disclosed critical security flaw as early as April 9, 2026. The memory corruption vulnerability, tracked as CVE-2026-0300, affects the authentication portal of PAN-OS and allows unauthenticated attackers to run code with root privileges on the PA-Series and VM-Series firewalls. Attack surface management platform Censys said it detected about 263,000 Internet-exposed hosts running PAN-OS. Patches are expected to be released starting May 13, 2026.
Webinar: Transform Your SOC - From Generic Detection to Exposure Intelligence
Join Gartner and XM Cyber on May 12th at 10 AM EST. Learn to break the reactive cycle of alert fatigue by infusing real-time exposure context into your SIEM and SOAR. Discover how to prioritize threats based on their actual reachability to your critical assets.
🔔 Top News
New Quasar Linux RAT Spotted—Attackers have found a new way to turn Linux systems into entry points for supply chain or cloud infrastructure breaches that are resilient to takedowns. The new malware framework, dubbed Quasar Linux or QLNX, is a modular Linux remote access trojan (RAT) that can harvest data from compromised systems. What sets it apart is its peer-to-peer (P2P) mesh capability, which turns individual compromises into an interconnected infection network: infected hosts communicate with one another rather than relying entirely on centralized servers, making the campaign difficult to kill. QLNX also combines kernel-level rootkit functionality, PAM-based authentication backdoors, and persistence mechanisms to stay hidden on compromised systems while retaining access. It hides malicious processes under names that mimic legitimate Linux services and system binaries to blend into routine workflows. "Quasar Linux RAT (QLNX) is a comprehensive Linux implant that combines remote access capabilities with advanced evasion, persistence, keylogging, and credential harvesting features," Trend Micro said. "The malware carries embedded C source code for both its PAM backdoor and LD_PRELOAD rootkit as string literals within the binary."
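Two of the QLNX behaviours above, processes masquerading under system-service names and an LD_PRELOAD rootkit, leave userland traces a defender can check for. The script below is an added example written for this recap, not Trend Micro's code and not derived from the QLNX sample: it flags processes whose name matches a well-known service but whose executable lives outside trusted system directories (or was deleted after launch), and lists any entries in /etc/ld.so.preload, a file that is normally absent or empty. The service-name list, the trusted directories, and the sample process table are assumptions constructed for the example; the `collect_live_processes` helper reads the real /proc of the host it runs on.

```python
"""Userland checks for service-name masquerading and LD_PRELOAD persistence.

Added example for this recap; constructed sample data, not from a real host.
"""
import os
from typing import List, Tuple

# Where a binary that claims to be a system service is expected to live.
# Assumption for this example; tune for your distribution.
TRUSTED_BIN_DIRS = (
    "/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/",
    "/usr/lib/", "/usr/libexec/", "/lib/",
)

# Names that implants commonly borrow to blend in. Assumption for this example.
SERVICE_NAMES = {
    "sshd", "cron", "crond", "rsyslogd", "systemd", "systemd-journald",
    "dbus-daemon", "atd", "udevd", "systemd-udevd",
}

Proc = Tuple[int, str, str]  # (pid, comm, exe_path)


def suspicious_processes(procs: List[Proc]) -> List[Proc]:
    """Return processes that look like masquerading service binaries.

    A hit is a process whose executable was deleted after launch (the
    /proc/<pid>/exe link ends with ' (deleted)'), or whose name is a known
    service name while its executable resolves outside TRUSTED_BIN_DIRS.
    """
    flagged: List[Proc] = []
    for pid, comm, exe in procs:
        if exe.endswith(" (deleted)"):
            flagged.append((pid, comm, exe))
        elif comm in SERVICE_NAMES and not exe.startswith(TRUSTED_BIN_DIRS):
            flagged.append((pid, comm, exe))
    return flagged


def preload_entries(preload_text: str) -> List[str]:
    """Parse the contents of /etc/ld.so.preload into a list of library paths.

    Blank lines and '#' comments are dropped. Any remaining entry is worth
    review, because the file is empty or absent on a normal host.
    """
    entries: List[str] = []
    for line in preload_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


def collect_live_processes() -> List[Proc]:
    """Read (pid, comm, exe) for every userland process in /proc (Linux only)."""
    procs: List[Proc] = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            # Kernel threads have no exe link; processes may exit mid-scan.
            continue
        procs.append((pid, comm, exe))
    return procs


def read_preload(path: str = "/etc/ld.so.preload") -> str:
    """Return the preload file's contents, or '' when it does not exist."""
    try:
        with open(path) as fh:
            return fh.read()
    except FileNotFoundError:
        return ""


# Constructed sample data (not captured from any real system).
SAMPLE_PROCS: List[Proc] = [
    (712, "sshd", "/usr/sbin/sshd"),                 # genuine
    (913, "cron", "/usr/sbin/cron"),                 # genuine
    (4021, "sshd", "/tmp/.cache/sshd"),              # service name, odd path
    (4388, "rsyslogd", "/dev/shm/x (deleted)"),      # binary removed after start
    (5100, "myapp", "/opt/myapp/bin/myapp"),         # unknown name, not flagged
]
SAMPLE_PRELOAD = "# constructed sample\n/usr/local/lib/libsystemd-shim.so\n\n"

if __name__ == "__main__":
    for pid, comm, exe in suspicious_processes(SAMPLE_PROCS):
        print(f"suspicious process pid={pid} comm={comm} exe={exe}")
    for lib in preload_entries(SAMPLE_PRELOAD):
        print(f"ld.so.preload entry: {lib}")
    # Uncomment to scan the host this runs on:
    # suspicious_processes(collect_live_processes()); preload_entries(read_preload())
```

The check is deliberately limited to what /proc exposes: a kernel-level rootkit of the kind the report describes can hide its processes from /proc altogether, so a clean result here does not clear a host. Treat hits as leads for offline disk and memory review, and pair this with file integrity monitoring on the PAM module directory, since a PAM backdoor leaves no process of its own.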
PCPJack Replaces TeamPCP Malware to Steal Cloud Secrets—An unknown threat actor has launched a campaign to systematically clean up environments infected by the infamous TeamPCP hacking group and drop its own malicious tools to steal credentials from cloud, container, developer, productivity, and financial services for financial gain. Active since late April, the campaign also propagates itself, moving laterally both inside a network and to other targets by breaking into open and exploitable cloud infrastructure. The broad credential harvesting sweep lets the malware break into more cloud servers and spread in a worm-like manner, while also rooting out any processes and artifacts belonging to TeamPCP. External propagation relies on downloading Parquet files from Common Crawl for target discovery. Threat actors aiming at cloud environments have long built in methods to delete competing malware, particularly in cryptojacking campaigns, but the absence of a miner and the specific targeting of TeamPCP tooling raise the possibility that the operator was formerly associated with the group, is part of a rival crew, or is an unrelated third party mimicking TeamPCP's tradecraft.
MuddyWater Uses Chaos Ransomware as Decoy in New Attack—An Iranian state-sponsored espionage group posed as an ordinary ransomware gang in an attack detected in early 2026. The Iranian hackers known as MuddyWater disguised their operations as a Chaos ransomware attack, relying on Microsoft Teams social engineering to gain access and establish persistence within the victim environment. Although the attack involved reconnaissance, credential harvesting, and data exfiltration, no file-encrypting ransomware was deployed, which is inconsistent with Chaos attacks. The victim was also added to the Chaos ransomware data leak site, but infrastructure and code-signing certificate evidence indicate the activity was likely a cover to mask the threat actor's true espionage goals and to complicate attribution. Rapid7 told The Hacker News that there is no evidence to suggest that MuddyWater is operating as an affiliate of Chaos.
DAEMON Tools Supply Chain Attack Leads to QUIC RAT—Hackers compromised installers of DAEMON Tools in a supply chain attack that affected users in more than 100 countries. The malicious versions, first observed in early April, impacted multiple releases of the software and were installed on thousands of machines across Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China. The operation appears to be targeted. Most victims received only a data miner designed to gather system information, while a second, more advanced shellcode loader was deployed to just a handful of targets, including retail, scientific, government, and manufacturing organizations in Russia, Belarus, and Thailand. The attackers likely used the initial data collection to profile infected systems before selectively deploying an implant codenamed QUIC RAT. That malware was deployed against only one known target, an unidentified educational institution in Russia. Kaspersky said the malicious code included Chinese-language elements, suggesting the attackers are familiar with the language, but stopped short of attributing the campaign to a specific group.
Cybercrime Groups Use Vishing for Data Theft and Extortion—An active phishing campaign has been observed targeting multiple vectors since at least April 2025, using legitimate Remote Monitoring and Management (RMM) software to establish persistent remote access to compromised hosts. The activity, which targets organizations across multiple industries, highlights a growing trend in which attackers weaponize legitimate IT management tools to bypass security controls and maintain persistence on compromised systems. What makes the campaign noteworthy is its deliberate avoidance of traditional malware in favor of two commercially available RMM tools, SimpleHelp and ScreenConnect, for persistent control over victim machines. The abuse of RMM tools by bad actors has surged in recent years because they offer a low-friction way to gain access to and maintain persistence in a victim environment. Because of how u