NCSA Webboard
    Cyber Threat Intelligence 11 May 2026

    Cyber Security News
    NCSA_THAICERT

      Vulnerabilities

      • CVE-2025-68670: Discovering An RCE Vulnerability In Xrdp
        "In addition to KasperskyOS-powered solutions, Kaspersky offers various utility software to streamline business operations. For instance, users of Kaspersky Thin Client, an operating system for thin clients, can also purchase Kaspersky USB Redirector, a module that expands the capabilities of the xrdp remote desktop server for Linux. This module enables access to local USB devices, such as flash drives, tokens, smart cards, and printers, within a remote desktop session – all while maintaining connection security."
        https://securelist.com/cve-2025-68670/119742/
      • cPanel, WHM Release Fixes For Three New Vulnerabilities — Patch Now
        "cPanel has released updates to address three vulnerabilities in cPanel and Web Host Manager (WHM) that could be exploited to achieve privilege escalation, code execution, and denial-of-service. The list of vulnerabilities is as follows -"
        https://thehackernews.com/2026/05/cpanel-whm-patch-3-new-vulnerabilities.html
        https://securityaffairs.com/191931/security/new-cpanel-vulnerabilities-could-allow-file-access-and-remote-code-execution.html
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2026-42208 BerriAI LiteLLM SQL Injection Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/05/08/cisa-adds-one-known-exploited-vulnerability-catalog
      • New Linux 'Dirty Frag' Zero-Day Gives Root On All Major Distros
        "A new Linux zero-day exploit, named Dirty Frag, allows local attackers to gain root privileges on most major Linux distributions with a single command. Security researcher Hyunwoo Kim, who disclosed it earlier today and published a proof-of-concept (PoC) exploit, says this local privilege escalation was introduced roughly nine years ago in the Linux kernel's algif_aead cryptographic algorithm interface. Dirty Frag works by chaining two separate kernel flaws, the xfrm-ESP Page-Cache Write vulnerability and the RxRPC Page-Cache Write vulnerability, to modify protected system files in memory without authorization and achieve privilege escalation."
        https://www.bleepingcomputer.com/news/security/new-linux-dirty-frag-zero-day-with-poc-exploit-gives-root-privileges/
        https://github.com/V4bel/dirtyfrag
        https://www.openwall.com/lists/oss-security/2026/05/07/8
        https://thehackernews.com/2026/05/linux-kernel-dirty-frag-lpe-exploit.html
        https://www.bankinfosecurity.com/dirty-frag-gives-root-on-linux-distros-a-31641
        https://securityaffairs.com/191847/hacking/dirty-frag-a-new-linux-privilege-escalation-vulnerability-is-already-in-the-wild.html
        https://www.theregister.com/security/2026/05/08/dirty-frag-linux-flaw-one-ups-copyfail-with-no-patches-and-public-root-exploit/5237230
      • ClaudeBleed: A Flaw In Claude’s Browser Extension Allows Any Extension To Hijack It
        "LayerX security researchers have discovered a flaw with Claude’s Chrome extension (“Claude in Chrome”) that allows any extension, even one with no special permissions at all, to effectively hijack Claude’s extension by injecting it with malicious instructions, extract any information that the attacker desires, and get Claude to perform active agentic actions on their behalf. LayerX reported the flaw to Anthropic. Anthropic replied that they were already aware of the issue and that it would be fixed in the next version of the extension. However, Anthropic issued only a partial fix, which did not address the root cause of the flaw, and the vulnerability can still be exploited."
        https://layerxsecurity.com/blog/a-flaw-in-claudes-browser-extension-allows-any-extension-to-hijack-it/
        https://cyberscoop.com/claude-chrome-extension-allows-plugins-to-hijack-ai/
        https://hackread.com/claudebleed-vulnerability-hackers-claude-chrome-extension/
        https://www.securityweek.com/vulnerability-in-claude-extension-for-chrome-exposes-ai-agent-to-takeover/
      • CVE-2026-2005: PostgreSQL Pgcrypto Heap Buffer Overflow Leading To RCE
        "CVE-2026-2005 is a heap buffer overflow in PostgreSQL's pgcrypto extension that allows remote code execution inside the PostgreSQL server process. The vulnerable code has been present since pgcrypto was first contributed in 2005, more than 20 years ago. The bug was discovered by Xint Code, a fully autonomous AI-powered security analysis tool. A reliable RCE exploit was demonstrated live at ZeroDay.Cloud 2025 (London, Dec 10-11, 2025), and disclosed in collaboration with the Wiz Research Team. The patch was committed upstream on Feb 8, 2026 and shipped on Feb 12, 2026 across all supported major versions (18.2, 17.8, 16.12, 15.16, 14.21). Now that patches are available, this post details the root cause, walks through the exploit process, and provides remediation guidance."
        https://www.zeroday.cloud/blog/postgres-xint

      Malware

      • ClickFix Campaign Uses Fake MacOS Utilities Lures To Deliver Infostealers
        "Microsoft researchers continue to observe the evolution of an infostealer campaign distributing ClickFix‑style instructions and targeting macOS users. In this recent iteration, threat actors attempt to take advantage of users who are looking for helpful advice on macOS-related issues (for example, optimizing their disk space) in blog sites and other user-driven content platforms by hosting their malicious commands in these sites. These commands, which are purported to install system utilities, load an infostealing malware like Macsync, Shub Stealer, and AMOS into the targets’ devices instead."
        https://www.microsoft.com/en-us/security/blog/2026/05/06/clickfix-campaign-uses-fake-macos-utilities-lures-deliver-infostealers/
        https://hackread.com/fake-macos-troubleshooting-sites-steal-icloud-clickfix/
      • PamDOORa: Analyzing a New Linux PAM-Based Backdoor For Sale On The Dark Web
        "For $1,600, a threat actor on a Russian cybercrime forum is selling the complete source code for a Linux backdoor that embeds itself in one of the most trusted layers of the operating system: the Pluggable Authentication Module (PAM) stack. The tool, called PamDOORa, is a new PAM-based backdoor, designed to serve as a post-exploitation backdoor, enabling authentication to servers via OpenSSH. Allegedly this would remain persistent on Linux systems (x86_64). As Linux systems continue to dominate enterprise infrastructure and cloud environments, attackers are constantly exploring new post-exploitation tools to maintain persistence on compromised servers."
        https://flare.io/learn/resources/blog/pamdoora-new-linux-pam-based-backdoor-sale-dark-web
        https://thehackernews.com/2026/05/new-linux-pamdoora-backdoor-uses-pam.html
      • Pro-Ukraine BO Team And Head Mare Hackers Appear To Team Up In Attacks Against Russia
        "A pro-Ukraine hacktivist group known as BO Team appears to be coordinating its cyber operations with another group, Head Mare, in attacks targeting Russian organizations, according to a new report. Researchers at Moscow-based cybersecurity firm Kaspersky said they identified overlapping infrastructure and tools used by both groups — including command-and-control systems operating on the same compromised host — suggesting some coordination. In previous reports, Kaspersky said BO Team, also known as Black Owl, operates more autonomously than other pro-Ukraine hacktivist groups, with its own resources and approaches to deploying malicious tools."
        https://therecord.media/ukraine-bo-team-head-mare-hacktivists-team-up-kaspersky
      • JDownloader Site Hacked To Replace Installers With Python RAT Malware
        "The website for the popular JDownloader download manager was compromised earlier this week to distribute malicious Windows and Linux installers, with the Windows payload found deploying a Python-based remote access trojan. The supply chain attack affects those who downloaded installers from the official website between May 6 and May 7, 2026 via the Windows 'Download Alternative Installer' links or the Linux shell installer. According to the developers, the attackers modified the website's download links to point to malicious third-party payloads rather than legitimate installers."
        https://www.bleepingcomputer.com/news/security/jdownloader-site-hacked-to-replace-installers-with-python-rat-malware/
        https://hackread.com/hackers-hijack-jdownloader-site-malware-installers/
        https://securityaffairs.com/191920/malware/official-jdownloader-site-served-malware-to-windows-and-linux-users.html
      • Malware Found In Trending Hugging Face Repository "Open-OSS/privacy-Filter"
        "On the 7th of May 2026, we identified malicious code in the Hugging Face repository Open-OSS/privacy-filter, which at the time appeared among the platform's top trending repositories with over 200k downloads until its removal by the Hugging Face team. The repository had typosquatted OpenAI's legitimate Privacy Filter release, copied its model card nearly verbatim, and shipped a loader.py file that fetches and executes infostealer malware on Windows machines."
        https://www.hiddenlayer.com/research/malware-found-in-trending-hugging-face-repository-open-oss-privacy-filter
        https://www.bleepingcomputer.com/news/security/fake-openai-repository-on-hugging-face-pushes-infostealer-malware/
      • Hackers Abuse Google Ads, Claude.ai Chats To Push Mac Malware
        "Attackers are abusing Google Ads and legitimate Claude.ai shared chats in an active malvertising campaign. Users searching for 'Claude mac download' may come across sponsored search results that list claude.ai as the target website, but lead to instructions that install malware on their Mac."
        https://www.bleepingcomputer.com/news/security/hackers-abuse-google-ads-claudeai-chats-to-push-mac-malware/

      Breaches/Hacks/Leaks

      • NVIDIA Confirms GeForce NOW Data Breach Affecting Armenian Users
        "NVIDIA has confirmed in a statement for BleepingComputer that GeForce NOW user information has been exposed in a data breach. The gaming and hardware giant has clarified that the impact is limited to Armenia, and was caused by a compromise of the infrastructure operated by a regional partner. The company added that its own network was not impacted by the incident. “Our investigation found no impact on NVIDIA-operated services. The issue is limited to systems run by a third-party GeForce NOW Alliance partner based in Armenia. We are working closely with the partner to support their investigation and resolution. Impacted users will be notified by GFN.am,” the company said."
        https://www.bleepingcomputer.com/news/security/nvidia-confirms-geforce-now-data-breach-affecting-armenian-users/
      • Trellix Source Code Breach Claimed By RansomHouse Hackers
        "The attack on the Trellix source code repository disclosed last week has been claimed by the RansomHouse threat group, which leaked a small set of images as proof of the intrusion. Yesterday, the threat actor published on their data leak site screenshots indicating access to the cybersecurity company's appliance management system. However, BleepingComputer could not confirm the authenticity of the data. Trellix is an international cybersecurity firm with global Fortune 100 customers. In 2025, the company had more than 53,000 customers in 185 countries and 3,500 employees."
        https://www.bleepingcomputer.com/news/security/trellix-source-code-breach-claimed-by-ransomhouse-hackers/
        https://www.securityweek.com/ransomware-group-takes-credit-for-trellix-hack/
        https://securityaffairs.com/191879/cyber-crime/ransomhouse-says-it-breached-trellix-and-exposes-internal-systems.html
      • Zara Data Breach Exposed Personal Information Of 197,000 People
        "Hackers who gained access to the databases of Spanish fast-fashion retailer Zara stole data belonging to more than 197,000 customers, according to data breach notification service Have I Been Pwned. Zara has over 1,500 company-managed and franchised stores worldwide and is the flagship brand of the Inditex Group, one of the world's largest fashion distribution groups, which also owns Bershka, Zara Home, Oysho, Pull&Bear, Massimo Dutti, Stradivarius, and Uterqüe. As Inditex stated last month, when the data breach was widely reported, the compromised databases were hosted by a former tech provider and contained information about business relationships with customers in different markets."
        https://www.bleepingcomputer.com/news/security/zara-data-breach-exposed-personal-information-of-197-000-people/
        https://securityaffairs.com/191859/cyber-crime/zara-data-breach-197000-customers-exposed-in-third-party-security-incident.html
      • AI Firm Braintrust Prompts API Key Rotation After Data Breach
        "AI evaluation and observability platform Braintrust urged customers this week to rotate API keys that may have been compromised after hackers accessed an AWS account. The incident, the company says, was discovered on May 4, after receiving a report of suspicious behavior, and was communicated to customers via email on May 5. The message also included indicators of compromise (IOCs) and remediation steps. Immediately after learning of the incident, Braintrust locked down the compromised account, audited related systems and restricted access to them, rotated internal secrets, and launched an investigation into the matter."
        https://www.securityweek.com/ai-firm-braintrust-prompts-api-key-rotation-after-data-breach/
        https://securityaffairs.com/191888/data-breach/braintrust-security-incident-raises-concerns-over-ai-supply-chain-risks.html

      General News

      • Federal Jury Convicts Virginia Man On Charges Relating To The Deletion Of U.S. Government Databases
        "A federal jury convicted Sohaib Akhter, 34, of Alexandria, Virginia, today on charges of conspiracy to commit computer fraud, password trafficking, and possession of a firearm by a prohibited person. “Sohaib Akhter harmed Americans who trusted their government with personal information and sensitive requests,” said Assistant Attorney General A. Tysen Duva of the Justice Department’s Criminal Division. “His conviction shows that getting fired from a job is not an invitation to retaliate.”"
        https://www.justice.gov/opa/pr/federal-jury-convicts-virgina-man-charges-relating-deletion-us-government-databases
        https://www.bleepingcomputer.com/news/security/former-govt-contractor-convicted-for-wiping-dozens-of-federal-databases/
        https://therecord.media/virginia-man-found-guilty-deleting-96-gov-databases
      • Kingdom Market Administrator Given 16-Year Sentence
        "One of the leading figures behind a popular dark web marketplace was sentenced to more than 16 years in prison this week. Slovakian national Alan Bill, 33, pleaded guilty in January to a conspiracy to distribute controlled substances charge after admitting to his role in running Kingdom Market — a platform used by drug dealers and cybercriminals between March 2021 and December 2023. He was arrested on December 15, 2023 at Newark Airport before German law enforcement agencies seized Kingdom Market servers and shut the platform down."
        https://therecord.media/kingdom-market-administrator-gets-16-year-sentence
      • Police Shut Down Reboot Of Crimenetwork Marketplace, Arrest Admin
        "German authorities have shut down a relaunch version of the criminal marketplace 'Crimenetwork' that generated more than 3.6 million euros, and arrested its operator. Crimenetwork was the largest online cybercrime marketplace in Germany, operating since 2012 and with 100,000 registered users. The platform enabled the sale of illegal services, substances, and stolen data. In late 2024, the Public Prosecutor's Office in Frankfurt am Main, the Central Office for Combating Cybercrime (ZIT), and the Federal Criminal Police Office (BKA) dismantled the operation by seizing the platform and arresting one of its administrators."
        https://www.bleepingcomputer.com/news/security/police-shut-down-reboot-of-crimenetwork-marketplace-arrest-admin/

      References
      Electronic Transactions Development Agency (ETDA)