NCSA Webboard

    Cyber Threat Intelligence 26 May 2026

    Cyber Security News
    • NCSA_THAICERT

      New Tooling

      • OpenHack: Open-Source AI-Powered Vulnerability Research
        "Source-guided vulnerability research increasingly leans on coding harnesses such as Claude Code, Codex, and Cursor to drive agent-based reviews of application code. A new MIT-licensed project from the Dutch security firm Hadrian, called OpenHack, packages that approach into a file-based workspace that any of those harnesses can run. OpenHack is a set of agents and tools that mimics how Hadrian’s research team performs automated vulnerability research. The workflow runs inside a coding harness or a custom runner, with durable state kept in plain files such as cloned source, recon items, scenario prompts, scenario results, finding candidates, triage decisions, findings, and logs. The harness supplies model execution, terminal access, repository access, and human-in-the-loop approval."
        https://www.helpnetsecurity.com/2026/05/25/openhack-open-source-ai-powered-vulnerability-research/
        https://github.com/hadriansecurity/openhack

      Malware

      • RemotePE: The Lazarus RAT That Lives In Memory
        "Last year, we published research about a North Korean Lazarus subgroup targeting financial and cryptocurrency organizations, encountered during multiple incident response engagements. This Lazarus subgroup overlaps with activity linked to AppleJeus, Citrine Sleet, UNC4736, and Gleaming Pisces. In one investigation, we observed that the actor had replaced ThemeForestRAT and PondRAT with a more sophisticated memory-only toolset. This follow-up post covers all three malware families from that toolset: DPAPILoader, RemotePELoader and RemotePE."
        https://blog.fox-it.com/2026/05/22/remotepe-the-lazarus-rat-that-lives-in-memory/
        https://thehackernews.com/2026/05/lazarus-deploys-remotepe-memory-only.html
      • TrapDoor Crypto Stealer Supply Chain Attack Hits 34 Packages And Hundreds Of Versions Across Npm, PyPI, And Crates.io
        "Socket researchers have identified an active crypto stealer supply chain attack spanning npm, PyPI, and Crates.io. The campaign, which Socket is tracking as TrapDoor, spans more than 34 malicious packages and 384+ related versions and artifacts across npm, PyPI, and Crates.io, with some already removed and others still live at the time of writing. The earliest package Socket observed was the PyPI package [email protected], uploaded on May 22, 2026 at 20:20:18 UTC, with the wheel published at 20:22:04 UTC. The packages were then published in waves by a handful of accounts and actively updated throughout the weekend."
        https://socket.dev/blog/trapdoor-crypto-stealer-npm-pypi-crates
        https://thehackernews.com/2026/05/trapdoor-supply-chain-attack-spreads.html
      • Zero-Click WhatsApp Account Takeover Hits iPhone Users Running iOS 16. No Linked Devices, No Warning
        "There is a particular kind of security incident that is harder to explain than most: your WhatsApp account is sending messages you did not write, asking your contacts for money transfers, and when you check the “Linked Devices” section in the app, it shows nothing. No unauthorized sessions, no suspicious logins, no QR codes scanned by mistake. Just your phone, your account, and someone else apparently using it at the same time. That is exactly what happened to multiple iPhone users in Italy over the past few weeks, and the forensic investigation that followed has uncovered what appears to be an active zero-click exploitation campaign targeting a specific combination of iOS version and WhatsApp client."
        https://securityaffairs.com/192627/security/zero-click-whatsapp-account-takeover-hits-iphone-users-running-ios-16-no-linked-devices-no-warning.html

      Breaches/Hacks/Leaks

      • Hacker Selling 340 Million OnlyFans User Records Built From Old Breaches
        "A threat actor is advertising what they describe as a massive database containing information linked to hundreds of millions of OnlyFans users, including creators and subscribers. However, conversations with the seller and a review of sample data suggest that the collection did not result from a direct breach or scraping of OnlyFans systems. The listing appeared earlier this week on a well-known cybercrime forum, where a user operating under the alias “Euphoric_Reply_5727” offered what they described as “340 Million User Records” linked to OnlyFans users. The seller priced the database at 0.313 BTC, roughly $76,000 at the time of writing."
        https://hackread.com/hacker-selling-onlyfans-user-records-old-breaches/
        https://securityaffairs.com/192643/cyber-crime/340-million-onlyfans-profiles-allegedly-rebuilt-from-leaks.html
      • Oncology Institute Discloses Data Breach
        "The Oncology Institute says a previously disclosed cybersecurity incident has been confirmed to impact patient information. The Oncology Institute (TOI) is an oncology provider founded in 2007 that delivers specialized cancer care through a network of over 100 clinics across five states. The healthcare organization told the SEC in November 2025 that it had learned of a cybersecurity incident affecting a third-party software services provider. At the time, the vendor’s investigation was ongoing and it could not say whether patient information had been compromised."
        https://www.securityweek.com/oncology-institute-discloses-third-party-data-breach/
      • 266,000 Affected By Data Breach At Radiology Associates Of Richmond
        "Radiology Associates of Richmond (RAR) has disclosed a data breach impacting the protected health information of 266,000 individuals. According to the healthcare organization’s incident notice, the data breach occurred on or about July 25, 2025, when hackers accessed its internal systems. RAR did not say when the intrusion was discovered, but said that it worked with external cybersecurity experts to contain the attack and investigate its scope."
        https://www.securityweek.com/266000-affected-by-data-breach-at-radiology-associates-of-richmond/
      • DocketWise Data Breach Impacts 143,000
        "Immigration and legal case management platform DocketWise is notifying over 143,000 people that their personal, financial, and medical information was compromised in a data breach. The incident, the company says, involved third-party partner repositories that a threat actor cloned using valid credentials. DocketWise launched an investigation into the matter in October 2025, and this year determined that some of the cloned repositories were used as a data migration pipeline for the DocketWise application, which contains law firm records, including personally identifiable information (PII)."
        https://www.securityweek.com/docketwise-data-breach-impacts-143000/

      General News

      • Turns Out The C-Suite Loves Shadow AI
        "Senior decision-makers are the heaviest users of unapproved AI tools, and they continue using them despite being aware of the security and privacy risks linked to shadow AI, according to TrustedTech’s Shadow AI in the Workplace report. The study found that 65% of decision-makers use shadow AI, compared with 31% of employees below decision-maker level. The data suggests that shadow AI is not mainly driven by junior employees experimenting with consumer tools. The people creating policies and overseeing teams appear to be some of the most active users of unapproved AI systems."
        https://www.helpnetsecurity.com/2026/05/25/trustedtech-workplace-shadow-ai-use-report/

      Reference
      Electronic Transactions Development Agency (ETDA)
