<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[Cyber Threat Intelligence 27 May 2026]]></title><description><![CDATA[<p dir="auto"><strong>Healthcare Sector</strong></p>
<ul>
<li><strong>Eppendorf BioFlo 320</strong><br />
"Successful exploitation of this vulnerability could allow an attacker to gain full access to functionality and data with the bioreactor."<br />
<a href="https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-146-01" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-146-01</a></li>
</ul>
<p dir="auto"><strong>Industrial Sector</strong></p>
<ul>
<li><strong>ABB B&amp;R Automation Runtime DoS Vulnerability In System Diagnostics Manager (SDM)</strong><br />
"An update is available that resolves a vulnerability identified by B&amp;R's internal security analysis in the product versions listed as affected in this advisory. An attacker who successfully exploited this vulnerability could cause the product to stop."<br />
<a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-146-04" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisa.gov/news-events/ics-advisories/icsa-26-146-04</a></li>
<li><strong>ABB Ability Camera Connect</strong><br />
"ABB is aware of public reports of vulnerabilities in a 3rd party component VLC media player Version 2.2.4 which was delivered together with the installation package of Camera Connect Version 1.5.0.14 and below. An update is available that resolves a privately reported outdated 3rd party component with vulnerabilities in the product versions listed as affected in this advisory. An attacker who successfully exploited any of these vulnerabilities in the 3rd party component could potentially compromise the system in different ways."<br />
<a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-146-05" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisa.gov/news-events/ics-advisories/icsa-26-146-05</a></li>
<li><strong>ABB Terra AC Wallbox</strong><br />
"ABB is aware of vulnerabilities in the product versions listed as affected in the advisory. An attacker who successfully exploited this vulnerability could cause the pollution of heap memory which potentially takes remote control of the product and performs a write operation to the flash memory to alter the firmware behavior."<br />
<a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-146-01" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisa.gov/news-events/ics-advisories/icsa-26-146-01</a></li>
<li><strong>ABB AC500 V2</strong><br />
"ABB became aware of vulnerabilities in AC500 V2 listed as affected in the advisory. An attacker who successfully exploited this vulnerability could access fragments of Modbus telegrams that have been sent earlier by that PLC."<br />
<a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-146-02" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisa.gov/news-events/ics-advisories/icsa-26-146-02</a></li>
<li><strong>ABB AbilityTM Zenon Remote Transport Vulnerability</strong><br />
"ABB is aware of vulnerabilities in the product versions listed as affected in the advisory. The vulnerability enables unauthorized access to the Reboot OS function within the Remote Transport Service, allowing an attacker to trigger a system reboot without the required authentication. This functionality initiates a system reboot on the target machine. However, remote exploitation of this vulnerability is not feasible unless the attacker has already gained access to the network where the affected ABB Ability™ zenon system is deployed. At the time of writing, there is no evidence that this vulnerability is being actively exploited in the wild."<br />
<a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-146-03" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisa.gov/news-events/ics-advisories/icsa-26-146-03</a></li>
<li><strong>ABB LVS MConfig</strong><br />
"ABB became aware of an internally discovered vulnerability in the MConfig product versions listed as affected in the advisory. An attacker with access to local networks who successfully exploits the vulnerability could have access to the application's sensitive information. ABB strongly advises customers to update MConfig with the latest software version."<br />
<a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-146-06" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisa.gov/news-events/ics-advisories/icsa-26-146-06</a></li>
</ul>
<p dir="auto"><strong>Vulnerabilities</strong></p>
<ul>
<li><strong>Microsoft Patches SharePoint RCE Flaw CVE-2026-45659 Across Server Versions</strong><br />
"Microsoft has rolled out updates to fix a remote code execution vulnerability impacting SharePoint that could be exploited by bad actors in attacks without requiring any specialized conditions to be met. The vulnerability, tracked as CVE-2026-45659, carries a CVSS score of 8.8. It has been assigned an important severity. "Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network," Microsoft said in an advisory released last week."<br />
<a href="https://thehackernews.com/2026/05/microsoft-patches-sharepoint-rce-flaw.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/05/microsoft-patches-sharepoint-rce-flaw.html</a><br />
<a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45659" target="_blank" rel="noopener noreferrer nofollow ugc">https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45659</a><br />
<a href="https://www.helpnetsecurity.com/2026/05/26/sharepoint-vulnerability-cve-2026-45659/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/05/26/sharepoint-vulnerability-cve-2026-45659/</a></li>
<li><strong>CISA Adds One Known Exploited Vulnerability To Catalog</strong><br />
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.<br />
CVE-2026-48172 LiteSpeed cPanel Plugin Privilege Escalation Vulnerability"<br />
<a href="https://www.cisa.gov/news-events/alerts/2026/05/26/cisa-adds-one-known-exploited-vulnerability-catalog" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisa.gov/news-events/alerts/2026/05/26/cisa-adds-one-known-exploited-vulnerability-catalog</a></li>
<li><strong>Exploitation Of KnowledgeDeliver Via ViewState Deserialization Vulnerability</strong><br />
"In late 2025, Mandiant responded to a security incident involving a compromised web server running KnowledgeDeliver. KnowledgeDeliver is a Learning Management System (LMS) developed by Digital Knowledge commonly used in Japan. Mandiant identified a critical vulnerability that allowed unauthenticated Remote Code Execution (RCE). An unknown threat actor leveraged this access to inject malicious code into the LMS platform, with the goal of infecting users visiting the site. This vulnerability stems from the use of identical pre-shared ASP.NET machine keys across multiple customer deployments. The vulnerability was initially exploited as a zero-day, now tracked as CVE-2026-5426."<br />
<a href="https://cloud.google.com/blog/topics/threat-intelligence/knowledgedeliver-viewstate-deserialization-vulnerability" target="_blank" rel="noopener noreferrer nofollow ugc">https://cloud.google.com/blog/topics/threat-intelligence/knowledgedeliver-viewstate-deserialization-vulnerability</a><br />
<a href="https://thehackernews.com/2026/05/knowledgedeliver-lms-flaw-exploited-to.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/05/knowledgedeliver-lms-flaw-exploited-to.html</a><br />
<a href="https://www.bleepingcomputer.com/news/security/knowledgedeliver-flaw-exploited-as-a-zero-day-to-install-web-shells/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/knowledgedeliver-flaw-exploited-as-a-zero-day-to-install-web-shells/</a><br />
<a href="https://www.securityweek.com/hackers-exploited-knowledgedeliver-zero-day-for-web-shell-deployment/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/hackers-exploited-knowledgedeliver-zero-day-for-web-shell-deployment/</a></li>
</ul>
<p dir="auto"><strong>Malware</strong></p>
<ul>
<li><strong>INTRUSION ANALYSIS: China-Nexus Adversary Targeting Southeast Asian Edge Network Infrastructure</strong><br />
"A China-nexus intrusion set has been identified conducting a large-scale campaign targeting edge network devices across Southeast Asia. The adversary deploys a custom Linux ELF implant (router.elf) directly onto compromised border routers, establishing persistent command-and-control (C2) via DNS over HTTPS (DoH) while simultaneously weaponizing the router's iptables subsystem to hijack downstream DNS traffic at scale. Correlated Windows-side tradecraft leverages a cracked Cobalt Strike 4.4 Beacon delivered via DLL sideloading (version.dll), sharing identical C2 infrastructure and malleable C2 profiles with the router implant — confirming unified operational control."<br />
<a href="https://qiita.com/Y4er/items/0b6071745e4b7b240b3e" target="_blank" rel="noopener noreferrer nofollow ugc">https://qiita.com/Y4er/items/0b6071745e4b7b240b3e</a></li>
<li><strong>Phishing Campaign Deploys JavaScript-Driven PureLogs Variant To Steal Sensitive Data</strong><br />
"FortiGuard Labs recently identified a phishing campaign distributing a PureLogs variant designed to collect sensitive data from the victim’s device. The analysis provides an in-depth examination of the campaign, including the phishing emails and the mechanisms by which the JavaScript file operates on the victim's device. This campaign uses deceptive emails disguised as purchase orders, a tactic commonly used to trick recipients into opening malicious attachments."<br />
<a href="https://www.fortinet.com/blog/threat-research/phishing-campaign-deploys-javascript-driven-purelogs-variant-to-steal-sensitive-data" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.fortinet.com/blog/threat-research/phishing-campaign-deploys-javascript-driven-purelogs-variant-to-steal-sensitive-data</a></li>
<li><strong>2 PhaaS 2 Furious: The Evolution Of Chinese-Language Phishing Services</strong><br />
"While Russian-speaking threat actors have historically dominated the phishing-as-a-service (PhaaS) landscape, a rival ecosystem is rapidly growing within the Chinese-language underground. Google Threat Intelligence Group (GTIG) analyzed a dozen current PhaaS offerings in the Chinese underground, all of them mature services and many likely tied intricately to the broader criminal ecosystem in that region. These services not only lower the barrier to entry for Chinese cyber criminals, but reveal broader patterns on the evolution of social engineering and credential theft. Late last year, Google took legal action against one PhaaS provider and has worked since then to endorse legislation and enact technical safeguards against these types of scams."<br />
<a href="https://cloud.google.com/blog/topics/threat-intelligence/chinese-language-phishing-services" target="_blank" rel="noopener noreferrer nofollow ugc">https://cloud.google.com/blog/topics/threat-intelligence/chinese-language-phishing-services</a><br />
<a href="https://www.infosecurity-magazine.com/news/chinese-phishing-live-credential/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.infosecurity-magazine.com/news/chinese-phishing-live-credential/</a><br />
<a href="https://www.helpnetsecurity.com/2026/05/26/chinese-language-phishing-services/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/05/26/chinese-language-phishing-services/</a></li>
<li><strong>BTMOB: A Stealthy RAT Burrowing Deep Into Android Devices</strong><br />
"Our recent review of threat detections in Brazil surfaced BTMOB, an Android remote access trojan (RAT) that is less notable for detection volume than for the damage it can wreak. The combination of phishing-led delivery, ready-made app-building tooling and device takeover capabilities makes BTMOB a threat to watch well beyond Brazil or Latin America."<br />
<a href="https://www.welivesecurity.com/en/malware/btmob-stealthy-rat-burrowing-deep-android-devices/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.welivesecurity.com/en/malware/btmob-stealthy-rat-burrowing-deep-android-devices/</a><br />
<a href="https://www.infosecurity-magazine.com/news/btmob-android-rat-maas-builder/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.infosecurity-magazine.com/news/btmob-android-rat-maas-builder/</a></li>
<li><strong>Fast And Furious – Nimbus Manticore Operations During The Iranian Conflict</strong><br />
"During the recent geopolitical tensions in the Middle East, we reported on multiple Iran-nexus threat actors advancing Iran’s strategic objectives through cyber operations. These activities included targeting internet-connected cameras, conducting destructive attacks against US and Israeli entities, and exfiltrating data from cloud environments to support broader kinetic and intelligence-gathering efforts. Nimbus Manticore (also tracked as UNC1549) is an IRGC-affiliated threat actor who primarily targets the defense, aviation and telecommunication sectors through career-themed phishing campaigns. Nimbus Manticore stands out compared to other Iranian-linked groups due to its complex malware toolset. In 2025, we documented the MiniJunk malware framework used by Nimbus Manticore to target high-profile organizations across Western Europe and the Middle East."<br />
<a href="https://research.checkpoint.com/2026/fast-and-furious-nimbus-manticore-operations-during-the-iranian-conflict/" target="_blank" rel="noopener noreferrer nofollow ugc">https://research.checkpoint.com/2026/fast-and-furious-nimbus-manticore-operations-during-the-iranian-conflict/</a><br />
<a href="https://thehackernews.com/2026/05/iranian-hackers-deploy-minifast-and.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/05/iranian-hackers-deploy-minifast-and.html</a><br />
<a href="https://www.infosecurity-magazine.com/news/iranian-hackers-us-aviation/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.infosecurity-magazine.com/news/iranian-hackers-us-aviation/</a><br />
<a href="https://www.securityweek.com/iranian-apt-targets-aviation-software-companies-with-updated-tools/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/iranian-apt-targets-aviation-software-companies-with-updated-tools/</a><br />
<a href="https://securityaffairs.com/192689/apt/nimbus-manticore-expanded-attacks-with-ai-assisted-malware-and-fake-zoom-installers.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://securityaffairs.com/192689/apt/nimbus-manticore-expanded-attacks-with-ai-assisted-malware-and-fake-zoom-installers.html</a></li>
<li><strong>Fake Software On GitHub And SourceForge Distribute Deno RAT</strong><br />
"During our threat hunting activities, we found fake installers and plugins impersonating popular software including ChatGPT, Claude, AutoTune, and Kontakt on GitHub and SourceForge distributing a Deno backdoor known as DinDoor. Attackers are using compromised YouTube channels to distribute links to these platforms. DinDoor ultimately drops different types of malware, including a stealthy remote access Trojan (RAT), which also uses the Deno JavaScript runtime."<br />
<a href="https://www.malwarebytes.com/blog/threat-intel/2026/05/fake-software-on-github-and-sourceforge-distribute-deno-rat" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.malwarebytes.com/blog/threat-intel/2026/05/fake-software-on-github-and-sourceforge-distribute-deno-rat</a></li>
<li><strong>Smart Contracts For C&amp;C: How ClearFake Hid In Plain Sight On BSC Testnet</strong><br />
"TrendAI™ Research analyzed in May 2026 an intrusion where threat actors used a technique known as EtherHiding to store payload routing instructions inside BNB Smart Chain (formerly Binance Smart Chain or BSC) smart contracts. Unlike traditional command-and-control (C&amp;C) infrastructure, this routing layer cannot be altered, suspended, or seized by security vendors, registrars, or law enforcement due to the immutable nature of the blockchain. TrendAI™ found that the injected JavaScript on compromised websites queried these contracts to retrieve and route victims to the next stage of the attack chain."<br />
<a href="https://www.trendmicro.com/en_us/research/26/e/smart-contracts-for-command-and-control.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.trendmicro.com/en_us/research/26/e/smart-contracts-for-command-and-control.html</a></li>
<li><strong>Living Off The Land With VS Code: Inside a Sophisticated Phishing Campaign</strong><br />
"In this blog post, we examine a multi-stage phishing campaign targeting staff members of the Punjab Safe Cities Authority (PSCA) and PPIC3 in Pakistan. The attack leveraged two distinct infection vectors, both relying on the same underlying infrastructure. The phishing email was analyzed by Joe Reverser in the report available here: https://www.joesandbox[.]com/joereverser/analysis/download/ff6db592-b57e-4d21-9d46-e69c2719d8a5?type=html. The Capability Preview image below already offers a comprehensive overview of the kill chain:"<br />
<a href="https://joesecurity.org/blog/8858614039441223943" target="_blank" rel="noopener noreferrer nofollow ugc">https://joesecurity.org/blog/8858614039441223943</a></li>
<li><strong>Dark Web Profile: CoinbaseCartel</strong><br />
"CoinbaseCartel is a financially motivated threat actor that emerged on the Dark Web in September 2025. Unlike traditional ransomware groups, the group does not encrypt victim systems. Instead, it relies exclusively on data theft, threatening to publish exfiltrated data on its dark web leak site unless victims pay a ransom. This approach is commonly described as a single-extortion model. The group’s name carries no connection to the legitimate cryptocurrency exchange Coinbase. On its leak site, CoinbaseCartel describes itself as “redefining data extortion” and explicitly states that its operations have no political, personal, or activist agenda."<br />
<a href="https://socradar.io/blog/dark-web-profile-coinbasecartel/" target="_blank" rel="noopener noreferrer nofollow ugc">https://socradar.io/blog/dark-web-profile-coinbasecartel/</a></li>
</ul>
<p dir="auto"><strong>Breaches/Hacks/Leaks</strong></p>
<ul>
<li><strong>Charter Confirms Data Breach After ShinyHunters Extortion Threat</strong><br />
"U.S. telecommunications giant Charter Communications has confirmed it suffered a data breach after the ShinyHunters extortion group threatened to leak stolen data unless a ransom is paid. Charter Communications is one of the largest broadband providers in the United States, serving tens of millions of residential and business customers through its Spectrum brand. In a statement shared this weekend, the company said it is alerting authorities about the incident and that no sensitive personal customer information was stolen."<br />
<a href="https://www.bleepingcomputer.com/news/security/charter-confirms-data-breach-after-shinyhunters-extortion-threat/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/charter-confirms-data-breach-after-shinyhunters-extortion-threat/</a></li>
<li><strong>7-Eleven Data Breach Exposes Personal Information Of 185,000 People</strong><br />
"The ShinyHunters extortion gang stole the personal information of over 183,000 people after hacking the systems of convenience store chain giant 7-Eleven in April, according to data breach notification service Have I Been Pwned. Founded in 1927, 7-Eleven now operates, franchises, and licenses more than 86,000 stores worldwide, including 13,000 stores in the U.S. and Canada. 7-Eleven also operates and franchises Speedway, Stripes, Laredo Taco Company, and Raise the Roost Chicken and Biscuits locations, and its 7Rewards and Speedy Rewards loyalty programs also have over 100 million members."<br />
<a href="https://www.bleepingcomputer.com/news/security/7-eleven-data-breach-exposes-personal-information-of-185-000-people/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/7-eleven-data-breach-exposes-personal-information-of-185-000-people/</a><br />
<a href="https://haveibeenpwned.com/Breach/7-Eleven" target="_blank" rel="noopener noreferrer nofollow ugc">https://haveibeenpwned.com/Breach/7-Eleven</a><br />
<a href="https://www.securityweek.com/185000-likely-impacted-by-7-eleven-data-breach/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/185000-likely-impacted-by-7-eleven-data-breach/</a><br />
<a href="https://www.helpnetsecurity.com/2026/05/26/7-eleven-data-breach-shinyhunters/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/05/26/7-eleven-data-breach-shinyhunters/</a></li>
<li><strong>Lithuania Suspects Foreign Involvement In Data Leak Of Over 600,000 National Register Entries</strong><br />
"Lithuanian authorities are on high alert after a massive data leak involving more than 600,000 entries from national data registers, which is believed to have been executed by another country. The Lithuanian general prosecutor’s office on Friday announced the leak was primarily from registers of real estate and legal entities accessed by using login credentials of institutions authorized to receive the data. The head of the State Enterprise Centre of Registers, Adrijus Jusas, resigned Monday following the leak."<br />
<a href="https://www.securityweek.com/lithuania-suspects-foreign-involvement-in-data-leak-of-over-600000-national-register-entries/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/lithuania-suspects-foreign-involvement-in-data-leak-of-over-600000-national-register-entries/</a><br />
<a href="https://therecord.media/lithuania-investigates-theft-of-state-records" target="_blank" rel="noopener noreferrer nofollow ugc">https://therecord.media/lithuania-investigates-theft-of-state-records</a></li>
<li><strong>MyPillow Must Decide Whether To Be Firm Or Soft As Ransomware Crims Demand Pay</strong><br />
"Crims found the soft spot in the company's security. MyPillow, the US-based bedding brand founded by election conspiracy theorist Mike Lindell, has been listed by Play ransomware extortionists as an alleged victim. The pillow shop first appeared on Play’s name-and-shame data leak site on Monday, with the gang threatening to leak stolen data by Friday if MyPillow execs don’t pay the ransom demand."<br />
<a href="https://www.theregister.com/cyber-crime/2026/05/26/mypillow-appears-on-play-ransomware-leak-site/5246513" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.theregister.com/cyber-crime/2026/05/26/mypillow-appears-on-play-ransomware-leak-site/5246513</a></li>
</ul>
<p dir="auto"><strong>General News</strong></p>
<ul>
<li><strong>April 2026 Threat Trend Report On APT Attacks (South Korea)</strong><br />
"AhnLab utilized its infrastructure to monitor Advanced Persistent Threat (APT) attacks on targets in Korea. This report summarizes the classification, statistics, and features of each type of APT attack identified in Korea during the month of April 2026."<br />
<a href="https://asec.ahnlab.com/en/93831/" target="_blank" rel="noopener noreferrer nofollow ugc">https://asec.ahnlab.com/en/93831/</a></li>
<li><strong>2026 Cloud Security Report: Why Traditional Network, Cloud, And Security Architecture Are Lagging Behind The AI Transformation</strong><br />
"As AI rapidly reshapes industries, the role of the cloud has become even more critical. From automated customer experiences to intelligent cyber security and predictive analytics, AI transformations are increasingly being built on a cloud-first foundation. Over the past two years, AI has swiftly moved from an experimental state to an operational reality, with every leading organization embedding AI into the core of how they build, operate, and compete. However, security architectures have not kept pace with the AI transformation. Closing that gap requires more than incremental fixes. It demands a rethinking of how security is designed, deployed, and enforced across hybrid environments."<br />
<a href="https://blog.checkpoint.com/securing-the-cloud/2026-cloud-security-report-why-traditional-network-cloud-and-security-architecture-are-lagging-behind-the-ai-transformation/" target="_blank" rel="noopener noreferrer nofollow ugc">https://blog.checkpoint.com/securing-the-cloud/2026-cloud-security-report-why-traditional-network-cloud-and-security-architecture-are-lagging-behind-the-ai-transformation/</a></li>
<li><strong>Why Network Segmentation Projects Fail: Four Patterns</strong><br />
"In previous blogs, I've discussed why segmentation matters, the challenges of getting it right, and the benefits that organizations see when they fully commit to both macro- and micro-segmentation. Today, I want to flip the question around. Instead of asking what happens when segmentation succeeds, let's ask: why do so many segmentation projects fail? That question is the focus of the newly released Cisco 2026 Segmentation Report, which draws on a survey of 400 failed segmentation projects at U.S.-based organizations with 500 or more employees. The findings are illuminating, and occasionally surprising."<br />
<a href="https://blogs.cisco.com/security/why-network-segmentation-projects-fail-four-patterns" target="_blank" rel="noopener noreferrer nofollow ugc">https://blogs.cisco.com/security/why-network-segmentation-projects-fail-four-patterns</a><br />
<a href="https://www.cisco.com/c/en/us/products/collateral/security/hypershield/segmentation-report-2026.pdf" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cisco.com/c/en/us/products/collateral/security/hypershield/segmentation-report-2026.pdf</a></li>
<li><strong>The Hackers Behind Shai-Hulud: Lucky Or Skilled?</strong><br />
"TeamPCP has made a name for itself as a scourge of the open source community following its particular waves of the Shai-Hulud attacks, but the group's attack history is less "sophisticated threat actor" and more "right place, right time" luck. A financially motivated threat actor, TeamPCP formally emerged in late 2025, making a name exploiting the React2Shell vulnerability as well as targeting misconfigured Docker APIs and Next.js. As researchers from Flare recently noted, the group would historically use opportunistic compromises to conduct ransomware, steal data to turn around and sell, and mine cryptocurrency."<br />
<a href="https://www.darkreading.com/application-security/shai-hulud-hackers-teampcp-lucky-skilled" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.darkreading.com/application-security/shai-hulud-hackers-teampcp-lucky-skilled</a></li>
<li><strong>What Happens When Security Teams Inherit Identity</strong><br />
"At the Span Cyber Security Arena conference, I sat down with Eric Woodruff, Chief Identity Architect at Semperis, to talk about how organizations perceive identity and the challenges those perceptions create for security. He shared his perspective on where organizations struggle with identity, why identity platforms can become difficult to manage, how phishing-resistant authentication is viewed in practice, and what non-human identities and AI could mean for security."<br />
<a href="https://www.helpnetsecurity.com/2026/05/26/eric-woodruff-semperis-identity-security/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/05/26/eric-woodruff-semperis-identity-security/</a></li>
<li><strong>CERT-In Recommends 12-Hour Patching For Internet-Facing Flaws Amid AI-Assisted Attacks</strong><br />
"The Indian Computer Emergency Response Team (CERT-In) has issued new guidelines requiring organizations to patch critical security vulnerabilities in internet-exposed systems within 12 hours of being flagged where "feasible" to safeguard against potential threats stemming from threat actors' abuse of artificial intelligence (AI) tools and large language models (LLMs) to automate vulnerability discovery and exploitation, and enhance the scale and velocity of cyber attacks. "AI-assisted cyber exploitation reduces the time required for adversaries to identify, weaponize, and exploit vulnerabilities, exposed services, weak identities, insecure APIs, and misconfigured systems," CERT-In said in a 38-page blueprint published Monday."<br />
<a href="https://thehackernews.com/2026/05/cert-in-mandates-12-hour-patching-for.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/05/cert-in-mandates-12-hour-patching-for.html</a><br />
<a href="https://www.cert-in.org.in/s2cMainServlet?pageid=GUIDLNVIEW02&amp;refcode=CISG-2026-02" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.cert-in.org.in/s2cMainServlet?pageid=GUIDLNVIEW02&amp;refcode=CISG-2026-02</a><br />
<a href="https://www.infosecurity-magazine.com/news/cert-in-12-hour-patch-deadline-ai/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.infosecurity-magazine.com/news/cert-in-12-hour-patch-deadline-ai/</a></li>
<li><strong>62% Of Database Ransom Wallets Were Never Paid</strong><br />
"We built a five-year census of 65,907 exposed databases on the public internet. 30,515 of them (46.3%) carry a ransom or wipe marker. We then validated every bitcoin address inside those notes, ending with 514 distinct attacker wallets. When we priced the 512 we could resolve on-chain, 318 had received zero bitcoin. The 9.78 BTC (around $753,000) that did move concentrated into a handful of operators. Mass database extortion is industrial, automated, mostly unpaid, and still doing enormous damage."<br />
<a href="https://ransomnews.com/database-ransom-economics-2026/" target="_blank" rel="noopener noreferrer nofollow ugc">https://ransomnews.com/database-ransom-economics-2026/</a><br />
<a href="https://securityaffairs.com/192711/cyber-crime/the-hidden-ransomware-economy-running-on-exposed-databases.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://securityaffairs.com/192711/cyber-crime/the-hidden-ransomware-economy-running-on-exposed-databases.html</a></li>
</ul>
<p dir="auto"><strong>References</strong><br />
Electronic Transactions Development Agency (ETDA) <img src="/assets/uploads/files/1779875534317-8701eea1-ff1d-4ff4-ab9c-60b44f67ff28-image.png" alt="8701eea1-ff1d-4ff4-ab9c-60b44f67ff28-image.png" class=" img-fluid img-markdown" /></p>
]]></description><link>https://webboard-nsoc.ncsa.or.th/topic/2927/cyber-threat-intelligence-27-may-2026</link><generator>RSS for Node</generator><lastBuildDate>Wed, 27 May 2026 11:58:33 GMT</lastBuildDate><atom:link href="https://webboard-nsoc.ncsa.or.th/topic/2927.rss" rel="self" type="application/rss+xml"/><pubDate>Wed, 27 May 2026 09:52:20 GMT</pubDate><ttl>60</ttl></channel></rss>