NCSA Webboard
    NCSA_THAICERT
    Latest posts made by NCSA_THAICERT

    • CISA Releases Seven Industrial Control Systems (ICS) Advisories

      The Cybersecurity and Infrastructure Security Agency (CISA) released seven Industrial Control Systems (ICS) advisories on 12 May 2026 to provide timely information about security issues, vulnerabilities, and exploits affecting ICS. The advisories are:

      • ICSA-26-132-01 Fuji Electric Tellus
      • ICSA-26-132-02 Subnet Solutions PowerSYSTEM Center
      • ICSA-26-132-03 ABB AC500 V3 Multiple Vulnerabilities
      • ICSA-26-132-04 ABB Automation Builder Gateway for Windows
      • ICSA-26-132-05 ABB AC500 V3 Stack buffer overflow in Cryptographic Message Syntax
      • ICSA-26-132-06 ABB WebPro SNMP Card PowerValue
      • ICSA-25-329-01 Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, Cobalt Share (Update A)

      CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

      Reference
      https://www.cisa.gov/news-events/ics-advisories

      Posted in OT Cyber Security News
    • Cyber Threat Intelligence 13 May 2026

      Vulnerabilities

      • SAP Fixes Critical Vulnerabilities In Commerce Cloud And S/4HANA
        "SAP has released the May 2026 security updates addressing 15 vulnerabilities across multiple products, including two critical flaws in Commerce Cloud and S/4HANA. Commerce Cloud is an enterprise-grade e-commerce platform used by online stores owned by large retailers and global brands, while S/4HANA is a cloud-based Enterprise Resource Planning (ERP) suite that will replace the company's on-premises ECC ERP system. Tracked as CVE-2026-34263, the first critical flaw is a missing authentication check in SAP Commerce Cloud that allows unauthenticated attackers to execute code on vulnerable servers."
        https://www.bleepingcomputer.com/news/security/sap-fixes-critical-vulnerabilities-in-commerce-cloud-and-s-4hana/
        https://support.sap.com/en/my-support/knowledge-base/security-notes-news/may-2026.html
        https://www.securityweek.com/sap-patches-critical-s-4hana-commerce-vulnerabilities/
      • Adobe Patches 52 Vulnerabilities In 10 Products
        "Adobe on Tuesday announced the release of patches for 52 vulnerabilities across 10 products, including critical-severity bugs that could lead to code execution and privilege escalation. More than half of the weaknesses Adobe addressed this month could be exploited for arbitrary code execution. Application denial-of-service (DoS) was the second most common type of resolved issue. When it comes to the severity of the resolved vulnerabilities, the Adobe Connect update takes the lead. It addresses two critical-severity flaws that could be exploited for arbitrary code execution (CVE-2026-34659, CVSS score of 9.6) and privilege escalation (CVE-2026-34660, CVSS score of 9.3)."
        https://www.securityweek.com/adobe-patches-52-vulnerabilities-in-10-products/
      • New Exim BDAT Vulnerability Exposes GnuTLS Builds To Potential Code Execution
        "Exim has released security updates to address a severe security issue affecting certain configurations that could enable memory corruption and potential code execution. Exim is an open-source Mail Transfer Agent (MTA) designed for Unix-like systems to receive, route, and deliver email. The vulnerability, tracked as CVE-2026-45185, aka Dead.Letter, has been described as a use-after-free vulnerability in Exim's binary data transmission (BDAT) message body parsing when a TLS connection is handled by GnuTLS."
        https://thehackernews.com/2026/05/new-exim-bdat-vulnerability-exposes.html
        https://www.exim.org/static/doc/security/EXIM-Security-2026-05-01.1/EXIM-Security-2026-05-01.1.txt
      • Fortinet Warns Of Critical RCE Flaws In FortiSandbox And FortiAuthenticator
        "Fortinet has released security updates to address two critical vulnerabilities in FortiSandbox and FortiAuthenticator that could enable attackers to run commands or arbitrary code on unpatched systems. The first one, tracked as CVE-2026-44277, impacts the company's FortiAuthenticator Identity and Access Management (IAM) solution and was patched in FortiAuthenticator versions 6.5.7, 6.6.9, and 8.0.3. "An Improper Access Control vulnerability [CWE-284] in FortiAuthenticator may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests," Fortinet said in a Tuesday advisory."
        https://www.bleepingcomputer.com/news/security/fortinet-warns-of-critical-rce-flaws-in-fortisandbox-and-fortiauthenticator/
        https://fortiguard.fortinet.com/psirt/FG-IR-26-128
      • Microsoft May 2026 Patch Tuesday Fixes 120 Flaws, No Zero-Days
        "Today is Microsoft's May 2026 Patch Tuesday, with security updates for 120 flaws and no zero-days disclosed. This Patch Tuesday addresses 17 "Critical" vulnerabilities, 14 of which are remote code execution, 2 are elevation of privilege, and 1 is an information disclosure flaw. The number of bugs in each vulnerability category is listed below:"
        https://www.bleepingcomputer.com/news/microsoft/microsoft-may-2026-patch-tuesday-fixes-120-flaws-no-zero-days/
        https://blog.talosintelligence.com/microsoft-patch-tuesday-may-2026/
        https://www.darkreading.com/application-security/patch-tuesday-microsoft-zero-day-sight
        https://cyberscoop.com/microsoft-patch-tuesday-may-2026/
        https://www.securityweek.com/microsoft-patches-137-vulnerabilities/
        https://www.theregister.com/patches/2026/05/13/doozy-of-a-patch-tuesday-includes-30-critical-microsoft-cves/5239224
      • Apple Patches Dozens Of Vulnerabilities In MacOS, iOS
        "Apple on Monday published 11 new security advisories to inform customers about dozens of vulnerabilities patched in its operating systems. iOS and iPadOS 26.5 address more than 60 CVEs, including 20 WebKit issues that can lead to crashes, exposure of sensitive user data, and security bypasses. Other vulnerabilities can be exploited for DoS attacks, security bypass, sandbox escape, access to sensitive user data, privilege escalation, and user tracking. Dozens of the vulnerabilities patched in the latest iOS and iPadOS versions were also addressed by Apple with the release of macOS Tahoe 26.5, which resolves nearly 80 vulnerabilities."
        https://www.securityweek.com/apple-patches-dozens-of-vulnerabilities-in-macos-ios/
        https://thehackernews.com/2026/05/ios-265-brings-default-end-to-end.html
      • Microsoft Releases Windows 10 KB5087544 Extended Security Update
        "Microsoft has released the Windows 10 KB5087544 extended security update to fix the May 2026 Patch Tuesday vulnerabilities and resolve an issue with the new Remote Desktop warnings. If you are running Windows 10 Enterprise LTSC or are enrolled in the ESU program, you can install this update like normal by going into Settings, clicking on Windows Update, and manually performing a 'Check for Updates.'"
        https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-windows-10-kb5087544-extended-security-update/
      • Claude Mythos Finds Only One Curl Vulnerability; Experts Divided On What It Really Means
        "A test of Anthropic’s restricted Claude Mythos model found just one low-severity vulnerability in the widely used open source data transfer tool curl, casting doubt on the AI company’s bold claims, though some argue the results say more about curl’s robust security than Mythos’ limitations. Daniel Stenberg, the lead developer of curl, revealed in a blog post on Monday that he was recently given the opportunity to test the Claude Mythos frontier AI model, which Anthropic claimed had identified thousands of zero-days in the weeks leading up to its launch. Anthropic is offering Mythos only to a few dozen major organizations as part of a restricted program due to concerns about potential misuse."
        https://www.securityweek.com/claude-mythos-finds-only-one-curl-vulnerability-experts-divided-on-what-it-really-means/
      • Pwn2Own Berlin 2026 Hits Capacity As Rejected Hackers Release 0-Days
        "The world’s most famous hacking contest is facing a crisis it didn’t see coming. For the first time in 19 years, Pwn2Own Berlin 2026 has reportedly run out of space. The event, run by Trend Micro’s Zero Day Initiative (ZDI), hit a hard limit on how many hackers it can actually host. For your information, Pwn2Own is a live competition where experts detect zero-day vulnerabilities."
        https://hackread.com/pwn2own-berlin-2026-hits-capacity-hackers-0-days/

      Malware

      • Free OnlyFans Lure Used To Spread Cross-Platform CRPx0 Malware
        "OnlyFans – an attractive brand for hopeful users and their attackers. CRPx0 is a complex, stealthy and persistent malware campaign. It currently targets macOS and Windows systems, and appears to have Linux capabilities in development. It currently comprises cryptocurrency theft followed by large scale data exfiltration and ransomware. The campaign has been analyzed (PDF) in detail by Aryaka Threat Research Labs."
        https://www.securityweek.com/free-onlyfans-lure-used-to-spread-cross-platform-crpx0-malware/
        https://www.aryaka.com/docs/reports/crpx0-ransomware-operations-report.pdf
      • RubyGems Suspends New Signups After Hundreds Of Malicious Packages Are Uploaded
        "RubyGems, the standard package manager for the Ruby programming language, has temporarily paused account sign ups following what has been described as a "major malicious attack." "We're dealing with a major malicious attack on Ruby Gems right now," Maciej Mensfeld, senior product manager for software supply chain security at Mend.io, said in a post on X. "Signups are paused for the time being. Hundreds of packages involved – mostly targeting us, but some carrying exploits." Visitors to RubyGems' sign up page are now greeted with the message: "New account registration has been temporarily disabled.""
        https://thehackernews.com/2026/05/rubygems-suspends-new-signups-after.html
      • Foxconn Confirms Cyberattack Impacting North American Factories
        "Taiwanese electronics manufacturer Foxconn said factories in North America are resuming their normal production cycles after a cyberattack affected several facilities. A spokesperson for the company confirmed the incident but declined to provide specifics on how many factories in North America were impacted. Foxconn has factories in Wisconsin, Ohio, Texas, Virginia, Indiana and several across Mexico. “The cybersecurity team immediately activated the response mechanism and implemented multiple operational measures to ensure the continuity of production and delivery. The affected factories are currently resuming normal production,” the spokesperson said."
        https://therecord.media/foxconn-confirms-cyberattack-north-american-factories
        https://www.theregister.com/cyber-crime/2026/05/12/foxconn-confirms-cyberattack-after-nitrogen-claims-apple-nvidia-data-theft/5239144
      • Vibe Hacking: Two AI-Augmented Campaigns Target Government And Financial Sectors In Latin America
        "Threat actors using AI is an unsurprising and even long-predicted development. In a case in point, TrendAI™ Research has identified two emerging threat campaigns that used agentic AI to drive intrusion operations against government entities and financial organizations across several countries in Latin America. Though evidence suggests that the two groups are likely separate entities, they share strikingly similar tactics, as we detail in this report. This degree of overlap suggests that AI-assisted attacks are becoming a broader pattern among threat actor groups."
        https://www.trendmicro.com/en_us/research/26/e/vibe-hacking-two-ai-augmented-campaigns-target-government-and-financial-sectors-in-latin-america.html
      • Attackers Combine ClickFix With PySoxy Proxying To Maintain Persistence
        "Cybercriminals have combined ClickFix attacks with PySoxy, a 10-year-old open-source Python SOCKS5 proxy, to maintain persistence on victims’ machines without malware, even after attempts at removal. The campaign has been detailed by cybersecurity researchers at ReliaQuest, who warned that it shows that ClickFix attacks are moving beyond one-time user execution into modular post-exploitation, making the attacks harder to identify and contain. ClickFix, is a social engineering tactic which tricks users into unwittingly running malicious commands or downloading harmful payloads onto their own machines. It has become a widely deployed method of distributing malware or stealing login credentials."
        https://www.infosecurity-magazine.com/news/clickfix-combined-pysoxy-proxying/
      • Lorem Ipsum Malware: Trojanized MS Teams Installers Deliver Multi-Stage Loader And Backdoor
        "BlueVoyant Security Operations Center (SOC) and Threat Fusion Cell (TFC) security researchers have been tracking an emerging, rapidly maturing threat group conducting a global SEO-poisoning campaign that distributes trojanized Microsoft Teams installers. These installers ultimately deploy a multi-stage shellcode loader and backdoor BlueVoyant has designated Lorem Ipsum. Active since at least February 2026, the campaign opportunistically targets users searching for Microsoft Teams across at least six countries, with a US-based healthcare-sector client confirmed as targeted, with successful BlueVoyant interdiction. In roughly ten weeks, the operators evolved from a minimally obfuscated test build into an operationally mature loader chain featuring substitution cipher decoding, XOR-encrypted shellcode stubs, DLL sideloading, JFIF-disguised C2 traffic, and a per-victim UUID-tracked callback architecture. Most distinctively, the loader abuses letsdiskuss[.]com, a legitimate India-based question-and-answer/blogging platform, as a dead-drop resolver for C2 infrastructure across at least four attacker-controlled profiles."
        https://www.bluevoyant.com/blog/lorem-ipsum-trojanized-microsoft-teams-installers-multi-stage-loader-backdoor
      • Python Backdoor Threat Analysis Following An AI Deepfake Impersonation Campaign
        "Genians Security Center identified a threat campaign suspected of being associated with APT37 that combines an obfuscated batch file command invocation technique with Compiled Python-based malware. This threat is distributed through email-based spear phishing in the form of ZIP-compressed files and begins by inducing the user to execute an LNK shortcut file contained inside. When the user runs the file, the actual command is reconstructed through an environment variable-based substring expansion technique, after which additional payloads are downloaded and executed sequentially."
        https://www.genians.co.kr/en/blog/threat_intelligence/python

      Breaches/Hacks/Leaks

      • Instructure Reaches 'agreement' With ShinyHunters To Stop Data Leak
        "Instructure, the edtech giant behind the widely popular Canvas learning management system (LMS), has reached an "agreement" with the ShinyHunters extortion group to prevent the data stolen in a recent breach from being leaked online. The company says over 30 million educators and students use its Canvas platform across more than 8,000 schools and universities worldwide. In a Tuesday statement, Instructure said the cybercrime gang also returned the stolen data (which includes usernames, email addresses, course names, enrollment information, and messages) and provided shred logs confirming its destruction."
        https://www.bleepingcomputer.com/news/security/instructure-reaches-agreement-with-shinyhunters-to-stop-data-leak/
        https://thehackernews.com/2026/05/instructure-reaches-ransom-agreement.html
        https://therecord.media/instructure-pays-ransom-canvas-incident-congress-investigation
        https://www.malwarebytes.com/blog/news/2026/05/stolen-canvas-data-was-returned-after-hacker-agreement-instructure-says
        https://www.securityweek.com/deal-reached-with-hackers-to-delete-data-stolen-from-the-canvas-educational-platform/
      • West Pharmaceutical Services Hit By Disruptive Ransomware Attack
        "Pennsylvania pharma giant West Pharmaceutical Services is scrambling to restore systems impacted by a ransomware attack last week. The incident, the company says in an incident notice, occurred on May 4 and prompted the “proactive shutdown and isolation of affected on-premise infrastructure”. The containment measure disrupted the company’s business operations globally, West Pharmaceutical Services said in a Monday filing with the Securities and Exchange Commission (SEC)."
        https://www.securityweek.com/west-pharmaceutical-services-hit-by-disruptive-ransomware-attack/
        https://therecord.media/west-pharmaceutical-warns-of-ransomware-attack-impacting-operations

      General News

      • April 2026 Threat Trend Report On Ransomware
        "This report summarizes ransomware-related statistics based on Dedicated Leak Sites (DLS) (ransomware PR sites or PR pages) and the number of ransomware-damaged systems identified during the month of April 2026. It also covers major ransomware issues in Korea and abroad and damage trends by industry/region."
        https://asec.ahnlab.com/en/93657/
      • Cyber Threats Spike In April 2026 As Ransomware Expands And Attack Volumes Climb After Short-Lived Moderation
        "In April 2026, global cyber-attack activity rebounded sharply following the brief moderation observed in March. Organizations experienced an average of 2,201 weekly cyber-attacks, representing a 10% increase month over month and an 8% increase year over year. This reversal underscores the volatility of today’s threat landscape. After three consecutive months of gradual decline, April’s data confirms that the earlier easing was temporary rather than structural. Attackers continue to leverage automation, expanded digital footprints, and exposed cloud and GenAI environments to sustain elevated pressure across industries and regions."
        https://blog.checkpoint.com/research/cyber-threats-spike-in-april-2026-as-ransomware-expands-and-attack-volumes-climb-after-short-lived-moderation/
      • State-Sponsored Actors, Better Known As The Friends You Don’t Want
        "Most organizations operate under the assumption that anything residing within their trust boundary is trustworthy. Software arrives from vetted vendors, employees pass background checks, cloud providers hold compliance certifications, and build pipelines produce signed artifacts. In practice, these assumptions are rarely scrutinized, and state-sponsored actors have constructed their operational methodology around exploiting precisely this gap. They operate inside the trust boundary, using trusted tools, holding valid credentials, and performing actions that appear entirely authorized. Conventional security architecture is not designed to identify this, and that limitation warrants acknowledgment before turning to what incident response looks like when the adversary is a state-sponsored."
        https://blog.talosintelligence.com/state-sponsored-actors-better-known-as-the-friends-you-dont-want/
      • State Of Ransomware In 2026
        "With International Anti-Ransomware Day taking place on May 12, Kaspersky presents its annual report on the evolving global and regional ransomware cyberthreat landscape. Ransomware remains one of the most persistent and adaptive cyberthreats. In 2026:"
        https://securelist.com/state-of-ransomware-in-2026/119761/
      • WannaCry, The Ransomware Attack That Changed The History Of Cybersecurity
        "In memory of the day the digital world was shaken, but learned to fight back. The WannaCry ransomware attack represents one of the most significant events in recent cybersecurity history, not only for its global scale but also for the technical and geopolitical implications it raised. Analyzing its history means understanding how known vulnerabilities, advanced tools, and delays in mitigation can converge into an event capable of disrupting critical infrastructure worldwide."
        https://securityaffairs.com/192015/malware/wannacry-the-ransomware-attack-that-changed-the-history-of-cybersecurity.html
      • Is The SOC Obsolete, And We Just Haven’t Admitted It Yet?
        "For decades, the Security Operations Center (SOC) has been the beating heart of enterprise defense. Analysts monitor dashboards, triage alerts, and investigate incidents around the clock. The SOC is often portrayed as the last line of defense—a place where intelligence meets action. And yet, if we are honest, the SOC as we know it is already obsolete. Not because analysts aren’t skilled or diligent, but because the very nature of cyber threats has changed faster than our operational models can keep up."
        https://www.securityweek.com/is-the-soc-obsolete-and-we-just-havent-admitted-it-yet/
      • Canvas Hackers ShinyHunters Say Their Official Domain Was Suspended
        "The notorious hacking group ShinyHunters, recently linked to the large-scale compromise and defacement of Instructure’s Canvas LMS platform, claims its official clearnet domain has been suspended by the domain registry, fueling online speculation that the site may have been targeted following the group’s recent attacks. The issue surfaced on Monday, May 11, 2026, when the group’s public-facing domain, shinyhunte[.]rs, suddenly went offline. Soon after, rumors spread across underground forums and social media platforms suggesting the domain may have been seized by law enforcement agencies, including speculation about possible FBI involvement."
        https://hackread.com/canvas-hackers-shinyhunters-official-domain-suspended/

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
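      The APT37 item above describes a batch file whose real command is reconstructed through cmd.exe's environment-variable substring expansion (`%VAR:~start,length%`). The Python below is an added example, not code from the Genians report or from this post: it applies cmd.exe's substring rules (negative start counts from the end, negative length trims the tail, undefined variables expand to nothing in a batch file, names are case-insensitive, expansion is a single pass) to recover the command from such a line, and counts the slices as a cheap triage signal. The environment values, the obfuscated line and the function names are constructed assumptions.

```python
import re
from typing import Optional

# Constructed sample environment; the values stand in for a victim host and are
# assumptions, not data from the report.
SAMPLE_ENV = {
    "ComSpec": r"C:\Windows\system32\cmd.exe",
    "ProgramFiles": r"C:\Program Files",
    "PUBLIC": r"C:\Users\Public",
    "TMP": r"C:\Users\victim\AppData\Local\Temp",
}

# Matches %NAME%, %NAME:~start% and %NAME:~start,length% (cmd.exe percent expansion).
_EXPANSION = re.compile(
    r"%(?P<name>[A-Za-z_][A-Za-z0-9_()]*)(?::~(?P<start>-?\d+)(?:,(?P<len>-?\d+))?)?%"
)


def cmd_substring(value: str, start: int, length: Optional[int]) -> str:
    """Apply cmd.exe's %VAR:~start,length% slicing rules to a resolved value."""
    n = len(value)
    if start < 0:                       # negative start counts back from the end
        start = max(n + start, 0)
    if start >= n:                      # start past the end yields an empty string
        return ""
    if length is None:                  # %VAR:~start% -> remainder of the string
        return value[start:]
    end = n + length if length < 0 else start + length   # negative length trims the tail
    return value[start:end] if end > start else ""


def expand_batch_line(line: str, env: dict) -> str:
    """Single-pass percent expansion, as cmd.exe performs when parsing a batch line.
    Undefined variables expand to nothing (batch-file semantics)."""
    lookup = {k.lower(): v for k, v in env.items()}   # variable names are case-insensitive

    def repl(m: re.Match) -> str:
        value = lookup.get(m.group("name").lower())
        if value is None:
            return ""
        if m.group("start") is None:
            return value
        length = int(m.group("len")) if m.group("len") is not None else None
        return cmd_substring(value, int(m.group("start")), length)

    return _EXPANSION.sub(repl, line)


def substring_expansion_count(line: str) -> int:
    """Number of %VAR:~...% slices in a line. Many slices of unrelated variables such
    as ComSpec or ProgramFiles is a cheap triage signal for this obfuscation style."""
    return sum(1 for m in _EXPANSION.finditer(line) if m.group("start") is not None)


# Constructed obfuscated batch line (assumption, not a sample from the campaign):
# pieces of 'cmd' and 'start' are sliced out of ComSpec and ProgramFiles.
OBFUSCATED = (
    "%ComSpec:~-7,3% /c st%ProgramFiles:~8,1%%ProgramFiles:~7,1%t /b "
    "%PUBLIC%\\upd.vbs"
)

if __name__ == "__main__":
    print(substring_expansion_count(OBFUSCATED))        # 3
    print(expand_batch_line(OBFUSCATED, SAMPLE_ENV))    # cmd /c start /b C:\Users\Public\upd.vbs
```

      For triage, run `expand_batch_line` with the variable values taken from the victim host (or from a standard Windows install), since the recovered command depends entirely on those values; the slice count alone is enough to flag a line for a closer look.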
    • Cyber Threat Intelligence 12 May 2026

      Vulnerabilities

      • New GhostLock Tool Abuses Windows API To Block File Access
        "A security researcher has released a proof-of-concept tool named GhostLock that demonstrates how a legitimate Windows file API can be abused in attacks to block access to files stored locally or on SMB network shares. This technique, created by Kim Dvash of Israel Aerospace Industries, abuses the Windows 'CreateFileW' API and file-sharing modes to prevent other users and applications from opening files while handles remain active. The GhostLock technique abuses the 'dwShareMode' parameter in the CreateFileW() function, which specifies the type of access other processes have to a file while it is opened."
        https://www.bleepingcomputer.com/news/security/new-ghostlock-tool-abuses-windows-api-to-block-file-access/
        https://ghostlock.io/
        https://github.com/kimd155/ghostlock

      Malware

      • Official CheckMarx Jenkins Package Compromised With Infostealer
        "Checkmarx warned over the weekend that a rogue version of its Jenkins Application Security Testing (AST) plugin had been published on the Jenkins Marketplace. The compromise was claimed by the TeamPCP hacker group, which initiated a spree of supply-chain attacks that included the Shai-Hulud campaigns on npm and the Trivy vulnerability scanner breach, resulting in the delivery of credential-stealing malware. Jenkins is one of the most widely used Continuous Integration/Continuous Deployment (CI/CD) automation solutions for software building, testing, code scanning, application packaging, and deploying updates to servers."
        https://www.bleepingcomputer.com/news/security/official-checkmarx-jenkins-package-compromised-with-infostealer/
        https://thehackernews.com/2026/05/teampcp-compromises-checkmarx-jenkins.html
        https://www.securityweek.com/checkmarx-jenkins-ast-plugin-compromised-in-supply-chain-attack/
        https://www.theregister.com/devops/2026/05/11/checkmarx-tackles-another-teampcp-intrusion-as-jenkins-plugin-sabotaged/5237780
      • New TrickMo Variant: Device Take Over Malware Targeting Banking, Fintech, Wallet & Auth Apps
        "Modern Android banking malware increasingly evolves through architectural redesigns intended to improve stealth, resilience, and operational flexibility rather than through entirely new user-facing capabilities. As platform protections and detection measures continue to improve, operators adapt by redesigning communication layers, modularising offensive functionality, and strengthening persistence and remote-control mechanisms."
        https://www.threatfabric.com/blogs/new-trickmo-variant-device-take-over-malware-targeting-banking-fintech-wallet-auth-app
        https://www.bleepingcomputer.com/news/security/trickmo-android-banker-adopts-ton-blockchain-for-covert-comms/
        https://www.infosecurity-magazine.com/news/trickmo-c-ton-network-android/
      • Behind a Fake Claude Code Installer
        "Ontinue’s Cyber Defense Center has been observing an ongoing campaign targeting developers through fake installation pages that mimic popular developer tools, including counterfeit Claude Code installers. These lures swap legitimate one-line installers for attacker-controlled commands. Since the beginning of the year, multiple documented cases have highlighted similar fake agent/installer schemes targeting developers. This report details an additional payload stream not documented elsewhere: the same lure with a different payload."
        https://www.ontinue.com/resource/blog-behind-a-fake-claude-code-installer/
        https://www.infosecurity-magazine.com/news/fake-claude-code-installer/
        https://www.theregister.com/security/2026/05/11/cookie-thieves-caught-stealing-dev-secrets/5238248
      • Operation HookedWing: 4-Year Multi-Sector Phishing Campaign
        "From 2022 to the present, a persistent phishing campaign that has not been publicly documented until now, referred to in this report as Operation HookedWing, has been compromising organizations across multiple sectors and countries. The SOCRadar Threat Research team has identified that the campaign operates a custom phishing kit which, at the time of publication, has not been attributed to any known threat actor."
        https://socradar.io/blog/operation-hookedwing-4-year-phishing/
        https://www.securityweek.com/over-500-organizations-hit-in-years-long-phishing-campaign/
      • Threat Actor Mr_Rot13 Actively Exploits CVE-2026-41940 For Backdoor Deployment
        "CVE-2026-41940 is a high-severity unauthenticated authentication bypass vulnerability affecting cPanel & WHM. This product is widely used in Linux server operations and virtual hosting management. The vulnerability has a CVSS score as high as 9.8 (Critical). Without providing any account or password, an attacker can remotely bypass authentication and take over the cPanel / WHM control panel, allowing an unauthenticated remote attacker to gain administrator privileges on the affected server."
        https://blog.xlab.qianxin.com/mr_rot13-the-elusive-6-year-hacker-group-weaponizing-critical-cpanel-flaws-for-backdoor-deployment/
        https://thehackernews.com/2026/05/cpanel-cve-2026-41940-under-active.html
      • Inside AD CS Escalation: Unpacking Advanced Misuse Techniques And Tools
        "Active Directory Certificate Services (AD CS) is a foundational component of Windows enterprise infrastructure, responsible for managing public key infrastructure (PKI) and issuing certificates that enable authentication and encryption across networks. Despite its critical role in the enterprise identity infrastructure, AD CS is often undermined by insecure default configurations and design complexities, resulting in exploitable attack surfaces. Due to misconfigured templates and overly permissive enrollment rights, AD CS has emerged as a high-impact, under-monitored vector for privilege escalation and unauthorized identity impersonation in modern environments."
        https://origin-unit42.paloaltonetworks.com/active-directory-certificate-services-exploitation/
      • OpenClaw’s Hologram: Fake Installer Ships Rust Infostealer
        "Hologram is dropper-delivered via a fake OpenClaw installer, undetected by automated sandboxes. The operator abuses Azure DevOps, Telegram, and Hookdeck as infrastructure—legitimate services inside most enterprise allowlists. While Huntress documented the first wave in February, this post covers the second wave: six-binary modular implant framework, novel Hookdeck C2 relay, and the first documented use of clroxide in a crimeware campaign: built by the same developer, eleven weeks later. A third wave rotated infrastructure during analysis with some new capabilities."
        https://www.netskope.com/blog/openclaw-hologram-fake-installer-ships-rust-infostealer
      • TanStack Npm Packages Compromised In Ongoing Mini Shai-Hulud Supply-Chain Attack
        "The Socket Threat Research team detected a compromise across 84 npm package artifacts in the tanstack namespace. Affected packages were modified to add a suspected credential stealer targeting various CI systems, including Github Actions. All packages were flagged by Socket AI Scanner in six minutes or less after publication. Several of the newly turned malicious packages, like pkg:npm/@tanstack/react-router have over 12 million weekly downloads, and are widely consumed both directly and transitively across the npm ecosystem, making this compromise especially significant from a software supply-chain perspective."
        https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack

      Breaches/Hacks/Leaks

      • Instructure Confirms Hackers Used Canvas Flaw To Deface Portals
        "Education technology giant Instructure has confirmed that a security vulnerability allowed hackers to modify Canvas login portals and leave an extortion message. BleepingComputer has learned that both the breach and defacements involved multiple cross-site scripting (XSS) vulnerabilities that enabled the attacker to obtain authenticated admin sessions. The second hack was to draw attention and to pressure Instructure into entering negotiations to pay a ransom following an initial breach disclosed a week before. Instructure is the developer of Canvas, a popular learning management system (LMS) used by schools and universities around the world to handle assignments and coursework."
        https://www.bleepingcomputer.com/news/security/instructure-confirms-hackers-used-canvas-flaw-to-deface-portals/
        https://cyberscoop.com/canvas-instructure-data-theft-extortion-the-com/
        https://www.infosecurity-magazine.com/news/shinyhunters-escalates-canvas/
        https://www.securityweek.com/canvas-system-is-online-after-a-cyberattack-disrupted-thousands-of-schools/
        https://www.theregister.com/security/2026/05/12/double-canvas-intrusion-confirmed-as-shinyhunters-resets-leak-deadline/5238361
      • Skoda Data Breach Hits Online Shop Customers
        "Automobile manufacturer Skoda has disclosed a data breach impacting the personal information of its online shop’s users. The incident, the company says, was discovered as part of its technical security monitoring and was the result of a vulnerability in the portal’s software. Immediately after learning of the cyberattack, the car maker took the shop offline, patched the exploited vulnerability, reviewed existing security mechanisms, and retained external forensics experts to help with the investigation. It also notified the relevant authorities."
        https://www.securityweek.com/skoda-data-breach-hits-online-shop-customers/
      • SailPoint Discloses GitHub Repository Hack
        "Identity management and governance provider SailPoint has disclosed a cybersecurity incident involving its GitHub repositories. In a filing with the Securities and Exchange Commission (SEC), the company revealed that the incident occurred on April 20 and was immediately contained. “On April 20, 2026, we detected unauthorized access to a subset of our GitHub repositories. Our incident response team quickly terminated the unauthorized activity and resolved the issue,” the SEC filing reads."
        https://www.securityweek.com/sailpoint-discloses-github-repository-hack/
        https://securityaffairs.com/191997/data-breach/identity-security-firm-sailpoint-discloses-github-repository-breach.html
      • BWH Hotels Guests Warned After Reservation Data Checks Out With Cybercrooks
        "BWH Hotels is informing customers about a third-party data breach that gave cybercriminals access to six months' worth of data. The notification email stated that BWH Hotels, which owns the WorldHotels, Best Western Hotels & Resorts, and Sure Hotels brands, identified the intrusion on April 22, but the affected data goes back to October 14, 2025. BWH Hotels CTO Bill Ryan, who penned the notification email, said names, email addresses, telephone numbers, and/or home addresses belonging to "certain guests" were accessed by an unauthorized third party. The intruders also accessed reservation details, such as reservation numbers, dates of stay, and any special requests."
        https://www.theregister.com/security/2026/05/11/best-western-hotels-confirms-web-app-data-breach/5238020
      • Tables Turned: Gentlemen Ransomware Group Suffers Data Leak
        "A ransomware organization is suffering an extreme case of turnabout is fair play through a data breach that is splaying internal correspondence across the internet. "The Gentlemen" surfaced as a ransomware-as-a-service organization in mid-2025 with - as SOCRadar has noted - little intention of playing nice. Hints that The Gentlemen suffered a data breach first surfaced on May 4, in a post to cybercrime forum Breached with the subject line "The Gentlemen - hacked data for sale," which requested $10,000, payable in bitcoin, "for the full data," with samples available on request. Whether or not someone paid isn't clear, but on Friday, the same user listed a link to file-sharing site MediaFire, for downloading the stolen data for free."
        https://www.bankinfosecurity.com/tables-turned-gentlemen-ransomware-group-suffers-data-leak-a-31654

      General News

      • April 2026 Dark Web Breach Incident Trend Report
        "The April 2026 Dark Web Breach Incident Trend Report is compiled from data breach cases posted on the deep web and dark web forums. Some information is included in cases where it is difficult to fully verify the factuality of the information due to the nature of the source."
        https://asec.ahnlab.com/en/93628/
      • April 2026 Dark Web Issue Trend Report
        "The April 2026 Dark Web Issue Trend Report summarizes the major issues that occurred on the deep web and dark web. Due to the nature of the sources, some of the information is difficult to fully verify."
        https://asec.ahnlab.com/en/93633/
      • Dark Web Threat Actor Trend Report, April 2026
        "The April 2026 Dark Web Threat Actor Trend Report summarizes trends in hacktivists and threat actors operating on the deep web and dark web. Due to the nature of the sources, some of the information is difficult to fully verify as factual."
        https://asec.ahnlab.com/en/93634/
      • Q1 2026 Ransomware Report: Fewer Groups, Higher Impact
        "Ransomware activity remained elevated in Q1 2026, continuing the trend established over the past year. According to the State of Ransomware Q1 2026 report from Check Point Research, overall attack volume stayed near historic highs. At the same time, the structure of the ransomware ecosystem changed materially. After two years of increasing fragmentation, activity is consolidating around a smaller number of dominant groups. For organizations, this shift reduces the number of active actors but increases the potential impact of individual incidents."
        https://blog.checkpoint.com/research/q1-2026-ransomware-report-fewer-groups-higher-impact/
      • GTIG AI Threat Tracker: Adversaries Leverage AI For Vulnerability Exploitation, Augmented Operations, And Initial Access
        "Since our February 2026 report on AI-related threat activity, Google Threat Intelligence Group (GTIG) has continued to track a maturing transition from nascent AI-enabled operations to the industrial-scale application of generative models within adversarial workflows. This report, based on insights derived from Mandiant incident response engagements, Gemini, and GTIG’s proactive research, highlights the dual nature of the current threat environment where AI serves as both a sophisticated engine for adversary operations and a high-value target for attacks."
        https://cloud.google.com/blog/topics/threat-intelligence/ai-vulnerability-exploitation-initial-access
        https://thehackernews.com/2026/05/hackers-used-ai-to-develop-first-known.html
        https://www.bleepingcomputer.com/news/security/google-hackers-used-ai-to-develop-zero-day-exploit-for-web-admin-tool/
        https://www.darkreading.com/cloud-security/hackers-ai-exploit-dev-attack-automation
        https://cyberscoop.com/google-threat-intelligence-group-ai-developed-zero-day-exploit/
        https://www.infosecurity-magazine.com/news/hackers-using-ai-zero-day-first/
        https://hackread.com/google-hackers-used-ai-develop-zero-day-exploit/
        https://www.securityweek.com/google-detects-first-ai-generated-zero-day-exploit/
        https://securityaffairs.com/191984/ai/google-warns-artificial-intelligence-is-accelerating-cyberattacks-and-zero-day-exploits.html
      • Tech Can't Stop These Threats — Your People Can
        "I begin, as every strong article should, with a caveat: Technical security controls are critically important. Deploy them all — the SOAR playbooks, the SIEM log ingestions, the EDR clients — and use as many as you have budget and time and manpower to use. And, for the love of all that's secure, don't stop tuning them. However, those same technical controls can't stop a growing category of cyberattacks that are specifically engineered to evade or abuse real systems and trusted employees to do their dirty work. For these cases, your best (and sometimes only) defense isn't another dashboard or detection; it's an employee who knows what they're looking at and what they can do to stop it."
        https://www.darkreading.com/cyberattacks-data-breaches/tech-cant-stop-these-threats-people-can

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT
    • Operation "HookedWing": a phishing campaign running for more than 4 years has breached 500 organisations worldwide

      You can follow the news on the webboard or on the NCSA Thailand Facebook page.

      Posted in Cyber Security News
      NCSA_THAICERT
    • Germany shuts down the cybercrime marketplace Crimenetwork again after it relaunched

      You can follow the news on the webboard or on the NCSA Thailand Facebook page.

      Posted in Cyber Security News
      NCSA_THAICERT
    • Hackers use Google Ads and Claude.ai's chat feature to trick macOS users into installing info-stealing malware

      You can follow the news on the webboard or on the NCSA Thailand Facebook page.

      Posted in Cyber Security News
      NCSA_THAICERT
    • JDownloader confirms a supply-chain incident; users are at risk of malware from modified download links

      You can follow the news on the webboard or on the NCSA Thailand Facebook page.

      Posted in Cyber Security News
      NCSA_THAICERT
    • RansomHouse claims to have breached Trellix and publishes screenshots of internal systems on its data leak site

      You can follow the news on the webboard or on the NCSA Thailand Facebook page.

      Posted in Cyber Security News
      NCSA_THAICERT
    • Warning: TCLBANKER malware targets financial platforms and can spread via WhatsApp and Outlook

      You can follow the news on the webboard or on the NCSA Thailand Facebook page.

      Posted in Cyber Security News
      NCSA_THAICERT
    • Cyber Threat Intelligence 11 May 2026

      Vulnerabilities

      • CVE-2025-68670: Discovering An RCE Vulnerability In Xrdp
        "In addition to KasperskyOS-powered solutions, Kaspersky offers various utility software to streamline business operations. For instance, users of Kaspersky Thin Client, an operating system for thin clients, can also purchase Kaspersky USB Redirector, a module that expands the capabilities of the xrdp remote desktop server for Linux. This module enables access to local USB devices, such as flash drives, tokens, smart cards, and printers, within a remote desktop session – all while maintaining connection security."
        https://securelist.com/cve-2025-68670/119742/
      • cPanel, WHM Release Fixes For Three New Vulnerabilities — Patch Now
        "cPanel has released updates to address three vulnerabilities in cPanel and Web Host Manager (WHM) that could be exploited to achieve privilege escalation, code execution, and denial-of-service. The list of vulnerabilities is as follows -"
        https://thehackernews.com/2026/05/cpanel-whm-patch-3-new-vulnerabilities.html
        https://securityaffairs.com/191931/security/new-cpanel-vulnerabilities-could-allow-file-access-and-remote-code-execution.html
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2026-42208 BerriAI LiteLLM SQL Injection Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/05/08/cisa-adds-one-known-exploited-vulnerability-catalog
      • New Linux 'Dirty Frag' Zero-Day Gives Root On All Major Distros
        "A new Linux zero-day exploit, named Dirty Frag, allows local attackers to gain root privileges on most major Linux distributions with a single command. Security researcher Hyunwoo Kim, who disclosed it earlier today and published a proof-of-concept (PoC) exploit, says this local privilege escalation was introduced roughly nine years ago in the Linux kernel's algif_aead cryptographic algorithm interface. Dirty Frag works by chaining two separate kernel flaws, the xfrm-ESP Page-Cache Write vulnerability and the RxRPC Page-Cache Write vulnerability, to modify protected system files in memory without authorization and achieve privilege escalation."
        https://www.bleepingcomputer.com/news/security/new-linux-dirty-frag-zero-day-with-poc-exploit-gives-root-privileges/
        https://github.com/V4bel/dirtyfrag
        https://www.openwall.com/lists/oss-security/2026/05/07/8
        https://thehackernews.com/2026/05/linux-kernel-dirty-frag-lpe-exploit.html
        https://www.bankinfosecurity.com/dirty-frag-gives-root-on-linux-distros-a-31641
        https://securityaffairs.com/191847/hacking/dirty-frag-a-new-linux-privilege-escalation-vulnerability-is-already-in-the-wild.html
        https://www.theregister.com/security/2026/05/08/dirty-frag-linux-flaw-one-ups-copyfail-with-no-patches-and-public-root-exploit/5237230
      • ClaudeBleed: A Flaw In Claude’s Browser Extension Allows Any Extension To Hijack It
        "LayerX security researchers have discovered a flaw with Claude’s Chrome extension (“Claude in Chrome”) that allows any extension, even one with no special permissions at all, to effectively hijack Claude’s extension by injecting it with malicious instructions, extract any information that the attacker desires, and get Claude to perform active agentic actions on their behalf. LayerX reported the flaw to Anthropic. Anthropic replied that they were already aware of the issue and that it would be fixed in the next version of the extension. However, Anthropic issued only a partial fix, which did not address the root cause of the flaw, and the vulnerability can still be exploited."
        https://layerxsecurity.com/blog/a-flaw-in-claudes-browser-extension-allows-any-extension-to-hijack-it/
        https://cyberscoop.com/claude-chrome-extension-allows-plugins-to-hijack-ai/
        https://hackread.com/claudebleed-vulnerability-hackers-claude-chrome-extension/
        https://www.securityweek.com/vulnerability-in-claude-extension-for-chrome-exposes-ai-agent-to-takeover/
      • CVE-2026-2005: PostgreSQL Pgcrypto Heap Buffer Overflow Leading To RCE
        "CVE-2026-2005 is a heap buffer overflow in PostgreSQL's pgcrypto extension that allows remote code execution inside the PostgreSQL server process. The vulnerable code has been present since pgcrypto was first contributed in 2005, more than 20 years ago. The bug was discovered by Xint Code, a fully autonomous AI-powered security analysis tool. A reliable RCE exploit was demonstrated live at ZeroDay.Cloud 2025 (London, Dec 10-11, 2025), and disclosed in collaboration with the Wiz Research Team. The patch was committed upstream on Feb 8, 2026 and shipped on Feb 12, 2026 across all supported major versions (18.2, 17.8, 16.12, 15.16, 14.21). Now that patches are available, this post details the root cause, walks through the exploit process, and provides remediation guidance."
        https://www.zeroday.cloud/blog/postgres-xint

      Malware

      • ClickFix Campaign Uses Fake MacOS Utilities Lures To Deliver Infostealers
        "Microsoft researchers continue to observe the evolution of an infostealer campaign distributing ClickFix‑style instructions and targeting macOS users. In this recent iteration, threat actors attempt to take advantage of users who are looking for helpful advice on macOS-related issues (for example, optimizing their disk space) in blog sites and other user-driven content platforms by hosting their malicious commands in these sites. These commands, which are purported to install system utilities, load an infostealing malware like Macsync, Shub Stealer, and AMOS into the targets’ devices instead."
        https://www.microsoft.com/en-us/security/blog/2026/05/06/clickfix-campaign-uses-fake-macos-utilities-lures-deliver-infostealers/
        https://hackread.com/fake-macos-troubleshooting-sites-steal-icloud-clickfix/
      • PamDOORa: Analyzing a New Linux PAM-Based Backdoor For Sale On The Dark Web
        "For $1,600, a threat actor on a Russian cybercrime forum is selling the complete source code for a Linux backdoor that embeds itself in one of the most trusted layers of the operating system: the Pluggable Authentication Module (PAM) stack. The tool, called PamDOORa, is a new PAM-based backdoor, designed to serve as a post-exploitation backdoor, enabling authentication to servers via OpenSSH. Allegedly this would remain persistent on Linux systems (x86_64). As Linux systems continue to dominate enterprise infrastructure and cloud environments, attackers are constantly exploring new post-exploitation tools to maintain persistence on compromised servers."
        https://flare.io/learn/resources/blog/pamdoora-new-linux-pam-based-backdoor-sale-dark-web
        https://thehackernews.com/2026/05/new-linux-pamdoora-backdoor-uses-pam.html
      • Pro-Ukraine BO Team And Head Mare Hackers Appear To Team Up In Attacks Against Russia
        "A pro-Ukraine hacktivist group known as BO Team appears to be coordinating its cyber operations with another group, Head Mare, in attacks targeting Russian organizations, according to a new report. Researchers at Moscow-based cybersecurity firm Kaspersky said they identified overlapping infrastructure and tools used by both groups — including command-and-control systems operating on the same compromised host — suggesting some coordination. In previous reports, Kaspersky said BO Team, also known as Black Owl, operates more autonomously than other pro-Ukraine hacktivist groups, with its own resources and approaches to deploying malicious tools."
        https://therecord.media/ukraine-bo-team-head-mare-hacktivists-team-up-kaspersky
      • JDownloader Site Hacked To Replace Installers With Python RAT Malware
        "The website for the popular JDownloader download manager was compromised earlier this week to distribute malicious Windows and Linux installers, with the Windows payload found deploying a Python-based remote access trojan. The supply chain attack affects those who downloaded installers from the official website between May 6 and May 7, 2026 via the Windows "Download Alternative Installer" links or the Linux shell installer. According to the developers, the attackers modified the website's download links to point to malicious third-party payloads rather than legitimate installers."
        https://www.bleepingcomputer.com/news/security/jdownloader-site-hacked-to-replace-installers-with-python-rat-malware/
        https://hackread.com/hackers-hijack-jdownloader-site-malware-installers/
        https://securityaffairs.com/191920/malware/official-jdownloader-site-served-malware-to-windows-and-linux-users.html
      • Malware Found In Trending Hugging Face Repository "Open-OSS/privacy-Filter"
        "On the 7th of May 2026, we identified malicious code in the Hugging Face repository Open-OSS/privacy-filter, which at the time appeared among the platform's top trending repositories with over 200k downloads until its removal by the Hugging Face team. The repository had typosquatted OpenAI's legitimate Privacy Filter release, copied its model card nearly verbatim, and shipped a loader.py file that fetches and executes infostealer malware on Windows machines."
        https://www.hiddenlayer.com/research/malware-found-in-trending-hugging-face-repository-open-oss-privacy-filter
        https://www.bleepingcomputer.com/news/security/fake-openai-repository-on-hugging-face-pushes-infostealer-malware/
      • Hackers Abuse Google Ads, Claude.ai Chats To Push Mac Malware
        "Attackers are abusing Google Ads and legitimate Claude.ai shared chats in an active malvertising campaign. Users searching for "Claude mac download" may come across sponsored search results that list claude.ai as the target website, but lead to instructions that install malware on their Mac."
        https://www.bleepingcomputer.com/news/security/hackers-abuse-google-ads-claudeai-chats-to-push-mac-malware/

      Breaches/Hacks/Leaks

      • NVIDIA Confirms GeForce NOW Data Breach Affecting Armenian Users
        "NVIDIA has confirmed in a statement for BleepingComputer that GeForce NOW user information has been exposed in a data breach. The gaming and hardware giant has clarified that the impact is limited to Armenia, and was caused by a compromise of the infrastructure operated by a regional partner. The company added that its own network was not impacted by the incident. “Our investigation found no impact on NVIDIA-operated services. The issue is limited to systems run by a third-party GeForce NOW Alliance partner based in Armenia. We are working closely with the partner to support their investigation and resolution. Impacted users will be notified by GFN.am,” the company said."
        https://www.bleepingcomputer.com/news/security/nvidia-confirms-geforce-now-data-breach-affecting-armenian-users/
      • Trellix Source Code Breach Claimed By RansomHouse Hackers
        "The attack on the Trellix source code repository disclosed last week has been claimed by the RansomHouse threat group, which leaked a small set of images as proof of the intrusion. Yesterday, the threat actor published on their data leak site screenshots indicating access to the cybersecurity company's appliance management system. However, BleepingComputer could not confirm the authenticity of the data. Trellix is an international cybersecurity firm with global Fortune 100 customers. In 2025, the company had more than 53,000 customers in 185 countries and 3,500 employees."
        https://www.bleepingcomputer.com/news/security/trellix-source-code-breach-claimed-by-ransomhouse-hackers/
        https://www.securityweek.com/ransomware-group-takes-credit-for-trellix-hack/
        https://securityaffairs.com/191879/cyber-crime/ransomhouse-says-it-breached-trellix-and-exposes-internal-systems.html
      • Zara Data Breach Exposed Personal Information Of 197,000 People
        "Hackers who gained access to the databases of Spanish fast-fashion retailer Zara stole data belonging to more than 197,000 customers, according to data breach notification service Have I Been Pwned. Zara has over 1,500 company-managed and franchised stores worldwide and is the flagship brand of the Inditex Group, one of the world's largest fashion distribution groups, which also owns Bershka, Zara Home, Oysho, Pull&Bear, Massimo Dutti, Stradivarius, and Uterqüe. As Inditex stated last month, when the data breach was widely reported, the compromised databases were hosted by a former tech provider and contained information about business relationships with customers in different markets."
        https://www.bleepingcomputer.com/news/security/zara-data-breach-exposed-personal-information-of-197-000-people/
        https://securityaffairs.com/191859/cyber-crime/zara-data-breach-197000-customers-exposed-in-third-party-security-incident.html
      • AI Firm Braintrust Prompts API Key Rotation After Data Breach
        "AI evaluation and observability platform Braintrust urged customers this week to rotate API keys that may have been compromised after hackers accessed an AWS account. The incident, the company says, was discovered on May 4, after receiving a report of suspicious behavior, and was communicated to customers via email on May 5. The message also included indicators of compromise (IOCs) and remediation steps. Immediately after learning of the incident, Braintrust locked down the compromised account, audited related systems and restricted access to them, rotated internal secrets, and launched an investigation into the matter."
        https://www.securityweek.com/ai-firm-braintrust-prompts-api-key-rotation-after-data-breach/
        https://securityaffairs.com/191888/data-breach/braintrust-security-incident-raises-concerns-over-ai-supply-chain-risks.html

      General News

      • Federal Jury Convicts Virginia Man On Charges Relating To The Deletion Of U.S. Government Databases
        "A federal jury convicted Sohaib Akhter, 34, of Alexandria, Virginia, today on charges of conspiracy to commit computer fraud, password trafficking, and possession of a firearm by a prohibited person. “Sohaib Akhter harmed Americans who trusted their government with personal information and sensitive requests,” said Assistant Attorney General A. Tysen Duva of the Justice Department’s Criminal Division. “His conviction shows that getting fired from a job is not an invitation to retaliate.”"
        https://www.justice.gov/opa/pr/federal-jury-convicts-virgina-man-charges-relating-deletion-us-government-databases
        https://www.bleepingcomputer.com/news/security/former-govt-contractor-convicted-for-wiping-dozens-of-federal-databases/
        https://therecord.media/virginia-man-found-guilty-deleting-96-gov-databases
      • Kingdom Market Administrator Given 16-Year Sentence
        "One of the leading figures behind a popular dark web marketplace was sentenced to more than 16 years in prison this week. Slovakian national Alan Bill, 33, pleaded guilty in January to a conspiracy to distribute controlled substances charge after admitting to his role in running Kingdom Market — a platform used by drug dealers and cybercriminals between March 2021 and December 2023. He was arrested on December 15, 2023 at Newark Airport before German law enforcement agencies seized Kingdom Market servers and shut the platform down."
        https://therecord.media/kingdom-market-administrator-gets-16-year-sentence
      • Police Shut Down Reboot Of Crimenetwork Marketplace, Arrest Admin
        "German authorities have shut down a relaunch version of the criminal marketplace 'Crimenetwork' that generated more than 3.6 million euros, and arrested its operator. Crimenetwork was the largest online cybercrime marketplace in Germany, operating since 2012 and with 100,000 registered users. The platform enabled the sale of illegal services, substances, and stolen data. In late 2024, the Public Prosecutor's Office in Frankfurt am Main, the Central Office for Combating Cybercrime (ZIT), and the Federal Criminal Police Office (BKA) dismantled the operation by seizing the platform and arresting one of its administrators."
        https://www.bleepingcomputer.com/news/security/police-shut-down-reboot-of-crimenetwork-marketplace-arrest-admin/

      Reference
      Electronic Transactions Development Agency (ETDA)

      Posted in Cyber Security News
      NCSA_THAICERT