{"uuid": "70ba9fa9-d15f-42db-b39d-3ab33130ecb1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-26980", "type": "seen", "source": "https://threatintel.cc/2026/05/25/cyber-brief-apt-backdoors-cdn.html", "content": "Chinese APTs share Linux backdoor in Central Asia telco attacks \u2014 China-aligned threat clusters are using the Showboat/kworker Linux post-exploitation framework against telecom providers, with related reporting linking activity to Red Lamassu/Calypso and JFMBackdoor.\n\nRelated: Lumen Black Lotus Labs, PwC\n\nWebworm: New burrowing techniques \u2014 ESET reports that China-aligned Webworm has expanded its toolkit with EchoCreep and GraphWorm, using Discord and Microsoft Graph API for command-and-control while staging malware through GitHub.\n\nRelated: The Hacker News\n\nNetherlands seizes 800 servers of hosting firm enabling cyberattacks \u2014 Dutch FIOD arrested two suspects and seized more than 800 servers tied to alleged sanctions evasion and infrastructure used to support cyberattacks, interference operations and disinformation campaigns linked to Russian interests.\n\nRelated: FIOD\n\nUnderminr vulnerability lets attackers hide malicious connections behind trusted domains \u2014 Underminr abuses shared CDN and hosting infrastructure to make malicious traffic appear as trusted-domain traffic, potentially bypassing DNS filtering and hiding command-and-control, VPN or proxy connections.\n\nRelated: ADAMnetworks, Underminr\n\nKali365 phishing-as-a-service kit hijacks Microsoft 365 access tokens \u2014 The FBI warns that Kali365 uses device-code phishing to capture OAuth tokens, bypass MFA and give attackers persistent access to Microsoft 365 services such as Outlook, Teams and OneDrive.\n\nRelated: Help Net Security\n\nGhost CMS SQL injection flaw exploited in large-scale ClickFix campaign \u2014 Attackers are exploiting CVE-2026-26980 in Ghost CMS to steal admin API keys, inject malicious JavaScript and redirect visitors into fake Cloudflare ClickFix malware flows.\n\nRelated: The Hacker News\n\nLazarus deploys RemotePE memory-only RAT against financial and crypto firms \u2014 Researchers report that North Korea-linked Lazarus is using the RemotePE cross-platform malware in a multi-stage attack chain targeting financial and cryptocurrency organizations.\n\nTrapDoor supply chain attack spreads credential-stealing malware via npm, PyPI and Crates.io \u2014 A coordinated cross-ecosystem supply chain campaign is targeting npm, PyPI and Crates.io to distribute credential-stealing malware aimed at developer secrets, crypto wallets, SSH keys and cloud credentials.\n\nLaravel-Lang packages poisoned for malware delivery \u2014 Attackers rewrote Git tags across Laravel-Lang Composer packages, causing affected builds to pull credential-stealing malware capable of exfiltrating CI secrets and developer credentials.\n\nRelated: StepSecurity\n\n266,000 affected by Radiology Associates of Richmond data breach \u2014 Radiology Associates of Richmond disclosed a breach affecting protected health information after attackers accessed internal systems and acquired files tied to affected individuals.\n\nVerizon DBIR 2026 reinforces fundamentals, patching and third-party risk \u2014 Help Net Security\u2019s DBIR analysis highlights low remediation rates, rising supply chain breach involvement and continued exposure from basic control failures, including missing MFA, weak credential management and excessive cloud privileges.\n\nOpenHack brings open-source AI-powered vulnerability research to security teams \u2014 Hadrian released OpenHack, an MIT-licensed project that uses AI coding harnesses, file-based workflows and human approvals to support structured vulnerability research.\n\nRelated: GitHub\n\nShadow AI use is heaviest among senior decision-makers \u2014 TrustedTech research reported by Help Net Security says 65 per cent of decision-makers use unapproved AI tools, compared with 31 per cent of employees below decision-maker level.", "creation_timestamp": "2026-05-25T11:28:15.000000Z"}