2026-05-11 AI创业新闻
Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak
Cybersecurity researchers have disclosed a critical security vulnerability in Ollama that, if successfully exploited, could allow a remote, unauthenticated attacker to leak its entire process memory. The out-of-bounds read flaw, which likely impacts over 300,000 servers globally, is tracked as CVE-2026-7482 (CVSS score: 9.1). It has been codenamed Bleeding Llama by Cyera. Ollama is a popular open-source framework that allows large language models (LLMs) to be run locally instead of on the cloud.
On GitHub, the project has more than 171,000 stars and has been forked over 16,100 times. “Ollama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader,” according to a description of the flaw in CVE.org. “The /api/create endpoint accepts an attacker-supplied GGUF file in which the declared tensor offset and size exceed the file’s actual length; during quantization in fs/ggml/gguf.go and server/quantization.go (WriteTo()), the server reads past the allocated heap buffer.” GGUF, short for GPT-Generated Unified Format, is a file format that’s used to store large language models so that they can be easily loaded and executed locally. It’s analogous to other popular model saving formats like PyTorch .pt/.pth (based on Python’s pickle module), safetensors, and Open Neural Network Exchange (ONNX).
The problem, at its core, stems from Ollama’s use of the unsafe package when creating a model from a GGUF file, specifically in a function named “WriteTo(),” thereby making it possible to execute operations that bypass the memory safety guarantees of the programming language. In a hypothetical attack scenario, a bad actor can send a specially crafted GGUF file to an exposed Ollama server with the tensor’s shape set to a very large number to trigger the out-of-bounds heap read during model creation using the /api/create endpoint. Successful exploitation of the vulnerability could leak sensitive data from the Ollama process memory. This may include environment variables, API keys, system prompts, and concurrent users’ conversation data.
This data can be exfiltrated by uploading the resulting model artifact through the /api/push endpoint to an attacker-controlled registry. The exploitation chain unfolds over three steps - Upload a crafted GGUF file with an inflated tensor shape to a network-accessible Ollama server using an HTTP POST request. Use the /api/create endpoint to activate model creation, firing the out-of-bounds read vulnerability. Use the /api/push endpoint to exfiltrate data from the heap memory to an external server.
“An attacker can learn basically anything about the organization from your AI inference — API keys, proprietary code, customer contracts, and much more,” Cyera security researcher Dor Attias said. “On top of that, engineers often connect Ollama to tools like Claude Code. In those cases, the impact is even higher – all tool outputs flow to the Ollama server, get saved in the heap, and potentially end up in an attacker’s hands.” Users are advised to apply the latest fixes, limit network access, audit running instances for internet exposure, and isolate and secure them behind a firewall. It’s also recommended to deploy an authentication proxy or API gateway in front of all Ollama instances, as the REST API does not provide authentication out of the box.
Two Unpatched Flaws in Ollama Lead to Persistent Code Execution The development comes as researchers at Striga detailed two vulnerabilities in Ollama’s Windows update mechanism that can be chained into persistent code execution. The shortcomings remain unpatched following disclosure on January 27, 2026, and have been published following the elapse of a 90-day disclosure period. According to Bartłomiej “Bartek” Dmitruk, co-founder of Striga, the Windows desktop client auto-starts on login from the Windows Startup folder, listens on 127.0.0[.]1:11434, and periodically polls for updates in the background via the /api/update endpoint to run any pending updates on the next app start. The identified vulnerabilities relate to a path traversal and a missing signature check that, when combined with the on-login routine, can permit an attacker with the ability to influence update responses to execute arbitrary code at every login.
The flaws are listed below - CVE-2026-42248 (CVSS score: 7.7) - A missing signature verification vulnerability that does not verify the update binary prior to installation, unlike its macOS version. CVE-2026-42249 (CVSS score: 7.7) - A path traversal vulnerability that stems from the fact that the Windows updater creates the local path for the installer’s staging directory directly from HTTP response headers without sanitizing it. To exploit the flaws, the attacker needs to be in control of an update server that’s reachable by the victim’s Ollama client.In such a situation, it could lead to a scenario where an arbitrary executable is supplied as part of the update process and gets written to the Windows Startup folder without raising any signature check issues. To be able to control the update response, one approach involves overriding the OLLAMA_UPDATE_URL to point the client at a local server on plain HTTP.
The attack chain also assumes AutoUpdateEnabled is on, which is the default setting. What’s more, the missing integrity check can lead to code execution on its own without the need for exploiting the path traversal vulnerability. In this case, the installer is dropped into the expected staging directory. During the next launch from the Startup folder, the update process is invoked without re-verifying the signature, causing the attacker’s code to be executed instead.
That being said, the remote code execution is not persistent, as the next legitimate update overwrites the staged file. By adding the path traversal to the mix, a bad actor can redirect the executable to be written outside the usual path and achieve persistent code execution. According to CERT Polska, which took over the coordinated disclosure process, Ollama for Windows versions 0.12.10 through 0.17.5 are vulnerable to the two flaws. In the interim, users are recommended to turn off automatic updates and remove any existing Ollama shortcut from the Startup folder (“%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup”) to disable the silent on-login execution pathway.
“Any Ollama for Windows installation running version 0.12.10 through 0.22.0 is vulnerable,” Dmitruk said. “The path traversal writes attacker-chosen executables into the Windows Startup folder. The missing signature verification keeps them there: the post-write cleanup that would remove unsigned files on a working updater is a no-op on Windows. On the next login, Windows runs whatever was left behind.” “The chain produces persistent, silent code execution at the privilege level of the user running Ollama.
Realistic payloads include reverse shells, info-stealers exfiltrating browser secrets and SSH keys, or droppers that pivot to additional persistence mechanisms. Anything that runs as the current user. Removing the dropped binary from the Startup folder ends the persistence, but the underlying flaws remain.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch Now
cPanel has released updates to address three vulnerabilities in cPanel and Web Host Manager (WHM) that could be exploited to achieve privilege escalation, code execution, and denial-of-service. The list of vulnerabilities is as follows - CVE-2026-29201 (CVSS score: 4.3) - An insufficient input validation of the feature file name in the “feature::LOADFEATUREFILE” adminbin call that could result in an arbitrary file read. CVE-2026-29202 (CVSS score: 8.8) - An insufficient input validation of the “plugin” parameter in the “create_user API” call that could result in arbitrary Perl code execution on behalf of the already authenticated account’s system user. CVE-2026-29203 (CVSS score: 8.8) - An unsafe symlink handling vulnerability that allows a user to modify access permissions of an arbitrary file using chmod, resulting in denial-of-service or possible privilege escalation.
The shortcomings have been patched in the following versions - cPanel and WHM - 11.136.0.9 and higher 11.134.0.25 and higher 11.132.0.31 and higher 11.130.0.22 and higher 11.126.0.58 and higher 11.124.0.37 and higher 11.118.0.66 and higher 11.110.0.116 and higher 11.110.0.117 and higher 11.102.0.41 and higher 11.94.0.30 and higher 11.86.0.43 and higher WP Squared - 11.136.1.10 and higher cPanel has released 110.0.114 as a direct update for customers who are still on CentOS 6 or CloudLinux 6. Users are advised to update to the latest versions for optimal protection. While there is no evidence that the vulnerabilities have been exploited in the wild, the disclosure comes days after another critical flaw in the product ( CVE-2026-41940 ) has been weaponized by threat actors as a zero-day to deliver Mirai botnet variants and a ransomware strain called Sorry. Found this article interesting?
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms
Threat hunters have flagged a previously undocumented Brazilian banking trojan dubbed TCLBANKER that’s capable of targeting 59 banking, fintech, and cryptocurrency platforms. The activity is being tracked by Elastic Security Labs under the moniker REF3076 . The malware family is assessed to be a major update of the Maverick family, which is known to leverage a worm called SORVEPOTEL to spread via WhatsApp Web to a victim’s contacts. The Maverick campaign is attributed to a threat cluster that Trend Micro calls Water Saci.
At the core of the attack chain is a loader with robust anti-analysis capabilities that deploys two embedded modules: a full-featured banking trojan and a worm component that uses WhatsApp and Microsoft Outlook for propagation. “The observed infection chain bundles a malicious MSI installer inside a ZIP file,” security researchers Jia Yu Chan, Daniel Stepanic, Seth Goodwin, and Terrance DeJesus said . “These MSI installer packages are abusing a signed Logitech program called Logi AI Prompt Builder.” The malware leverages DLL side-loading against the application to launch a malicious DLL (“screen_retriever_plugin.dll”), which functions as a loader with a “comprehensive watchdog subsystem” that continuously keeps an eye out for analysis tools, sandboxes, debuggers, disassemblers, instrumentation tools, and antivirus software to sidestep detection. Specifically, the malicious DLL will only execute if it was loaded by either “logiaipromptbuilder.exe” (the Logitech program) or “tclloader.exe” (likely a reference to an executable used during testing).
It also removes any usermode hooks placed by endpoint security software within “ntdll.dll” by replacing the library and disables Event Tracing for Windows (ETW) telemetry. What’s more, the malware generates three fingerprints based on anti-debugging and anti-virtualization checks, system disk information checks, and language checks, using them to create an environment hash value that’s used to decrypt the embedded payload. The system language check ensures that the user’s default language is Brazilian Portuguese. “For example, if a debugger is present, it will produce an incorrect hash, so when the malware attempts to derive the decryption keys from the hash, the payload will not decrypt correctly, and TCLBANKER will stop executing,” Elastic explained.
The main component launched following these checks is the banking trojan that once again verifies if it’s running on a Brazilian system, and then proceeds to establish persistence using a scheduled task. Subsequently, it beacons out to an external server with an HTTP POST request containing basic system information. TCLBANKER also incorporates a self-update mechanism and a URL monitor that extracts the current URL from the foreground browser’s address bar using UI Automation . This step targets popular browsers like Google Chrome, Mozilla Firefox, Microsoft Edge, Brave, Opera, and Vivaldi.
The extracted URL is matched against a hard-coded list of targeted financial institutions. If there is a match, it establishes a WebSocket connection to a remote server and enters into a command dispatch loop, enabling the operator to perform a broad range of tasks - Run shell commands Capture screenshots Start/stop screen streaming Manipulate clipboard Launch a keylogger Remotely control mouse/keyboard Manage files and processes Enumerate running processes List visible windows Serve fake credential-stealing overlays To conduct data theft, TCLBANKER relies on a Windows Presentation Foundation (WPF)-based full-screen overlay framework to conduct social engineering using credential harvesting prompts, vishing wait screens, bogus progress bars, and fake Windows Updates, all while hiding overlays from screen capture tools. In tandem, the loader invokes the worming module to propagate the trojan via spam and phishing messages at scale. It employs a two-pronged approach that involves a WhatsApp Web worm that hijacks authenticated browser sessions and an Outlook email bot that abuses Microsoft Outlook to send fake emails to the victim’s contacts.
Like in the case of SORVEPOTEL , the WhatsApp worm retrieves a messaging template from the server and leverages the open-source project WPPConnect to automate the sending of messages to other users, while filtering out groups, broadcasts, and non-Brazilian numbers. The Outlook agent, on the other hand, is an email spambot that abuses the victim’s installed Microsoft Outlook application to send phishing emails from the victim’s email address, thereby bypassing spam filters and giving the messages an illusion of trust. “TCLBANKER hijacks a victim’s WhatsApp session and Outlook account to spam up to 3,000 contacts with the trojanized installer, this sends malware from the victim’s own accounts, through their own contacts, using legitimate infrastructure,” an Elastic spokesperson told The Hacker News. Traditional email gateways and reputation-based defenses are essentially blind to it.
REF3076 appears to be in early operational stages, with debug logging paths, test process names, and an incomplete phishing site present in the code. This indicates the campaign is still being fleshed out and could further evolve over time. “TCLBANKER reflects a broader maturation happening across the Brazilian banking trojan ecosystem,” Elastic concluded. “Techniques that were once the hallmark of more sophisticated threat actors: environment-gated payload decryption, direct syscall generation, real-time social engineering orchestration over WebSocket, are now being packaged into commodity crimeware.” “The campaign inherits the trust and deliverability of legitimate communications by hijacking victims’ WhatsApp sessions and Outlook accounts.
This is a distribution model that traditional email gateways and reputation-based defenses are ill-equipped to catch.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Fake Call History Apps Stole Payments From Users After 7.3 Million Play Store Downloads
Cybersecurity researchers have discovered fraudulent apps on the official Google Play Store for Android that falsely claimed to offer access to call histories for any phone number, only to trick users into joining a subscription that provided fake data and incurred financial loss. The 28 apps have collectively racked up more than 7.3 million downloads, with one of them alone accounting for over 3 million downloads, before they were taken down from the official app storefront.The activity, codenamed CallPhantom by Slovakian cybersecurity company ESET, primarily targeted Android users in India and the broader Asia-Pacific region. “The offending apps, which we named CallPhantom based on their false claims, purport to provide access to call histories, SMS records, and even WhatsApp call logs for any phone number,” ESET security researcher Lukáš Štefanko said in a report shared with The Hacker News. “To unlock this supposed feature, users are asked to pay – but all they get in return is randomly generated data.” The list of identified apps is below - Call history : any number deta (calldetaila.ndcallhisto.rytogetan.ynumber) Call History of Any Number (com.pixelxinnovation.manager) Call Details of Any Number (com.app.call.detail.history) Call History Any Number Detail (sc.call.ofany.mobiledetail) Call History Any Number Detail (com.cddhaduk.callerid.block.contact) Call History Of Any Number (com.basehistory.historydownloading) Call History of Any Numbers (com.call.of.any.number) Call History Of Any Number (com.rajni.callhistory) Call History Any Number Detail (com.callhistory.calldetails.callerids.callerhistory.callhostoryanynumber.getcall.history.callhistorymanager) Call History Any Number Detail (com.callinformative.instantcallhistory.callhistorybluethem.callinfo) Call History Any Number detail (com.call.detail.caller.history) Call History Any Number Detail (com.anycallinformation.datadetailswho.callinfo.numberfinder) Call History Any Number Detail (com.callhistory.callhistoryyourgf) Call History Any Number (com.calldetails.smshistory.callhistoryofanynumber) Call History Any Number Detail (com.callhistory.anynumber.chapfvor.history) Call History of Any Number (com.callhistory.callhistoryany.call) Call History Any Number Detail (com.name.factor) Call History Of Any Number (com.getanynumberofcallhistory.callhistoryofanynumber.findcalldetailsofanynumber) Call History Of Any Number (com.chdev.callhistory) Phone Call History Tracker (com.phone.call.history.tracke) Call History- Any Number Deta (com.pdf.maker.pdfreader.pdfscanner) Call History Of Any Number (com.any.numbers.calls.history) Call History Any Number Detail (com.callapp.historyero) Call History - Any Number Data (all.callhistory.detail) Call History For Any Number (com.easyranktools.callhistoryforanynumber) Call History of Numbers (com.sbpinfotech.findlocationofanynumber) Call History of Any Number (callhistoryeditor.callhistory.numberdetails.calleridlocator) Call History Pro (com.all_historydownload.anynumber.callhistorybackup) At least one of the flagged apps was published under the developer name “Indian gov.in” in an attempt to build a false sense of trust and unsuspecting trick users into downloading it.
However, this trick masks a nefarious motive where victims are asked to make a payment in order to view details of a phone number’s call and SMS history. Once the payment is made, users are served entirely fabricated phone numbers and names directly embedded into the source code. Evidence indicates that the activity may have been active since at least November 2025 . A second cluster of these apps has been found to prompt users to enter their email address to which the purported details of any phone number would be delivered to.
As in the prior case, no data is generated until a payment is made. The payments either rely on subscriptions via Google Play Store’s official billing system or via third-party apps that support Unified Payments Interface (UPI), an instant payment system widely used in India. Ironically, this list includes Google Pay, Walmart-backed PhonePe, and Paytm. A third method includes payment card checkout forms directly inside the apps.
The last two approaches are in violation of Google’s policy. In at least one case, the apps implemented an additional trick to convince the user to make a payment. Should they exit the app without making any payment, it displays a deceptive notification claiming that a call history for a certain phone number had been successfully sent to their email address. Clicking on the notification directly takes the user to a subscription screen.
The subscription plans vary across the app, ranging anywhere from about $6 to $80. Users who may have fallen prey to the scam should have had their subscriptions canceled after the apps were removed from the Google Play Store. What makes this activity notable is that the apps have a simple user interface and do not request any sensitive permissions. And to top it all, they do not even contain any functionality to retrieve call, SMS, or WhatsApp data.
“Users who subscribed via official Google Play billing may be eligible for refunds under Google’s refund policies,” ESET said. “Purchases made via third‑party payment apps or through direct payment card entry cannot be refunded by Google, leaving users dependent on external payment providers or developers.” The disclosure comes as Group-IB said bad actors have stolen an estimated $2 million from Indonesian users as part of a fraud campaign that involved posing as the country’s tax platform, CoreTax, and other trusted brands. The campaign, which began in July 2025, has been linked to a financially motivated threat cluster called GoldFactory . “The attack chain integrates phishing websites, social engineering (WhatsApp), malicious APK sideloading, and voice phishing (vishing) to achieve full device compromise and unauthorized transfer execution,” Group-IB said .
At a high level, these attacks involve using social engineering to distribute the fake apps via WhatsApp, which, when installed, deploy Android malware such as Gigabud RAT , MMRat , and Taotie that are capable of harvesting sensitive data and downloading additional components. The stolen information is then used to conduct account takeover attacks and financial theft. “The malware infrastructure supporting this fraud campaign is not limited to a single impersonated service. The same infrastructure has been observed actively abusing more than 16 trusted brands, collectively targeting Indonesia’s broader population of approximately 287 million,” Group-IB said.
Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
One Click, Total Shutdown: The “Patient Zero” Webinar on Killing Stealth Breaches
The hardest part of cybersecurity isn’t the technology, it’s the people. Every major breach you’ve read about lately usually starts the same way: one employee, one clever email, and one “Patient Zero” infection. In 2026, hackers are using AI to make these “first clicks” nearly impossible to spot. If a single laptop gets compromised on your watch, do you have a plan to stop it from taking down the whole company?
Register for the Webinar: The Patient Zero Playbook What is “Patient Zero”? In medicine, Patient Zero is the first person to carry a disease into a population. In cybersecurity, it’s the first device an attacker hits. Once they are “in,” they don’t stay there—they move fast to find your data, your passwords, and your backups.
What You Will Learn Thisisn’t a boring lecture. It is a technical deep dive into how modern breaches start and how to kill them instantly. We are covering: The AI Phish: How attackers use generative AI to bypass your current filters. The 5-Minute Window: Why the first few minutes of an infection determine if you’ll be in the news tomorrow.
Zero Trust in Action: How to isolate an infected device so the “virus” has nowhere to go. The Recovery Blueprint: What to do the second you realize you have a Patient Zero. Why You Can’t Miss This Most security tools are great at finding “known” viruses. But they struggle with stealthy, custom-made attacks designed specifically for your company.
This webinar shows you how to build a defense that assumes someone will click a bad link—and ensures that click doesn’t cost you millions. Secure Your Spot – Register Now ➜ Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise
A previously undocumented Linux implant codenamed Quasar Linux RAT (QLNX) is targeting developers’ systems to establish a silent foothold as well as facilitate a broad range of post-compromise functionality, such as credential harvesting, keylogging, file manipulation, clipboard monitoring, and network tunneling. “QLNX targets developers and DevOps credentials across the software supply chain,” Trend Micro researchers Aliakbar Zahravi and Ahmed Mohamed Ibrahim said in a technical analysis of the malware. “Its credential harvester extracts secrets from high-value files such as .npmrc (npm tokens), .pypirc (PyPI credentials), .git-credentials, .aws/credentials, .kube/config, .docker/config.json, .vault-token, Terraform credentials, GitHub CLI tokens, and .env files. The compromise of these assets could allow the operator to push malicious packages to NPM or PyPI registries, access cloud infrastructure, or pivot through CI/CD pipelines.” The malware’s ability to systematically harvest a wide range of credentials poses a severe risk to developer environments.
A threat actor who successfully deploys QLNX against a package maintainer gains unauthorized access to their publishing pipeline, allowing the attacker to push poisoned versions that can lead to cascading downstream impacts. QLNX executes filelessly from memory, masquerades itself as a kernel thread (e.g., kworker or ksoftirqd), and is capable of profiling the host to detect containerized environments, wiping system logs to cover up the tracks, and setting up persistence using no less than seven different methods, including systemd, crontab, and .bashrc shell injection. Furthermore, it exfiltrates the collected data to an attacker-controlled infrastructure, and receives commands that make it possible to execute shell commands, manage files, inject code into processes, take screenshots, log keystrokes, establish SOCKS proxies and TCP tunnels, run Beacon Object Files (BOFs), and even manage a peer-to-peer (P2P) mesh network. Exactly how the malware is delivered is unclear.
However, once a foothold is established, it enters a primary operational phase by running a persistent loop that continuously attempts to establish and maintain communication with the command-and-control (C2) server over raw TCP, HTTPS, and HTTP. In total, QLNX supports 58 distinct commands that give the operators complete control of the compromised host. QLNX also comes with a Pluggable Authentication Module ( PAM ) inline-hook backdoor that intercepts plaintext credentials during authentication events, logs outbound SSH session data, and transmits the data to the C2 server. The malware also supports a second PAM-based credentials logger that’s automatically loaded into every dynamically linked process to extract the service name, username, and authentication token.
It employs a two-tiered rootkit architecture: a userland rootkit deployed through the Linux dynamic linker’s LD_PRELOAD mechanism to ensure that the implant’s artifacts and processes stay hidden. There also exists a kernel-level eBPF component that uses BPF subsystem to conceal processes, files, and network ports from standard userland tools such as ps, ls, and netstat upon receiving instructions from the C2 server. “The QLNX implant was built for long-term stealth and credential theft,” Trend Micro said. “What makes it particularly dangerous is not any single feature, but how its capabilities chain together into a coherent attack workflow: arrive, erase from disk, persist through six redundant mechanisms, hide at both userspace and kernel level, and then harvest the credentials that matter most.” Found this article interesting?
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
One Missed Threat Per Week: What 25M Alerts Reveal About Low-Severity Risk
The dark secret of enterprise security operations is that defenders have quietly institutionalized the practice of not looking. This is not just anecdotal, but rather backed by a recent report investigating more than 25 million security alerts, including informational and low-severity, across live enterprise environments. The dataset behind these findings includes 10 million monitored endpoints and identities, 82,000 forensic endpoint investigations including live memory scans, 180 million files analyzed, and telemetry from 7 million IP addresses, 3 million domains and URLs, and over 550,000 phishing emails. The patterns that emerge from this data tell a consistent story.
Threat actors are exploiting the predictable gaps created by constrained, severity-based security operations, and they are doing it systematically. Understanding where those gaps actually live requires looking at the full alert picture, starting with the category most teams have been conditioned to ignore. The 1% problem that adds up to one missed breach per week In this analysis of 25M alerts, nearly 1% of confirmed incidents originated from alerts initially classified as low-severity or informational. On endpoints specifically, that figure climbed to nearly 2%.
At enterprise scale, percentages like these are not noise. The average organization generates approximately 450,000 alerts per year. One percent of that is roughly 54 real threats annually, about one per week, that never get investigated under a traditional SOC or MDR model. Detection did not fail.
Triage economics just made investigation impossible. These are not theoretical risks sitting at the edge of an attacker’s wishlist. They are real compromises hiding in the category of alerts that operations teams have been trained to deprioritize. EDR “mitigated” does not mean clean Endpoint findings from the report deserve special attention because they challenge a foundational assumption in most security programs: that EDR remediation can be trusted at face value.
Of the 82,000 alerts that underwent live forensic memory scans, 2,600 had active infections. Of those confirmed compromised endpoints, 51% had already been marked as “mitigated” by the source EDR vendor. In over half of confirmed endpoint compromises detected through forensic analysis, the EDR had closed the ticket and declared the threat resolved. Without memory-level forensics, those infections remain invisible.
The tools most organizations rely on as their endpoint safety net are reporting clean on machines that are not clean. The malware families found running in memory during these scans include Mimikatz, Cobalt Strike, Meterpreter, and StrelaStealer, not obscure proof-of-concept tools, but the workhorses of active criminal and nation-state operations. Phishing has left your email gateway behind The phishing data in the report reflects a fundamental shift in attacker methodology that most email security architectures are not designed to catch. Less than 6% of confirmed malicious phishing emails contained attachments.
Most relied on links and language. More significantly, attackers have migrated their infrastructure onto platforms that are trusted by default: Vercel, CodePen, OneDrive, and even PayPal’s own invoicing system. One campaign documented in the report uses PayPal’s legitimate payment request infrastructure to send threat emails, with callback numbers embedded in the payment notes and Unicode homoglyphs to defeat signature-based detection. The sending domain passes every standard authentication check because the mail genuinely originates from PayPal.
Cloudflare Turnstile CAPTCHA has become a reliable signal of malicious intent: sites using it were consistently more likely to be phishing pages, while Google reCAPTCHA correlated with legitimate infrastructure. Attackers are using the mechanisms built to stop bots to stop automated security scanners instead. Four new techniques for bypassing email gateways were identified in the data: Base64 payloads hidden inside SVG image files, links embedded in PDF annotation metadata invisible to surface-level scanners, dynamically loaded phishing pages served through legitimate OneDrive shares, and DOCX files concealing archived HTML content containing QR codes. None of these is exotic.
They are operational techniques being used at scale. Cloud telemetry shows attackers playing long games Cloud alert data from the report shows a pronounced concentration around defense evasion and persistence tactics, with relatively few high-impact behaviors like lateral movement or privilege escalation appearing in the signal. Attackers are being both cautious and patient. The dominant pattern is long-term access.
Token manipulation, abuse of legitimate cloud features, andobfuscation to avoid triggering higher-severity detections. The goal is to remain present and undetected, not to make noise. AWS misconfigurations compound this risk quietly. S3 accounts for roughly 70% of all cloud control violations in the dataset, with the most common issues centered on access management, server logging, and cross-account restrictions.
These findings rarely trigger alerts. Most are classified as low severity. And they have been repeatedly exploited once attackers establish any foothold, dramatically accelerating what they can do next. Why traditional SOCs and MDRs cannot close this gap This is an operational and capacity problem that technology alone did not solve until recently.
Human analysts do not scale with alert volume. As telemetry expands across endpoint, cloud, identity, network, and SaaS, every SOC eventually hits the same ceiling. The only way to operate within budget is aggressive triage: automate most closures, investigate only what looks critical, and trust that severity labels reflect reality. The 2026 data shows that trust is misplaced at scale.
MDR providers face identical constraints. The human-scaled operating model means approximately 60% of alerts still go unreviewed whether handled in-house or outsourced. Adding more analysts moves the ceiling but does not eliminate it. SOAR platforms give you workflow automation but require your team to design every playbook and still do not replace investigative execution.
The deeper problem is the feedback loop that never closes. When low-severity alerts are never investigated, missed threats never surface. Detection rules that fail to catch real attacks never get corrected. The system does not self-improve because the inputs it would need to improve are never examined.
What changes when you investigate everything Investigating all 25 million alerts in the above-cited report required removing the constraint that has historically made full coverage impossible. Specifically, human analyst capacity is the bottleneck. In this dataset, Intezer AI SOC was used to triage and investigate, with less than 2% of alerts escalated to a human analyst, 98% verdict accuracy, and sub-minute median triage time across the full volume. The effects of full-coverage investigation are measurable.
When every alert receives forensic-grade analysis regardless of severity, triage outcomes are grounded in evidence rather than assumptions about what low-severity labels mean. Early-stage threats that produce only weak initial signals,get surfaced before they progress. Detection engineering also benefits directly, because every investigation generates feedback that can be looped back into rule tuning at the source. The practical result for human analysts is a shift in where their time is spent.
Escalations become less frequent and higher confidence, which means analysts engage at the point of decision rather than spending capacity on discovery and initial classification. For the broader organization, this translates into a security posture that improves continuously rather than one that holds steady while the threat landscape moves around it. To explore the full report and research findings, see the 2026 AI SOC Report for CISOs by Intezer . Found this article interesting?
This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials
Cybersecurity researchers have disclosed details of a new Linux backdoor named PamDOORa that’s being advertised on the Rehub Russian cybercrime forum for $1,600 by a threat actor called “darkworm.” The backdoor is designed as a Pluggable Authentication Module ( PAM )-based post-exploitation toolkit that enables persistent SSH access by means of a magic password and specific TCP port combination. It’s also capable of harvesting credentials from all legitimate users who authenticate through the compromised system. “The tool, called PamDOORa, is a new PAM-based backdoor, designed to serve as a post-exploitation backdoor, enabling authentication to servers via OpenSSH,” Flare.io researcher Assaf Morag said in a technical report. “Allegedly this would remain persistent on Linux systems (x86_64).” PamDOORa is the second Linux backdoor after Plague to be discovered targeting the PAM stack over the past year.
PAM is a security framework in Unix/Linux operating systems that grants system administrators the ability to incorporate multiple authentication mechanisms or update them (e.g., switching from passwords to biometrics) into an existing system through the use of pluggable modules without the need for rewriting existing applications. Because PAM modules typically run with root privileges , a compromised, misconfigured, or malicious module can introduce significant security risks and open the door to credential harvesting and unauthorized access. “Despite its strengths, the Pluggable Authentication Module’s (PAM) modularity introduces risks, as malicious modifications to PAM modules can create backdoors or steal user credentials, especially since PAM does not store passwords but transmits values in plaintext,” Group-IB noted in September 2024. “The pam_exec module, which allows the execution of external commands, can be exploited by attackers to gain unauthorized access or establish persistent control by injecting malicious scripts into PAM configuration files.” The Singaporean security vendor also detailed how it’s possible to manipulate PAM configuration for SSH authentication to execute a script via pam_exec, effectively allowing a bad actor to obtain a privileged shell on a host and facilitate stealthy persistence.
The latest findings from Flare.io show that PamDOORa, besides enabling credential theft, incorporates anti-forensic capabilities to methodically tamper with authentication logs to erase traces of malicious activity. Although there is no evidence that the malware has been put to use in real-world attacks, infection chains distributing the malware are likely to involve the adversary first obtaining root access to the host through some other means and deploying the PamDOORa PAM module to capture credentials and establish persistent access over SSH. Morag told The Hacker News that PamDOORa was compared with several similar PAM-based backdoors, including Plague. Although they share a similar approach of altering the PAM behavior to enable credential capture, the “small differences in the design” indicate that the backdoor does not overlap with any of them.
“But without comparing the two binaries, we cannot completely rule out,” Morag added. After an initial asking price of $1,600 on March 17, 2026, the “darkworm” persona has since reduced it by almost 50% to $900 as of April 9, indicating either a lack of buyer interest or an intent to accelerate a sale. “PamDOORa represents an evolution over existing open-source PAM backdoors,” Morag explained. “While the individual techniques (PAM hooks, credential capture, log tampering) are well-documented, the integration into a cohesive, modular implant with anti-debugging, network-aware triggers, and a builder pipeline places it closer to operator-grade tooling than the crude proof-of-concept scripts found in most public repositories.” Found this article interesting?
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Linux Kernel Dirty Frag LPE Exploit Enables Root Access Across Major Distributions
Details have emerged about a new, unpatched local privilege escalation (LPE) vulnerability impacting the Linux kernel. Dubbed Dirty Frag , it has been described as a successor to Copy Fail (CVE-2026-31431, CVSS score: 7.8), a recently disclosed LPE flaw impacting the Linux kernel that has since come under active exploitation in the wild. The vulnerability was reported to Linux kernel maintainers on April 30, 2026. “Dirty Frag is a vulnerability (class) that achieves root privileges on most Linux distributions by chaining the xfrm-ESP Page-Cache Write vulnerability and the RxRPC Page-Cache Write vulnerability,” security researcher Hyunwoo Kim (@v4bel) said in a write-up.
“Dirty Frag is a case that extends the bug class to which Dirty Pipe and Copy Fail belong. Because it is a deterministic logic bug that does not depend on a timing window, no race condition is required, the kernel does not panic when the exploit fails, and the success rate is very high.” The vulnerability currently does not have a CVE identifier, as the embargo is said to have been broken after detailed information and an exploit for the xfrm-ESP Page-Cache Write vulnerability were published publicly by an unrelated third-party. Successful exploitation of the flaw could allow an unprivileged local user to gain elevated root access on most Linux distributions, including Ubuntu 24.04.4, RHEL 10.1, openSUSE Tumbleweed, CentOS Stream 10, AlmaLinux 10, and Fedora 44. According to the researcher, the xfrm-ESP Page-Cache Write vulnerability was introduced in a source code commit made in January 2017, while the RxRPC Page-Cache Write vulnerability was introduced in June 2023.
Interestingly, the same January 17, 2017, commit was the root cause behind another buffer overflow ( CVE-2022-27666 , CVSS score: 7.8) that affected various Linux distributions. xfrm-ESP Page-Cache Write, which is rooted in the IPSec (xfrm) subsystem, provides attackers with a 4-byte store primitive like Copy Fail and overwrites a small amount in the kernel’s page cache. However, the exploit requires the unprivileged user to create a namespace, a step that’s blocked by Ubuntu through AppArmor . In such an environment, xfrm-ESP Page-Cache Write cannot be triggered.
That’s where the second exploit, RxRPC Page-Cache Write, comes in. “RxRPC Page-Cache Write does not require the privilege to create a namespace, but the rxrpc.ko module itself is not included in most distributions,” Kim explained. “For example, the default build of RHEL 10.1 does not ship rxrpc.ko. However, on Ubuntu, the rxrpc.ko module is loaded by default.” “Chaining the two variants makes the blind spots cover each other.
In an environment where user namespace creation is allowed, the ESP exploit runs first. Conversely, on Ubuntu, where user namespace creation is blocked but rxrpc.ko is built, the RxRPC exploit works.” CloudLinx, in an advisory of its own, said the flaw resides in the “ESP-in-UDP MSG_SPLICE_PAGES no-COW fast path and is reachable via the XFRM user netlink interface.” “The bug lives in the in-place decryption fast paths of esp4, esp6, and rxrpc: when a socket buffer carries paged fragments that are not privately owned by the kernel (e.g., pipe pages attached via splice(2)/sendfile(2)/MSG_SPLICE_PAGES), the receive path decrypts directly over those externally-backed pages, exposing or corrupting plaintext that an unprivileged process still holds a reference to,” AlmaLinux said . Similar advisories have been released by other Linux distributions - Amazon Linux Debian ( xfrm-ESP Page-Cache Write , RxRPC Page-Cache Write ) Red Hat Enterprise Linux Rocky Linux SUSE Adding to the urgency is the release of a working proof-of-concept (PoC) that can be exploited to gain root in a single command. Until the patches are available, it’s advised to blocklist esp4, esp6, and rxrpc modules so they cannot be loaded - sudo sh -c “printf ‘install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n’ > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true” It’s worth mentioning here that Dirty Frag, despite sharing some overlaps with Copy Fail, can be exploited irrespective of whether the Linux kernel’s algif_aead module is enabled or not.
“Note that Dirty Frag can be triggered regardless of whether the algif_aead module is available,” the researcher said. “In other words, even on systems where the publicly known Copy Fail mitigation (algif_aead blacklist) is applied, your Linux is still vulnerable to Dirty Frag.” Update The xfrm-ESP Page-Cache Write vulnerability has been assigned CVE-2026-43284 and patched in mainline at f4c50a4034e6 . The RxRPC Page-Cache Write vulnerability has been assigned the identifier CVE-2026-43500, although no patch is available as of writing. “On hosts that do not run container workloads, the vulnerability allows a local user to elevate privileges to the root user,” Ubuntu said .
“In container deployments that may execute arbitrary third-party workloads, the vulnerability may additionally facilitate container escape scenarios, in addition to local privilege escalation on the host.” In an advisory, Google-owned Wiz described Dirty Frag as a vulnerability chain that combines two page-cache write primitives in the Linux kernel: one in the xfrm-ESP (IPsec) subsystem and another in RxRPC. “Both flaws allow modification of page-cache-backed memory that is not exclusively owned by the kernel, enabling corruption of sensitive files and ultimately privilege escalation,” researchers Merav Bar and Rami McCarthy said . “Unlike race-condition-based exploits, this bug class is deterministic and highly reliable, similar to previous vulnerabilities like Copy Fail and Dirty Pipe.” “To pull off this exploit, an attacker needs two things: access to specific vulnerable kernel interfaces and the ability to manipulate page-backed buffers (e.g., via splice()-related paths). However, there is a significant hurdle: the exploit usually requires high-level system permissions, such as CAP_NET_ADMIN.
This means exploitation is less likely in hardened containerized environments (e.g., Kubernetes with default seccomp profiles).” Limited In-The-Wild Exploitation Observed Microsoft said it’s currently observing limited in-the-wild activity to achieve privilege escalation using the “su” (aka substitute user) command, which it noted “may be indicative of techniques associated with either ‘Dirty Frag’ or ‘ Copy Fail ‘.” “The campaign shows a sequential attack timeline where an external connection gains SSH access and spawns an interactive shell, followed by staging and execution of an ELF binary (./update) that immediately triggers a privilege escalation via ‘su,’” Microsoft added . Upon gaining elevated access, the unknown threat actors have been found to modify a GLPI LDAP authentication file, perform reconnaissance of the GLPI directory and system configuration, and inspect an exploit artifact. This step is followed by the attackers accessing sensitive data and interacting with multiple PHP session files, including deleting and forcefully wiping some of them, likely in an attempt to disrupt active sessions and access to session contents. “Dirty Frag is notable because it introduces multiple kernel attack paths involving rxrpc and esp/xfrm networking components to improve exploitation reliability,” Microsoft said.
“Rather than relying on narrow timing windows or unstable corruption conditions often associated with Linux local privilege escalation exploits, Dirty Frag appears designed to increase consistency across vulnerable environments.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access
Ivanti is warning that a new security flaw impacting Endpoint Manager Mobile (EPMM) has been explored in limited attacks in the wild. The high-severity vulnerability, CVE-2026-6973 (CVSS score: 7.2), is a case of improper input validation affecting EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1. It allows “a remotely authenticated user with administrative access to achieve remote code execution,” Ivanti said in an advisory released today. “We are aware of a very limited number of customers exploited with CVE-2026-6973.
Successful exploitation requires Admin authentication. If customers followed Ivanti’s recommendation in January to rotate credentials if you were exploited with CVE-2026-1281 and CVE-2026-1340 , then your risk of exploitation from CVE-2026-6973 is significantly reduced.” It’s currently not known who is behind the exploitation efforts, if any of those attacks were successful, and what the end goals of the attacks were. The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the flaw to its Known Exploited Vulnerabilities ( KEV ) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by May 10, 2026.
Also patched by Ivanti in EPMM are four other flaws - CVE-2026-5786 (CVSS score: 8.8) - An improper access control vulnerability that allows a remote authenticated attacker to gain administrative access. CVE-2026-5787 (CVSS score: 8.9) - An improper certificate validation vulnerability that allows a remote unauthenticated attacker to impersonate registered Sentry hosts and obtain valid CA-signed client certificates. CVE-2026-5788 (CVSS score: 7.0) - An improper access control vulnerability that allows a remote unauthenticated attacker to invoke arbitrary methods. CVE-2026-7821 (CVSS score: 7.4) - An improper certificate validation vulnerability that allows a remote unauthenticated attacker to enroll a device belonging to a restricted set of unenrolled devices, leading to information disclosure about the EPMM appliance and impacting the integrity of the newly enrolled device identity.
“The issues only affect the on-prem EPMM product, and are not present in Ivanti Neurons for MDM, Ivanti’s cloud-based unified endpoint management solution, Ivanti EPM (a similarly named, but different product), Ivanti Sentry, or any other Ivanti products,” the company said . Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
PCPJack Credential Stealer Exploits 5 CVEs to Spread Worm-Like Across Cloud Systems
Cybersecurity researchers have disclosed details of a new credential theft framework dubbed PCPJack that targets exposed cloud infrastructure and ousts any artifacts linked to TeamPCP from the environments. “The toolset harvests credentials from cloud, container, developer, productivity, and financial services, then exfiltrates the data through attacker-controlled infrastructure while attempting to spread to additional hosts,” SentinelOne security researcher Alex Delamotte said in a report published today. PCPJack is specifically designed to target cloud services like Docker, Kubernetes, Redis, MongoDB, RayML, and vulnerable web applications, allowing the operators to spread in a worm-like fashion, aswell as move laterally within the compromised networks. It’s assessed that the end goal of the cloud attack campaign is to generate illicit revenue for the threat actors through credential theft, fraud, spam, extortion, or resale of stolen access.
The What makes this activity notable is that it shares significant targeting overlaps with TeamPCP , a threat actor that rose to prominence late last year by exploiting known security vulnerabilities (e.g., React2Shell ) and misconfigurations in cloud services to enlist the endpoints in an ever-expanding network for conducting data theft and other post-exploitation actions. At the same time, PCPJack lacks a cryptocurrency mining component, unlike TeamPCP. While it’s not known why this obvious monetization strategy was not adopted, the similarities between the two clusters indicate that PCPJack could be the work of a former member of TeamPCP who is familiar with the group’s tradecraft. The starting point of the attack is a bootstrap shell script that’s used to prepare the environment – such as configuring the payload host – and download next-stage tooling, while simultaneously taking steps to infect its own infrastructure, terminate and remove processes or artifacts that are associated with TeamPCP, install Python, establish persistence, download six Python scripts, launch the orchestration script, and remove itself.
The six Python payloads are as follows - worm.py (written to disk as monitor.py), the main orchestrator that launches the purpose-built modules, conducts local credential theft, propagates the toolset to other hosts by exploiting known flaws ( CVE-2025-55182 , CVE-2025-29927 , CVE-2026-1357 , CVE-2025-9501 , and CVE-2025-48703 ), and uses Telegram for command-and-control (C2) parser.py (utils.py), to handle credential extraction to categorize stolen keys and secrets lateral.py (_lat.py), to facilitate reconnaissance, harvest secrets, and enable lateral movement across SSH, Kubernetes, Docker, Redis, RayML, and MongoDB services crypto_util.py (_cu.py), to encrypt credentials before exfiltration to the attacker’s Telegram channel cloud_ranges.py (_cr.py), to collect IP address ranges assigned to Amazon Web Services (AWS), Google Cloud, Microsoft Azure, Cloudflare, Cloudfront, and Fastly, and refresh the data every 24 hours cloud_scan.py (_csc.py), to run cloud port scanning for external propagation via Docker, Kubernetes, MongoDB, RayML, or Redis services Propagation targets for the orchestrator script come from parquet files that the worm pulls directly from Common Crawl, a non-profit that crawls the web and provides its archives and datasets to the public at no extra cost. “When exfiltrating system information and credentials, the PCPJack operator even collects success metrics on whether TeamPCP has been evicted from targeted environments in a ‘PCP replaced’ field sent to the C2,” Delamotte said. This “implies a direct focus on the threat actor’s activities rather than pure cloud attack opportunism.” Further analysis of the threat actor’s infrastructure has uncovered another shell script (“check.sh”) that detects the CPU architecture and fetches the appropriate Sliver binary. It also scans Instance Metadata Service (IMDS) endpoints, Kubernetes service accounts, and Docker instances for credentials associated with Anthropic, Digital Ocean, Discord, Google API, Grafana Cloud, HashiCorp Vault, OnePassword, and OpenAI, and transmits them to an external server.
“Overall, the two toolsets are well developed and indicate that the owner values making code as a modular framework, despite some redundancies in behavior,” SentinelOne said. “This campaign does not [deploy miners], and it deliberately removes the miner functions associated with TeamPCP. Despite that, this actor has well-defined scopes for extracting cryptocurrency credentials.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
PAN-OS RCE Exploit Under Active Use Enabling Root Access and Espionage
Palo Alto Networks has disclosed that threat actors may have attempted to unsuccessfully exploit a recently disclosed critical security flaw as early as April 9, 2026. The vulnerability in question is CVE-2026-0300 (CVSS score: 9.3/8.7), a buffer overflow vulnerability in the User-ID Authentication Portal service of Palo Alto Networks PAN-OS software that could allow an unauthenticated attacker to execute arbitrary code with root privileges by sending specially crafted packets. While fixes are expected to be released starting May 13, 2026, customers are advised to secure access to the PAN-OS User-ID Authentication Portal by restricting access to trusted zones, or by disabling it entirely if it’s not used. As additional mitigation, the company is recommending that organizations disable Response Pages in the Interface Management Profile for any L3 interface where untrusted or internet traffic can ingress.
Customers with Advanced Threat Prevention can also block exploitation attempts by enabling Threat ID 510019 from Applications and Threats content version 9097-10022. In an advisory issued Wednesday, the network security company said it’s aware of limited exploitation of the flaw. It’s tracking the activity under the CL-STA-1132 , a suspected state-sponsored threat cluster of unknown provenance. “The attacker behind this activity exploited CVE-2026-0300 to achieve unauthenticated remote code execution (RCE) in PAN-OS software.
Upon successful exploitation, the attacker was able to inject shellcode into an nginx worker process,” Palo Alto Networks Unit 42 said . The cybersecurity company said it has observed unsuccessful exploitation attempts against a PAN-OS device starting April 9, 2026, a week after which the attackers managed to successfully obtain remote code execution against the appliance and inject shellcode. As soon as initial access was achieved, the threat actors took steps to clear crash kernel messages, delete nginx crash entries and nginx crash records, and remove crash core dump files in an attempt to cover up the tracks. Post-exploitation activities conducted by the adversary included conducting Active Directory (AD) enumeration and dropping additional payloads like EarthWorm and ReverseSocks5 against a second device on April 29, 2026.
Both tools have been previously used by various China-nexus hacking groups. “Over the last five years, nation-state threat actors engaged in cyber espionage have increasingly focused their efforts on edge-network technological assets, including firewalls, routers, IoT devices, hypervisors and various VPN solutions, which provide high-privilege access while often lacking the robust logging and security agents found on standard endpoints,” Unit 42 said. “The reliance of the attackers behind CL-STA-1132 on open-source tooling, rather than proprietary malware, minimized signature-based detection and facilitated seamless environment integration. This technical choice, combined with a disciplined operational cadence of intermittent interactive sessions over a multi-week period, intentionally remained below the behavioral thresholds of most automated alerting systems.” Found this article interesting?
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.