Reporting Period	Classification	Generated
2026-05-01 (24h)	TLP:CLEAR	2026-05-02

1. Executive Summary

Thirty-six reports were processed across three correlation batches in the last 24 hours, with two critical and twenty-five high-severity items. The day was dominated by ransomware extortion-site activity (sixteen RansomLock entries spanning Qilin, Everest, Safepay, Nightspire, Pear, AiLock, Inc Ransom, and Blackwater) and by a steady drumbeat of vulnerability disclosures. Two critical CVEs surfaced on Telegram threat-actor channels — an Apache MINA deserialization-to-RCE flaw (CVE-2026-42779) and an authentication-bypass tutorial covering CVE-2026-41940 — both circulating with proof-of-concept material. Operationally significant items include the new ConsentFix v3 toolkit, which automates OAuth consent-phishing against Microsoft Azure tenants and bypasses MFA via first-party Microsoft app trust; the continued exposure window for the CopyFail Linux LPE (CVE-2026-31431); a fresh wave in the npm supply-chain assault (Shai-Hulud: The Third Coming and Mini Shai-Hulud, attributed by Unit 42 to TeamPCP); and the public release by ShinyHunters of a 5.1M-record ZenBusiness corpus exfiltrated from Snowflake/Salesforce/Mixpanel. No new CISA KEV additions were observed in the source set for this period.

2. Severity Distribution

Severity	Count	Key Drivers
🔴 CRITICAL	2	CVE-2026-42779 Apache MINA deserialization RCE; CVE-2026-41940 authentication bypass (Telegram PoCs)
🟠 HIGH	25	Qilin/Everest/Safepay/Nightspire/AiLock/Pear ransomware victim posts; ConsentFix v3 OAuth abuse; CopyFail Linux LPE; npm supply-chain campaigns; ZenBusiness 5.1M breach; SMB / Firewalld / FRRouting CVEs
🟡 MEDIUM	5	Instructure cyber incident; further Qilin victims; ocfs2 / ALSA Linux kernel CVEs
🟢 LOW	1	CVE-2026-41080 Microsoft disclosure (low impact)
🔵 INFO	3	Disneyland face recognition coverage; CVE-2026-21510 Akamai write-up; Windows Run dialog refresh

3. Priority Intelligence Items

3.1 CVE-2026-42779 — Apache MINA deserialization filter bypass to RCE (CRITICAL)

Source: Telegram (channel name redacted)

A critical deserialization filter-bypass vulnerability in Apache MINA’s AbstractIoBuffer.resolveClass() is being shared on Telegram with weaponisation context. Crafted serialized data triggers arbitrary Java code execution because the resolveClass implementation does not adequately enforce the configured deserialization filter. Affected products include any application embedding Apache MINA for asynchronous I/O. The disclosure is paired with exploitation guidance, and the same correlation batch links it to other technology-sector vulnerability chatter, suggesting active researcher and adversary interest.

Indicators of Compromise

N/A — no IOCs published with this disclosure.
ATT&CK: T1059 - Command and Scripting Interpreter; T1203 - Exploitation for Client Execution

SOC Action: Inventory Apache MINA usage (direct dependencies and transitive use through frameworks such as Apache Directory and SSHD-MINA). Block or constrain Java deserialization at the application layer using ObjectInputFilter allowlists and verify that any custom resolveClass() overrides cannot be reached via untrusted input. Until vendor patches land, restrict MINA-listening services to trusted network segments and add WAF/IDS signatures for Java serialized object magic bytes (AC ED 00 05) over MINA ports.

3.2 CVE-2026-41940 — Authentication bypass with PoC tutorial in circulation (CRITICAL)

Source: Telegram (channel name redacted)

A Persian-language tutorial walking through exploitation of CVE-2026-41940, an authentication bypass driven by improper input validation in the identity-verification path, is circulating on a Telegram channel. The flaw lets attackers authenticate as any user without valid credentials and is being paired with phishing pretexts (T1566 → T1078) to maximise reach. A companion video posted on the same channel raises the likelihood of low-skill operators picking up the technique.

Indicators of Compromise

N/A — affected product not disclosed in the data set.
ATT&CK: T1078 - Valid Accounts; T1566 - Phishing

SOC Action: Where the affected product can be identified, audit identity-provider logs for unexpected authentication successes lacking corresponding MFA challenge events, and stage anomaly detection for impossible-travel and short-session-token reuse. Maintain an internal ticket pending vendor disclosure and re-tag once the affected product surface is confirmed by primary sources.

3.3 ConsentFix v3 — Automated OAuth consent-phishing against Microsoft Azure (HIGH)

Source: BleepingComputer

ConsentFix v3 is a new evolution of the ClickFix-style OAuth consent attack, now packaged for scale. The kit automates Azure tenant discovery, pre-stages disposable accounts on Outlook, Tutanota, Cloudflare, DocSend, Hunter.io, and Pipedream, and uses Pipedream as a serverless webhook + token-exchange engine. Victims are coaxed (via Cloudflare Pages-hosted lookalike pages and DocSend-wrapped phishing PDFs) into pasting/dragging a localhost OAuth callback URL containing an authorization code; the backend exchanges it for refresh tokens against pre-trusted first-party Microsoft client IDs (Family of Client IDs / FOCI), defeating MFA. Captured tokens are loaded into Specter Portal for hands-on-keyboard tenant access.

Indicators of Compromise

Infrastructure types: Cloudflare Pages-hosted phishing portals; Pipedream webhooks; DocSend-hosted PDFs with embedded malicious links
Tooling: Specter Portal (post-exploitation)
Tradecraft: Abuse of FOCI / first-party Microsoft client IDs for token issuance
ATT&CK: T1566 - Phishing; T1204 - User Execution: Malicious File; T1078.004 - Valid Accounts: Cloud Accounts

SOC Action: In Entra ID, restrict user consent for applications (Admin Center → Enterprise Applications → Consent and permissions → Do not allow user consent), require admin approval for any OAuth scope that requests Mail.Read, Files.Read.All, offline_access, or directory scopes, and alert on Add OAuth2PermissionGrant events outside change windows. Hunt sign-in logs for FOCI client IDs (Azure CLI 04b07795-8ddb-461a-bbee-02f9e1bf7b46, Azure PowerShell 1950a258-227b-4e31-a9cf-717495945fc2, etc.) where the resource is Microsoft Graph and the IP geolocates outside expected user travel. Block outbound DNS to *.pipedream.net from corporate identities used for Azure administration. Review tenant audit log for Consent to application events in the last 30 days and revoke service principal grants that lack a ticketed business owner.

3.4 CVE-2026-31431 — “CopyFail” universal Linux local privilege escalation remains widely unpatched (HIGH)

Source: Wired Security

The CopyFail flaw, disclosed earlier in the week, gives any local user root on essentially every Linux build since 2017. Patches are landing in distro repositories, but Wired’s reporting underlines that estate coverage is poor — both endpoint Linux installs and data-centre fleets remain widely vulnerable. Yesterday’s 19:24 UTC correlation batch flagged CopyFail as one of two critical-tier “exploitation of vulnerabilities in widely used software and protocols” trends, indicating it is repeatedly resurfacing in cross-report analysis.

Indicators of Compromise

N/A (LPE — no remote IOCs)
ATT&CK: T1068 - Exploitation for Privilege Escalation; T1059 - Command and Scripting Interpreter

SOC Action: Push CopyFail patches through the urgent change channel for all Linux endpoints, build agents, container hosts, and Kubernetes worker nodes. Until 100% coverage is reached, deploy the auditd rule set covering execve of /usr/bin/cp, /usr/bin/mv, and any binary writing to /etc/passwd, /etc/shadow, /etc/sudoers, or /root/.ssh/authorized_keys from non-root UIDs, and pipe to SIEM. For container hosts, ensure --security-opt=no-new-privileges and read-only root filesystems are enforced on workloads that do not require write access.

3.5 npm supply-chain campaigns: Shai-Hulud: The Third Coming and Mini Shai-Hulud (HIGH)

Source: Unit 42

Unit 42 has rolled up the post-September 2025 npm threat landscape into a single attack-surface view. Two campaigns ran in April 2026: “Shai-Hulud: The Third Coming” (started 22 April) and “Mini Shai-Hulud” (started 29 April). A malicious @bitwarden/cli@2026.4.0 package impersonating the Bitwarden CLI is attributed to TeamPCP; on install it executes a multi-stage payload that harvests cloud, CI/CD, and developer credentials, then republishes backdoored versions of every package the victim can publish. The same payload appears across Docker Hub images, GitHub Actions, and VS Code extensions, indicating a coordinated push to weaponise compromised developer-tool credentials at scale. The shift to wormable propagation, CI/CD persistence, and dormant “sleeper” dependencies is now the baseline TTP for npm-borne intrusion.

Indicators of Compromise

Package: @bitwarden/cli@2026.4.0 (malicious impersonation)
Strings: "Shai-Hulud: The Third Coming" (in published GitHub repos)
Distribution surfaces: Docker Hub images, GitHub Actions, VS Code extensions
ATT&CK: T1195.002 - Supply Chain Compromise: Software Supply Chain; T1071 - Application Layer Protocol; T1568 - Dynamic Resolution; T1574.001 - DLL/Library Search Order Hijacking
Threat actor: TeamPCP

SOC Action: Block install of @bitwarden/cli@2026.4.0 at the registry proxy / Artifactory / Nexus layer. Sweep developer endpoints and CI runners for the package, plus any VS Code extension or Docker image published in the same window. Immediately rotate npm publish tokens, GitHub PATs, and any secret cached in ~/.npmrc, ~/.docker/config.json, GitHub Actions runner secrets, and CI-scoped cloud roles. Add a CI policy that fails builds when package-lock.json introduces a new top-level package whose first-publish date is under 30 days, and require a second-set-of-eyes review for those PRs.

3.6 ZenBusiness — 5.1M record breach published by ShinyHunters (HIGH)

Source: HaveIBeenPwned

HaveIBeenPwned added ZenBusiness as a breach affecting 5,118,184 unique email addresses. ShinyHunters claim to have exfiltrated terabytes of CRM data via Snowflake, Mixpanel, and Salesforce in March 2026, and after a ransom demand went unpaid the corpus was released publicly. Compromised fields include email address, name, and phone number depending on source file. The same actor was previously named in connection with Instructure’s September 2025 Salesforce-targeted social-engineering breach (item 3.7), making this a continuation of ShinyHunters’ established Snowflake / SaaS-CRM extortion playbook.

Indicators of Compromise

Affected SaaS surfaces: Snowflake, Mixpanel, Salesforce
Exposed fields: email address, name, phone number
Actor: ShinyHunters
Volume: 5,118,184 unique email addresses

SOC Action: If ZenBusiness is in the supplier inventory, treat user accounts that share email addresses with the leaked set as candidates for credential stuffing and SMS / vishing pretexts; force password reset and step-up MFA on those accounts. For organisations using Snowflake, Mixpanel, or Salesforce, validate that every human and service account has phishing-resistant MFA, that network policies restrict console access to corporate egress, and that data-exfiltration alerting is in place for high-row-count export operations.

3.7 Instructure (Canvas LMS) discloses cyber incident (MEDIUM, operationally significant)

Source: BleepingComputer

Instructure, vendor of the widely deployed Canvas LMS, disclosed a cybersecurity incident perpetrated by a “criminal threat actor” and is investigating with outside forensics. Canvas Data 2 and Canvas Beta have been under maintenance since 1 May; customers are warned of impact to API-key-dependent integrations. Instructure previously suffered a Salesforce-environment breach in September 2025 attributed to ShinyHunters — the same actor active in this period (item 3.6) — so a re-breach or campaign continuation is plausible but unconfirmed.

SOC Action: If Canvas is in scope, rotate any API keys held by Instructure-side integrations and reduce scope to the minimum required. Monitor SSO logs for anomalous authentications brokered through Canvas. Hold off on new Canvas integrations or bulk data exports until Instructure publishes scope; contact account team for IR-grade detail before assuming PII safety.

3.8 Microsoft Linux-kernel CVE batch — SMB, Firewalld, FRRouting (HIGH)

Source: Microsoft MSRC

Three high-severity Linux ecosystem CVEs were published via MSRC in this period. CVE-2026-31608 is a double-free in the SMB server’s smb_direct_free_sendmsg after smb_direct_flush_send_list(), with realistic potential for arbitrary code execution on hosts exposing SMB Direct (RDMA). CVE-2026-4948 in Firewalld lets a local unprivileged user modify firewall state via a mis-authorised D-Bus setter — useful as a defence-evasion primitive after initial access. CVE-2026-28532 is an integer overflow in FRRouting’s OSPF TLV parser (versions < 10.5.3) that can lead to denial-of-service or arbitrary code execution against routers and SDN controllers running FRR, with the correlation batch flagging shared government-sector relevance with the Apache MINA RCE.

Indicators of Compromise

CVE-2026-31608  — Linux kernel SMB server (smb_direct_free_sendmsg double-free)
CVE-2026-4948   — Firewalld D-Bus setter mis-authorization (local privilege/posture change)
CVE-2026-28532  — FRRouting < 10.5.3 OSPF TLV parser integer overflow
ATT&CK: T1071.002 - Application Layer Protocol: File Transfer Protocols (SMB); T1543 - Create or Modify System Process; T1499 - Endpoint Denial of Service

SOC Action: Patch Linux kernel SMB / ksmbd builds (CVE-2026-31608) and validate that internet-facing SMB endpoints are not exposed; consider firewall-blocking TCP/445 from untrusted networks until patched. Push Firewalld package updates across RHEL/Fedora/Debian fleets and audit polkit rules that grant non-root users org.fedoraproject.FirewallD1 access. For network teams, upgrade FRRouting to ≥ 10.5.3 on edge / DC routers, route reflectors, and any SDN control plane; restrict OSPF adjacency to authenticated peers and trusted L2 segments.

3.9 Ransomware-as-a-Service activity: Qilin, Everest, Safepay, Nightspire, AiLock, Pear (HIGH)

Source: RansomLook (Qilin), RansomLook (Everest), RansomLook (Safepay), RansomLook (AiLock), RansomLook (Nightspire), RansomLook (Pear)

Qilin posted six victims yesterday and remains the pipeline-wide leading ransomware actor (84 reports in the last 30 days) — yesterday’s named victims include Standard-Examiner, North Star Signs, Armstrong George Cohen Will Ophthalmology, LSM Lee, Star Precision, and ADMINS. Everest posted three new victims (TSYS, Epiq Global, Symcor), indicating continued targeting of large business-services and outsourcing providers consistent with their double-extortion model. Safepay added energyaction.com.au and hpk.hamburg, and the AI-correlation engine flagged Safepay’s sectoral expansion as a critical trend. AiLock’s RaaS — first identified March 2025 with ChaCha20 + NTRUEncrypt hybrid encryption and a 72-hour negotiation window — posted Site Design Group. Nightspire and Pear contributed additional victim posts to the day’s haul.

Indicators of Compromise

Ransom note pattern (AiLock):  ReadMe[1].txt; encrypted file extension .AiLock
Ransom note pattern (Safepay): readme_safepay_ascii.txt; readme_safepay.txt
Safepay contact: VanessaCooke94@protonmail[.]com
Qilin TOX: contact via Tox; Jabber qilin@exploit[.]im
ATT&CK: T1486 - Data Encrypted for Impact; T1071 - Application Layer Protocol; T1078 - Valid Accounts; T1566 - Phishing

SOC Action: Subscribe SOC alerting to RansomLook for the named groups so victim posts trigger an immediate supplier-impact check against the third-party register. For the ransomware TTPs in evidence, ensure EDR has detections for Volume Shadow Copy deletion (vssadmin delete shadows), wbadmin delete catalog, and bulk file-encryption rates against file servers. Hunt mail flow for the Safepay ProtonMail contact (VanessaCooke94@protonmail[.]com) and block at the gateway. Confirm immutable / air-gapped backups for tier-1 systems and run a monthly recovery rehearsal.

4. AI-Identified Correlation Trends

Risk	Trend	Supporting Evidence
🔴 CRITICAL	Exploitation of vulnerabilities across software components (deserialization, OAuth, auth-bypass)	CVE-2026-42779 Apache MINA RCE; ConsentFix v3 OAuth abuse; CVE-2026-41940 authentication bypass
🔴 CRITICAL	Ransomware groups expanding sector reach with double-extortion	Safepay: energyaction.com.au; Safepay: hpk.hamburg
🔴 CRITICAL	Exploitation of vulnerabilities in widely used software/protocols	CVE-2026-31431 CopyFail Universal Linux LPE; “Nearly every Linux system built since 2017 vulnerable”
🟠 HIGH	Increased ransomware activity focused on healthcare and technology	Ransomware 2026 leaderboard tracker; Nightspire victim post; ConsentFix v3
🟠 HIGH	Phishing remains the dominant initial-access TTP across actors	Everest (TSYS, Epiq Global, Symcor); LAPSUS forum activity; MacSync stealer Homebrew malvertising
🟠 HIGH	Rise of extortion-as-a-service platforms leveraging pure data theft	WorldLeaks: Ceywater Consultants; WorldLeaks: Peyton Law Firm
🟠 HIGH	Increased ransomware activity targeting critical sectors (healthcare, government)	Killsec3 Medical PAY post; cPanel patch deadline; ransomware-responder sentencing

5. Trending Entities (Pipeline-Wide)

Threat Actors

• Qilin (84 reports, last seen 2026-05-02) — RaaS market leader; six new victim posts yesterday across publishing, retail, healthcare, and manufacturing.
• The Gentlemen (63 reports) — Active mid-tier RaaS, last observed 2026-04-29.
• Coinbase Cartel (31 reports) — Crypto-targeting cluster, last observed 2026-04-23.
• DragonForce (27 reports) — Persistent RaaS affiliate ecosystem, last observed 2026-04-22.
• ShinyHunters (22 reports, last seen 2026-05-02) — Re-surfaced this period with the public ZenBusiness 5.1M leak; previously linked to Instructure.
• TeamPCP (18 reports, last seen 2026-05-02) — Attributed by Unit 42 to the @bitwarden/cli npm supply-chain compromise.
• Inc Ransom (16 reports, last seen 2026-05-02) — New victim post against northshoreenv.com.

Malware Families

• RansomLook / RansomLock parser tags (50 / 43 reports) — Reflects pipeline-wide victim-post ingestion volume rather than a single family.
• RaaS (23 reports) — Generic RaaS-tagged content; consistently the dominant operating model in this period.
• Tox / Tox1 (21 / 13 reports) — Tox is a privacy-focused IM client used as a victim-negotiation channel by Qilin and other RaaS crews.
• Qilin ransomware (11 reports, last seen 2026-05-02) — Linked to actor Qilin’s six new posts.
• Gentlemen ransomware (9 reports) — Companion family to The Gentlemen actor entries.
• dragonforce ransomware (9 reports) — Family payload tied to DragonForce affiliate ecosystem.
• AiLock (this period) — Hybrid ChaCha20 + NTRUEncrypt RaaS, 72-hour ransom window, .AiLock extension.
• ConsentFix v3 (this period) — OAuth phishing toolkit targeting Azure with Pipedream automation and Specter Portal post-exploitation.
• Shai-Hulud (this period) — Wormable npm supply-chain payload in two April 2026 campaigns (Third Coming, Mini).

6. Source Distribution

Source	Reports	URL	Notes
RansomLook	16	link	Primary feed for ransomware victim-site posts (Qilin, Everest, Safepay, Nightspire, AiLock, Pear, Inc Ransom, Blackwater)
Microsoft (MSRC)	6	link	Linux kernel SMB / Firewalld / FRRouting / ALSA / ocfs2 CVEs and CVE-2026-41080
Unknown (Telegram OSINT)	6	—	Two critical CVE PoC tutorials (CVE-2026-42779, CVE-2026-41940), ransomware leaderboard tracker, LAPSUS forum thread, CVE-2026-21510 Akamai write-up
BleepingComputer	3	link	ConsentFix v3 deep-dive; Instructure incident; Windows Run modernisation
Unit42	2	link	npm supply-chain landscape (Shai-Hulud variants); detection-beyond-the-endpoint guidance
Wired Security	2	link	CopyFail Linux LPE feature; weekly news round-up (Disneyland face recognition)
HaveIBeenPwned	1	link	ZenBusiness 5.1M-record breach (ShinyHunters)

7. Consolidated Recommendations

• 🔴 IMMEDIATE: Patch CopyFail (CVE-2026-31431) across the entire Linux estate — endpoints, build agents, container/Kubernetes hosts. The CVE is repeatedly resurfacing in correlation analysis, and Wired’s coverage indicates broad unpatched exposure (item 3.4).
• 🔴 IMMEDIATE: Block ConsentFix v3-style OAuth consent attacks: tighten Entra ID consent policy to admin-approval only, hunt for risky FOCI client-ID sign-ins, and revoke unaudited service-principal grants from the past 30 days (item 3.3).
• 🔴 IMMEDIATE: Block @bitwarden/cli@2026.4.0 at registry proxies and rotate npm publish tokens, GitHub PATs, and CI runner secrets for any developer who installed npm packages in the last seven days (item 3.5).
• 🟠 SHORT-TERM: Inventory and constrain Apache MINA exposure ahead of vendor patches for CVE-2026-42779; treat any internet-reachable MINA listener as actively at-risk (item 3.1).
• 🟠 SHORT-TERM: Push the MSRC Linux ecosystem CVE batch (CVE-2026-31608 SMB, CVE-2026-4948 Firewalld, CVE-2026-28532 FRRouting) through standard change windows, prioritising internet-adjacent SMB and OSPF-speaking devices (item 3.8).
• 🟡 AWARENESS: Treat the ZenBusiness leak as a credential-stuffing and vishing pretext source for any user shared with the breach corpus; extend monitoring to any Snowflake/Salesforce/Mixpanel tenant the organisation operates (item 3.6).
• 🟢 STRATEGIC: Operationalise Unit 42’s “beyond the endpoint” guidance — close visibility gaps in identity, cloud control plane, and shadow IT — to counter the cloud-to-endpoint pivot pattern that ConsentFix v3 and ShinyHunters’ SaaS-CRM playbook both exploit (items 3.3, 3.6).

---

This brief was generated entirely by AI from automated threat intelligence collection and correlation pipelines, made up of 36 reports processed across 3 correlation batches. A human analyst reviewed and approved this report before publication, but AI-generated analysis may contain errors in attribution, severity assessment, or indicator extraction. Always verify IOCs, CVE details, and threat actor attribution against primary sources before taking operational action.