daily critical
cti daily-brief cve-2026-0300 cve-2026-31431 palo-alto-networks muddywater apt37 apt29 shinyhunters the-gentlemen quasar-linux tclbanker

CTI Daily Brief: 2026-05-05 - Palo Alto PAN-OS Zero-Day Under Active Exploitation; Linux 'Copy Fail' LPE; APT29, APT37, MuddyWater Activity

Critical PAN-OS CVE-2026-0300 (CVSS 9.3) actively exploited in the wild, Linux kernel 'Copy Fail' (CVE-2026-31431) deterministic LPE, APT37 BirdCall Android backdoor, MuddyWater Chaos-decoy espionage, ShinyHunters claims 280M Instructure records, and DAEMON Tools supply-chain compromise.

Reporting Period Classification Generated
2026-05-05 (24h) TLP:CLEAR 2026-05-06

1. Executive Summary

The pipeline ingested 60 reports across 15 distinct sources in the last 24 hours, dominated by 31 high-severity items and 7 critical-severity items. The headline event is CVE-2026-0300, a critical (CVSS 9.3) unauthenticated buffer overflow in the Palo Alto Networks PAN-OS User-ID Authentication Portal that is already being exploited in the wild against Internet-exposed PA-Series and VM-Series firewalls; Shadowserver tracks over 5,800 exposed VM-Series instances and patches do not arrive until 13–28 May 2026. Unit 42 also disclosed CVE-2026-31431 (“Copy Fail”), a deterministic local privilege escalation in the Linux kernel algif_aead/AF_ALG path affecting kernels 4.14–6.19.12 across Ubuntu, RHEL, Debian, SUSE, Amazon Linux, and AlmaLinux, with significant container-escape and CI/CD implications. State-aligned activity is heavy: ESET attributes the APT37 ‘BirdCall’ Android backdoor to a North Korean campaign against ethnic Koreans in Yanbian, China; Rapid7 observed MuddyWater using Chaos ransomware as an attribution decoy via Microsoft Teams social engineering; and Lab52 published declassified artefacts attributed to APT29 (‘EasterBunny’). Criminal extortion remains active — ShinyHunters claims 280 million records from 8,809 educational institutions tied to Instructure’s Canvas, and DAEMON Tools Lite confirms a supply-chain compromise of its signed installer between 8 April and 5 May 2026. No CISA KEV additions were observed in the data set for this period.

2. Severity Distribution

Severity Count Key Drivers
🔴 CRITICAL 7 PAN-OS CVE-2026-0300 (in-the-wild RCE); Linux Copy Fail (CVE-2026-31431); libssh2 CVE-2026-7598; Xorg/xwayland CVE-2026-34001; Citizens Bank/Everest breach claim
🟠 HIGH 31 APT37 BirdCall, APT29 EasterBunny, MuddyWater/Chaos; Quasar Linux malware; TCLBANKER banking trojan; DAEMON Tools supply-chain; ShinyHunters/Instructure; Cisco DoS CVE-2026-20188; Rowhammer NVIDIA; The Gentlemen, Sinobi, Qilin, Inc Ransom, Lamashtu, Krybit ransomware leak posts
🟡 MEDIUM 9 Nissan Motor Corporation breach claim (Telegram OSINT); LegionProxy 10K-account leak; Cisco Talos VoIP scam clustering; Mako/lxml/Xorg secondary CVEs
🟢 LOW 1 CVE-2026-43037 (Linux ip6_tunnel skb handling)
🔵 INFO 12 Wired/Schneier commentary; SANS Stormcast; Sysdig and CrowdStrike vendor announcements

3. Priority Intelligence Items

3.1 Palo Alto PAN-OS Captive Portal Zero-Day (CVE-2026-0300) — Active Exploitation

Source: Wiz, BleepingComputer, CertEU

Palo Alto Networks disclosed a critical (CVSS 9.3) buffer overflow in the PAN-OS User-ID Authentication Portal (Captive Portal) that grants unauthenticated remote attackers arbitrary code execution as root on PA-Series and VM-Series firewalls via specially crafted packets. Palo Alto has confirmed limited in-the-wild exploitation targeting portals exposed to untrusted networks or the public Internet. Shadowserver is tracking 5,800+ exposed VM-Series firewalls (most in Asia and North America), with Shodan reporting 67 instances exposing port 6081. Patches roll out across PAN-OS 10.2, 11.1, 11.2, and 12.1 branches between 13 May and 28 May 2026. Cloud NGFW and Panorama are not affected. Mapped to T1068 (Exploitation for Privilege Escalation) and T1190-class network service exploitation.

Affected products: PAN-OS 10.2, 11.1, 11.2, 12.1 (multiple branch versions — see vendor advisory).

SOC Action: Until patches are available, immediately disable the User-ID Authentication Portal where not strictly required, or restrict TCP/6081 and TCP/6082 to internal trusted zones via management-plane ACL. Hunt firewall logs and PCAP for unsolicited inbound traffic to 6081/6082; query EDR/perimeter telemetry for new outbound connections from firewall management interfaces; verify firewall configuration drift on Captive Portal Settings (Device > User Identification > Authentication Portal Settings).

Indicators of Compromise

Affected ports: TCP/6081, TCP/6082 (User-ID Authentication Portal / Captive Portal)
CVE: CVE-2026-0300
ATT&CK: T1068, T1071, T1064

3.2 Linux Kernel “Copy Fail” Local Privilege Escalation (CVE-2026-31431)

Source: Unit 42

Researchers publicly disclosed a deterministic, AI-discovered local privilege escalation in the Linux kernel’s algif_aead module within the AF_ALG (user-space crypto) interface. The flaw stems from a 2017 in-place optimisation bug that causes req->src and req->dst to share a scatterlist, allowing an unprivileged local attacker to write four controlled bytes past the legitimate buffer directly into the page cache of privileged binaries (e.g. su, sudo) without altering on-disk files. Affected kernels span 4.14 through 6.19.12 — covering Ubuntu, RHEL, Debian, SUSE, Amazon Linux, and AlmaLinux. A 732-byte Python proof-of-concept reportedly works without modification across distributions. Because the page cache is shared kernel-wide, the bug enables Kubernetes container escape, multi-tenant host takeover, and CI/CD pipeline compromise. Mapped to T1068.

Affected sectors: All Linux server estates, Kubernetes/container platforms, DevOps and CI/CD infrastructure.

SOC Action: Inventory Linux kernel versions across the estate and prioritise patching of multi-tenant Kubernetes nodes, build/CI hosts, and any system where untrusted code executes (developer workstations, sandboxes). Where immediate kernel updates are not feasible, blacklist or unload the algif_aead module via modprobe denylist. Monitor EDR for setsockopt calls binding to AF_ALG sockets paired with anomalous splice() activity from non-root users.

Indicators of Compromise

CVE: CVE-2026-31431 ("Copy Fail")
Vulnerable kernels: 4.14 ≤ Linux ≤ 6.19.12
Vulnerable component: net/crypto - algif_aead module (AF_ALG interface)
ATT&CK: T1068

3.3 APT37 ‘BirdCall’ Android Backdoor — North Korean Targeting of Yanbian Ethnic Koreans

Source: Recorded Future News

ESET attributed an Android-targeting espionage campaign to APT37 (a DPRK-linked actor reportedly housed within North Korea’s Ministry of State Security). Victims in China’s Yanbian Korean Autonomous Prefecture downloaded compromised card games from the legitimate Sqgame website; the initial APK was benign and was weaponised via a later update from a compromised server. Seven versions of the backdoor — dubbed BirdCall — were recovered; capabilities include screenshot capture, call recording, microphone eavesdropping, and exfiltration of contacts, SMS, call logs, media files, and private keys. The Sqgame supply chain is reportedly compromised since at least November 2024; ESET says the update package is no longer malicious. The campaign appears focused on North Korean defectors and refugees. Mapped to T1566 (Phishing), T1078 (Valid Accounts), T1003.

Affected sectors: Mobile/Android users (NGO, refugee, and dissident communities in Yanbian).

SOC Action: Where managed Android devices are in scope, block the Sqgame distribution domains at the proxy/MDM layer and audit installed APKs for sideloaded games of Sqgame origin. Use mobile EDR to flag applications requesting accessibility, microphone, contacts, SMS, and external storage permissions immediately after first launch. For high-risk traveller cohorts in or near the DPRK border region, enforce Play Store-only installation and disable “Install from unknown sources.”

3.4 MuddyWater Uses Chaos Ransomware as Attribution Decoy

Source: BleepingComputer

Rapid7 (with moderate confidence) attributes a recent intrusion to MuddyWater (a.k.a. Static Kitten, Mango Sandstorm, Seedworm — assessed to operate on behalf of Iran’s Ministry of Intelligence and Security), in which the actor staged a Chaos ransomware extortion façade to obscure cyber-espionage objectives. Initial access was via Microsoft Teams social engineering: attackers initiated chats with employees, escalated to screen-sharing, harvested credentials (often via fake Microsoft Quick Assist phishing pages or by tricking users into typing passwords into local text files), and manipulated MFA. Persistence relied on AnyDesk, DWAgent, and RDP, plus a loader (ms_upd.exe) that drops a custom backdoor (Game.exe) disguised as a Microsoft WebView2 application — supporting 12 commands including PowerShell/CMD execution, file upload/delete, and persistent shell access. Attribution rests on infrastructure overlap and a code-signing certificate previously seen on Stagecomp/Darkcomp malware. MuddyWater has reused this ransomware-as-cover technique (Qilin in late 2025).

Affected sectors: Likely strategic targets aligned with Iranian intelligence priorities; any organisation receiving cold Teams contact from external tenants is at elevated risk.

SOC Action: Enforce Teams external-federation restrictions to a vetted allow-list; block external screen-share by default. Hunt for ms_upd.exe and Game.exe running under user temp paths and for child processes of Teams.exe invoking PowerShell, cmd.exe, or installer binaries. Detect AnyDesk.exe / DWAgent.exe / quickassist.exe execution outside of approved IT remote-support workflows. Audit recent MFA method changes on privileged accounts in the last 30 days. ATT&CK: T1566, T1021, T1078.004, T1003.002.

Indicators of Compromise

Loader: ms_upd.exe (user temp paths)
Backdoor: Game.exe (masquerading as Microsoft WebView2)
Tooling: AnyDesk, DWAgent, RDP (post-exploitation persistence)
Initial access vector: Microsoft Teams external chat → screen-share → credential phish
ATT&CK: T1566, T1021, T1078.004, T1003.002, T1059

3.5 Quasar Linux (QLNX) — Stealthy Implant Targeting Developers

Source: BleepingComputer

Trend Micro disclosed a previously undocumented Linux implant, Quasar Linux (QLNX), designed to compromise developer workstations and DevOps pipelines (npm, PyPI, GitHub, AWS, Docker, Kubernetes) for downstream supply-chain attacks. QLNX dynamically compiles its rootkit and PAM backdoor on the target via gcc, runs in-memory, deletes its on-disk binary, wipes logs, spoofs process names, and clears forensic environment variables. It maintains persistence through seven mechanisms: LD_PRELOAD, systemd, crontab, init.d, XDG autostart, .bashrc injection, and a respawn watchdog. The implant offers a 58-command RAT core, dual-layer rootkit (userland LD_PRELOAD plus kernel eBPF), credential harvesting (SSH keys, browsers, cloud configs, /etc/shadow, clipboard), keylogging, screenshot/clipboard surveillance, TCP tunneling, SOCKS proxy, port scanning, SSH-based lateral movement, and peer-to-peer mesh C2. Trend Micro reports only four AV vendors detect the binary at time of publication. ATT&CK: T1078, T1204, T1496.

Affected sectors: Software development, DevOps, cloud-native engineering teams.

SOC Action: Deploy Linux EDR with eBPF visibility to developer hosts and CI runners; alert on processes hidden via LD_PRELOAD mismatches between /proc/<pid>/maps and ls. Hunt for unexpected gcc invocations from non-developer service accounts, .bashrc modifications outside golden-image baselines, and PAM module changes. Restrict outbound from build hosts to known package mirrors and block peer-to-peer/SOCKS-style egress.

3.6 ShinyHunters Claims 280M Records from Instructure (Canvas LMS)

Source: BleepingComputer

The ShinyHunters extortion group claims to have stolen 280 million records covering students, teachers, and staff across 8,809 school districts, universities, and online education platforms using Instructure’s Canvas learning management system. Per the actor’s own description, exfiltration was achieved by abusing legitimate Canvas data-export features — DAP queries, provisioning reports, and user APIs — yielding hundreds of GB of names, email addresses, private messages, and enrolment data. Instructure has confirmed a breach and notified affected institutions; CU Boulder, Rutgers, and Tilburg University have publicly acknowledged investigations. No CVE; the attack vector is API/feature abuse rather than software vulnerability.

Affected sectors: Higher education, K-12, online learning platforms (worldwide).

SOC Action: Education-sector tenants should review Canvas administrator audit logs for unusual DAP query volume, provisioning-report generation outside scheduled windows, and user-API token issuance over the past 60 days. Rotate all API tokens, force password reset for administrative accounts, and confirm Canvas SSO integration is not configured to expose long-lived service credentials. Notify legal/privacy office given likely PII/FERPA-class exposure.

3.7 DAEMON Tools Lite Supply-Chain Compromise (8 April – 5 May 2026)

Source: BleepingComputer

Disc Soft Limited confirmed that its build environment was compromised, resulting in digitally signed trojanised installers of the free DAEMON Tools Lite (versions 12.5.0.2421 through 12.5.0.2434) being distributed from the official site between 8 April and 5 May 2026. Kaspersky observed infections in 100+ countries. The first-stage payload is an information stealer that profiles the host (hostname, MAC, processes, installed software, locale) before dispatching a second-stage in-memory backdoor and, in at least one case, QUIC RAT with process-injection capabilities. Paid editions (DAEMON Tools Pro, Ultra) are reported unaffected. A clean version 12.6 was released on 5 May 2026.

Affected sectors: Broad — retail, government, scientific, manufacturing victims observed across Russia, Belarus, Thailand; consumer infections reported in Brazil, Turkey, Spain, Germany, France, Italy, China.

SOC Action: Query software inventory for installations of DAEMON Tools Lite 12.5.0.2421–12.5.0.2434 dating from on/after 8 April 2026; quarantine, uninstall, and replace with v12.6 from the official source. Conduct full credential rotation, browser-token revocation, and EDR forensic sweep on affected endpoints. ATT&CK: T1204, T1059.003, T1071.001, T1082, T1105, T1003.

Indicators of Compromise

Trojanised package: DAEMON Tools Lite 12.5.0.2421 – 12.5.0.2434 (free edition)
Distribution window: 8 April 2026 – 5 May 2026
Clean release: DAEMON Tools Lite 12.6.0
Implants observed: Information stealer (stage 1), in-memory backdoor (stage 2), QUIC RAT (observed in at least one case)
ATT&CK: T1204, T1059.003, T1071.001, T1082, T1105, T1003

3.8 Other Notable Items

  • TCLBANKER (Brazilian Banking Trojan)Elastic Security Labs tracks REF3076 deploying TCLBANKER (assessed major update of MAVERICK/SORVEPOTEL) via a trojanised Logitech Logi AI Prompt Builder MSI with malicious screen_retriever_plugin.dll sideload. Targets 59 Brazilian banking, fintech, and crypto domains via UI Automation; uses WPF full-screen overlays, environment-gated decryption, and self-propagates through WhatsApp (browser-session hijack) and Outlook COM bots. C2 hosted on Cloudflare Workers. ATT&CK: T1566, T1189.
  • APT29 ‘EasterBunny’Lab52 published declassified artefacts from a 2019 incident attributed to APT29, declassified in November 2025, providing additional insight into long-running Russian SVR-aligned tradecraft. Operationally historical but useful for retrospective hunting.
  • Cisco Crosswork/NSO DoS (CVE-2026-20188)BleepingComputer reports an unauthenticated, low-complexity DoS in Cisco Crosswork Network Controller and Network Services Orchestrator due to insufficient connection rate limiting; recovery requires manual reboot.
  • Rowhammer Against NVIDIA Ampere (GPUHammer-class) — Schneier covers two independent research teams demonstrating GDDR bitflips on NVIDIA Ampere GPUs that can yield full host compromise when IOMMU is disabled (default in many BIOS configurations).
  • Citizens Bank (April 2026, Everest ransomware) — Reported via Telegram OSINT (channel name redacted). Attribution unconfirmed beyond the Telegram post; treat with low confidence pending corroboration.
Risk Trend Supporting Evidence
🔴 CRITICAL Critical vulnerabilities in widely used software platforms being exploited. PAN-OS CVE-2026-0300 (in-the-wild); Xorg/xwayland CVE-2026-34001 use-after-free
🟠 HIGH Increased ransomware activity targeting diverse sectors with advanced TTPs. MuddyWater/Chaos decoy operation; The Gentlemen multi-victim leak posts (Nrt India, Mundo Amtae, Da Guan, IPE, Gator Cases, DATAMATIC, C2O, Worralls, Riggotts)
🟠 HIGH Supply-chain attacks leveraging phishing and backdoors are prevalent. DAEMON Tools Lite trojanised installer; APT37 BirdCall via Sqgame update channel; Quasar Linux developer-targeting implant
🟡 MEDIUM Shared TTP cluster — exploitation for privilege escalation. PAN-OS CVE-2026-0300 ↔ Cisco CVE-2026-20188 (T1068 overlap, network-edge devices)
🟡 MEDIUM Sector overlap — technology infrastructure under sustained pressure. Xorg/xwayland CVE ↔ Rowhammer/NVIDIA (technology, infrastructure shared sectors)

Threat Actors

  • Qilin (93 reports, 30-day) — Active RaaS with multiple onion infrastructure; Asphalt Specialists and Sysco listed as recent victims; reused as cover by MuddyWater in late 2025.
  • The Gentlemen (59 reports) — High-volume leak-site activity in this period (11 victims posted 2026-05-06). Tox-based comms; phishing-led intrusion.
  • ShinyHunters (25 reports) — 280M-record Instructure breach claim; pattern continues with API/feature-abuse exfiltration against SaaS providers.
  • DragonForce (28 reports) — Long-tail leak-site activity continues.
  • Inc Ransom (20 reports) — Aerodiagnostics victim posted; ~30% leak-site uptime.
  • Lamashtu (20 reports) — Phishing-distributed payloads with PGP-signed extortion emails.
  • MuddyWater / Static Kitten / Mango Sandstorm / Seedworm — Iranian state actor, Teams social-engineering tradecraft (this brief).
  • APT37 — DPRK MSS-aligned, Android espionage via Sqgame supply chain (this brief).
  • APT29 — Russian SVR-aligned, declassified EasterBunny artefacts (this brief).

Malware Families

  • The Gentlemen ransomware (7 reports, 30-day) — Tox C2; phishing initial access (T1566).
  • Chaos ransomware — RaaS used as MuddyWater decoy.
  • Quasar Linux (QLNX) — Developer-targeting Linux RAT/rootkit (this brief).
  • TCLBANKER — Brazilian banking trojan, WhatsApp/Outlook self-propagation (this brief).
  • BirdCall — APT37 Android espionage backdoor (this brief).
  • QUIC RAT — Observed in DAEMON Tools supply-chain compromise.
  • Game.exe / ms_upd.exe — MuddyWater custom loader/backdoor (WebView2 masquerade).
  • MAVERICK / SORVEPOTEL — TCLBANKER lineage.

6. Source Distribution

Source Reports URL Notes
RansomLook 24 link Leak-site monitoring (The Gentlemen, Sinobi, Qilin, Inc Ransom, Lamashtu, Krybit). High volume but largely repetitive per-victim posts.
BleepingComputer 8 link Primary coverage of PAN-OS zero-day, MuddyWater, Quasar Linux, ShinyHunters/Instructure, DAEMON Tools, Cisco DoS.
Microsoft (MSRC) 8 link CVE advisory ingest — libssh2, Xorg/xwayland, lxml, Mako, ip6_tunnel.
Unknown / Telegram 4 Telegram OSINT (channel names redacted): Citizens Bank, Nissan breach claims, server posts. Treat with reduced confidence.
Wiz 2 link PAN-OS CVE-2026-0300 deep-dive; Jenkins threat landscape.
Sysdig 2 link Vendor product announcements (informational).
Cisco Talos 1 link VoIP scam-number clustering analysis.
SANS ISC 1 link Daily Stormcast podcast.
Wired Security 1 link Commentary on AI-generated content in cybercrime forums.
CertEU 1 link PAN-OS advisory 2026-006.
Elastic Security Labs 1 link TCLBANKER technical breakdown.
Recorded Future News 1 link APT37 BirdCall reporting.
CrowdStrike 1 link Vendor Gartner positioning announcement (informational).
SentinelOne 1 link LABScon25 replay — supply-chain risk in foreign-manufactured networked devices.
Unit 42 1 link “Copy Fail” Linux LPE technical report.
Schneier on Security 1 Rowhammer/NVIDIA Ampere commentary (URL not captured).
Lab52 1 link APT29 EasterBunny declassified artefacts.
HaveIBeenPwned 1 link LegionProxy breach (10,144 accounts).

7. Consolidated Recommendations

  • 🔴 IMMEDIATE: Treat PAN-OS CVE-2026-0300 as an active-incident control; identify all PA-Series and VM-Series firewalls, validate User-ID Authentication Portal exposure, and apply the vendor mitigation (disable portal or restrict to trusted internal zones) ahead of the 13–28 May 2026 patch window. Capture PCAP on TCP/6081 and TCP/6082 and retain for forensic review.
  • 🔴 IMMEDIATE: Scope and triage CVE-2026-31431 (“Copy Fail”) across Linux multi-tenant Kubernetes nodes, CI/CD runners, build hosts, and shared developer workstations. Where kernels cannot be patched immediately, deploy a modprobe denylist for algif_aead.
  • 🟠 SHORT-TERM: Pivot Microsoft Teams threat-hunting to detect MuddyWater-style external chat → screen-share → credential phish chains. Audit external federation, block default external screen-share, and review the last 30 days of MFA-method changes on privileged identities.
  • 🟠 SHORT-TERM: Inventory and remove any DAEMON Tools Lite 12.5.0.2421–12.5.0.2434 installations dating from on/after 8 April 2026; perform full credential rotation and EDR forensic sweep on affected endpoints.
  • 🟡 AWARENESS: Education-sector defenders should review Canvas DAP/provisioning/user-API logs for the ShinyHunters/Instructure exfiltration TTP and rotate API tokens. Brazilian-market financial defenders should add TCLBANKER signatures (Logitech MSI sideloading, screen_retriever_plugin.dll) to detection content.
  • 🟢 STRATEGIC: Re-baseline developer-host hardening to defend against Quasar Linux-class implants — eBPF-aware EDR, signed-package enforcement, and strict outbound egress from build infrastructure. Reassess GPU-host BIOS settings (enable IOMMU) in light of Rowhammer/NVIDIA research.

This brief was generated entirely by AI from automated threat intelligence collection and correlation pipelines, made up of 60 reports processed across 4 correlation batches. A human analyst reviewed and approved this report before publication, but AI-generated analysis may contain errors in attribution, severity assessment, or indicator extraction. Always verify IOCs, CVE details, and threat actor attribution against primary sources before taking operational action.