daily critical
cti daily-brief akira everest qilin safepay pcpjack cve-2026-23918 cve-2026-24072

CTI Daily Brief: 2026-05-07 - Apache HTTP/2 RCE & mod_rewrite EoP CVEs; PCPJack cloud worm; Akira ransomware spree (38 victims)

Critical Apache HTTP Server RCE and privilege-escalation flaws lead the day; the PCPJack worm steals credentials at cloud scale by evicting TeamPCP; Akira posts 38 fresh victims spanning healthcare, manufacturing and education; Everest, Safepay and M3rx round out a heavy ransomware leak cycle.

Reporting Period Classification Generated
2026-05-07 (24h) TLP:CLEAR 2026-05-08

1. Executive Summary

The 2026-05-07 pipeline cycle processed 181 reports across one correlation batch, with the threat landscape dominated by ransomware leak-site activity and two newly disclosed Apache HTTP Server flaws. The AI-rated critical line of the day is web-server exploitation: CVE-2026-23918 (HTTP/2 double-free with possible RCE on early reset) and CVE-2026-24072 (mod_rewrite ap_expr privilege escalation). On the credential-theft side, the new PCPJack cloud worm is evicting TeamPCP infections at scale and harvesting credentials, drawing high-confidence correlation between two independent reports. Ransomware leak feeds were exceptionally noisy: Akira alone posted 38 victims spanning healthcare, manufacturing, education, legal and aerospace sectors, while Everest, Safepay and M3rx contributed an additional 15 listings concentrated on industrial, retail and government targets. No CISA KEV additions surfaced in the data set for this period.

2. Severity Distribution

Severity Count Key Drivers
🔴 CRITICAL AI trend: Apache HTTP/2 RCE (CVE-2026-23918) and mod_rewrite EoP (CVE-2026-24072)
🟠 HIGH AI trend: PCPJack/TeamPCP credential theft; Akira/Everest mass victim postings
🟡 MEDIUM Browser application-bound encryption bypass research
🟢 LOW 1 Elastic Security Labs detection-engineering guide (Traefik fuzzing → Cloudflare block)
🔵 INFO No data available for this period

Note on counts: The CognitiveCTI daily collection returned a per-report severity tally only for newly published items in the rolling 24-hour window (1 low-severity Elastic article). The 181-report correlation batch from 2026-05-07 does not expose a per-batch severity breakdown via the pipeline; severity drivers above are taken from the AI-identified trends and correlation entries within batch 111.

3. Priority Intelligence Items

3.1 Apache HTTP Server — HTTP/2 double-free RCE and mod_rewrite privilege escalation

Source: CognitiveCTI Correlation Batch 111 (2026-05-07)

Two Apache HTTP Server vulnerabilities surfaced in the same correlation cluster and were jointly assessed by the pipeline as the day’s critical theme. CVE-2026-23918 is described as a double-free in the HTTP/2 stack on early stream reset, with possible remote code execution. CVE-2026-24072 is an elevation-of-privilege flaw in mod_rewrite reachable via ap_expr. The two reports correlate at 0.70 confidence on shared sector (IT infrastructure) and TTP T1068 — Exploitation for Privilege Escalation. CVE-2026-23918 additionally correlates at 0.80 with the “Malware Bypasses Browser Application-Bound Encryption Protections” research on shared TTPs T1071.001 (web protocols) and T1027 (obfuscated files), suggesting overlap between exploitation tooling and post-exploitation evasion in the technology sector. No in-the-wild exploitation language was captured in the source titles.

SOC Action: Inventory all Apache HTTP Server instances; identify versions exposing HTTP/2 (mod_http2) or mod_rewrite with ap_expr evaluation in RewriteCond/RewriteRule. Stage upstream patches in a test environment and prioritise externally reachable servers. Until patched, consider disabling HTTP/2 on internet-facing vhosts (Protocols http/1.1) where feasible, and audit RewriteRule directives for untrusted input flowing into ap_expr. Hunt for crash signatures on Apache workers and unexpected child process exec lineage (T1068).

3.2 PCPJack — cloud worm evicts TeamPCP, harvests credentials at scale

Source: CognitiveCTI Correlation Batch 111 (2026-05-07)

Two reports — “New PCPJack worm steals credentials, cleans TeamPCP infections” and “PCPJack Cloud Worm Evicts TeamPCP and Steals Credentials at Scale” — correlate at 0.90 confidence on shared actor TeamPCP, malware PCPJack, and TTP T1566 — Phishing. The pattern described is unusual: a worm that explicitly removes a competing actor’s foothold while installing its own credential-harvesting payload. The pipeline rates the resulting credential-theft trend as high. Sector targeting in the landscape summary calls out financial services and other organisations holding sensitive credentials. Specific IOCs were not exposed in the correlation entries.

SOC Action: Hunt for evidence of PCPJack and TeamPCP across cloud workloads and SaaS administrative consoles. Correlate any sudden TeamPCP-attributed indicator disappearance with new outbound credential-exfil traffic from the same host — eviction-then-replacement is the diagnostic signal here. Rotate any service-account credentials cached on cloud build agents, and review IAM access-key creation events (CloudTrail CreateAccessKey, GCP serviceAccountKeys.create, Entra Add app role assignment) over the past 14 days. ATT&CK: T1566 (Phishing), T1078 (Valid Accounts).

3.3 Akira ransomware — 38 victims posted in a single 24-hour window

Source: CognitiveCTI Correlation Batch 111 (2026-05-07)

Akira contributed the largest leak-site cluster of the cycle, with 38 victim postings correlated at 0.90 confidence on shared actor, TTP T1566 — Phishing, and target sectors Education, Manufacturing and Healthcare. Notable named victims include Elia Law Firm, Jacobs Doland Beer, Grau GmbH, School Health, Truckload Carriers Association, Mabetex Group, Shingle & Gibb Automation, MN Health Insurance Network, Netgain Networks, ServiceMaster Clean services, Fletcher Chrysler Products, Salimetrics, Alkegen, ATF Aerospace and Pipestone. Pipeline-wide, Akira now sits at 47 reports across 30 days and is associated with a fresh “Akira ransomware” malware entity that appeared on 2026-05-07 and already has 25 mentions — consistent with a tooling refresh or a high-tempo affiliate burst.

SOC Action: Treat Akira as an active priority threat for healthcare, manufacturing and education networks. Block known Akira initial-access vectors: Cisco/Fortinet/SonicWall VPN brute-force and stale credential reuse — enforce MFA on every remote-access portal, expire any non-MFA local VPN accounts, and alert on impossible-travel logins to VPN/SSO. Hunt for Veeam, ESXi and Hyper-V management plane logons from non-admin workstations (Akira’s pre-encryption staging pattern). Validate offline backup integrity and immutability today.

3.4 Everest, Safepay and M3rx — secondary leak-site activity

Source: CognitiveCTI Correlation Batch 111 (2026-05-07)

Three further ransomware/leak operators were clustered at 0.90 confidence in the same batch:

  • Everest (6 victims): Rehab Clinics Group Ltd, K Subsea Group, Tokoparts, Super AI, Nutrabio, Complete Aircraft Group. Shared elements: Sector Government, TTP T1078 — Valid Accounts.
  • Safepay (5 victims): mbk-gmbh.de, smp.cat, studioubertazzi.it, ettp.be, id-s.de. Shared elements: Sector Industrial Services, TTP T1566 — Phishing.
  • M3rx (4 victims): kbtoys.com.au, pvdd.ca, alge-stop.dk, datasavior.com. Shared elements: Sector Retail, TTP T1486 — Data Encrypted for Impact.

The Everest/Government TTP correlation (valid accounts) is the most operationally relevant signal — consistent with credential-led intrusions rather than mass-exploitation campaigns.

SOC Action: For organisations matching the Everest, Safepay or M3rx target profiles, prioritise valid-account hygiene: review dormant local admin accounts, inspect EntraID/Okta sign-ins from anonymising infrastructure, and confirm conditional-access policies require MFA on all privileged roles. For retailers, validate point-of-sale and e-commerce backup restores (T1486 readiness drill).

3.5 Elastic Security Labs — detection guide for Traefik probing & fuzzing

Source: Elastic Security Labs

The only freshly published report in the daily window is a defensive engineering walkthrough by Erik-Jan de Kruijf describing how an ES QL detection rule against Traefik access logs can identify high-volume HTTP 404 patterns from a single source IP and trigger an automated Cloudflare API block. The guidance maps to ATT&CK T1046 — Network Service Scanning and T1071.001 — Application Layer Protocol: Web Protocols. Severity is low (best-practice/enablement content), but the rule pattern is immediately reusable for any team running Traefik or similar reverse proxies behind Cloudflare.
SOC Action: If you operate Traefik, deploy the ES QL rule (HTTP 404 frequency by source IP within a short time window) and wire the detection to a Cloudflare API blocklist update. Generalise the pattern to other reverse proxies (Nginx, HAProxy) and bind the same automation to existing SQLi/LFI rules. Track suppression list growth as a leading indicator of perimeter probing volume.
Risk Trend Supporting Evidence
🔴 CRITICAL Exploitation of vulnerabilities in web servers leading to potential remote code execution CVE-2026-23918 (Apache HTTP/2 double-free, possible RCE); CVE-2026-24072 (Apache mod_rewrite EoP via ap_expr)
🟠 HIGH Increased use of phishing and credential theft by multiple actors New PCPJack worm steals credentials, cleans TeamPCP infections; PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale
🟠 HIGH Targeting of healthcare, manufacturing and education sectors by ransomware actors Akira mass postings (Elia Law Firm, MN Health Insurance Network, School Health and 35 others); Everest leaks (Rehab Clinics Group Ltd, Nutrabio)

Threat Actors

  • Qilin (95 reports) — leading ransomware operator across the 30-day pipeline window; correlated today via Sylvania and Norcal Training Center postings.
  • The Gentlemen (52 reports) — sustained leak-site presence; no fresh entries in batch 111.
  • Akira (47 reports) — most active actor in this cycle with 38 new victim listings.
  • DragonForce (28 reports) — recent activity outside batch 111.
  • Coinbase Cartel (26 reports) — financial-services-themed actor; no batch 111 activity.
  • ShinyHunters (25 reports) — credential-theft and data-broker activity.
  • Everest (22 reports) — 6 fresh leaks today, government and industrial.
  • Inc Ransom (20 reports).
  • Lamashtu (20 reports).
  • Shinyhunters (20 reports) — separate pipeline entity, likely deduplication artefact with ShinyHunters.

Malware Families

  • RansomLook (73 reports) — leak-site monitoring feed driving most ransomware ingest.
  • RansomLock (44 reports) — secondary leak-tracking source.
  • Tox1 (33 reports).
  • Akira ransomware (25 reports) — new entity with rapid ramp, first seen 2026-05-07.
  • Other1 (19 reports).
  • RaaS (19 reports) — generic RaaS taxonomy entity.
  • Tox (18 reports).
  • Qilin (14 reports as malware entity).
  • Akira (13 reports as malware entity, distinct from “Akira ransomware”).
  • Akira Ransomware (10 reports) — third Akira-family entity, likely dedup candidate.

Vulnerabilities trending feed returned only 1 entity (CVE-2025-47812, last seen 2026-04-17) and is not representative of today’s activity. The two operationally relevant CVEs from batch 111 (CVE-2026-23918, CVE-2026-24072) are not yet reflected in the pipeline-wide vulnerability trending index.

6. Source Distribution

Source Reports URL Notes
Elastic Security Labs 1 link Only fresh report in the daily collection window — Traefik detection guide.
CognitiveCTI Correlation Batch 111 181 (batch total) Yesterday’s pipeline cycle; per-source breakdown not exposed by the batch endpoint.

7. Consolidated Recommendations

  • 🔴 IMMEDIATE: Patch or mitigate CVE-2026-23918 (Apache HTTP/2 double-free, possible RCE) and CVE-2026-24072 (mod_rewrite ap_expr EoP) on all internet-facing Apache HTTP Servers; disable HTTP/2 on exposed vhosts as a stop-gap and audit ap_expr use in rewrite rules. (Section 3.1)
  • 🔴 IMMEDIATE: Healthcare, manufacturing and education organisations should treat Akira as an active threat — enforce MFA on all VPN/SSO portals, expire stale local VPN accounts, and validate offline-backup immutability today. (Section 3.3)
  • 🟠 SHORT-TERM: Hunt for PCPJack/TeamPCP indicators across cloud workloads; rotate credentials cached on build agents and review IAM access-key creation events for the last 14 days. (Section 3.2)
  • 🟠 SHORT-TERM: For target profiles matching Everest, Safepay or M3rx (industrial services, government, retail), audit dormant local admin accounts and confirm conditional-access MFA on all privileged roles. (Section 3.4)
  • 🟡 AWARENESS: Reverse-proxy operators should adopt the Elastic Security Labs Traefik fuzzing detection pattern (HTTP 404 frequency by source IP → Cloudflare API block) and generalise it to existing SQLi/LFI rules. (Section 3.5)
  • 🟢 STRATEGIC: Trending-entity data shows Akira-family malware fragmented across three pipeline entities (“Akira ransomware”, “Akira”, “Akira Ransomware”) and ShinyHunters across two — feed back to the CTI pipeline owners to consolidate, since fragmented entities currently understate single-actor activity in trending dashboards.

This brief was generated entirely by AI from automated threat intelligence collection and correlation pipelines, made up of 181 reports processed across 1 correlation batch. A human analyst reviewed and approved this report before publication, but AI-generated analysis may contain errors in attribution, severity assessment, or indicator extraction. Always verify IOCs, CVE details, and threat actor attribution against primary sources before taking operational action.