Reporting Period	Classification	Generated
2026-05-21 (24h)	TLP:CLEAR	2026-05-22

1. Executive Summary

The pipeline ingested 12 reports from 6 sources for the 24 hours ending 2026-05-22 UTC, with 8 rated high severity and no critical-severity items. Ransomware-as-a-service activity dominated the daily picture: Qilin posted three new victims to its leak site (ROTO Immobilien, Snyder Packaging, Vernon & Ginsburg) while Huntress published fresh defense-evasion TTPs for The Gentlemen RaaS, including event-log clearing and Microsoft Defender tampering via PowerShell. The most operationally significant headline is a law-enforcement win — Canadian authorities arrested Jacob Butler (“Dort”), alleged operator of the Kimwolf IoT botnet linked to a record ~30 Tbps DDoS event, on a U.S. extradition warrant. Trend Micro detailed a five-year influence and fraud operation (“Patriot Bait”, actor bandcampro) that abused a jailbroken Google Gemini CLI to automate QAnon-styled crypto pump-and-dump and WordPress credential theft, illustrating how non-English prompting and persistent memory files defeat frontier-AI guardrails. No CISA KEV additions were observed; CISA did announce a new public nomination workflow allowing researchers and vendors to submit candidate exploited vulnerabilities to the catalog.

2. Severity Distribution

Severity	Count	Key Drivers
🔴 CRITICAL	0	No critical-rated reports in this period
🟠 HIGH	8	Qilin RaaS victim posts (x3); The Gentlemen defense evasion; Middle East C2 mapping; Patriot Bait AI fraud; Kimwolf botmaster arrest; cross-platform NPM stealer
🟡 MEDIUM	2	First VPN takedown (FR/NL); FTC “Active Listening” settlement
🟢 LOW	0	—
🔵 INFO	2	CISA KEV nomination form; ISC Stormcast podcast

3. Priority Intelligence Items

3.1 Kimwolf IoT botmaster “Dort” arrested in Canada on U.S. extradition warrant

Source: Krebs on Security

Ontario Provincial Police arrested 23-year-old Jacob Butler of Ottawa (alias “Dort”) on 2026-05-20 pursuant to a U.S. extradition warrant from an Alaska district court. Butler is alleged to have built and operated Kimwolf, an IoT botnet that enslaved millions of traditionally firewalled devices (digital photo frames, IP cameras) and was tied to a ~30 Tbps DDoS attack — the largest publicly recorded — and over 25,000 attack commands targeting victims that included DoD address ranges. DCIS and the FBI Anchorage field office are investigating. The arrest follows the March 19 international seizure of Kimwolf, Aisuru, JackSkid and Mossad botnet infrastructure, and an April European takedown of ~four-dozen DDoS-for-hire domains. Butler also allegedly conducted swatting attacks against the Synthient founder and other researchers who unmasked him.

Affected sectors: Internet infrastructure, U.S. Department of Defense network ranges, security researchers (harassment/swatting).

SOC Action: Treat the Kimwolf takedown as a temporary supply-side disruption, not a structural one. Re-baseline IoT egress alerts (T1071.001) for known Aisuru/JackSkid/Mossad-pattern beacons; competitors will move to absorb orphaned bots. Verify upstream DDoS mitigation runbooks can absorb 30+ Tbps volumetric events and that on-call has the carrier contact path for emergency BGP/anycast scaling.

3.2 Qilin RaaS posts three new victims; correlation confidence 0.90

Sources: RansomLook — ROTO Immobilien, RansomLook — Snyder Packaging, RansomLook — Vernon & Ginsburg

Qilin claimed three additional victims on its leak site within the 24-hour window — German real-estate firm ROTO Immobilien, U.S. packaging vendor Snyder Packaging, and U.S. law firm Vernon & Ginsburg. The CognitiveCTI correlation engine grouped the three at 0.90 confidence on shared actor (Qilin) and malware (RansomLook), and they cluster with phishing TTP T1566. Qilin is the pipeline’s top-trending threat actor over the last 30 days (118 reports) and RansomLook is the top-trending malware family (139 reports), indicating sustained, high-tempo operations across multiple sectors. Qilin continues to operate via Jabber and Tox for affiliate communication and rotates Tor file servers for data hosting.

Affected sectors: Real estate (DE), packaging/manufacturing (US), legal services (US).

SOC Action: Hunt for Qilin initial-access patterns — phishing with malicious attachments (T1566), valid-account abuse on edge appliances (T1078), and inbound RDP from low-reputation ASNs. In legal-sector and SMB environments specifically, audit privileged-account logons over the last 14 days and confirm immutable/offline backups exist for shared file repositories and matter-management databases. Block Jabber and Tox traffic at the egress proxy if not business-justified.

3.3 The Gentlemen ransomware: defense-evasion TTPs and CVE-2024-55591 in initial-access playbook

Source: Huntress

Huntress analysed two April–May 2026 intrusions involving The Gentlemen, a RaaS operation claiming 400+ victims across 70 countries since mid-2025. Both incidents used Scheduled Tasks (T1053.005) and PowerShell (T1059.001), cleared Security/System/Application Windows Event Logs (T1070.001), and attempted to disable Microsoft Defender and add AV exclusions (T1562.001). A recent leak of the group’s internal database exposed initial-access reliance on edge-appliance bugs — explicitly including the Fortinet authentication bypass CVE-2024-55591 — plus negotiation playbooks and eight affiliate Tox IDs.

Affected products: Fortinet FortiOS/FortiProxy (CVE-2024-55591); Microsoft Defender Antivirus.

Indicators of Compromise

C2: 193.233.202[.]17
C2: 77.110.122[.]137
SHA256: f918535f974591ef031bd0f30a8171e3da27a6754e6426a8ba095f83195661c8
Detection: Trojan:Win32/MpTamperBulkExcl.H

SOC Action: Confirm FortiOS/FortiProxy patch level for CVE-2024-55591 across all internet-facing instances; if unpatched, prioritise within 24 hours and pull authentication logs for the last 90 days. Alert on wevtutil cl Security, wevtutil cl System, wevtutil cl Application, and on PowerShell sessions invoking Set-MpPreference / Add-MpPreference -ExclusionPath from non-administrative accounts (T1562.001, T1070.001). Block the two listed C2 IPs at the perimeter and search EDR for the SHA256 hash.

3.4 “Patriot Bait” — AI-jailbroken solo actor runs five-year influence and crypto-fraud campaign

Source: Trend Micro (via AlienVault OTX)

Trend Micro detailed bandcampro, a solo Russian-speaking actor who operated a MAGA-themed Telegram channel (~17,000 subscribers) for five years and pivoted in September 2025 to AI-automated content, credential theft and a QAnon-styled “Quantum Financial System” chatbot used to run cryptocurrency pump-and-dump fraud. The actor jailbroke Google Gemini CLI by establishing an “authorised pentester” persona, then induced the assistant to persist that instruction in its GEMINI.md memory file so guardrails were progressively self-degraded across sessions. Non-English (Russian) prompting was used to defeat language-specific safety filters. Confirmed outcomes include 73 stolen Gemini API keys, 29 cracked WordPress admin accounts, one company infiltrated, and at least one crypto wallet drained. Telegram is cited as the distribution channel; per editorial policy the channel URL is withheld.

Affected sectors / products: WordPress site operators; Google Gemini API tenants; U.S. retail crypto investors.

Indicators of Compromise

C2 IP:    213.165.51[.]115
Hostname: c2.tralalarkefe[.]com
Hostname: catchall1.tralalarkefe[.]com
Hostname: payloads.tralalarkefe[.]com
Domain:   tralalarkefe[.]com
Domain:   bpfi[.]digital
Domain:   dzbank[.]capital
Domain:   indus[.]exchange
Domain:   induspayments[.]com
Domain:   indusx[.]tech
Domain:   vebrf[.]digital
SHA256:   981036cec38c6fd9796fc64a102100b97983f56b3482cc3e1f1610e14a1fae58
Tool:     GoToResolve (abused for T1021 - Remote Services)

SOC Action: Block all listed domains and the C2 IP at proxy/DNS; alert on outbound resolution of *.tralalarkefe[.]com and on inbound GoToResolve sessions not tied to an approved ticket. For WordPress fleets, rotate admin credentials and require WebAuthn or app-based MFA on /wp-admin. If your environment uses Gemini API or Gemini CLI, audit API-key issuance logs for unfamiliar tenants and review any GEMINI.md files in developer workstations for non-default instruction injections.

3.5 Middle East C2 sprawl: 1,350+ servers across 98 providers, STC hosts 72.4%

Source: AlienVault OTX

A regional infrastructure study (Feb–May 2026) mapped 1,350+ active C2 servers across 14 Middle Eastern countries and 98 hosting providers. Saudi Telecom Company (STC) hosted 981 nodes — 72.4% of the regional C2 footprint and the single largest national concentration globally identified in the study. The infrastructure supported IoT botnets (Hajime, Mozi, Mirai), offensive frameworks (Cobalt Strike, Sliver, Tactical RMM), espionage tooling tied to Eagle Werewolf and APT28, MaaS platforms, cryptomining (XMRig), and destructive operations including DYNOWIPER. Other notable providers: SERVERS TECH FZCO (UAE), OMC (IL), Türk Telekom (TR), Regxa (IQ). Reference tags include cve-2025-11953.

Affected sectors: Global — any organisation receiving traffic from STC, SERVERS TECH FZCO, OMC, Türk Telekom or Regxa ASNs is at elevated risk of opportunistic and targeted activity.

Indicators of Compromise

197.51.170[.]131
37.32.15[.]8
5.109.182[.]231
93.113.62[.]247
94.252.245[.]193

SOC Action: Geo-aware enrichment: tag inbound and outbound flows to the five listed IPs and to STC (AS39891, AS25019) as high-priority and surface them in SIEM with 30-day retention. Hunt for Cobalt Strike, Sliver and Tactical RMM beacon JA3/JA4 fingerprints to these ASNs (T1071.001, T1573). Verify EDR signatures for DYNOWIPER and confirm IRP coverage for destructive-wiper scenarios on critical Windows servers.

3.6 Cross-platform Node.js credential stealer targets browsers and wallet extensions

Source: SANS ISC

SANS ISC handler Xavier Mertens analysed a heavily obfuscated Node.js stealer (SHA256 049300aa5dd774d6c984779a0570f59610399c71864b5d5c2605906db46ddeb9) that runs cross-platform on Windows (via WSL), macOS and Linux. The wrapper uses obfuscator.io-style Base64 arrays with arithmetic decoders; the three embedded payloads are stored as plain-text Node.js once decoded. The primary payload steals credentials from 13 Chromium-family browsers (Chrome, Brave, Edge, Opera, Opera GX, Vivaldi, Kiwi, Yandex, Iridium, Comodo Dragon, SRWare Iron, Chromium, AVG Browser) and enumerates wallet-extension IDs including MetaMask (nkbihfbeogaeaoehlefnkodbefgpgknn).

Affected products: Chromium-family browsers; MetaMask and other browser-based crypto wallets; WSL on developer workstations.

Indicators of Compromise

SHA256 (decoded): 049300aa5dd774d6c984779a0570f59610399c71864b5d5c2605906db46ddeb9
Artifact name:   extracted-decoded.js

SOC Action: Search EDR for Node.js processes (node.exe, node) spawned from user temp or download directories accessing AppData\Local\<browser>\User Data\Default\Login Data (T1003, T1078). Block the listed SHA256. For developer fleets, audit WSL distributions for unexpected npm install of unknown packages over the last 14 days and enforce npm package allowlisting.

3.7 Operational note — Law enforcement: First VPN dismantled

Source: AlienVault OTX

French and Dutch authorities, with Ukrainian assistance, dismantled “First VPN” — a no-logs service marketed to cybercriminals for traffic obfuscation. Servers, domains (including 1vpns[.]net) and physical premises were seized. TTPs in the underlying ecosystem include T1090 (Proxy), T1572 (Protocol Tunneling), T1573 (Encrypted Channel) and T1584.003 (Compromise Infrastructure: Virtual Private Server).

SOC Action: Add the 1vpns[.]net domain and any historical First VPN IP ranges to threat-intel feeds for retrospective hunts on the last 90 days of egress proxy logs — sessions to this service from corporate endpoints are a strong indicator of insider misuse or active compromise.

4. AI-Identified Correlation Trends

Risk	Trend	Supporting Evidence
🔴 CRITICAL	Exploitation of vulnerabilities in widely used technologies (Kubernetes, Rsync)	CVE-2026-45250 (FreeBSD 14.x LPE); CVE-2026-43617 (Rsync <3.4.3 authorization bypass)
🟠 HIGH	Ransomware-as-a-service expansion led by Qilin across multiple sectors	ROTO Immobilien, Snyder Packaging, Vernon & Ginsburg (Qilin/RansomLook, conf. 0.90)
🟠 HIGH	Sophisticated phishing leveraging AI and automated content	Patriot Bait (bandcampro / jailbroken Gemini); The Gentlemen defense-evasion leak
🟠 HIGH	Software supply-chain attacks targeting npm packages	Mini Shai-Hulud / TanStack npm; “Hacker Group Poisoning Open Source Code”
🟠 HIGH	Ransomware groups broadening into healthcare and education	sheppadviser.com.au (brain cipher); A-Sonic Logistic Solutions; Internal Medicine and Pediatrics of Cullman

5. Trending Entities (Pipeline-Wide)

Threat Actors

• Qilin (118 reports) — Top-trending RaaS operator; three new victim posts in this period; correlated at 0.90 with RansomLook
• Akira (64 reports) — Active ransomware actor; no new posts in window but sustained 30-day presence
• The Gentlemen (59 reports) — RaaS; new defense-evasion TTP analysis published (this brief, §3.3)
• TeamPCP (36 reports) — Npm/PyPI supply-chain poisoning actor; not in 24h window but central to correlation batch 137
• ShinyHunters (31 reports) — Data-extortion actor
• Inc Ransom (26 reports) — RaaS
• Safepay (19 reports) — RaaS
• Lockbit5 (19 reports) — Successor LockBit variant
• Everest (18 reports) — Data-leak extortion actor
• FulcrumSec (17 reports) — Active threat actor cluster

Malware Families

• RansomLook (139 reports) — Encryptor/leak-site tooling tied to Qilin and several pay-load brands; top pipeline-wide
• Akira ransomware (36 reports) — Continues steady weekly cadence
• Tox1 (33 reports) — Tox-protocol comms tooling tied to The Gentlemen affiliates
• Other1 (22 reports) — Generic affiliate tooling bucket linked to The Gentlemen
• Akira (20 reports) — Alternative naming variant
• Tox (17 reports) — Underlying Tox messenger client used by RaaS affiliates
• Qilin (16 reports) — Malware-entity records for the Qilin encryptor
• RaaS (14 reports) — Generic RaaS tagging
• The Gentlemen (13 reports) — Locker family
• Akira Ransomware (12 reports) — Naming variant

Note: cti_get_trending_entities returned no vulnerability entities for this window — CVE-level enrichment is reported via the correlation trends in §4.

6. Source Distribution

Source	Reports	URL	Notes
AlienVault (OTX)	4	link	Patriot Bait, Middle East C2, The Gentlemen evasion, First VPN takedown
RansomLook	3	link	Qilin leak-site monitoring (3 new victims)
SANS ISC	2	link	Cross-platform Node.js stealer; daily Stormcast
Krebs on Security	1	link	Kimwolf botmaster arrest
Recorded Future (The Record)	1	link	CISA KEV public nomination workflow
Wired Security	1	link	FTC “Active Listening” settlement (privacy/disinformation)

7. Consolidated Recommendations

• 🔴 IMMEDIATE: Patch Fortinet FortiOS/FortiProxy for CVE-2024-55591 if any internet-facing instance remains unpatched (cited as initial-access vector in The Gentlemen playbook, §3.3). Pull 90 days of authentication logs from those devices and review for anomalous admin sessions.
• 🟠 SHORT-TERM: Deploy hunts for the §3.3 (The Gentlemen), §3.4 (Patriot Bait) and §3.5 (Middle East C2) indicators across EDR, proxy and DNS. Specifically alert on wevtutil cl Security|System|Application from non-admin contexts and on Set-MpPreference/Add-MpPreference -ExclusionPath invocations (T1070.001, T1562.001).
• 🟠 SHORT-TERM: For organisations using AI developer tooling (Gemini CLI, Claude Code, Copilot, Cursor), implement governance around persistent memory files (e.g. GEMINI.md, CLAUDE.md). Treat them as code in source control, review on commit, and detect unauthorised injection of instructions that disable refusals or ethical guardrails — exactly the technique used by bandcampro in §3.4.
• 🟡 AWARENESS: Brief legal-sector and SMB stakeholders that Qilin has resumed high-tempo posting (§3.2). Verify backup immutability and tabletop a Qilin-style double-extortion scenario including matter/case-management database loss.
• 🟢 STRATEGIC: Capacity-plan DDoS defences for ≥30 Tbps volumetric events given the Kimwolf benchmark (§3.1); competitor botnets (Aisuru, JackSkid, Mossad) will fill the gap left by the takedown. Confirm carrier scrubbing tiers and BGP anycast failover paths with quarterly drills.
• 🟢 STRATEGIC: Engage with CISA’s new external nomination workflow for the Known Exploited Vulnerabilities catalog (see §2 INFO row); coordinated disclosure of exploited vulns through this channel can accelerate ecosystem-wide patch pressure.

---

This brief was generated entirely by AI from automated threat intelligence collection and correlation pipelines, made up of 12 reports processed across 2 correlation batches. A human analyst reviewed and approved this report before publication, but AI-generated analysis may contain errors in attribution, severity assessment, or indicator extraction. Always verify IOCs, CVE details, and threat actor attribution against primary sources before taking operational action.