Major Stories of the Month
- Miasma Supply Chain Worm Industrializes Ecosystem Compromise
- A highly sophisticated, self-propagating credential stealer known as the "Miasma" worm executed a catastrophic supply chain compromise across multiple developer ecosystems.
- The attack systematically hijacked 73 Microsoft GitHub repositories, 471 PyPI/npm artifacts, and 32 Red Hat cloud services packages by manipulating CI/CD pipelines and utilizing malicious Python .pth startup hooks.
- The malware harvested GitHub tokens, npm registry access, and cloud credentials (AWS, GCP, Azure), while deploying advanced anti-analysis techniques, including fake LLM prompt-injection headers designed to disrupt AI-assisted security scanners.
- Oracle PeopleSoft Zero-Day Leads to Massive Education Breaches
- The threat actor ShinyHunters (UNC6240) exploited an unpatched authentication bypass zero-day (CVE-2026-35273) in Oracle PeopleSoft PeopleTools, enabling unauthenticated remote code execution.
- This mass exploitation campaign compromised over 100 organizations, predominantly targeting the higher education sector.
- Operating for approximately two weeks before an emergency patch was issued, the breach resulted in the theft of massive identity databases, including 454,600 student and staff records from the University of Nottingham.
- Cisco SD-WAN Zero-Day Cascade and Pre-Disclosure Exploitation
- Cisco's enterprise network infrastructure faced a relentless cascade of zero-day attacks, marking the seventh actively exploited Cisco SD-WAN vulnerability of 2026.
- The most critical flaw (CVE-2026-20245) allowed authenticated remote attackers to execute root-level commands via malicious CSV file uploads.
- Mandiant disclosed that threat actors had been actively exploiting this vulnerability in the wild to manipulate system password files for at least two months before the vendor's public disclosure, highlighting severe exposure windows for critical infrastructure.
Top Ransomware Groups
Note: Ransomware groups this month demonstrated significant operational maturity, deploying custom EDR evasion frameworks and leveraging novel command-and-control concealment techniques.
- The Gentlemen – The group deployed a highly sophisticated "GentleKiller" EDR termination framework capable of targeting over 400 security processes across 48 different products, enabling severe worm-like lateral movement. It impacted global sectors across 70 countries, including healthcare and manufacturing, with a total of 478 documented victims.
- ShinyHunters (UNC6240) – The rebranded group orchestrated massive extortion campaigns resulting in the theft of 2.6 million accounts from DentaQuest, 4.9 million accounts from Charter Communications, and over 450,000 university records using an Oracle PeopleSoft zero-day.
- Qilin – This highly active group exploited the Check Point VPN zero-day (CVE-2026-50751) to infiltrate networks a full month before a patch was available, enabling complete network infiltration across multiple global victims.
- INC Ransom – INC maintained high-volume aggressive targeting, claiming an operational milestone of over 830 total victims since 2023.
- Silent Ransom Group (Luna Moth) – This group escalated traditional digital extortion into physical realms by successfully deploying physical operatives impersonating IT staff to breach office locations and insert USB drives for data theft.
Linux / Cloud / Identity Attacks: Top Threats
These threats are prioritized based on their critical severity (CVSS scores), immediate widespread impact, and observed mass exploitation in enterprise environments.
- Check Point VPN Zero-Day Ransomware Exploitation (CVE-2026-50751)
- Type: Network Infrastructure / Identity
- Impact: A critical authentication bypass vulnerability in Check Point Remote Access VPN enables unauthenticated attackers to establish VPN sessions without valid passwords via deprecated IKEv1 protocol flaws.
- CVSS 9.3 / Statistics: Qilin ransomware affiliates exploited this zero-day in the wild for 32 days before a patch became available, forcing CISA to mandate emergency federal remediation. It grants immediate lateral movement capabilities into protected enterprise networks.
- Ivanti Sentry Maximum Severity RCE (CVE-2026-10520)
- Type: Cloud Infrastructure / Mobile Management
- Impact: A command injection vulnerability allows unauthenticated remote attackers to execute arbitrary code with root privileges on Ivanti Sentry mobile gateway appliances.
- CVSS 10.0 / Statistics: Carrying the maximum possible severity score, this vulnerability was exploited in the wild within 24 hours of its disclosure, demonstrating an unprecedented compression in AI-accelerated vulnerability weaponization timelines.
- Linux "Fragnesia" CIFS Root Escalation (CVE-2026-46300)
- Type: Linux Operating System
- Impact: A privilege escalation vulnerability in the Linux kernel XFRM ESP-in-TCP subsystem that enables local attackers to completely manipulate the kernel page cache to achieve root access.
- CVSS 7.8 / Statistics: This 19-year-old flaw affects most major Linux distributions and represents a critical threat to Linux server infrastructure, containerized workloads, and hybrid environments, with proof-of-concept exploits readily available to the public.
Insights from Rubrik Zero Labs LLM Powered Advanced Analysis Systems
Top Threats Inside Backups: Our advanced analysis systems identify top and trending threats seen in the wild and compare that data with backup telemetry to detect stealthy malware. In this section we present the data for this month.
Beyond the Front Line
3.2% of prevalent threats are identified with high confidence as having bypassed front-line defenses. Behind that cohort stands a concentrated set of named adversaries—each with a distinct catalogue of tooling, each with the operational discipline to evade prevention layers long enough for their objectives to complete. 77.3% of named campaigns tied to the bypass cohort carry adversary attribution, i.e. a named operator stands behind the tooling. The cohort's footprint concentrates in technology, cybersecurity, and healthcare, but the tradecraft itself is sector-agnostic: credential abuse, lateral movement, and defense evasion primitives that exploit trust boundaries front-line detection is not built to see.
Evil Corp
| Industry | Share of cohort footprint |
|---|---|
| Technology | 64.3% |
| Cybersecurity | 10.7% |
| Healthcare | 8.9% |
Evil Corp is a financially-motivated cybercrime group known for large-scale banking fraud and ransomware operations. Four families from the Evil Corp catalogue surfaced in the bypass cohort.
- DOPPELPAYMER – Ransomware written in C that encrypts files stored locally, on network shares, and on removable devices, accounted for 2.3% of bypass-cohort alert activity.
- FAKEUPDATES – A downloader written in JavaScript that communicates via HTTP and writes payloads to disk for execution, represented 1.8% of bypass-cohort alert activity, and defenders moved to quarantine in 7.7% of environments encountering this tool.
- DANABOT - A backdoor written in Delphi often delivered via a dropper that decrypts and executes the main payload also accounted for 1.8% of bypass-cohort alert activity.
- VENOMRAT – A .NET-based backdoor that communicates using a custom binary protocol over TCP and can execute shell commands and download plugins accounted for 0.4% of bypass-cohort alert activity.
Lazarus
| Industry | Share of cohort footprint |
|---|---|
| Technology | 100% |
Lazarus is a North Korean state-sponsored advanced persistent threat group known for financially-motivated operations and espionage campaigns. Three families from the Lazarus catalogue surfaced in the bypass cohort.
- HANGMAN – Also tracked as Conti, Hoplight, Lazarus, and Nukesped, this variant is capable of uploading and downloading files, process and file system management, gathering system information, and updating its configuration. It represented 1.0% of bypass-cohort alert activity.
- LATEWIRE – Also tracked as Apost, Conti, Nukesped, and Nukesped Trojan, this downloader is written in C++ and downloads shellcode from the C&C and executes it, accounting for 0.3% of bypass-cohort alert activity.
- DARKSKY – Also tracked as BKDR, Conti, Joanap, and Joanap Worm, DARKSKY uses brute-force authentication attacks to propagate via Windows SMB shares and sends log data back to the configured command and control server, representing 0.1% of bypass-cohort alert activity.
Gentlemen
| Industry | Share of cohort footprint |
|---|---|
| Cybersecurity | 42.9% |
| Professional Services | 28.6% |
| Telecommunications | 14.3% |
Gentlemen is a cybercrime group known for proxy and tunneling infrastructure that enables ransomware activity, lateral movement and command-and-control persistence. SYSTEMBC, a tunneler written in C that retrieves proxy-related commands from a command-and-control server using a custom binary protocol, represented 0.9% of bypass-cohort alert activity.

Sector composition of the high-confidence bypass cohort, shown as share of cohort-wide environment footprint.
Ransomware
Ransomware families made up 14.3% of identified threats this period, surfacing seven distinct ransomware families across the dataset. EGREGOR dominated the chart with 55.9% of ransomware activity, followed by SODINOKIBI at 1.5% and WANNACRY at 1.1%. Notably, NEMTY.NEFILIM—attributed to the Nefilim threat actor through a named campaign first reported in March 2020—appeared as two variants within the same period, a signal that distinguishes it from opportunistic tooling despite its low activity share.
Cybersecurity environments absorbed 65% of the period's ransomware footprint, a concentration driven primarily by EGREGOR's alert volume but consistent across multiple families; security-focused organizations surface and report activity through their own telemetry, which likely inflates their share relative to less-instrumented industries. Technology environments accounted for the remaining 34%, spanning software vendors, managed service providers, and infrastructure operators where operational disruption carries direct revenue consequences.


Zero Labs blogs & intelligence: