← All threat briefs
Threat Brief

Weekly Situation Report — 5/25/26

Key takeaways

  • Nightmare Eclipse disclosed “MiniPlasma,” a Windows local privilege escalation vulnerability
  • A public exploit emerged for the DirtyDecrypt Linux root escalation vulnerability
  • Microsoft warned of an actively exploited Exchange zero-day flaw
  • FlowerStorm malware uses KrakVM virtual machine framework for anti-forensics
  • GitHub was compromised by TeamPCP; stolen data allegedly sold by LAPSUS$

1. Nightmare Eclipse Discloses another LPE Dubbed ‘MiniPlasma’

Summary

Security researcher Nightmare Eclipse released a local privilege escalation exploit called ‘MiniPlasma’ targeting Windows. It is the sixth vulnerability disclosed since April.

Category

Critical Vulnerabilities

Industry

Technology, Multiple

Analyst comments

Nightmare Eclipse released an exploit targeting CVE-2020-17103, a Windows privilege escalation vulnerability affecting the Cloud Filter driver. The flaw allows registry manipulation through undocumented APIs, potentially enabling system code execution. The original Google Project Zero proof-of-concept remains functional, suggesting the vulnerability was never fully remediated or was reintroduced in updates.

Testing showed unsuccessful exploitation on Windows 10 systems, but successful attacks on fully patched Windows 11 systems as of May 2026. Code comparisons between the 2020 and current exploits reveal minimal differences, primarily a registry key change from “DEMODEMO” to “Volatile Environment.” This suggests incomplete Microsoft mitigation across versions.

No known in-the-wild exploitation has been identified, though public availability of the proof-of-concept will likely enable adoption by state-backed actors and ransomware operators.

Actionable guidance

No patch currently exists. Organizations should monitor registry modifications at these locations:

Computer\HKEY_CURRENT_USER\Software\Policies\Microsoft\CloudFiles\BlockedApps\*
Computer\HKEY_CURRENT_USER\Volatile Environment

Until patches ship, detection is the most effective defense.

2. Exploit Available for New DirtyDecrypt Linux Root Escalation Flaw

Summary

A recently patched Linux kernel vulnerability named DirtyDecrypt allows local privilege escalation to root access via proof-of-concept exploit. The issue affects specific Linux distributions.

Category

Critical Vulnerabilities

Industry

Education, Technology, Public Administration and Government

Analyst comments

The DirtyDecrypt vulnerability exists in the Linux kernel’s rxgk module (CONFIG_RXGK), which supports the Andrew File Systems (AFS) common in educational institutions. Successful exploitation requires CONFIG_RXGK enablement, limiting exposure to distributions like Fedora, Arch Linux, and openSUSE Tumbleweed.

AFS prevalence in universities increases education sector vulnerability likelihood. Organizations outside academic and large institutional environments may deprioritize this threat. The vulnerability may see post-exploitation success but is unlikely to impact cloud-heavy environments.

Affected distributions include:

  • Fedora (including Rawhide and Workstation)
  • Arch Linux
  • openSUSE Tumbleweed
  • Systems using mainline kernel PPAs
  • ELRepo kernel-ml on RHEL/CentOS Stream

Actionable guidance

Apply distribution-specific patches via official websites. If Dirty Frag or Fragnesia mitigations were previously applied, protection likely exists. Otherwise, disable these modules from loading:

Esp4
Esp6
Rxrpc

3. Microsoft Warns of Exchange Zero-Day Flaw Exploited in Attacks

Summary

Microsoft disclosed CVE-2026-42897, a high-severity spoofing vulnerability affecting Exchange Server versions. The flaw enables arbitrary code execution through cross-site scripting in Outlook on the web. The Exchange Emergency Mitigation Service (EEMS) provides interim protection until official patches release.

Category

Critical Vulnerabilities

Industry

Technology, Financial and Fintech, Public Sector and Government Administration

Analyst comments

CVE-2026-42897 affects Exchange Server 2016, 2019, and Subscription Edition. While patches remain unavailable, EEMS can automatically mitigate on-premises deployments. No weaponized proof-of-concept has been widely released or discussed in underground forums.

The vulnerability relates to input validation and XSS attacks via specially crafted emails, likely stemming from missing or improperly implemented Content Security Policy headers. Internet Explorer and Edge in IE compatibility mode lack CSP header support, potentially expanding the threat landscape beyond nation-state actors to include financially motivated groups.

Vulnerable versions include:

  • Microsoft Exchange Server Subscription Edition RTM
  • Microsoft Exchange Server 2019 Cumulative Update 15
  • Microsoft Exchange Server 2019 Cumulative Update 14
  • Microsoft Exchange Server 2016 Cumulative Update 23

Actionable guidance

Administrators can manually apply mitigations using the Exchange on-premises Mitigation Tool (EOMT), though user reports indicate potential issues with OWA print calendar functionality and inline image display.

4. FlowerStorm Uses KrakVM for Anti-Forensics

Summary

FlowerStorm, a Phishing-As-A-Service attack kit, integrated KrakVM, an open-source JavaScript virtual machine, to obfuscate phishing campaigns. The framework targets various sectors with complex credential harvesting and MFA interception capabilities.

Category

Phishing

Industry

Public Sector and Government Administration, Logistics and Shipping, Retail

Analyst comments

FlowerStorm, active since mid-2024, has employed large-scale campaigns featuring MFA interception. In April 2026, researchers identified campaigns leveraging KrakVM to deliver FlowerStorm payloads. Phishing emails impersonated urgent communications like voicemails or invoices, containing KrakVM-encoded HTML attachments. Opening triggered credential harvesting, with campaigns targeting local government, logistics, retail, communications, and real estate sectors using German domain names mimicking legitimate businesses.

Recent analysis revealed many FlowerStorm samples no longer use KrakVM as originally described, with the latest KrakVM-based sample identified April 23rd. Samples use Cloudflare services and Turnstile, with eval elements blocking Burp-identified user agents and restricting specific keystrokes to prevent security testing.

Evidence suggests a potential shift away from KrakVM tactics or reflects individual affiliate preferences. Limited variation appeared in recent samples.

Actionable guidance

Attack chain samples commonly redirect users to *.myqcloud[.]com resources serving malicious bootstrap.min.js payloads. Block this domain and monitor for references to “krak” or “krakvm” alongside heavily obfuscated bytecode to identify PhaaS kit activity.

5. GitHub Compromised by TeamPCP, Data Being Sold by LAPSUS$

Summary

GitHub experienced a breach attributed to TeamPCP, which exploited a malicious VS Code extension called Nx Console. The campaign enabled theft of private code repositories through developer credential and CI/CD pipeline secret exploitation.

Category

Supply Chain Risk

Industry

Technology, Multiple

Analyst comments

GitHub suffered a breach through a compromised Nx Console VS Code extension version 18.95.0, installed by a GitHub employee, resulting in theft of 4,000 private code repositories. The malicious extension harvested GitHub tokens, AWS credentials, and npm registry tokens while exfiltrating data via HTTPS, the GitHub API, and DNS.

Exposure window: May 18, 2026, 12:30-13:09 UTC

Actionable guidance

Developers and organizations with the malicious plugin version installed during the exposure window should audit systems for malicious code or compromise indicators. While immediate impact remains unlikely for most repository owners, stolen data may fuel future exploitation against GitHub, repositories, or dependent organizations.

Maintaining external backups of hosted projects reduces data loss risk. Regular Software Bill of Materials audits help identify malicious or compromised dependencies introduced through supply chain or direct vectors.

More briefs
Weekly Situation Report — 6/15/26Jun 18, 2026Weekly Situation Report — 6/8/26Jun 11, 2026Weekly Situation Report — 6/1/26Jun 4, 2026
Talk to an expert