May 14 / 2026 / Reading Time: 10 minutes

Weekly Situation Report : 5/11/26

EXECUTIVE SUMMARY

This report informs our partners and clients of notable developments in the cybersecurity space, including relevant breaches, emerging vulnerabilities, research, threat actor movement, and what your organization needs to do to mitigate future threats.

KEY TAKEAWAYS

  • A critical buffer overflow vulnerability in PAN-OS is being actively exploited to compromise affected firewall devices.
  • DAEMON Tools Lite was trojanized in a supply-chain attack to distribute a hidden backdoor to users.
  • The CloudZ remote access trojan steals one-time passcodes through its Pheno plugin, which abuses Microsoft Phone Link on hosts paired with a phone.
  • Educational technology company Instructure has reported a cyber incident, with the ShinyHunters group claiming responsibility.
  • The PCPJack cloud-targeting worm steals credentials while also blocking competing TeamPCP malware infections.

1. Critical Buffer-Overflow Vulnerability in PAN-OS Exploited in the Wild

SUMMARY

On May 6th, 2026, Palo Alto Networks published a critical security advisory for a buffer overflow vulnerability (CVE-2026-0300) in PAN-OS, affecting specific versions of PA-Series and VM-Series firewalls. The flaw allows unauthenticated attackers to execute arbitrary code with root privileges, and reports indicate it has been exploited since April.

Category

Critical Vulnerabilities

Industry

Technology, Public Sector and Government Administration, Financial and Fintech

Sources

https://security.paloaltonetworks.com/CVE-2026-0300

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000CqbiCAC

https://www.cert.europa.eu/publications/security-advisories/2026-006/

https://thehackernews.com/2026/05/palo-alto-pan-os-flaw-under-active.html

https://www.cisa.gov/news-events/alerts/2026/05/06/cisa-adds-one-known-exploited-vulnerability-catalog

ANALYST COMMENTS

On May 6, 2026, Palo Alto Networks published a security advisory for a critical vulnerability (CVE-2026-0300) in PAN-OS software. The flaw is a buffer overflow in the User-ID Authentication Portal/Captive Portal that could allow unauthenticated attackers to execute arbitrary code with root privileges. It affects multiple PAN-OS releases on PA-Series and VM-Series firewalls and carries a CVSS score of 9.3 (critical). External reporting indicates limited exploitation starting in April and continuing over the past month.

ACTIONABLE GUIDANCE

At the time of writing no patch is available; the vendor has indicated that a fix is expected before May 13th. Until then, access to the affected interface should be restricted to internal hosts only to reduce the exposed attack surface. Because the vulnerability is a buffer overflow in the User-ID Authentication Portal/Captive Portal, an attacker will most likely need to send an unusually large request to the portal login endpoint. Defenders should monitor for abnormal or excessive POST requests to /php/login.php, especially requests with large bodies or unusual alphanumeric patterns. Threat hunting should also look for repeated requests to that endpoint, unexpected source IP addresses, spikes in request size, or other anomalous authentication portal activity that may indicate exploitation attempts. The following version ranges are known to be affected (lower bound inclusive, upper bound excluded):

 12.1.4 and up to (excluding) 12.1.4-h5
 12.1.0 and up to (excluding) 12.1.7
 11.2.4 and up to (excluding) 11.2.4-h17
 11.2.7 and up to (excluding) 11.2.7-h13
 11.2.10 and up to (excluding) 11.2.10-h6
 11.2.0 and up to (excluding) 11.2.12
 11.1.4 and up to (excluding) 11.1.4-h33
 11.1.6 and up to (excluding) 11.1.6-h32
 11.1.7 and up to (excluding) 11.1.7-h6
 11.1.10 and up to (excluding) 11.1.10-h25
 11.1.13 and up to (excluding) 11.1.13-h5
 11.1.0 and up to (excluding) 11.1.15
 10.2.7 and up to (excluding) 10.2.7-h34
 10.2.10 and up to (excluding) 10.2.10-h36
 10.2.13 and up to (excluding) 10.2.13-h21
 10.2.16 and up to (excluding) 10.2.16-h7
 10.2.18 and up to (excluding) 10.2.18-h6
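To check a firewall inventory against the ranges above, here is an added example (written for this edit, not part of the original report or any vendor tooling) that parses the list exactly as printed, including the -hN hotfix suffix, and resolves the overlap between the per-train ranges (e.g. 12.1.0 up to 12.1.7) and the hotfix ranges, so that a fixed hotfix such as 12.1.4-h5 is not reported as affected even though it sits inside the 12.1 train range. The inventory hostnames and versions are constructed for the example:

```python
import re

# The affected ranges exactly as listed in the advisory text above. Lower bound
# inclusive, upper bound exclusive; each upper bound is the release that carries
# the fix for that train or maintenance release.
AFFECTED_RANGES_TEXT = """
12.1.4 and up to (excluding)12.1.4-h5
12.1.0 and up to (excluding)12.1.7
11.2.4 and up to (excluding)11.2.4-h17
11.2.7 and up to (excluding)11.2.7-h13
11.2.10 and up to (excluding)11.2.10-h6
11.2.0 and up to (excluding)11.2.12
11.1.4 and up to (excluding)11.1.4-h33
11.1.6 and up to (excluding)11.1.6-h32
11.1.7 and up to (excluding)11.1.7-h6
11.1.10 and up to (excluding)11.1.10-h25
11.1.13 and up to (excluding)11.1.13-h5
11.1.0 and up to (excluding)11.1.15
10.2.7 and up to (excluding)10.2.7-h34
10.2.10 and up to (excluding)10.2.10-h36
10.2.13 and up to (excluding)10.2.13-h21
10.2.16 and up to (excluding)10.2.16-h7
10.2.18 and up to (excluding)10.2.18-h6
"""

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")
RANGE_RE = re.compile(r"^\s*(\S+)\s+and up to \(excluding\)\s*(\S+)\s*$")


def parse_version(text):
    """'11.2.4-h17' -> (11, 2, 4, 17). A release without a hotfix gets hotfix 0,
    so it sorts below every hotfix of the same base release."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def parse_ranges(text):
    """Turn the advisory's 'X and up to (excluding)Y' lines into (lo, hi) tuples."""
    ranges = []
    for line in text.strip().splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges.append((parse_version(m.group(1)), parse_version(m.group(2))))
    return ranges


AFFECTED_RANGES = parse_ranges(AFFECTED_RANGES_TEXT)


def is_affected(version, ranges=None):
    """True if `version` sits inside an affected range and is not already at or
    above the fixed hotfix for its own base release.

    The second test matters because the per-train ranges (e.g. 12.1.0 .. 12.1.7)
    overlap the hotfix ranges: 12.1.4-h5 lies inside 12.1.0 .. 12.1.7 but is the
    fixed build for 12.1.4, so it must not be reported as affected."""
    ranges = AFFECTED_RANGES if ranges is None else ranges
    v = parse_version(version)
    inside = any(lo <= v < hi for lo, hi in ranges)
    fixed_for_base = any(v >= hi for _, hi in ranges if hi[:3] == v[:3])
    return inside and not fixed_for_base


def triage_inventory(inventory):
    """inventory: {hostname: PAN-OS version}. Returns only the affected entries."""
    return {host: ver for host, ver in inventory.items() if is_affected(ver)}


# Constructed sample inventory: hypothetical hostnames and versions, not real devices.
SAMPLE_INVENTORY = {
    "fw-edge-01": "11.2.4-h3",   # below the 11.2.4-h17 fix -> affected
    "fw-edge-02": "11.2.4-h17",  # the fixed hotfix itself -> not affected
    "fw-dc-01": "12.1.5",        # inside 12.1.0 .. 12.1.7, no hotfix fix listed -> affected
    "fw-dc-02": "12.1.7",        # upper bound of the 12.1 train range -> not affected
    "fw-lab-01": "10.2.8",       # no listed range covers it -> not affected
}

if __name__ == "__main__":
    for host, ver in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{host}: PAN-OS {ver} is affected by CVE-2026-0300")
```

Note that 10.2.8 comes back as not affected only because the list above has no 10.2.0-based train range; if the vendor advisory is updated with one, replace AFFECTED_RANGES_TEXT with the new list and the logic needs no change.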
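As an added example of the portal-monitoring guidance above (written for this edit, not taken from the original report), the following script triages access-log lines for POSTs to /php/login.php and reports three things: oversized request bodies, bursts of requests from a single source, and sources outside an allowed internal range (which should not occur once the interface is restricted to internal hosts). The log format, the 4096-byte and 10x-median thresholds, the burst parameters and the sample lines are all assumptions constructed for the example; PAN-OS itself does not emit this format, so LOG_RE should be adapted to whatever logs (reverse proxy, WAF, or the firewall's own) you actually have:

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

PORTAL_PATH = "/php/login.php"

# Combined-log style line with the request body size as the last field. This is a
# constructed format for the example; adjust LOG_RE to your own log source.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes_in>\d+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], TS_FMT)
    e["status"] = int(e["status"])
    e["bytes_in"] = int(e["bytes_in"])
    return e


def triage(lines, allowed_networks=(), max_body=4096, spike_factor=10,
           burst_n=10, burst_window=timedelta(minutes=5)):
    """Return (kind, source, detail) findings for POSTs to the portal login endpoint:
    - oversized_post: body larger than max_body bytes or spike_factor x the median
      (an overflow trigger needs an unusually large request);
    - external_source: POSTs from outside allowed_networks;
    - burst: burst_n or more POSTs from one source within burst_window."""
    events = [e for e in map(parse_line, lines)
              if e and e["method"] == "POST" and e["path"].split("?", 1)[0] == PORTAL_PATH]
    allowed = [ip_network(n) for n in allowed_networks]
    findings = []

    sizes = [e["bytes_in"] for e in events]
    median = statistics.median(sizes) if sizes else 0
    for e in events:
        if e["bytes_in"] > max_body or (median and e["bytes_in"] > spike_factor * median):
            findings.append(("oversized_post", e["src"], e["bytes_in"]))

    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e["ts"])
    for src, stamps in sorted(by_src.items()):
        if allowed and not any(ip_address(src) in n for n in allowed):
            findings.append(("external_source", src, len(stamps)))
        stamps.sort()
        start = 0
        for end in range(len(stamps)):          # sliding window over this source's POSTs
            while stamps[end] - stamps[start] > burst_window:
                start += 1
            if end - start + 1 >= burst_n:
                findings.append(("burst", src, end - start + 1))
                break
    return findings


def _line(src, ts, size, status=200, method="POST"):
    return f'{src} - - [{ts:{TS_FMT}}] "{method} {PORTAL_PATH} HTTP/1.1" {status} {size}'


# Constructed sample log (RFC 5737 documentation addresses), not captured traffic.
_T0 = datetime(2026, 5, 7, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_LINES = (
    [_line("192.0.2.10", _T0 + timedelta(minutes=7 * i), 280 + 5 * i) for i in range(6)]  # normal logins
    + [_line("203.0.113.7", _T0 + timedelta(minutes=3), 25000, status=302)]                # 25 KB body
    + [_line("198.51.100.23", _T0 + timedelta(seconds=8 * i), 300) for i in range(12)]     # 12 POSTs in 88 s
    + [_line("192.0.2.11", _T0 + timedelta(minutes=1), 0, method="GET")]                  # GET, ignored
)

if __name__ == "__main__":
    for kind, src, detail in triage(SAMPLE_LINES, allowed_networks=("10.0.0.0/8", "192.0.2.0/24")):
        print(f"{kind:16} {src:16} {detail}")
```

The median-based spike check is there because a fixed byte threshold is a guess; on real traffic, derive the threshold from a week of known-good portal logins and keep the absolute cap as a backstop.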


2. DAEMON Tools Lite Trojanized in Supply-Chain Attack to Deploy Backdoor

SUMMARY

Hackers compromised DAEMON Tools software installers, delivering a backdoor to thousands globally beginning on April 8th. A second stage involved deploying malware to high-value organizations in specific countries, highlighting a sophisticated, ongoing supply-chain attack with likely ties to Chinese threat activity. As of May 6th, the software vendor has acknowledged that the malicious version is no longer available.

Category

Supply Chain Risk

Industry

Multiple

Sources

https://securelist.com/tr/daemon-tools-backdoor/119654/

https://www.bleepingcomputer.com/news/security/daemon-tools-trojanized-in-supply-chain-attack-to-deploy-backdoor/

https://www.pcmag.com/news/remember-daemon-tools-it-was-hacked-to-serve-windows-malware

https://www.reddit.com/r/programming/comments/1t4aiw5/popular_daemon_tools_software_infected_supply/

https://old.reddit.com/r/software/comments/1ilm32c/just_purchased_daemon_tools_and_its_full_of_what/

ANALYST COMMENTS

Attackers trojanized DAEMON Tools installers distributed through the official website, delivering a backdoor to thousands of systems since April 8th. The activity appears to be a targeted supply-chain attack against high-value victims in the retail, scientific, government, and manufacturing sectors across more than 100 countries. The compromised versions range from 12.5.0.2421 to 12.5.0.2434, with the malicious code carried in binaries such as DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. The initial malware collects system information for victim profiling, and selected systems then receive a second-stage payload consisting of a lightweight backdoor.

We analyzed several available samples. The malware makes heavy use of sleep calls to evade analysis, which is why malware sandboxes show limited detection of it. The trojanized packages appear to be espionage focused, given the emphasis on host discovery and the effort invested in stealth. Based on vendor reports and our own verification research, the following IoCs are associated with the malware:

# Compromised installer versions (SHA-1)
9ccd769624de98eeeb12714ff1707ec4f5bf196d (12.5.0.2421)
50d47adb6dd45215c7cb4c68bae28b129ca09645 (12.5.0.2422)
0c1d3da9c7a651ba40b40e12d48ebd32b3f31820 (12.5.0.2423)
28b72576d67ae21d9587d782942628ea46dcc870 (12.5.0.2424)
46b90bf370e60d61075d3472828fdc0b85ab0492 (12.5.0.2430)
6325179f442e5b1a716580cd70dea644ac9ecd18 (12.5.0.2431)
bd8fbb5e6842df8683163adbd6a36136164eac58 (12.5.0.2433)
15ed5c3384e12fe4314ad6edbd1dcccf5ac1ee29 (12.5.0.2434)

# SHA-1 hashes of modified DiscSoftBusServiceLite.exe
524d2d92909eef80c406e87a0fc37d7bb4dadc14
427f1728682ebc7ffe3300fef67d0e3cb6b62948
8e7eb0f5ac60dd3b4a9474d2544348c3bda48045
00e2df8f42d14072e4385e500d4669ec783aa517
aea55e42c4436236278e5692d3dcbcbe5fe6ce0b
0456e2f5f56ec8ed16078941248e7cbba9f1c8eb
9a09ad7b7e9ff7a465aa1150541e231189911afb
8d435918d304fc38d54b104a13f2e33e8e598c82
64462f751788f529c1eb09023b26a47792ecdc54

# Network traffic
172.67.222.146 - AS13335 CLOUDFLARENET (shared Cloudflare proxy address)
update.daemontools[.]cc - AS13335 CLOUDFLARENET - likely file loader
env-check.daemontools[.]cc - AS13335 CLOUDFLARENET - primary C2
*.daemontools[.]cc (typosquat of the official domain daemon-tools.cc)

Multiple reports note that the malware campaign is highly targeted. Additional payloads are only deployed after the victim system is profiled and determined to be of interest to the threat actor. Based on current reports, the following industry sectors were the primary recipients of the second-stage malware:

  • Retail
  • Manufacturing
  • Government and public administration
  • Science/ Academia

Reports indicate that only a limited number of organizations, primarily within the noted sectors and in regions such as Russia and Thailand, received the second-stage backdoor payload. However, given the alignment with known Chinese strategic interests, additional targeting beyond the currently identified victims is likely, particularly across Latin America, the United States, and Southeast Asia.

DAEMON Tools is primarily considered a legacy software product that has largely been phased out due to native OS support for formats such as .iso. However, the software still provides support for a wider range of image formats and continues to maintain an active user base. Current usage is largely concentrated among consumers interested in gaming, retro-technology, or environments that rely on legacy software/hardware.

ACTIONABLE GUIDANCE

Blocking the known typosquatted domains should be the initial step to prevent further communication with the malware's C2 servers. Note that the listed IPv4 address sits in Cloudflare's shared proxy space (AS13335), so blocking it outright will also break unrelated sites that resolve to the same address; block and alert on the daemontools[.]cc domains at the DNS or proxy layer instead, and treat the IP as a detection indicator rather than a blocking one. Organizations using DAEMON Tools should also hunt for connections to the identified malicious domains and for the known hashes and files associated with the trojanized binaries to identify potential compromise.

Based on current reports, organizations outside the previously identified sectors and regions are likely at lower risk. Organizations and users that did not install the Lite version of the tool between April 8th and May 7th are unlikely to be affected. The second-stage payload relies on PowerShell; restricting PowerShell execution for users who do not need it (for example through Constrained Language Mode or an AppLocker/WDAC policy) limits its ability to run, and is worth prioritizing in high-risk sectors and regions.
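The following script is an added example of the hunt described above (written for this edit, not from the original report or the vendor). It hashes every file under a directory against the SHA-1 list above, flags the named DAEMON Tools binaries for review even when their hash is unknown, and matches DNS/proxy log lines against the typosquat domain and address using label-aware matching, so the legitimate daemon-tools.cc and unrelated hosts that merely embed the string do not trigger. The sample log lines and demo files are constructed; the demo's "known bad" file hash is the digest of a constructed file, added to the set only to exercise the match path:

```python
import hashlib
import os
import re
import tempfile

# Indicators from the IoC list above: SHA-1 of the trojanized installers and of
# the modified DiscSoftBusServiceLite.exe binaries.
COMPROMISED_SHA1 = {
    "9ccd769624de98eeeb12714ff1707ec4f5bf196d", "50d47adb6dd45215c7cb4c68bae28b129ca09645",
    "0c1d3da9c7a651ba40b40e12d48ebd32b3f31820", "28b72576d67ae21d9587d782942628ea46dcc870",
    "46b90bf370e60d61075d3472828fdc0b85ab0492", "6325179f442e5b1a716580cd70dea644ac9ecd18",
    "bd8fbb5e6842df8683163adbd6a36136164eac58", "15ed5c3384e12fe4314ad6edbd1dcccf5ac1ee29",
    "524d2d92909eef80c406e87a0fc37d7bb4dadc14", "427f1728682ebc7ffe3300fef67d0e3cb6b62948",
    "8e7eb0f5ac60dd3b4a9474d2544348c3bda48045", "00e2df8f42d14072e4385e500d4669ec783aa517",
    "aea55e42c4436236278e5692d3dcbcbe5fe6ce0b", "0456e2f5f56ec8ed16078941248e7cbba9f1c8eb",
    "9a09ad7b7e9ff7a465aa1150541e231189911afb", "8d435918d304fc38d54b104a13f2e33e8e598c82",
    "64462f751788f529c1eb09023b26a47792ecdc54",
}
C2_DOMAINS = ["daemontools[.]cc"]   # covers *.daemontools[.]cc; daemon-tools.cc is the legitimate site
C2_IPS = {"172.67.222.146"}
WATCHED_BINARIES = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def refang(ioc):
    return ioc.replace("[.]", ".").lower()


def sha1_of(path):
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_files(root, known=COMPROMISED_SHA1):
    """Hash every file under root. Known-bad hashes are definite hits; the named
    DAEMON Tools binaries are flagged for review even with an unknown hash, since
    the public hash list may not be complete."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            digest = sha1_of(path)
            if digest in known:
                hits.append((path, digest, "known_bad_hash"))
            elif name.lower() in WATCHED_BINARIES:
                hits.append((path, digest, "review_binary"))
    return hits


def host_matches(host, domain):
    """Label-aware suffix match: update.daemontools.cc matches daemontools.cc,
    but daemontools.cc.example.com and www.daemon-tools.cc do not."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def sweep_logs(lines, domains=C2_DOMAINS, ips=C2_IPS):
    """Return (line, matched_indicator) for log lines that touch the C2 domains or IP."""
    doms = [refang(d) for d in domains]
    ip_patterns = [(ip, re.compile(rf"(?<![\d.]){re.escape(ip)}(?![\d.])")) for ip in sorted(ips)]
    hits = []
    for line in lines:
        hosts = [h for h in HOST_RE.findall(line) if any(host_matches(h, d) for d in doms)]
        if hosts:
            hits.append((line, hosts[0].lower()))
            continue
        for ip, pat in ip_patterns:
            if pat.search(line):
                hits.append((line, ip))
                break
    return hits


# Constructed sample DNS/firewall log lines, not captured traffic.
SAMPLE_LOG = [
    "2026-04-20T10:11:12Z host=ws-042 query=update.daemontools.cc type=A",
    "2026-04-20T10:11:13Z host=ws-042 query=www.daemon-tools.cc type=A",
    "2026-04-20T10:12:00Z host=ws-017 dst=172.67.222.146:443 proto=tls",
    "2026-04-20T10:12:05Z host=ws-017 query=daemontools.cc.example.com type=A",
]


def run_demo():
    """Build a throwaway directory with two constructed files and sweep it. The
    'known bad' digest is that of the constructed file, added to the set purely to
    exercise the match path; the real hashes above cannot be reproduced here."""
    with tempfile.TemporaryDirectory() as root:
        benign = os.path.join(root, "DTHelper.exe")
        with open(benign, "wb") as f:
            f.write(b"constructed benign content")
        stand_in = os.path.join(root, "DiscSoftBusServiceLite.exe")
        with open(stand_in, "wb") as f:
            f.write(b"constructed stand-in for a trojanized binary")
        file_hits = sweep_files(root, COMPROMISED_SHA1 | {sha1_of(stand_in)})
    return file_hits, sweep_logs(SAMPLE_LOG)


if __name__ == "__main__":
    file_hits, log_hits = run_demo()
    for path, digest, kind in file_hits:
        print(f"{kind:15} {digest} {path}")
    for line, ioc in log_hits:
        print(f"log hit on {ioc}: {line}")
```

Point sweep_files at the DAEMON Tools install directory and the user download folders on in-scope hosts; the IP match is kept as a detection only, for the reason given above.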


3. CloudZ RAT Steals OTP Messages Using Pheno Plugin

SUMMARY

Researchers discovered a campaign, ongoing since January 2026, in which an attacker used the CloudZ RAT and a new plugin called Pheno to abuse the Microsoft Phone Link application. The plugin intercepts sensitive data such as SMS messages and OTPs, while the RAT evades detection by executing its malicious functions in memory.

Category

Threat Actor Activities

Industry

Multiple

Sources

https://blog.talosintelligence.com/cloudz-pheno-infostealer/

https://www.reddit.com/r/cybersecurity/comments/1t4gwe5/cloudz_malware_abuses_microsoft_phone_link_to/

Internal OSec Research

ANALYST COMMENTS

Researchers uncovered an ongoing campaign, active since January 2026, involving the CloudZ RAT and a new plugin named Pheno that targets victims' credentials and OTPs on hosts where the Microsoft Phone Link application is paired with a phone. The CloudZ RAT executes dynamically in memory and performs environment checks to avoid detection, while the Pheno plugin scans for Phone Link processes to intercept mobile data such as SMS messages and OTPs. The attack begins with a fake ScreenConnect update executable that drops a .NET loader, which in turn deploys the CloudZ RAT and the Pheno plugin. The RAT uses evasion techniques including timing checks and environment profiling, and establishes persistence on the victim's machine via scheduled tasks.

# Network traffic and domains

*.hellohiall.workers[.]dev
round-cherry-4418.hellohiall.workers[.]dev

One of the more notable aspects of the malware is its use of the Windows Phone Link application: it determines whether a phone is linked to the current Windows session in order to bypass MFA controls. The Pheno plugin is downloaded via curl from the Cloudflare Workers domains noted above (*.hellohiall.workers[.]dev). If the plugin detects a linked phone, it writes a file named phonelink-<computer_name>.txt into the following folders:

# Phone link status written to phonelink-<computer_name>.txt to the folders:

C:\programdata\Microsoft\feedback\cm 
%TEMP%\Microsoft\feedback\cm

ACTIONABLE GUIDANCE

The malware functions primarily as an infostealer and is designed to harvest user credentials. Initial mitigation should include blocking the known C2 domains noted above. Users who link their desktop with a mobile device through Windows Phone Link are at higher risk of compromise and MFA bypass, as the malware identifies linked devices to capture SMS and OTP notifications.

The loader primarily uses PowerShell to establish itself and the LOLBAS binary regasm.exe to launch the rest of the attack chain. Restricting PowerShell execution for non-IT users reduces the available attack surface, particularly where PowerShell access is not operationally required. Defenders should also review systems for suspicious or unknown scheduled tasks (the sample we analyzed created the task \Microsoft\Windows\SystemWindowsApis) that may indicate a successful compromise. Additional mitigations include blocking execution of downloaded .exe binaries that carry the Mark of the Web and limiting software installation privileges to administrators and approved users. These controls reduce the likelihood of successful malware execution and persistence.
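As an added example of the host review above (written for this edit, not from the original report or the analyzed sample), the following script checks the two drop folders for the phonelink-<computer_name>.txt marker and scans scheduled tasks for the known task name or for suspicious actions (regasm.exe, hidden or encoded PowerShell, curl against workers.dev). It assumes the column names produced by `schtasks /query /fo CSV /v` ("TaskName", "Task To Run"); the sample CSV, the task actions in it and the marker file are constructed for the example and do not come from the analyzed sample:

```python
import csv
import glob
import io
import os
import re
import tempfile

MARKER_GLOB = "phonelink-*.txt"
# The two drop folders named above, resolved through the environment so the
# paths are right on the host being checked.
MARKER_DIRS = [
    os.path.join(os.environ.get("ProgramData", r"C:\ProgramData"), "Microsoft", "feedback", "cm"),
    os.path.join(os.environ.get("TEMP", r"C:\Windows\Temp"), "Microsoft", "feedback", "cm"),
]
KNOWN_TASK = r"\Microsoft\Windows\SystemWindowsApis"
# Actions worth a look regardless of task name: regasm.exe (LOLBAS), hidden or
# encoded PowerShell, curl pulling from workers.dev.
SUSPICIOUS_ACTION = re.compile(
    r"regasm\.exe"
    r"|powershell(?:\.exe)?\b.*?(?:-enc|-e\s|-w\s+hidden|-nop)"
    r"|curl(?:\.exe)?\b.*workers\.dev",
    re.I,
)


def find_markers(dirs=MARKER_DIRS):
    """Return any phonelink-<computer_name>.txt files present in the drop folders."""
    return [p for d in dirs for p in sorted(glob.glob(os.path.join(d, MARKER_GLOB)))]


def suspicious_tasks(schtasks_csv):
    """Parse `schtasks /query /fo CSV /v` output (assumed columns 'TaskName' and
    'Task To Run') and return (task_name, action, reasons) for tasks that use the
    known Pheno task name or a suspicious action."""
    hits = []
    for row in csv.DictReader(io.StringIO(schtasks_csv.strip())):
        name = row.get("TaskName", "")
        action = row.get("Task To Run", "")
        reasons = []
        if name.lower() == KNOWN_TASK.lower():
            reasons.append("known_pheno_task_name")
        if SUSPICIOUS_ACTION.search(action):
            reasons.append("suspicious_action")
        if reasons:
            hits.append((name, action, reasons))
    return hits


# Constructed sample of schtasks CSV output. The task actions are hypothetical and
# only illustrate the patterns; they are not taken from the analyzed sample.
SAMPLE_SCHTASKS_CSV = r'''
"HostName","TaskName","Next Run Time","Status","Logon Mode","Last Run Time","Last Result","Author","Task To Run"
"WS-042","\Microsoft\Windows\Defrag\ScheduledDefrag","N/A","Ready","Interactive/Background","N/A","0","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -k -g -$"
"WS-042","\Microsoft\Windows\SystemWindowsApis","5/8/2026 9:00:00 AM","Ready","Interactive/Background","5/7/2026 9:00:00 AM","0","WS-042\user","C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U C:\Users\Public\svc.dll"
"WS-042","\UpdateCheck","5/8/2026 9:05:00 AM","Ready","Interactive/Background","5/7/2026 9:05:00 AM","0","WS-042\user","powershell.exe -nop -w hidden -enc SQBFAFgA"
'''


def run_demo():
    """Create a throwaway drop folder with a constructed marker file, then run both checks."""
    with tempfile.TemporaryDirectory() as root:
        cm = os.path.join(root, "Microsoft", "feedback", "cm")
        os.makedirs(cm)
        with open(os.path.join(cm, "phonelink-WS-042.txt"), "w") as f:
            f.write("constructed marker\n")
        markers = find_markers([cm])
    return markers, suspicious_tasks(SAMPLE_SCHTASKS_CSV)


if __name__ == "__main__":
    markers, tasks = run_demo()
    print("markers:", markers)
    for name, action, reasons in tasks:
        print(f"{name}: {', '.join(reasons)} -> {action}")
```

On a live host, run `schtasks /query /fo CSV /v` and feed its output to suspicious_tasks, and call find_markers() with its defaults; a marker file is evidence that Pheno ran and found a paired phone, so treat the host's SMS-delivered OTPs as exposed.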


4. Educational Company Instructure Reports Cyber Incident, Attack Claimed by ShinyHunters

SUMMARY

A cyber attack on educational technology company Instructure, orchestrated by the cybercriminal group ShinyHunters, resulted in the theft of user data from over 9,000 schools.

Category

Confirmed Breach

Industry

Technology, Education

Sources

https://therecord.media/infrastructure-education-company-canvas-incident

https://www.okta.com/blog/threat-intelligence/phishing-kits-adapt-to-the-script-of-callers/

https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion

https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft

https://www.intrinsec.com/prospero-proton66-tracing-uncovering-the-links-between-bulletproof-networks/

https://www.silentpush.com/blog/slsh-alert/

ANALYST COMMENTS

Instructure, the company behind the Canvas learning platform, experienced a cyber incident involving unauthorized access to user information including names, email addresses, student ID numbers, and user messages. According to the company, financial and government documents were not impacted. The incident was contained by revoking credentials and deploying security patches; however, these remediation efforts also temporarily disrupted some customer tools and services. The ShinyHunters cybercriminal group claimed responsibility, stating that it stole more than 3.65 TB of data from over 9,000 schools. The group has repeatedly targeted educational institutions over the past two years.

The group is known to reuse information obtained in previous breaches extensively, so any user or credential information exposed in this incident may later be leveraged for downstream targeting. The threat actors have historically favored larger, recognizable entities and brands for follow-on exploitation. Within the education sector, organizations with large endowments, significant revenue, or strong ties to educational technology services are likely to face increased targeting risk.

Analysis of the group's most recent campaigns, particularly those involving the financial sector, shows repeated references to Salesforce environments. This suggests that Salesforce may be both a potential vector of compromise and a priority target for the group, which aligns with recent vendor reporting and industry observations. The group is also known to use SSO phishing and vishing directly against targeted organizations as well as against third-party support providers such as technology and outsourcing firms. These operations likely rely on off-the-shelf phishing kits sold on underground forums, which obscures the group's primary infrastructure.

ACTIONABLE GUIDANCE

Organizations within the education sector, particularly those with high valuations, strong brand recognition, or access to downstream customers and users, are at elevated risk of targeting by this group. The threat actors rely primarily on social engineering, including vishing and lookalike phishing domains that commonly impersonate technical support portals or enterprise SSO platforms. Previous reporting indicates a preference for targeting Okta-related authentication workflows.

Affected organizations should proactively rotate credentials, secrets, and authentication tokens, and operate under the assumption that sensitive information contained in private communications may have been exposed. Organizations should also monitor for newly registered domains that contain their organization's name or close variations designed to impersonate legitimate branding, as these are strong indicators of staging activity ahead of a targeted attack. The same monitoring should extend to critical vendors, partners, and service providers the organization relies on, as these relationships may also be leveraged in follow-on targeting.
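To illustrate the lookalike-domain monitoring above, here is an added example (written for this edit, not from the original report) that scores candidate domains from a registration feed against an organization's brand tokens: it folds common homoglyph substitutions (rn for m, 0 for o, 1 for l), flags brand plus authentication keyword combinations (sso, okta, login, support and similar, matching the SSO and support-portal impersonation noted above), and flags labels within a small edit distance of a brand. The brand list, keyword list, scoring weights, the tiny public-suffix stand-in and the candidate domains are all constructed for the example:

```python
BRANDS = ["instructure", "canvas"]   # the organization's own names; constructed for the example
AUTH_KEYWORDS = ("sso", "okta", "login", "signin", "support", "helpdesk", "verify", "auth", "portal", "mfa")
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))
TWO_PART_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}   # tiny stand-in for a public suffix list


def registrable_label(domain):
    """The label the registrant chose: 'canvasprints' for canvasprints.co.uk."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in TWO_PART_SUFFIXES:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label):
    """Fold look-alike substitutions and hyphens so 'rn' reads as 'm', '0' as 'o', etc."""
    label = label.lower().replace("-", "")
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_domain(domain, brands=BRANDS, max_distance=2):
    """+2 when the label embeds a brand, +3 more when it also carries an auth/support
    keyword, and 4-d when the whole label is within edit distance d of a brand."""
    label = normalize(registrable_label(domain))
    score, reasons = 0, []
    for brand in brands:
        if brand in label:
            score += 2
            reasons.append(f"contains:{brand}")
            if any(k in label for k in AUTH_KEYWORDS):
                score += 3
                reasons.append("auth_keyword")
        else:
            d = levenshtein(label, brand)
            if d <= max_distance:
                score += 4 - d
                reasons.append(f"edit_distance_{d}:{brand}")
    return score, reasons


def rank_domains(domains, brands=BRANDS):
    """(domain, score, reasons) for every candidate scoring above zero, highest first."""
    ranked = [(d, *score_domain(d, brands)) for d in domains]
    return sorted([r for r in ranked if r[1] > 0], key=lambda r: (-r[1], r[0]))


# Constructed candidate list standing in for a newly-registered-domain feed.
SAMPLE_DOMAINS = [
    "instructure-sso.com", "canvas-okta-support.net", "lnstructure.com",
    "instructrue.com", "canvasprints.co.uk", "instruct.com", "example.com",
]

if __name__ == "__main__":
    for domain, score, reasons in rank_domains(SAMPLE_DOMAINS):
        print(f"{score:2} {domain:28} {', '.join(reasons)}")
```

Run the same scoring against vendor and partner brand tokens as well, as the guidance above suggests; a short generic brand like "canvas" will produce low-scoring noise (canvasprints) that the keyword and distance rules are there to separate from the high-scoring SSO lookalikes.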


5. PCPJack Cloud-Targeting Worm Steals Credentials and Blocks TeamPCP Malware

SUMMARY

A new cloud-focused worm called “PCPJack” has been identified. It targets cloud infrastructure to spread rapidly across environments, steal credentials, and establish persistence at scale, and it includes logic to evict a competing malware family associated with the threat actor group TeamPCP.

Category

Threat Actor Activities

Industry

Multiple

Sources

https://www.sentinelone.com/labs/cloud-worm-evicts-teampcp-and-steals-credentials-at-scale/

https://www.darkreading.com/cloud-security/teampcp-malware-pcpjack-steals-cloud-secrets

Internal OSec Research

ANALYST COMMENTS

PCPJack is a fast-moving cloud worm that targets exposed cloud and web servers to gain unauthorized access and spread across environments. Once inside, the malware steals credentials, installs persistence mechanisms, and attempts to evict competing attackers (TeamPCP) to maintain exclusive control of compromised systems. Researchers observed automated lateral movement and large-scale credential harvesting, likely for resale and future exploitation.

Analysis of a copy of the malware showed that the bootstrap.sh script is not obfuscated and has clearly marked sections. It serves the various payloads from an S3 bucket and embeds a list of IP addresses that the script blocks, presumably infrastructure used by the competing malware it evicts.

The malware establishes persistence through multiple mechanisms depending on the level of access obtained. When root privileges are available, it creates a systemd service named sys-monitor.service. Without elevated privileges, it instead creates cron jobs that execute the Python files monitor.py and worm.py.

ACTIONABLE GUIDANCE

Ensure that cloud environments are appropriately hardened to reduce the risk of compromise and lateral movement. This includes enforcing the use of IMDSv2, ensuring users and roles adhere to least privilege principles through strict RBAC policies and requiring MFA for all users throughout the cloud environment. 

Sensitive cloud assets and systems containing critical information should be heavily restricted, with public internet exposure minimized wherever possible to reduce the available attack surface. 

Blocking outbound access to Telegram (including its Bot API endpoint, api.telegram.org) where it is not required for business use prevents further C2 communication over Telegram channels. If compromise is suspected, defenders should investigate not only the associated network communications but also local persistence mechanisms: the malware creates cron jobs or systemd service units that relaunch it through bootstrap.sh, so reviewing those locations may reveal artifacts showing that the malware has executed or established persistence on a compromised system.
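As an added example of the persistence review above (written for this edit, not from the original report or the SentinelOne analysis), the following script walks the usual crontab locations and systemd unit directories looking for the sys-monitor.service unit and for non-comment references to monitor.py, worm.py and bootstrap.sh. The default paths are standard Linux locations; the demo tree, its crontab lines and unit files are constructed for the example:

```python
import os
import re
import tempfile

# Indicators named in the analysis above.
UNIT_NAME = "sys-monitor.service"
INDICATOR_RE = re.compile(r"\b(monitor\.py|worm\.py|bootstrap\.sh)\b")

# Default locations on a Linux host; the demo below points these at a throwaway tree.
CRON_PATHS = ["/etc/crontab", "/etc/cron.d", "/var/spool/cron"]
UNIT_DIRS = ["/etc/systemd/system", "/usr/lib/systemd/system", "/run/systemd/system"]


def iter_files(paths):
    for p in paths:
        if os.path.isfile(p):
            yield p
        elif os.path.isdir(p):
            for dirpath, _, names in os.walk(p):
                for n in names:
                    yield os.path.join(dirpath, n)


def scan_cron_file(path):
    """One hit per non-comment crontab line that references an indicator."""
    hits = []
    with open(path, errors="replace") as f:
        for line in f:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            found = INDICATOR_RE.findall(line)
            if found:
                hits.append((path, line, [f"indicator:{x}" for x in found]))
    return hits


def scan_unit_file(path):
    """One hit per unit whose file name is the known service or whose Exec*= lines reference an indicator."""
    reasons = []
    if os.path.basename(path) == UNIT_NAME:
        reasons.append(f"unit_name:{UNIT_NAME}")
    with open(path, errors="replace") as f:
        for line in f:
            if line.lstrip().startswith("Exec"):
                reasons.extend(f"indicator:{x}" for x in INDICATOR_RE.findall(line))
    return [(path, "", reasons)] if reasons else []


def hunt(cron_paths=CRON_PATHS, unit_dirs=UNIT_DIRS):
    hits = []
    for p in iter_files(cron_paths):
        hits.extend(scan_cron_file(p))
    for p in iter_files(unit_dirs):
        if p.endswith(".service"):
            hits.extend(scan_unit_file(p))
    return hits


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)


def run_demo():
    """Build a constructed tree with one legitimate and several malicious-looking
    entries and run the hunt against it. Paths and contents are made up for the example."""
    with tempfile.TemporaryDirectory() as root:
        _write(f"{root}/etc/crontab", "0 3 * * * root /usr/bin/apt-get update\n# worm.py mentioned in a comment only\n")
        _write(f"{root}/etc/cron.d/sysmon", "*/5 * * * * root /usr/bin/python3 /tmp/.x/monitor.py >/dev/null 2>&1\n")
        _write(f"{root}/var/spool/cron/crontabs/deploy", "@reboot /bin/bash /tmp/.x/bootstrap.sh\n")
        _write(f"{root}/etc/systemd/system/nginx.service", "[Service]\nExecStart=/usr/sbin/nginx -g 'daemon off;'\n")
        _write(f"{root}/etc/systemd/system/{UNIT_NAME}",
               "[Unit]\nDescription=System Monitor\n[Service]\nExecStart=/bin/bash /opt/.cache/bootstrap.sh\nRestart=always\n")
        return hunt([f"{root}/etc/crontab", f"{root}/etc/cron.d", f"{root}/var/spool/cron/crontabs"],
                    [f"{root}/etc/systemd/system"])


if __name__ == "__main__":
    for path, line, reasons in run_demo():
        print(f"{path}: {', '.join(reasons)} {line}")
```

Run hunt() with its defaults as root on a suspect host; because the worm may have been renamed by later variants, also compare the output of `systemctl list-units --type=service` and each user's `crontab -l` against your configuration baseline rather than relying on the three file names alone.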


Get the Complete Report

The full Intelligence Desk brief includes exhaustive IOC lists, YARA detection rules, detailed remediation playbooks, and OSec's original threat research. Delivered weekly to our partners and clients.
