Edition: 27 May 2026 — Morning Brief (Revised)


Iran's IRGC Used Active Conflict as Cover to Debut AI-Assisted Malware and a New Delivery Vector

When the U.S. launched Operation Epic Fury against Iran in late February 2026, most analysts expected Iranian cyber actors to go quiet. That's not what happened. IRGC-affiliated Nimbus Manticore (UNC1549) ran three distinct campaign waves between February and April 2026, impersonating aviation firms and software providers across the U.S., Europe, and the Middle East. In what Check Point Research described as the actor's first observed use of SEO poisoning as a delivery method, the group registered dozens of domains mimicking Oracle's SQL Developer; at the time of analysis, the fraudulent site ranked highly on Bing and DuckDuckGo for related search terms. The campaign introduced a previously undocumented backdoor Check Point named MiniFast, retiring the MiniJunk family used through 2025. MiniFast is a 64-bit Windows DLL with full RAT capability — shell execution, file transfer, scheduled-task persistence — communicating over JSON while spoofing Chrome browser traffic. Researchers noted coding characteristics sometimes associated with AI-assisted development — including excessive error handling around trivial API calls, verbose and repetitive function naming, and modular code organization disproportionate to the implant's overall complexity — though these indicators are consistent with, rather than conclusive of, AI-assisted authorship. Attribution: Check Point Research, May 2026.

Watch for: New MiniFast C2 infrastructure or MiniJunk V2 variants appearing in aviation, defense-industrial, and telecom environments — the SEO poisoning delivery is novel for this actor and suggests a widening initial-access surface.

Sources: Check Point Research, May 2026; Infosecurity Magazine, May 26, 2026; GBHackers, May 2026; Security Affairs, May 26, 2026.


MuddyWater Spent a Week Inside a Major South Korean Electronics Maker — Signed SentinelOne and Fortemedia Binaries Were the Key

Symantec and Carbon Black's Threat Hunter Team have publicly linked MuddyWater to a Q1 2026 campaign targeting at least nine organizations across nine countries on four continents — sectors include industrial and electronics manufacturing, education, public sector, financial services, and professional services. One confirmed victim is a major South Korean electronics manufacturer, where attackers maintained observed activity for approximately a week in February 2026. The execution chain relied on DLL sideloading using legitimately signed Fortemedia (fmapp.exe) and SentinelOne (sentinelmemoryscanner.exe) binaries to load malicious DLLs, blending activity into normal endpoint telemetry. A concurrent campaign — attributed by Gambit Security to Iran's Ministry of Intelligence and Security (MOIS) rather than IRGC — hit U.S., Israeli, Saudi, and Turkish targets in late March and early April 2026, with at least two U.S. victims also subjected to destructive operations including partition deletion. The parallel operational tempo across MOIS- and IRGC-linked actors during the same period may reflect broader strategic alignment or parallel tasking priorities; available public evidence is insufficient to confirm operational coordination between the two programs, and that inference should be treated as analytical projection rather than confirmed finding.

Watch for: Endpoint telemetry showing fmapp.exe or sentinelmemoryscanner.exe spawning unexpected child processes or loading non-standard DLLs from user-writable paths.
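The "Watch for" above is a concrete hunting rule, so here is one way to run it over endpoint telemetry. This is an added example, not code from Symantec's report: the events are constructed in the Sysmon-like shape shown in the docstring, and the user-writable path patterns and the (empty) expected-child sets are assumptions a team would tune to its own fleet. It flags the three behaviours the brief names: a watched signed binary spawning an unexpected child, loading a DLL from a user-writable directory, or itself running from such a directory.

```python
"""Triage endpoint telemetry for signed-binary DLL sideloading.

Added illustration (not code from Symantec's report): the events are
constructed, and the allowlists and path patterns are assumptions to tune.
"""
import ntpath
import re
from typing import Dict, Iterable, List, Set

# Signed binaries the reporting names as sideloading hosts.
WATCHED_IMAGES = {"fmapp.exe", "sentinelmemoryscanner.exe"}

# Assumed: neither binary is expected to spawn child processes in normal use.
EXPECTED_CHILDREN: Dict[str, Set[str]] = {
    "fmapp.exe": set(),
    "sentinelmemoryscanner.exe": set(),
}

# Assumed set of directories a standard user can write to (case-insensitive).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)"
    r"|programdata|temp|windows\\temp)\\",
    re.IGNORECASE,
)


def is_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.match(path))


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def triage(events: Iterable[dict]) -> List[dict]:
    """Return one alert per suspicious event.

    Event shapes (Sysmon-like, constructed for this example):
      {"type": "process_create", "image": ..., "parent_image": ...}
      {"type": "image_load", "image": ..., "loaded": ...}
    """
    alerts = []
    for ev in events:
        img = basename(ev["image"])
        if ev["type"] == "process_create":
            parent = basename(ev.get("parent_image", ""))
            # A watched binary spawning anything outside its expected set.
            if parent in WATCHED_IMAGES and img not in EXPECTED_CHILDREN[parent]:
                alerts.append({"rule": "unexpected_child",
                               "host_binary": parent, "detail": ev["image"]})
            # A watched binary copied to and launched from a user path: the
            # application directory is searched for DLLs before system paths.
            if img in WATCHED_IMAGES and is_user_writable(ev["image"]):
                alerts.append({"rule": "watched_binary_in_user_path",
                               "host_binary": img, "detail": ev["image"]})
        elif ev["type"] == "image_load":
            loaded = ev["loaded"]
            if (img in WATCHED_IMAGES and loaded.lower().endswith(".dll")
                    and is_user_writable(loaded)):
                alerts.append({"rule": "dll_from_user_path",
                               "host_binary": img, "detail": loaded})
    return alerts


# Constructed sample telemetry: one clean load, one sideload from a user path,
# an unexpected child, a relocated binary, and one clean install-path run.
SAMPLE_EVENTS = [
    {"type": "image_load", "image": r"C:\Program Files\Fortemedia\fmapp.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},
    {"type": "image_load", "image": r"C:\Users\alice\AppData\Roaming\Audio\fmapp.exe",
     "loaded": r"C:\Users\alice\AppData\Roaming\Audio\helper.dll"},
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\alice\AppData\Roaming\Audio\fmapp.exe"},
    {"type": "process_create", "image": r"C:\Users\alice\AppData\Roaming\Audio\fmapp.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "image": r"C:\Program Files\SentinelOne\sentinelmemoryscanner.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The path regex is deliberately narrow; in production the same check is better expressed against the ACLs of the actual directory than against a name pattern, and the expected-child sets should be populated from a baseline of the fleet rather than left empty.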

Sources: Broadcom / Symantec Threat Hunter Team, May 2026; The Hacker News, May 26, 2026; Gambit Security via Fyself News, May 26, 2026.


Microsoft's Own Code-Signing Service Was Weaponized at Scale for Over a Year

Microsoft's Digital Crimes Unit disclosed and disrupted a malware-signing-as-a-service operation it tracks as Fox Tempest, which abused Azure Artifact Signing to generate fraudulent short-lived certificates — making malware appear legitimately signed to both users and operating systems. The actor created more than 1,000 certificates and hundreds of Azure tenants and subscriptions over the course of the operation. Signed payloads were used across campaigns involving Oyster, Lumma Stealer, Vidar, and the Rhysida, Akira, INC, Qilin, and BlackByte ransomware operations. Microsoft seized the signspace[.]cloud domain and took hundreds of VMs offline under the operation codenamed OpFauxSign. Court documents unsealed in the Southern District of New York show Microsoft used a cooperative source to purchase and test the service between February and March 2026, and documented Fox Tempest attempting to migrate customers to a different code-signing platform as countermeasures were applied. The operational implication: the operation significantly weakens the reliability of code-signing as a standalone trust indicator for software distributed through Fox Tempest's infrastructure during the campaign window (May 2025 – May 2026). That caveat applies to certificates tied to the identified signing chains — not to all signed software in that period.

Watch for: Fox Tempest's confirmed migration to a substitute signing service — Microsoft stated the pivot is in progress. Hunt for recent certificate chains anchored to low-reputation or newly issued intermediate authorities in environments where INC, Qilin, or Akira affiliates have previously been present.
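The hunt described above and the caveat in the paragraph before it ("applies to certificates tied to the identified signing chains, not all signed software") can be turned into a triage rule over signer-certificate metadata. This is an added example, not Microsoft's or the DCU's tooling: the certificate records are constructed, the seven-day "short-lived" threshold and the publisher and intermediate allowlists are assumptions, and in practice the fields would come from a signature parser rather than be typed in. The point it makes is that short validity alone is not evidence (it is a property of the signing service); it only raises priority when the publisher is unknown, and an unknown intermediate is weighted the same way because that is the pattern the brief expects after the migration.

```python
"""Prioritise signed binaries for review by signer-certificate metadata.

Added illustration, not Microsoft DCU code. Records are constructed;
allowlists and the short-lived threshold are assumptions to tune.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Set

# Campaign window as stated in the reporting (May 2025 to May 2026).
CAMPAIGN_START = datetime(2025, 5, 1)
CAMPAIGN_END = datetime(2026, 5, 31, 23, 59, 59)
# Assumed threshold for "short-lived": one week of validity or less.
SHORT_LIVED = timedelta(days=7)

# Assumed allowlists an organisation would maintain (placeholder names).
KNOWN_INTERMEDIATES: Set[str] = {"Example Trusted Intermediate CA"}
KNOWN_PUBLISHERS: Set[str] = {"Example Publisher Inc"}


@dataclass(frozen=True)
class SignerCert:
    subject: str      # signer identity (publisher)
    issuer: str       # issuing intermediate CA
    not_before: datetime
    not_after: datetime


def triage_cert(cert: SignerCert,
                known_publishers: Set[str] = KNOWN_PUBLISHERS,
                known_intermediates: Set[str] = KNOWN_INTERMEDIATES) -> dict:
    """Score one signer certificate as low / medium / high review priority."""
    reasons: List[str] = []
    if cert.not_after - cert.not_before <= SHORT_LIVED:
        reasons.append("short_lived")
    if CAMPAIGN_START <= cert.not_before <= CAMPAIGN_END:
        reasons.append("in_campaign_window")
    if cert.issuer not in known_intermediates:
        reasons.append("unknown_intermediate")
    if cert.subject not in known_publishers:
        reasons.append("unknown_publisher")

    # A known publisher is trusted regardless of lifetime: short-lived
    # certificates are normal output of the signing service, not an IOC.
    if "unknown_publisher" not in reasons:
        priority = "low"
    elif ("unknown_intermediate" in reasons
          or {"short_lived", "in_campaign_window"} <= set(reasons)):
        priority = "high"
    else:
        priority = "medium"
    return {"subject": cert.subject, "priority": priority, "reasons": reasons}


def review_queue(certs: List[SignerCert]) -> List[dict]:
    """Order triage results high -> medium -> low (stable within a level)."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted((triage_cert(c) for c in certs), key=lambda r: order[r["priority"]])


# Constructed sample: a known publisher on a short cert, an unknown publisher
# on a short in-window cert, an unknown publisher on an unknown intermediate,
# and an unknown publisher on an ordinary multi-year cert issued before the window.
SAMPLE_CERTS = [
    SignerCert("Example Publisher Inc", "Example Trusted Intermediate CA",
               datetime(2026, 3, 1), datetime(2026, 3, 4)),
    SignerCert("Totally Legit Updater LLC", "Example Trusted Intermediate CA",
               datetime(2026, 1, 10), datetime(2026, 1, 13)),
    SignerCert("Fast Installer Co", "Fresh Code Signing CA",
               datetime(2026, 5, 20), datetime(2027, 5, 20)),
    SignerCert("Unknown Vendor", "Example Trusted Intermediate CA",
               datetime(2024, 1, 1), datetime(2027, 1, 1)),
]

if __name__ == "__main__":
    for row in review_queue(SAMPLE_CERTS):
        print(row)
```

The output is a review queue, not a verdict: a "high" entry means the binary's signer identity is unknown to the organisation and the certificate fits the abuse pattern, which is the set worth a closer look first.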

Sources: Microsoft Security Blog / Microsoft DCU, May 19, 2026; BleepingComputer, May 27, 2026; The Hacker News, May 2026.


SharePoint CVE-2026-45659: Deserialization RCE Patched, No PoC Yet — But the History Here Is Ugly

Microsoft patched CVE-2026-45659 in the May 2026 Patch Tuesday release — a high-severity deserialization-of-untrusted-data RCE in SharePoint Server affecting the Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016 (build 16.0.5552.1002). CVSS score is 8.8. An authenticated attacker with minimum Site Member permissions can achieve remote code execution with no user interaction and low attack complexity, meaning repeatable success against vulnerable instances per Microsoft's own advisory language. No public PoC exists as of this writing and Microsoft rates exploitation as "less likely," but context is relevant: SharePoint has a documented history of deserialization flaws weaponized by nation-state actors, ransomware operators, and initial access brokers, and last month's SharePoint spoofing CVE (CVE-2026-32201, CVSS 6.5) was actively exploited in the wild before patches were broadly applied. On-premises SharePoint environments — common in government, legal, and financial sectors — carry the material exposure here; cloud-hosted SharePoint Online is not affected. Historically, authenticated low-privilege SharePoint vulnerabilities have tended to see rapid operationalization once PoC code becomes available.

Watch for: PoC publication or initial access broker listings referencing an authenticated SharePoint foothold — the low-privilege authentication barrier is meaningful friction only in the absence of working exploit code.

Sources: Help Net Security, May 26, 2026; The Hacker News, May 26, 2026; Microsoft MSRC Advisory, May 2026.


Instructure Reportedly Paid the Ransom After ShinyHunters Hacked Canvas Twice in Two Weeks

ShinyHunters compromised Instructure's Canvas LMS on April 25, 2026, exploiting a vulnerability in the Free-For-Teacher service and claiming exfiltration of 3.65 TB of data across approximately 275 million records from 8,809 educational institutions. Wikipedia's incident page describes it as the largest educational security breach on record by global scope, though that characterization has not been independently confirmed by a named primary security research organization and should be read as a widely repeated characterization rather than a verified benchmark. After Instructure characterized the incident as "resolved" on May 6, ShinyHunters defaced Canvas login portals at roughly 330 institutions the following day, messaging that the company had "tried security patches" instead of negotiating, and initiating direct school-by-school extortion with a new deadline. Inside Higher Ed reported that Instructure subsequently paid, with the company stating the hackers had returned compromised data belonging to approximately 275 million users across more than 8,800 institutions — though ransom-payment reporting at this stage typically relies partially on threat actor claims, and Instructure's own public statements have not used the word "ransom." The architectural root cause per Rescana: the Free-For-Teacher onboarding program permitted educator account creation without institutional verification, creating weak trust boundaries between FFT and full institutional tenants sharing the same underlying multi-tenant infrastructure.

Watch for: Follow-on phishing and credential-stuffing campaigns targeting students and faculty — the combination of names, email addresses, student IDs, and private messages represents a high-quality targeting corpus regardless of whether full data destruction was honored.

Sources: Halcyon, May 2026; The Register, May 12, 2026; Inside Higher Ed, May 11, 2026; Rescana, May 2026; Malwarebytes, May 2026.


Verizon DBIR 2026: Exploitation Overtakes Credentials as #1 Breach Vector for the First Time in 19 Years

Verizon's 2026 DBIR — covering 31,000 incidents including 22,000 confirmed breaches, nearly double last year's 12,195 — finds vulnerability exploitation now accounts for 31% of initial access vectors, displacing credential abuse (13%) for the first time in the report's 19-year history. Ransomware was present in 48% of confirmed breaches, up from 44%. The headline numbers are accurate but the coverage framing somewhat flattens the picture: exploitation surged 55% year over year, but when identity-related vectors are aggregated — phishing at 16% plus credential abuse at 16% on an adjusted basis, accounting for a newly tracked pretexting category — the two classes are statistically near-tied rather than exploitation clearly dominant. The more structurally damaging finding: only 26% of CISA KEV-listed critical vulnerabilities were fully remediated in 2025, down from 38% the prior year, while the median time to resolve vulnerabilities rose to 43 days from 32. Third-party and supply chain breaches now account for 48% of all incidents, up 60% over the prior period. The findings suggest organizations may benefit from rebalancing investment toward vulnerability management relative to identity controls — though the identity picture has not materially improved either.

Watch for: Organizations treating the "exploitation beat credentials" headline as license to deprioritize phishing and MFA investment — the data does not support that reading.

Sources: Verizon 2026 DBIR, released May 19-20, 2026; SecurityWeek, May 2026; Push Security analysis, May 2026; Industrial Cyber, May 2026.


Crimenetwork Relaunched Within Days of Its Own Takedown. BKA Just Shut It Down Again.

Crimenetwork — the largest German-language darknet marketplace, operating since 2012 with 100,000+ registered users — was seized by BKA and ZIT in December 2024. Within days, a new operator rebuilt an entirely new technical infrastructure under the same name. The second iteration attracted 22,000 users and over 100 vendors, generating an estimated €3.6 million in revenue before German authorities shut it down again in May 2026, arresting the suspected 35-year-old German operator at his residence in Mallorca under a European Arrest Warrant executed by Spanish National Police. Authorities seized approximately €194,000 in assets and obtained extensive user and transaction data expected to fuel further investigations. The original platform's first administrator was sentenced in March 2026 to seven years and ten months, with €10 million in proceeds ordered confiscated. The velocity of the relaunch — days, not months — is the relevant signal: platform disruption and admin arrest do not interrupt the surrounding criminal ecosystem, which carries both the technical capacity and the customer demand to reconstitute quickly under new management.

Watch for: A third iteration or migration of the Crimenetwork vendor base to established competitor platforms — seized transaction data will likely generate follow-on arrests, which may push displaced vendors toward more operationally secure alternatives with stricter vetting.

Sources: BKA / ZIT announcement, May 8, 2026; BleepingComputer, May 10, 2026; Help Net Security, May 11, 2026.


India's CERT-In Just Made 12-Hour Patching an Official Expectation. Nobody Else Has Gone This Far.

CERT-In published a 38-page blueprint on May 25, 2026, titled "Blueprint for Reducing Exposure and Defending against AI-Assisted Vulnerabilities Exploitation in Digital Infrastructure," establishing an indicative 12-hour expectation for organizations to patch known exploited vulnerabilities on internet-facing and "crown-jewel" systems where feasible. The tiered framework beyond that threshold: one day for critical externally exposed flaws, three days for critical internal vulnerabilities on high-value systems, five days for high-severity issues. The guidance also addresses AI deployment security directly — prompt injection, model theft, training-data poisoning, and autonomous agent governance. The "where feasible" qualifier matters legally, but the normative signal is clear: the framework places significant pressure on legacy patch-management timelines for internet-facing critical systems, and effectively positions the traditional 14–30 day cycle as inadequate for that exposure tier. Whether peer bodies respond in kind is speculative — CISA and ENISA both operate under different statutory frameworks — but this document will likely surface as a reasonableness reference in breach litigation and regulatory negotiations well beyond India's borders.

Watch for: CISA or ENISA formal response or guidance updates; Indian financial sector and government entities face the most immediate compliance exposure, but the benchmark will travel.
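To see what the tiers above mean against a real finding list, here is the mapping expressed as a policy function with an overdue report. This is an added example, not CERT-In's own material: the tiers are exactly the four the brief summarises (12 hours for known exploited on internet-facing or crown-jewel systems, one day for critical external, three days for critical internal on high-value systems, five days for high severity), while the `Finding` record, the sample inventory, and the decision to treat anything outside those tiers as falling back to an organisation's own default are assumptions. Treating "crown-jewel" and "high-value" as the same flag is also an assumption.

```python
"""Map findings to the CERT-In blueprint's patch tiers and report overdue items.

Added illustration. Tiers follow the brief's summary of the blueprint; the
Finding record, sample inventory and org-default fallback are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Finding:
    id: str
    asset: str
    severity: str          # "critical", "high", "medium", "low"
    kev: bool              # listed as a known exploited vulnerability
    internet_facing: bool
    crown_jewel: bool      # crown-jewel / high-value system (assumed one flag)
    discovered: datetime


def patch_window(f: Finding) -> Optional[timedelta]:
    """Return the blueprint's remediation window, or None where it sets no tier."""
    if f.kev and (f.internet_facing or f.crown_jewel):
        return timedelta(hours=12)        # indicative, "where feasible"
    if f.severity == "critical" and f.internet_facing:
        return timedelta(days=1)          # critical, externally exposed
    if f.severity == "critical" and f.crown_jewel:
        return timedelta(days=3)          # critical, internal, high-value system
    if f.severity == "high":
        return timedelta(days=5)          # high severity, any exposure
    return None                           # not tiered in the brief: org default (assumed)


def overdue(findings: List[Finding], now: datetime) -> List[dict]:
    """List findings whose blueprint deadline has passed as of `now`."""
    report = []
    for f in findings:
        window = patch_window(f)
        if window is None:
            continue
        deadline = f.discovered + window
        if now > deadline:
            report.append({"id": f.id, "asset": f.asset,
                           "deadline": deadline, "late_by": now - deadline})
    return report


# Constructed sample inventory, all discovered at the same time for clarity.
DISCOVERED = datetime(2026, 5, 26, 8, 0)
NOW = datetime(2026, 5, 27, 9, 0)
SAMPLE_FINDINGS = [
    Finding("F1", "vpn-gw-01", "critical", kev=True, internet_facing=True,
            crown_jewel=False, discovered=DISCOVERED),
    Finding("F2", "web-portal", "critical", kev=False, internet_facing=True,
            crown_jewel=False, discovered=DISCOVERED),
    Finding("F3", "erp-db", "critical", kev=False, internet_facing=False,
            crown_jewel=True, discovered=DISCOVERED),
    Finding("F4", "hr-fileshare", "high", kev=False, internet_facing=False,
            crown_jewel=False, discovered=DISCOVERED),
    Finding("F5", "kiosk-07", "medium", kev=False, internet_facing=False,
            crown_jewel=False, discovered=DISCOVERED),
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f.id, patch_window(f))
    for row in overdue(SAMPLE_FINDINGS, NOW):
        print("OVERDUE", row)
```

Run against the sample, the KEV-listed gateway flaw and the critical external portal flaw are already past their windows 25 hours after discovery, which is the practical content of the brief's point that a 14 to 30 day cycle does not fit this exposure tier.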

Sources: CERT-In, "Blueprint for Reducing Exposure," May 25, 2026; The Hacker News, May 26, 2026; Infosecurity Magazine, May 26, 2026; GBHackers, May 26, 2026.


Ransomware Is Quietly Dropping Encryption and Going Straight to Extortion

Kaspersky's 2026 ransomware trend report documents two structural shifts in the ecosystem: newer families are adopting post-quantum cryptographic ciphers, and as ransom payments decline, some groups are pivoting to encryptionless extortion — exfiltrating data without ever deploying an encryptor. Verizon's DBIR corroborates the payment-decline signal: the median ransom paid has dropped below $140,000, with only 31% of ransomware victims paying at all. The strategic implication is operationally significant: encryptionless extortion renders backup-and-restore capabilities insufficient as a standalone defensive posture, shifts leverage entirely to data sensitivity rather than operational disruption, and compresses the dwell time operators need to achieve their objective. Groups using this model don't require weeks of lateral movement — targeted exfiltration from a high-value system can satisfy the extortion predicate in hours. Traditional ransomware IOC sets built around file-encryption behavior will not surface these intrusions until after exfiltration is complete.

Watch for: Affiliate tooling that skips the encryption stage entirely — and a corresponding shift in ransomware group negotiation dynamics as victims lose the "we have backups" counter-leverage.
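If encryption-stage indicators no longer fire, the signal has to come from the exfiltration itself, and the simplest version of that is outbound volume against a per-host baseline. The following is an added example, not from Kaspersky's or Verizon's reports: the flow records are constructed, and the tenfold-over-median factor and 1 GB floor are assumptions to tune per environment. It handles the one edge case that matters most here: a host with no history at all is reported separately as "no_baseline" rather than silently passed, since a freshly staged system is exactly what a short-dwell operation would use.

```python
"""Flag outbound volume anomalies that encryption-focused IOCs will miss.

Added illustration, not from Kaspersky's or Verizon's reports. Flow records
are constructed; thresholds are assumptions to tune per environment.
"""
import ipaddress
from collections import defaultdict
from datetime import date, timedelta
from statistics import median
from typing import Dict, List

# RFC 1918 plus loopback are internal; everything else counts as egress. Listed
# explicitly so the documentation-range IPs in the sample count as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def daily_egress(flows: List[dict]) -> Dict[str, Dict[date, int]]:
    """Sum bytes sent to external destinations per source host per day."""
    totals: Dict[str, Dict[date, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if is_external(f["dst"]):
            totals[f["src"]][f["day"]] += f["bytes_out"]
    return totals


def detect_exfil(flows: List[dict], target_day: date,
                 factor: float = 10.0, min_bytes: int = 1_000_000_000) -> List[dict]:
    """Alert on hosts whose egress on target_day is far above their own median."""
    alerts = []
    for host, per_day in daily_egress(flows).items():
        today = per_day.get(target_day, 0)
        if today < min_bytes:                      # absolute floor to cut noise
            continue
        history = [b for d, b in per_day.items() if d < target_day]
        if not history:                            # new host: no baseline to compare
            alerts.append({"host": host, "bytes": today,
                           "reason": "no_baseline", "ratio": None})
            continue
        baseline = max(median(history), 1)         # guard against a zero median
        ratio = today / baseline
        if ratio >= factor:
            alerts.append({"host": host, "bytes": today,
                           "reason": "above_baseline", "ratio": ratio})
    return sorted(alerts, key=lambda a: a["host"])


TARGET_DAY = date(2026, 5, 26)


def build_sample_flows() -> List[dict]:
    """Constructed week of flows: a file server that suddenly sends 40 GB out,
    a workstation with stable traffic, and a new host with no history."""
    day0 = date(2026, 5, 19)
    flows = []
    for i in range(7):
        d = day0 + timedelta(days=i)
        flows.append({"day": d, "src": "fileserver01", "dst": "203.0.113.10", "bytes_out": 50_000_000})
        flows.append({"day": d, "src": "fileserver01", "dst": "10.0.0.5", "bytes_out": 500_000_000})
        flows.append({"day": d, "src": "workstation02", "dst": "203.0.113.10", "bytes_out": 80_000_000})
    flows += [
        {"day": TARGET_DAY, "src": "fileserver01", "dst": "198.51.100.7", "bytes_out": 40_000_000_000},
        {"day": TARGET_DAY, "src": "workstation02", "dst": "203.0.113.10", "bytes_out": 100_000_000},
        {"day": TARGET_DAY, "src": "newhost03", "dst": "198.51.100.7", "bytes_out": 2_000_000_000},
    ]
    return flows


def run_sample() -> List[dict]:
    return detect_exfil(build_sample_flows(), TARGET_DAY)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Daily totals are coarse; the same comparison over hourly buckets, or per destination rather than per host, catches the "hours, not weeks" case the brief describes earlier, at the cost of a noisier baseline that needs a longer history to settle.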

Sources: Kaspersky Securelist, May 12, 2026; Verizon 2026 DBIR, May 2026.


ShinyHunters Domain Went Dark on May 11. Possible Law Enforcement Action Not Yet Confirmed.

[DEVELOPING SIGNAL] ShinyHunters' operational domain, shinyhunte.rs, went offline on May 11, 2026, generating speculation about a law enforcement seizure potentially involving the FBI. No official law enforcement statement attributing the outage to a seizure has been published as of this writing. Confirmation would require a DOJ press release, unsealed court filing, or named law enforcement attribution. Temporal proximity to the Crimenetwork takedown and the Canvas ransom payment is noted — but concurrent timing alone is weak evidence of connection and should not be treated as corroboration. Alternative explanations include voluntary operational security rotation, infrastructure migration, or hosting-provider action. What is observable: the domain remains offline and the group has not publicly acknowledged or explained the outage.

Watch for: DOJ or FBI announcement; alternatively, shinyhunte.rs reappearing on new infrastructure, which would indicate the group is intact and rotating rather than disrupted — a distinction with direct implications for ongoing Canvas-related extortion risk at affected institutions.

Sources: SC Media, May 2026 (citing ShinyHunters domain status). Law enforcement causation unconfirmed; treat as developing signal pending official attribution.


Jonathan Brown is a cybersecurity researcher and investigative journalist at bordercybergroup.com.

If you would like to support our work, providing useful, well-researched and detailed evaluations of current cybersecurity topics at no cost... Buy us a coffee! https://bordercybergroup.com/#/portal/support