The first half of May was relatively routine overall, with ransomware activity continuing to heavily impact small businesses, which accounted for 79.06% of victims. Construction, retail, and financial services emerged as the most targeted sectors, while the United States remained the primary victim location at 45.08%. One notable development was the sudden emergence of Bavacai as a new ransomware-as-a-service (RaaS) operation, rapidly entering the top five ransomware actors after posting roughly 20 victims on May 6 before going quiet for the remainder of the reporting period.
Report Links
Download Threat Brief For May 1-15 2026
Byer-Nichols Threat Brief Podcast May 1-15 2026
Ransomware Actors
| Ransomware | Percentage | Last Period | Two Ago |
|---|---|---|---|
| Qilin | 17.88% | 1 | 4 |
| The Gentlemen | 13.73% | 2 | 2 |
| INC Ransom | 5.44% | 3 | 6 |
| Akira | 5.44% | 7 | 3 |
| Bavacai | 4.40% | na | na |
Qilin surged to the top spot again in early May, continuing its high-volume double-extortion hits, while The Gentlemen stayed close behind with a steady stream of opportunistic breaches and fast leak-site turnarounds. INC Ransom kept up pressure on healthcare and professional services, and Akira resurfaced with renewed targeting of mid-market firms after a brief lull. Newcomer Bavacai drew attention with unusually noisy data-theft-first intrusions, making this period notable for both persistence from established crews and experimentation from emerging ones.
Victim Sector
| Sector | Percentage | Last Period | Movement |
|---|---|---|---|
| Construction | 14.77% | 5 | 5 -> 1 |
| Retail | 14.51% | 4 | 4 -> 2 |
| Financial Services | 14.25% | 3 | same |
| Technology | 13.21% | 2 | 2 -> 4 |
| Manufacturing | 12.18% | 1 | 1 -> 5 |
Victim Location
| Victim | Percentage | Last Period | Movement |
|---|---|---|---|
| USA | 45.08% | 1 | same |
| Canada | 4.15% | 3 | 3 -> 2 |
| UK | 3.63% | 2 | 2 -> 3 |
| Italy | 2.85% | 4 | new |
| Australia | 2.85% | 5 | same |
Victim Org Size
| Size | Percentage | Last Period | Change vs. Last Period |
|---|---|---|---|
| Small Business (500 or less) | 79.06% | 71.12% | +11.16% |
| Mid-Market (501-5000) | 14.92% | 20.16% | -25.99% |
| Large Enterprise (5000+) | 6.02% | 8.72% | -30.96% |
Trending Adversaries
CORDIAL SPIDER, HeartlessSoul, OceanLotus, ScarCruft, SNARKY SPIDER, and UAT-8302 all leaned into stealthy credential theft, mobile-focused espionage, and supply-chain abuse this period, with OceanLotus standing out as the most concerning thanks to its polished developer-ecosystem compromises and long-term persistence. Several groups pushed cleaner loaders, tighter C2 discipline, and more social-engineering-driven delivery, while ScarCruft and HeartlessSoul expanded mobile surveillance tooling. The common thread is quieter, data-centric operations that blend into normal traffic, making early detection harder and forcing defenders to double down on identity controls and telemetry depth.
- CORDIAL SPIDER
- HeartlessSoul
- OceanLotus
- ScarCruft
- SNARKY SPIDER
- UAT-8302
Trending & Actively Exploited Vulnerabilities
Attackers heavily targeted enterprise infrastructure and edge technologies this period, with vulnerabilities impacting PAN-OS, Cisco SD-WAN, the Linux kernel, MOVEit Automation, and Microsoft products. The simultaneous appearance of multiple Linux "Dirty Frag" vulnerabilities indicates an increased focus on privilege escalation and infrastructure compromise.
| CVE | Vendor | Product |
|---|---|---|
| CVE-2026-0300 | Palo Alto Networks | PAN-OS |
| CVE-2026-20182 | Cisco | Catalyst SD-WAN |
| CVE-2026-22679 | Weaver | E-cology |
| CVE-2026-31431 | Linux | Kernel |
| CVE-2026-42208 | BerriAI | LiteLLM |
| CVE-2026-42897 | Microsoft | Microsoft |
| CVE-2026-43284 | Linux | Kernel (Dirty Frag) |
| CVE-2026-43500 | Linux | Kernel (Dirty Frag) |
| CVE-2026-4670 | Progress Software | MOVEit Automation |
| CVE-2026-6973 | Ivanti | Endpoint Manager Mobile (EPMM) |
Trending Malware
| Trending Malware | Details |
|---|---|
| TCLBANKER | The TCLBANKER banking trojan is a fast-evolving Brazilian threat that spreads through trojanized Logitech installers and a built-in worm that abuses WhatsApp and Outlook contact lists. Once active, it uses DLL side-loading, anti-VM checks, and encrypted payload staging to stay hidden. It monitors browser activity for dozens of financial and crypto sites, then activates a WebSocket C2 channel for credential theft, screen streaming, and real-time social-engineering overlays. Its worming behavior gives it unusually rapid lateral reach, making it a high-risk threat for both consumers and enterprise environments. |
| Beagle Backdoor | The Beagle Backdoor is a newly observed Windows backdoor delivered through a fake Claude AI website distributed via malvertising. The campaign uses search-ad abuse to lure victims into downloading a trojanized installer that deploys the backdoor. Once installed, Beagle establishes persistence, collects system metadata, and opens a C2 channel that supports follow-on payload delivery. Its use of AI-themed lures and paid-ad distribution shows how threat actors are adapting social-engineering tactics to current trends. |
| BirdCall | BirdCall is an Android malware family attributed to the ScarCruft APT group, delivered through a malicious gaming platform app. The malware abuses Android's accessibility services to capture keystrokes, screen content, and messaging data while maintaining a low profile. It communicates with attacker infrastructure using encrypted channels and modular payloads, allowing operators to expand capabilities post-infection. BirdCall's focus on mobile espionage makes it a meaningful risk for high-value individuals and organizations in ScarCruft's typical targeting regions. |
| CloudZ | CloudZ is an infostealer linked to the Pheno cybercrime group, designed to harvest credentials, browser data, crypto-wallet information, and system details. It uses a lightweight loader and a modular architecture that lets operators update capabilities without redeploying the full malware. CloudZ communicates with its C2 using a custom protocol and employs evasion tactics such as anti-analysis checks and selective execution. Its broad credential-harvesting scope makes it a strong enabler for account takeover, fraud, and follow-on intrusions. |
| PCPJack | PCPJack is a cloud-focused worm that recently hijacked the infrastructure of the TeamPCP hacker group. It spreads through exposed cloud services and weakly secured credentials, then deploys modules for reconnaissance, lateral movement, and data theft. PCPJack also repurposes the victim infrastructure for further propagation, effectively turning compromised systems into part of its distribution network. Its ability to weaponize attacker-controlled servers highlights the growing risk of malware that targets cloud-native environments. |
| ZiChatBot | ZiChatBot is a Python-based malware distributed through malicious PyPI packages in a campaign suspected to be linked to the OceanLotus (APT32) threat group. The packages masquerade as legitimate chat-related libraries but contain obfuscated code that downloads a second-stage payload. ZiChatBot collects system information, establishes persistence, and opens a C2 channel for espionage-focused operations. The campaign underscores how APT actors increasingly abuse open-source ecosystems to reach developers and enterprise build pipelines. |
Top News
- New Bluekit phishing service includes an AI assistant, 40 templates
- 76% of All Crypto Stolen in 2026 Is Now in North Korea
- Canvas login portals hacked in mass ShinyHunters extortion campaign
- DAEMON Tools trojanized in supply-chain attack to deploy backdoor
- Microsoft Edge Stores Passwords in Process Memory, Posing Enterprise Risk
- New Linux 'Dirty Frag' zero-day gives root on all major distros
- Trellix source code breach claimed by RansomHouse hackers
- US ransomware negotiators get 4 years in prison over BlackCat attacks
- Karakurt extortion gang 'cold case' negotiator gets 8.5 years in prison
Contributors
Written by Jeremy Nichols, Director, Security Programs & Strategy at SecureSky
Executive Summaries & Adversary Bios by Geoff Rehmet, Cybersecurity Architect
Produced & Distributed By Phish Tank Digital