Activity remained relatively routine overall, though a few ransomware groups saw notable movement. DragonForce returned to the top five most active ransomware operators after another surge in victim postings, continuing its pattern of alternating between quiet periods and sudden spikes in activity. RALord (Nova) also broke into the top five for the first time after posting an unusually high number of victims compared to its typical volume. On the vulnerability front, CISA added more than 15 new Known Exploited Vulnerabilities (KEVs), highlighting the continued pace at which actively exploited flaws are being identified and tracked.
Report Links
Download Threat Brief For May 16-31 2026
Byer-Nichols Threat Brief Podcast May 16-31 2026
Ransomware Actors
| Ransomware | Percentage | Last Period (rank) | Two Periods Ago (rank) |
|---|---|---|---|
| DragonForce | 13.61% | 12 | 4 |
| Qilin | 11.54% | 1 | 1 |
| The Gentlemen | 7.40% | 2 | 2 |
| RALord (Nova) | 7.10% | 45 | 29 |
| Akira | 5.33% | 4 | 7 |
DragonForce emerged as the most active ransomware group during the period, followed by Qilin and The Gentlemen. RALord (Nova) made a notable appearance in the top rankings, while Akira remained a consistent threat actor.
Victim Sector
| Sector | Percentage | Last Period (rank) | Movement |
|---|---|---|---|
| Manufacturing | 15.68% | 5 | 5 -> 1 |
| Technology | 13.91% | 4 | 4 -> 2 |
| Construction | 13.02% | 1 | 1 -> 3 |
| Retail | 11.54% | 2 | 2 -> 4 |
| Financial Services | 11.54% | 3 | 3 -> 5 |
Victim Location
| Victim Location | Percentage | Last Period (rank) | Movement |
|---|---|---|---|
| USA | 40.83% | 1 | same |
| Germany | 5.03% | new | new |
| Canada | 4.73% | 3 | same |
| UK | 4.44% | 3 | 3 -> 4 |
| Spain | 4.14% | new | new |
Victim Org Size
| Size | Percentage | Last Period | Change (relative) |
|---|---|---|---|
| Small Business (500 or less) | 82.79% | 79.06% | +4.72% |
| Mid-Market (501-5000) | 13.06% | 14.92% | -12.47% |
| Large Enterprise (5000+) | 4.15% | 6.02% | -31.06% |
Trending Adversaries
Threat activity remained diverse this period, with groups including Bling Libra, Chatty Spider, Cloud Atlas, Screening Serpens, Secret Blizzard, and Webworm continuing to employ a mix of social engineering, credential theft, espionage, and network intrusion tactics. Their ongoing operations highlight the persistent risk posed by both financially motivated cybercriminals and state-linked threat actors targeting organizations across multiple sectors.
- Bling Libra
- Chatty Spider
- Cloud Atlas
- Screening Serpens
- Secret Blizzard
- Webworm
Trending & Actively Exploited Vulnerabilities
Actively exploited vulnerabilities impacted widely used enterprise technologies including PAN-OS, Microsoft Defender, Apex One, Drupal, and Langflow. The diversity of affected platforms underscores the importance of timely patching across security, infrastructure, and application environments.
| CVE | Vendor | Product |
|---|---|---|
| CVE-2025-34291 | Langflow | Langflow |
| CVE-2026-0257 | Palo Alto Networks | PAN-OS |
| CVE-2026-34926 | Trend Micro | Apex One |
| CVE-2026-41091 | Microsoft | Defender |
| CVE-2026-45321 | TanStack | TanStack |
| CVE-2026-45498 | Microsoft | Defender |
| CVE-2026-48027 | Nx | Nx Console |
| CVE-2026-48172 | LiteSpeed | cPanel Plugin |
| CVE-2026-8398 | Daemon | Daemon Tools Lite |
| CVE-2026-9082 | Drupal | Core |
Trending Malware
| Trending Malware | Details |
|---|---|
| EchoCreep | EchoCreep is a custom backdoor used by the China-aligned Webworm APT, designed to blend into normal traffic by using Discord channels for command-and-control. Once deployed, it supports remote command execution, file upload/download, and runtime reporting, with each victim mapped to a dedicated Discord channel for long-term tracking. Its operators typically gain initial access by exploiting exposed web services or misconfigurations before dropping proxy tools and tunneling utilities. The use of a mainstream collaboration platform makes EchoCreep difficult to detect in enterprise environments. |
| GraphWorm | GraphWorm is a Go-based backdoor that abuses the Microsoft Graph API and OneDrive for stealthy C2, making its traffic nearly indistinguishable from legitimate Microsoft 365 activity. It creates a unique OneDrive folder per victim and uses encrypted, base64-encoded communications to receive tasks, run commands, and exfiltrate results. The malware persists via registry Run keys and supports a wide range of operator actions, including process execution, file transfer, and reverse-shell-style interactions. Its cloud-native design significantly complicates network-based detection. |
| PHANTOMPULSE | PHANTOMPULSE is a cross-platform RAT delivered through malicious Obsidian shared vaults, abusing community plugins to execute code automatically when a victim opens the vault. It uses blockchain-based C2 resolution, pulling XOR-encoded instructions from Ethereum and related chains, and includes fallback channels such as Telegram. The Windows variant is deployed via an in-memory reflective loader, while macOS infections rely on an obfuscated AppleScript chain. Its stealthy use of trusted productivity tools and cloud-synced configurations makes it a high-risk supply-chain-style threat. |
| Showboat | Showboat is a Linux post-exploitation framework used by multiple China-aligned threat clusters, including Calypso, to maintain long-term access inside telecom networks. It provides remote shells, file transfer, process hiding, and SOCKS5 proxying, enabling attackers to pivot deeper into internal infrastructure. Active since at least 2022, it has been deployed against telecom providers in the Middle East and Southeast Asia. Its modular design and stealthy persistence make it a durable foothold for espionage operations. |
| SHub Reaper | SHub Reaper is a macOS infostealer/backdoor that impersonates Apple, Google, and Microsoft prompts to trick users into running malicious AppleScript payloads. It bypasses Apple's Terminal-based protections by abusing the applescript:// handler to preload hidden scripts in Script Editor, then steals credentials, browser data, crypto wallets, and sensitive documents. The malware persists via LaunchAgents disguised as legitimate vendor files and employs anti-analysis checks to evade detection. Its multi-stage impersonation chain lowers user suspicion and increases infection success. |
| TamperedChef | TamperedChef is a malvertising-driven infostealer campaign that distributes trojanized PDF editors and other productivity tools signed with legitimate-looking certificates. The malware often remains dormant for weeks before activating to harvest browser credentials, cookies, and other sensitive data, while maintaining persistence through registry autoruns. Installers mimic legitimate software workflows, including EULA prompts and functional decoy apps, helping them evade automated analysis. Its long dwell time and credible appearance make it particularly dangerous for enterprise environments. |
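Two of the behaviours described above recur across the table: C2 carried over a legitimate cloud service (Discord for EchoCreep, Microsoft Graph and OneDrive for GraphWorm) and persistence through registry Run keys (GraphWorm, TamperedChef). The hunt below is an added example written for this brief, not tooling from the brief's authors or from any vendor named in it. It runs over constructed endpoint telemetry embedded inline (host, process and destination rows; Run-key rows) and flags two conditions: a process outside a per-service allowlist talking to one of those services, and a Run-key entry that launches from a user-writable path. The allowlist of expected client processes and the user-writable path markers are assumptions for the example and should be replaced with a baseline from your own environment; the domains are the services' public endpoints, not indicators from the brief.

```python
import csv
import io
from dataclasses import dataclass

# Public endpoints of the services the brief names as C2 carriers. These are
# the services themselves, not attacker infrastructure or IoCs from the brief.
WATCHED_SERVICES = {
    "discord.com": "Discord",
    "discordapp.com": "Discord",
    "gateway.discord.gg": "Discord",
    "graph.microsoft.com": "Microsoft Graph",
}

# Processes that legitimately reach those services. ASSUMPTION for the example;
# derive the real list from a baseline of your own fleet.
EXPECTED_CLIENTS = {
    "Discord": {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"},
    "Microsoft Graph": {"outlook.exe", "ms-teams.exe", "teams.exe", "onedrive.exe",
                        "msedge.exe", "chrome.exe", "excel.exe", "winword.exe"},
}

# Lower-cased path fragments that indicate a user-writable location. A Run key
# launching from one of these is worth a look; legitimate software usually
# autoruns from Program Files or the Windows directory. ASSUMPTION: tune as needed.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\", "\\programdata\\")


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def service_for(dest_host):
    """Map a destination hostname (or any subdomain of it) to a watched service name."""
    dest = dest_host.lower()
    for domain, service in WATCHED_SERVICES.items():
        if dest == domain or dest.endswith("." + domain):
            return service
    return None


def hunt_network(rows):
    """rows: dicts with host, process, dest_host. Flags unexpected clients of watched services."""
    findings = []
    for r in rows:
        service = service_for(r["dest_host"])
        if service is None:
            continue
        proc = r["process"].lower()
        if proc not in EXPECTED_CLIENTS[service]:
            findings.append(Finding("unexpected-client-to-cloud-service", r["host"],
                                    f"{proc} -> {r['dest_host']} ({service})"))
    return findings


def hunt_run_keys(rows):
    """rows: dicts with host, key, value_name, command. Flags Run/RunOnce entries from user-writable paths."""
    findings = []
    for r in rows:
        if "\\currentversion\\run" not in r["key"].lower():
            continue
        cmd = r["command"].lower()
        if any(marker in cmd for marker in USER_WRITABLE):
            findings.append(Finding("run-key-user-writable-path", r["host"],
                                    f"{r['value_name']} = {r['command']}"))
    return findings


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text.strip())))


# Constructed sample telemetry (hostnames, processes and paths are made up).
NETWORK_SAMPLE = r"""host,process,dest_host
WS-01,chrome.exe,discord.com
WS-01,svchost_helper.exe,gateway.discord.gg
WS-02,teams.exe,graph.microsoft.com
WS-02,updater.exe,graph.microsoft.com
WS-03,excel.exe,login.microsoftonline.com
"""

REGISTRY_SAMPLE = r"""host,key,value_name,command
WS-01,HKCU\Software\Microsoft\Windows\CurrentVersion\Run,OneDrive,C:\Program Files\Microsoft OneDrive\OneDrive.exe /background
WS-02,HKCU\Software\Microsoft\Windows\CurrentVersion\Run,SyncHelper,C:\Users\alice\AppData\Roaming\SyncHelper\updater.exe
WS-03,HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce,Installer,C:\Windows\Temp\setup.exe
"""


def run_hunt():
    """Run both hunts over the embedded sample and return all findings."""
    return hunt_network(load_csv(NETWORK_SAMPLE)) + hunt_run_keys(load_csv(REGISTRY_SAMPLE))


if __name__ == "__main__":
    for f in run_hunt():
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

On the sample data the network hunt flags `svchost_helper.exe` on WS-01 and `updater.exe` on WS-02, and the Run-key hunt flags the AppData entry on WS-02 and the Temp entry on WS-03; the OneDrive autorun from Program Files and the browser and Teams traffic are left alone. Correlating the two rule types on the same host (WS-02 here: an unexpected Graph client that is also the Run-key target) is the signal worth prioritising, since it matches the GraphWorm pattern of cloud-service C2 plus Run-key persistence.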
Top News
- CISA Exposes Secrets, Credentials in 'Private' Repo
- Dutch govt disrupts malware botnet with 17 million infected devices
- Fake FIFA sites target soccer fans looking for World Cup tickets to steal money and data
- Google API Keys Remain Active After Deletion
- Grafana says stolen GitHub token let hackers steal codebase
- Hackers earn $1,298,250 for 47 zero-days at Pwn2Own Berlin 2026
- Microsoft rejects critical Azure vulnerability report, no CVE issued
- Tables Turn on 'The Gentlemen' RaaS Gang With Data Leak
Contributors
Written by Jeremy Nichols, Director, Security Programs & Strategy at SecureSky
Executive Summaries & Adversary Bios by Geoff Rehmet, Cybersecurity Architect
Produced & Distributed by Phish Tank Digital