AI Security, Cloud Security, Incidents & Breaches, Vulnerability Intelligence

AhnLab Details May 2026 Korean APT Campaigns Using LNK Files and Living-off-the-Land Techniques

AhnLab’s May 2026 report identifies spear phishing with malicious LNK files as the dominant APT infection vector in South Korea, detailing six attack types that abuse PowerShell, curl.exe, and legitimate Windows tools to deploy info-stealers, keyloggers, and backdoors via GitHub and Google Drive, while also noting CHM and JSE-based variants using regsvr32 and certutil for evasion.

Cloud Security, Incidents & Breaches, Security Operations, Vulnerability Intelligence

DirtyClone Linux Kernel Flaw Enables Root Escalation via Cloned Network Packets

CVE-2026-43503 (CVSS 8.8) allows local users to gain root by corrupting file-backed memory through cloned network packets, exploiting a missing shared-frag flag in kernel packet handling. The flaw affects multi-tenant systems where unprivileged namespaces are enabled, including CI runners and Kubernetes clusters. A patch was merged in Linux v7.1-rc5 on May 21, 2026.

AI Security, Incidents & Breaches, Security Operations, Vulnerability Intelligence

CISA KEV Addition of PTC Windchill RCE Flaw Exposes Gaps in Enterprise Patch Timelines

CISA’s inclusion of CVE-2026-12569 in the KEV catalog confirms active exploitation of a critical deserialization flaw in PTC Windchill PDMlink and FlexPLM, with attackers deploying JSP web shells for persistence. Despite patches released the prior week, continued threat activity highlights systemic delays in enterprise patch deployment and detection coverage for specialized PLM systems.

AI Security, Incidents & Breaches, Security Operations, Vulnerability Intelligence

Cisco Unified CM Exploit Analysis: CVE-2026-20230 File-Write Flaw Drives Federal Patch Mandate

Active exploitation of CVE-2026-20230, a critical SSRF vulnerability in Cisco Unified CM enabling unauthenticated file writes and potential root access via the WebDialer service, has prompted CISA to add the flaw to its KEV catalog with a June 28, 2026 deadline for federal agencies. Despite WebDialer being disabled by default, misconfigurations in enterprise deployments are exposing systems to attack, highlighting the critical need for configuration validation alongside patching.

Identity & Governance, Incidents & Breaches, Security Operations, Vulnerability Intelligence

CISA Alert: Active Exploitation of Critical Lantronix EDS5000 Flaw Demands Immediate Patching

CISA has warned of active exploitation of CVE-2025-67038, a critical code injection vulnerability in Lantronix EDS5000 Series devices, requiring Federal Civilian Executive Branch agencies to apply patches by June 26, 2026. The flaw allows unauthenticated remote command execution with root privileges via the HTTP RPC module, posing significant risks to network integrity and device security.

AI Security, Identity & Governance, Incidents & Breaches, Security Operations

Research Digest: Explainable ML Framework Reveals Moral Condemnation as Dominant Tactic in Korean Foreign Influence Operations

A two-decade analysis of 112 million South Korean news comments identifies 23,998 accounts showing coordinated manipulation behavior, with moral condemnation of domestic political figures driving higher engagement than direct foreign narrative promotion, informing platform defense prioritization.

AI Security, Cloud Security, Incidents & Breaches, Vulnerability Intelligence

Cordyceps CI/CD Flaw Reveals Systemic Trust Boundary Failures in Open-Source Build Pipelines

Novee Security’s discovery of the Cordyceps CI/CD flaw exposes a widespread misconfiguration in GitHub Actions workflows where excessive permissions granted to pull requests enable unauthenticated attackers to hijack build systems, steal credentials, and compromise software supply chains across major technology organizations, highlighting critical gaps in trust boundary enforcement in automated development environments.

AI Security, Cloud Security, Incidents & Breaches, Vulnerability Intelligence

Operation Endgame Disrupts Amadey and StealC Malware Infrastructure, Recovers 27 Million Credentials

A coordinated international law enforcement operation, conducted between June 15–19, 2026, dismantled the criminal infrastructure supporting the Amadey and StealC malware-as-a-service networks, recovering 27 million stolen credentials, identifying and restricting $47 million in cryptocurrency assets, seizing 326 servers and 142 domains, and severing control over 18,000+ infected computers identified by Microsoft telemetry. The takedown targeted the initial access ‘assembly line’ used to launch ransomware, financial fraud, and critical infrastructure attacks across Belgium, Canada, Denmark, France, Germany, the Netherlands, the UK, and the US.

AI Security, Cloud Security, Incidents & Breaches, Vulnerability Intelligence

May 2026 APT Trends Highlight Developer Ecosystem and Runtime Exploitation as Key Attack Vectors

ASEC’s May 2026 APT report identifies supply chain, developer environment, and runtime abuse as dominant trends, with Lazarus exploiting Git hooks and CI/CD pipelines, Famous Chollima poisoning npm/Packagist branches, and MuddyWater leveraging Microsoft Teams and Quick Assist for credential theft. Groups like Gamaredon and UAC-0010 abused WinRAR CVE-2025-8088 against Ukrainian entities, while Chinese APTs targeted Azerbaijani energy firms via Exchange zero-days. The report underscores credential and session theft, cryptocurrency wallet targeting, and persistent remote access as common objectives across government, defense, diplomacy, energy, education, and telecom sectors.

AI Security, Cloud Security, Incidents & Breaches, Vulnerability Intelligence

A Practical Workflow for Monitoring Singapore CSA Advisories for SaaS and Managed-Service Risk

This workflow helps security, cloud, and supplier-risk teams keep an East Asia cyber or AI-risk signal under review when there is no fresh, publish-ready news item. It explains how to preserve the original advisory link, separate visible evidence from assumptions, and route unclear findings without inventing unsupported claims.
