Analyst Brief

Analyst Brief — 2026-05-27

This page is the output of cyber_threat_pipeline/analysis; the data behind it is the brief_input mart (regenerated weekly by dbt). When a second provider is configured, the side-by-side comparison appears here automatically.

Claude (Anthropic) — claude-sonnet-4-6

Threat Intelligence Brief — Week of 2026-05-27

Headline

A sweeping wave of supply chain compromises, AI-platform impersonation campaigns, and ClickFix infrastructure evolution dominated the past seven days, with credential theft and infostealer delivery emerging as the period's defining cross-cutting objectives.


Emerging Threats

  • Supply Chain & Developer Ecosystem Attacks (Critical Volume): The most densely clustered theme this week. Multiple pulses — Popular node-ipc npm Package Infected with Credential Stealer, Latest PyPi Compromise, Mini Shai Hulud (targeting @antv and TanStack npm packages), Laravel Lang Compromised with RCE Backdoor Across 700+ Versions, Inside a Tor Backed Supply Chain Worm, The Worm That Keeps on Digging, Malicious Artifacts Found in Official KICS Docker Repository and Code Extensions, and Popular Go Decimal Library Targeted by Long-Running Typosquat — collectively describe a sustained, multi-ecosystem campaign targeting npm, PyPI, Go modules, Docker Hub, VS Code extensions, GitHub Actions, and CI/CD pipelines. Tactics include maintainer account takeover, typosquatting, DNS exfiltration and DNS-based backdoors, GitHub Actions OIDC token abuse, and worm-style propagation. The PyPI pulse additionally tags Kubernetes lateral movement and AWS SSM propagation, i.e. stolen CI secrets are being used to pivot into cloud infrastructure rather than merely exfiltrated.

  • ClickFix Infrastructure Maturation: The Evolution of ClickFix, Ghost CMS Mass Compromised via CVE-2026-26980, and Beyond PowerShell: Analyzing the Multi-Action ClickFix Variant document ClickFix advancing from cleartext PowerShell delivery to server-side polymorphism, fake CAPTCHA pages, mass CMS compromise, and a multi-action variant that chains cmdkey, UNC paths, regsvr32 with a remote DLL and scheduled tasks instead of a single PowerShell one-liner. The lure has also crossed platforms (macOS ClickFix Campaign: AppleScript Stealers; Mach-O Man Malware) and C2 channels (Smart Contracts for C&C: ClearFake on BSC Testnet uses EtherHiding). The Ghost CMS pulse tags CVE-2026-26980 as a SQL injection flaw exploited at scale to turn compromised sites into ClickFix distribution points; nothing in the corpus establishes whether exploitation preceded a fix, so "zero-day" should not be inferred from the new CVE alone.

  • APT Activity — Iran, China, DPRK, and Eastern Europe: Tracking Iranian APT Screening Serpens' 2026 Espionage Campaigns and Fast and Furious - Nimbus Manticore Operations describe Iranian clusters that share the AppDomainManager hijacking technique and the MiniJunk tooling against US, Israeli, Gulf, and Australian targets. GopherWhisper and APT Targets Azerbaijani Oil and Gas Industry (FamousSparrow/Earth Estries) extend China-aligned activity into Mongolia and the energy sector, while Operation Dragon Whistle (UNG002) and the trojanized SumatraPDF campaign (Tropic Trooper) put Chinese academia and other Chinese targets on the receiving end. DPRK-linked reporting spans Void Dokkaebi's fake-job-interview lure against developers, RemotePE (an in-memory Lazarus RAT), and a DPRK-nexus trading-app infostealer lure. Eastern European cyberespionage (Fresh mischief and digital shenanigans) leverages CVE-2023-38831 and CVE-2024-42009 against Lithuanian, Polish, and Ukrainian government entities.

  • AI Platform Abuse & Social Engineering: SEO poisoning campaign leverages Gemini and Claude Code impersonation and AMOS Stealer delivered via Cursor AI agent session represent a notable tactical shift — threat actors are weaponising developer trust in AI tooling to deliver infostealers via fileless PowerShell and AppleScript, specifically targeting developer credentials and cryptocurrency wallets.

  • Event-Driven Fraud — FIFA World Cup 2026: The GHOST STADIUM Score pulse documents a phishing-as-a-service operation exploiting World Cup ticket demand across six nations (US, Argentina, Brazil, Canada, Colombia, Mexico), combining credential phishing, Facebook ad exploitation, and cryptocurrency fraud ahead of the tournament.


Corpus-Level Shifts

  • Tag spike on supply chain attack (9 of 61 pulses) and clickfix (5 pulses, or 6 if The Evolution of ClickFix, whose tag is capitalised ClickFix and is not merged by a case-sensitive count, is included): Both tags are disproportionately represented within a 61-pulse corpus, suggesting coordinated researcher focus or genuine campaign clustering. Either interpretation warrants elevated monitoring of developer toolchains and browser-based social engineering lures.

  • Broadening geographic targeting: While the United States remains the top targeted country (11 pulses), this week introduced significant coverage of Azerbaijan (energy sector), Mongolia (China-aligned APT), Indonesia (banking trojan MaaS), and a six-nation fraud campaign tied to the World Cup — indicating threat actors are actively expanding operational geography beyond traditional Western targets.

  • Dominance of domain/hostname indicators (4,810 of 6,102 active indicators, ~79%): The single largest pulse, The Evolution of ClickFix, contributes 4,500 indicators alone, leaving 1,602 for the other 60 pulses (of which Dissecting FudCrypt accounts for 566 and Cloud Atlas for 114). The corpus does not break indicator types down per pulse, so the aggregate type mix mostly describes that one report; it masks the relative significance of the 590 SHA256 hashes and 36 CVEs also present this week, and per-pulse counts are the better read of which reports are operationally rich.


Analyst Caveats

  • Attribution confidence is unverified: Pulse tags such as "China-aligned," "Iran nexus," and "DPRK-nexus" reflect community or vendor assessments ingested into OTX without standardised confidence scoring, and one actor may surface under several names (FamousSparrow/Earth Estries; the two Iranian pulses may or may not describe a single actor). Overlapping TTPs across clusters (AppDomainManager hijacking and MiniJunk appear in both Iranian-attributed pulses; DLL sideloading appears in China-attributed, Tropic Trooper, cryptojacking, and FudCrypt reporting alike) mean the corpus alone cannot establish whether two clusters are one actor, two actors, or a shared toolset.

  • Victim impact and dwell time are unknown: OTX pulses document indicators and TTPs at time of publication, not at time of initial compromise. Several pulses (e.g., Laravel Lang Compromised with RCE Backdoor Across 700+ Versions, Popular Go Decimal Library Targeted by Long-Running Typosquat, Malicious Artifacts Found in Official KICS Docker Repository) describe long-running or multi-version compromises; the true exposure window, victim count, and whether defenders have successfully remediated cannot be inferred from indicator metadata alone.

  • Sampling and timing bias: All 61 pulses carry a first_seen_at of 2026-05-27 (two ingestion batches, 03:55 and 17:50 UTC), all are TLP:WHITE, and no indicator has expired, so "emerging in the last 7 days" is the entire corpus rather than a delta against a stable baseline. The corpus-level shifts above are comparisons within one week's sample, shaped by which OTX subscriptions feed the pipeline, not measured changes from a prior period, and first_seen reflects ingestion time, not when the source published.
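As an added check, not part of the pipeline's code or of the brief above, the following Python parses the pulse listing shown under Prompt context (a six-entry subset copied verbatim as the constructed sample, uneven indentation included) and recomputes the figures the Corpus-Level Shifts and Analyst Caveats bullets rest on: pulses per tag, pulses per country, the share of indicators contributed by the single largest pulse, the number of distinct first_seen ingestion batches inside the window, and which pulses share a technique despite OTX's free-text tag spelling. The HEADER regex, the field names and the 7-day window are assumptions about the listing format, not the brief_input mart's schema.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: six entries copied from the "New pulses" listing on this page,
# keeping its uneven indentation so the parser is exercised on the real layout.
SAMPLE = """\
        - [WHITE] The GHOST STADIUM Score: Billions At Stake At The World’s Largest Football Tournament (id=6a16d67df4a69d07c59516be, indicators=60, first_seen=2026-05-27T17:50:30.919123+00:00)
    tags: ticket fraud, cryptocurrency fraud, ghost stadium, credential phishing, facebook advertising exploitation, fifa world cup 2026, phishing-as-a-service
    countries: United States of America, Argentina, Brazil, Canada, Colombia, Mexico
- [WHITE] Fast and Furious - Nimbus Manticore Operations During the Iranian Conflict (id=6a141fcbde28865faa897cb4, indicators=50, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: operation epic fury, minifast, minijunk, seo poisoning, nimbus manticore, appdomain hijacking
    countries: United States of America, Australia, Saudi Arabia, Israel, United Arab Emirates
- [WHITE] Ghost CMS Mass Compromised via CVE-2026-26980, Now Fueling ClickFix Attacks (id=6a0f06676dfe8431915ed38a, indicators=33, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: sql injection, cloaking, installer.dll, notepadplusplus.dll, clickfix, ghost cms, information stealer, mass compromise, utilifysetup.exe, cve-2026-26980, fakecaptcha
    countries: —
- [WHITE] Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns (id=6a109360ffcb2c8229a150c7, indicators=20, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: minijunk v2, screening serpens, appdomainmanager hijacking, iran nexus
    countries: United States of America, Israel, United Arab Emirates
- [WHITE] Mini Shai-Hulud Hits TanStack npm Packages (id=6a0f2710f906b2452e3b84d4, indicators=1, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: Mini Shai-Hulud, TanStack, npm, supply chain attack, credential theft, GitHub Actions, OIDC token, PyPI
    countries: —
- [WHITE] The Evolution of ClickFix: From Cleartext to Server Side Polymorphism (id=6a0d971608b49dfc89267777, indicators=4500, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: ClickFix, server-side polymorphism, fake CAPTCHA, PowerShell, DeerStealer, Vidar, InfoStealer, fileless execution, XOR encryption, Base64 obfuscation
    countries: —
"""

# Assumed shape of a pulse header line in the listing (not the pipeline's own schema).
HEADER = re.compile(
    r"^\s*-\s*\[(?P<tlp>\w+)\]\s*(?P<title>.*?)\s*\(id=(?P<id>[0-9a-f]{24}),"
    r"\s*indicators=(?P<n>\d+),\s*first_seen=(?P<ts>[^)]+)\)\s*$"
)


def parse_pulses(text):
    """Turn the listing into records; tags are case-folded, '—' means no countries."""
    pulses, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {
                "tlp": m["tlp"], "title": m["title"], "id": m["id"],
                "indicators": int(m["n"]),
                "first_seen": datetime.fromisoformat(m["ts"]),
                "tags": set(), "countries": [],
            }
            pulses.append(current)
            continue
        s = line.strip()
        if current is None:
            continue
        if s.startswith("tags:"):
            current["tags"] = {t.strip().lower() for t in s[5:].split(",") if t.strip()}
        elif s.startswith("countries:"):
            raw = s[len("countries:"):].strip()
            current["countries"] = [] if raw in ("", "—") else [c.strip() for c in raw.split(",")]
    return pulses


def tag_counts(pulses):
    """Pulses per tag: the figure behind any 'tag spike' claim."""
    return Counter(t for p in pulses for t in p["tags"])


def country_counts(pulses):
    """Pulses per targeted country."""
    return Counter(c for p in pulses for c in p["countries"])


def indicator_skew(pulses):
    """Largest single pulse versus everything else: how far one report moves the aggregate."""
    total = sum(p["indicators"] for p in pulses)
    top = max(pulses, key=lambda p: p["indicators"])
    return {"total": total, "top_title": top["title"], "top": top["indicators"],
            "rest": total - top["indicators"]}


def ingestion_batches(pulses, as_of, window_days=7):
    """Distinct first_seen values and whether all fall inside the window.
    Very few distinct values with everything in-window means first_seen is
    ingestion time, so 'emerging' has no earlier baseline to compare against."""
    stamps = {p["first_seen"] for p in pulses}
    all_in = all(as_of - timedelta(days=window_days) <= s <= as_of for s in stamps)
    return len(stamps), all_in


def pulses_with_technique(pulses, fragment):
    """Titles whose tags mention a technique; substring match because OTX tags are
    free text ('appdomain hijacking' versus 'appdomainmanager hijacking')."""
    return sorted(p["title"] for p in pulses if any(fragment in t for t in p["tags"]))


AS_OF = datetime(2026, 5, 27, 19, 12, 33, 279373, tzinfo=timezone.utc)  # corpus as-of time
PULSES = parse_pulses(SAMPLE)

if __name__ == "__main__":
    print(tag_counts(PULSES).most_common(3))
    print(country_counts(PULSES).most_common(3))
    print(indicator_skew(PULSES))
    print(ingestion_batches(PULSES, AS_OF))
    print(pulses_with_technique(PULSES, "appdomain"))
```

On the subset this flags the two Iranian pulses as sharing the AppDomainManager technique even though no two tags match exactly, and shows one ingestion window holding two batches. Note that case-folding tags will differ from a case-sensitive count wherever capitalisation is inconsistent: in the full listing five pulses tag clickfix and The Evolution of ClickFix tags ClickFix, which is why the corpus context reports 5 while a folded count reports 6.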

Prompt context

You are a threat-intelligence analyst. Produce a concise brief on the current
      state of the AlienVault OTX corpus, focusing on **emerging threats from the
      last 7 days**.

      ## Corpus context (as of 2026-05-27 19:12:33.279373+00:00)
      - Total pulses:                 61
      - Total indicators:             6,102
      - Active indicators:            6,102  (active = not expired AND not dropped from its pulse)
      - Expired indicators:           0
      - Top 5 indicator types:        domain: 3773, hostname: 1037, FileHash-SHA256: 590, FileHash-MD5: 287, FileHash-SHA1: 263
      - Top 5 targeted countries:     United States of America: 11, Poland: 3, Brazil: 3, Thailand: 3, South Africa: 2
      - Top 5 tags:                   credential theft: 13, supply chain attack: 9, infostealer: 6, clickfix: 5, social engineering: 5
      - Top 5 targeted industries:    Technology: 14, Finance: 14, Government: 11, Healthcare: 6, Education: 6

      ## Emerging in the last 7 days
      Indicator types newly seen:     domain: 3773, hostname: 1037, FileHash-SHA256: 590, FileHash-MD5: 287, FileHash-SHA1: 263, URL: 68, IPv4: 48, CVE: 36
      New pulses (first_seen_at within 7d):
        - [WHITE] The GHOST STADIUM Score: Billions At Stake At The World’s Largest Football Tournament (id=6a16d67df4a69d07c59516be, indicators=60, first_seen=2026-05-27T17:50:30.919123+00:00)
    tags: ticket fraud, cryptocurrency fraud, ghost stadium, credential phishing, facebook advertising exploitation, fifa world cup 2026, phishing-as-a-service
    countries: United States of America, Argentina, Brazil, Canada, Colombia, Mexico
- [WHITE] From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities (id=6a1634fbefeffa7f0c6a52f5, indicators=27, first_seen=2026-05-27T17:50:30.919123+00:00)
    tags: process hollowing, cryptojacking, seo poisoning, screenconnect abuse, gpu mining, simplerunpe, dll sideloading
    countries: —
- [WHITE] Phishing Campaign Deploys JavaScript-Driven PureLogs Variant to Steal Sensitive Data (id=6a15ba258c1acc516e08c0fd, indicators=12, first_seen=2026-05-27T17:50:30.919123+00:00)
    tags: phishing, cryptocurrency wallets, purelogs, process hollowing
    countries: —
- [WHITE] Extortion in the Enterprise: Defending Against BlackFile Attacks (id=69ef8ab862c07db686ca4572, indicators=0, first_seen=2026-05-27T17:50:30.919123+00:00)
    tags: blackfile, data exfiltration, saas attacks, unc6671, extortion, cordial spider, the com, credential theft, vishing
    countries: —
- [WHITE] Smart Contracts for C&C: How ClearFake Hid in Plain Sight on BSC Testnet (id=6a15ba2632bd7e246e9c1250, indicators=17, first_seen=2026-05-27T17:50:30.919123+00:00)
    tags: infostealer, blockchain c&c, clickfix, etherhiding, sectoprat, clearfake, bnb smart chain, acrstealer
    countries: Switzerland
- [WHITE] SEO poisoning campaign leverages Gemini and Claude Code impersonation to deliver infostealer (id=6a0f06681c6ea37a99ec7d21, indicators=54, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: fileless powershell, infostealer, ai platform impersonation, developer targeting, supply chain risk, typosquatting, seo poisoning, credential theft
    countries: United States of America, United Kingdom of Great Britain and Northern Ireland
- [WHITE] Fast and Furious - Nimbus Manticore Operations During the Iranian Conflict (id=6a141fcbde28865faa897cb4, indicators=50, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: operation epic fury, minifast, minijunk, seo poisoning, nimbus manticore, appdomain hijacking
    countries: United States of America, Australia, Saudi Arabia, Israel, United Arab Emirates
- [WHITE] Fresh mischief and digital shenanigans (id=6a0e803c81c123ee6cf7066a, indicators=40, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: belarus, ukraine, cobalt strike, cve-2023-38831, cyberespionage, cve-2024-42009, eastern europe, governmental targeting, spearphishing, picassoloader
    countries: Lithuania, Poland, Ukraine
- [WHITE] Ghost CMS Mass Compromised via CVE-2026-26980, Now Fueling ClickFix Attacks (id=6a0f06676dfe8431915ed38a, indicators=33, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: sql injection, cloaking, installer.dll, notepadplusplus.dll, clickfix, ghost cms, information stealer, mass compromise, utilifysetup.exe, cve-2026-26980, fakecaptcha
    countries: —
- [WHITE] Malicious Campaign Deploying AdaptixC2 Beacon and VS Code via Trojanized SumatraPDF (id=69e9d8ba4c0b0df25b764711, indicators=29, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: sumatrapdf, cobaltstrike, adaptixc2 beacon, entryshell, toshis, tropic trooper, chinese targets, cobaltstrike beacon, toshis loader, adaptixc2, github c2
    countries: —
- [WHITE] RemotePE: The Lazarus RAT that lives in memory (id=6a1447f25db6bc082d5093cb, indicators=28, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: poolrat, pondrat, dpapiloader, themeforestrat, hellsgate, remotepeloader, remotepe
    countries: —
- [WHITE] New NGate variant hides in a trojanized NFC payment app (id=69e7a6a0bb463e49c9b7572e, indicators=24, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: handypay trojanization, brazil targeting, ngate, fake lottery, nfc relay, ai-generated code, pin theft, phantomcard, payment card fraud
    countries: Brazil
- [WHITE] GopherWhisper: A burrow full of malware (id=69ea2ebe8c3499b065ec22a7, indicators=24, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: gopherwhisper, laxgopher, ratgopher, boxoffriends, go-based backdoors, jabgopher, china-aligned apt, frienddelivery
    countries: Mongolia
- [WHITE] TwizAdmin -- Multi-Stage Crypto Clipper, Infostealer & Ransomware Operation (id=69e8c1fb96869b14e2c565a2, indicators=23, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: crypto clipper, twizadmin, multi-platform, russian-speaking, infostealer, crpx0, maas, ransomware, cryptocurrency theft
    countries: —
- [WHITE] DinDoor Backdoor: Deno Runtime Abuse and 20 Active C2 Servers (id=69ea29a2df2a3f26872b6e15, indicators=22, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: castleloader, deno runtime, caddy proxy, tsundere botnet
    countries: United States of America, Russian Federation
- [WHITE] Android Trojan Abuses Commercial Rooting Tool and Steals Private Information (id=6a123f4adef80b0c4d8ccd35, indicators=22, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: rooting, rootnik, android, app promotion, wifi credentials, information theft
    countries: United States of America, Lebanon, Malaysia, Taiwan, Thailand
- [WHITE] Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns (id=6a109360ffcb2c8229a150c7, indicators=20, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: minijunk v2, screening serpens, appdomainmanager hijacking, iran nexus
    countries: United States of America, Israel, United Arab Emirates
- [WHITE] One Man, One AI, One Fake Persona: Inside the 5-Year Influence and Fraud 'Patriot Bait' Campaign (id=6a0f8f3596d6a5268e168a10, indicators=19, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: cryptocurrency fraud, maga community, credential theft, wordpress compromise, gotoresolve, telegram channel, qanon targeting, information operation, jailbroken gemini, ai-assisted
    countries: United States of America
- [WHITE] Malicious Artifacts Found in Official KICS Docker Repository and Code Extensions (id=69e9526908d4b6c7e9c97fed, indicators=19, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: docker hub poisoning, github actions, mcpaddon.js, credential theft, npm propagation, ci/cd compromise, canister worm, checkmarx kics, vs code extension, supply chain compromise
    countries: —
- [WHITE] PureLogs: Delivery via PawsRunner Steganography (id=6a0f272cd9c82db936e6a249, indicators=17, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: PureLogs, PawsRunner, steganography, infostealer, phishing, .NET, credential theft, cryptocurrency wallets
    countries: —
- [WHITE] Infostealer Campaign Using Trading App as Lure (id=6a0d9718bf383fbc0b89ec6c, indicators=17, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: infostealer, cryptocurrency, trading app lure, GitLab exfiltration, MoonPeak, XenoRAT, code signing abuse, DPRK-nexus
    countries: —
- [WHITE] Mach-O Man Malware: What CISOs Need to Know (id=69e82714e5cf2d1fb9fe1b0a, indicators=16, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: mach-o man, browser stealing, pylangghostrat, social engineering, macos, mach-o binaries, telegram exfiltration, credential theft, clickfix, fintech targeting
    countries: —
- [WHITE] AMOS Stealer delivered via Cursor AI agent session (id=69ec44ff58f20f2cb01e0a1c, indicators=15, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: cryptocurrency theft, social engineering, amos stealer, ai agent exploitation, cursor, applescript, credential harvesting, persistent implant
    countries: —
- [WHITE] Operation Dragon Whistle: UNG002 Targets Chinese Academia via Weaponized Institutional Lure (id=6a0db1f45208b8cf1b2b1571, indicators=11, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: spear-phishing, dll sideloading, in-memory execution, education sector targeting, social engineering, chinese academia, cobalt strike, anti-debugging
    countries: China
- [WHITE] Inside Banana RAT: From Build Server to Banking Fraud (id=6a0ce3af84b924ad15e27920, indicators=11, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: fastapi, pix qr interception, mekotio, grandoreiro, brazilian banking trojan, guildma, tetrade, powershell, financial fraud, casbaneiro, banana rat, chavecloak, polymorphic payload
    countries: Brazil
- [WHITE] APT Targets Azerbaijani Oil and Gas Industry (id=6a0d96aadcfeadab9eea10d0, indicators=11, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: FamousSparrow, Earth Estries, Deed RAT, Terndoor, DLL sideloading, Azerbaijan, energy sector, Chinese APT, Exchange exploitation
    countries: Azerbaijan
- [WHITE] Same packet, different magic: Hits India's banking sector and Korea geopolitics (id=69e827168edcf67707285b4e, indicators=11, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: espionage, chm files, backdoor, south korea diplomacy, lotuslite, dll sideloading, india banking, javascript loader
    countries: United States of America, British Indian Ocean Territory, India
- [WHITE] From edge appliance to enterprise compromise: Multi-stage Linux intrusion via F5 and Confluence (id=6a10949191ce7d3c3f2f8105, indicators=10, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: confluence exploitation, kerberos relay, credential theft
    countries: —
- [WHITE] Popular node-ipc npm Package Infected with Credential Stealer (id=6a0d970e99916e7e7e17c893, indicators=10, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: supply chain attack, npm package compromise, credential stealer, DNS exfiltration, maintainer account takeover, developer secrets harvesting, node-ipc compromise
    countries: —
- [WHITE] macOS ClickFix Campaign: AppleScript Stealers & New Terminal Protections (id=69e6db546f646b9818b7bf0d, indicators=9, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: clickfix, macos, session hijacking, credential harvesting, cryptocurrency wallet theft, applescript, social engineering, browser data exfiltration, infostealer
    countries: —
- [WHITE] Latest PyPi Compromise (id=6a0ce3b0ad791179648c47b0, indicators=9, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: durabletask, github secrets, kubernetes lateral movement, rope.pyz, managed.pyz, supply chain attack, password manager, credential theft, transformers.pyz, aws ssm propagation, pypi compromise
    countries: —
- [WHITE] 9 Year-Old PHP Vulnerability Keeps Swinging As One of the Most Targeted Vulnerabilities (id=6a0ca36a3571d3fbd4cd92bc, indicators=9, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: kinsing, cve-2022-47945, androxgh0st, rondodox, cve-2024-4577, php vulnerability, phpunit, cve-2021-41773, sysrv, cve-2017-9841, web application security, mass scanning, botnet campaigns, remote code execution, kashmirblack
    countries: —
- [WHITE] Mini Shai Hulud: Compromised @antv npm packages enable CI/CD credential theft (id=6a0e3751a23f1487cbb26ac5, indicators=8, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: supply chain attack, npm, credential theft, obfuscation, privilege escalation, github actions, ci/cd, data exfiltration
    countries: —
- [WHITE] RTF Exploit Installs RAT: uWarrior (id=69eb45ce7c704d3df21996a2, indicators=7, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: rtf exploitation, ctos rat, uwarrior
    countries: —
- [WHITE] Token Bingo: Don't Let Your Code be the Winner (id=69ecc3226a3aeb6f5b7202e3, indicators=7, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: credential theft, oauth abuse, token theft, kali365, microsoft 365, inbox rules, device code phishing, phishing-as-a-service
    countries: —
- [WHITE] New burrowing techniques (id=6a0df33ecc667be61a0a9608, indicators=7, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: wormfrp, github staging, discord c&c, cloud infrastructure, wormsocket, apt, china-aligned, mcrat, chainworm, proxy tools, vulnerability scanning, smuxproxy, trochilus, echocreep, cve-2017-7692, microsoft graph api, graphworm
    countries: Belgium, Czechia, Hungary, Italy, Nigeria, Poland, Serbia, South Africa, Spain
- [WHITE] Popular Go Decimal Library Targeted by Long-Running Typosquat with DNS Backdoor (id=6a0d278a6320921cb57f8b69, indicators=6, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: dynamic dns, c2 channel, supply chain attack, decimal library, dns backdoor, init function, typosquatting, go ecosystem
    countries: —
- [WHITE] Exposing Fox Tempest: A malware-signing service operation (id=6a0ca3690196d40952527b96, indicators=6, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: azure abuse, akira, code-signing certificates, msaas, oyster, vidar, ransomware enabler, lumma stealer, oyster backdoor, blackbyte, qilin, malware-signing-as-a-service, rhysida, inc, vanilla tempest
    countries: United States of America, British Indian Ocean Territory, China, France, India
- [WHITE] Uncovering a Global Android Carrier Billing Fraud Campaign (id=6a0e37bba2c6b50f5bf38278, indicators=6, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: android, telegram exfiltration, otp interception, webview manipulation, sms retriever api, premium sms, carrier billing fraud, southeast asia
    countries: Croatia, Malaysia, Romania, Thailand
- [WHITE] Untangling a Linux Incident With an OpenAI Twist (Part 2) (id=69e95245cf3877ded3870cff, indicators=5, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: cryptominer, repocket, botnet, linux compromise, multiple threat actors, credential harvesting, systemd-logind, dnser, ai-assisted remediation, earnfm, fkkkf, cve-2025-55182, xmrig, fh8a7d7m, data exfiltration, react2shell
    countries: —
- [WHITE] Tracking TamperedChef Clusters via Certificate and Code Reuse (id=6a0dae41682ec38e55d1aa12, indicators=5, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: gocookmate, cl-cri-1089, swiftnav, cl-unk-1090, docuflex, tamperedchef, pdfpilot, information stealers, trojanized productivity software, zipmakerpro, appsuite pdf, justaskjacky, shinypdf, pdfprime, screensrecorder, code-signing abuse, rocketpdfpro, rapidoc, manualzpdf, evilai, justconvertfiles, crystalpdf, gifsmakerpro, manualreaderpro, onezip, fileease, malvertising campaigns, calendaromatic
    countries: —
- [WHITE] Middle East Malicious Infrastructure Report: 1,350+ C2 Servers Mapped Across 98 Providers (id=6a0f8f36422c8adb515a9804, indicators=5, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: netsupport rat, termite, telecommunications, asyncrat, soullessrat, bulletproof hosting, middle east, offensive frameworks, phexia, phorpiex, xmrig, twizt, dynowiper, echogather, maas platforms, c2 infrastructure, tactical rmm, lockbit black, gophish, hajime, espionage campaigns, sliver, prism x, iot botnets, hellsuchecker, aquilarat, cobalt strike, cve-2025-11953, acunetix, mirai, keitaro, mozi, rondodox
    countries: —
- [WHITE] The Gentleman Ransomware | Defense Evasion TTPs Uncovered (id=6a0f8f34dd916c38a643df30, indicators=4, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: ransomware-as-a-service, scheduled tasks, trojan:win32/mptamperbulkexcl.h, defense evasion, cve-2024-55591, socks proxy, powershell, qilin, the gentlemen, event log clearing, rdp compromise, microsoft defender tampering
    countries: —
- [WHITE] Void Dokkaebi Uses Fake Job Interview Lure to Spread Malware via Code Repositories (id=69e7690744c08ddc410e543f, indicators=4, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: dev#popper rat, omnistealer, git history tampering, vs code exploitation, worm propagation, supply chain attack, fake job interview, blockchain infrastructure, invisibleferret, repository poisoning, north korea, developer targeting, beavertail, ottercookie
    countries: —
- [WHITE] Laravel Lang Compromised with RCE Backdoor Across 700+ Versions (id=6a1187d92cdbfd79095008cd, indicators=3, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: developer compromise, rce backdoor, laravel, supply chain attack, information stealer
    countries: —
- [WHITE] Cybercriminal VPN Dismantled in Crackdown (id=6a0f8f33ccaf530ec98bd8ae, indicators=3, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: takedown, law enforcement operation, ransomware operators, data theft, cybercrime forums, fraud operations, europol, first vpn
    countries: —
- [WHITE] The Worm That Keeps on Digging: Latest Wave (id=6a0c5b666ccb232590e33087, indicators=3, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: npm packages, supply chain attack, github actions, credential theft, cicd compromise, vscode extension, backdoor persistence, developer environments
    countries: —
- [WHITE] AI-augmented threat actor accesses FortiGate devices at scale (id=69e7a3cf924f430e51c91879, indicators=3, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: russian-speaking actor, ai-augmented attacks, mimikatz, cve-2023-27532, backup infrastructure targeting, vpn exploitation, active directory compromise, cve-2024-40711, meterpreter, fortigate, dcsync, credential abuse, cve-2019-7192
    countries: —
- [WHITE] Nightmare-Eclipse Tooling Seen in Real-World Intrusion (id=69e68c661e82c96759b91265, indicators=2, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: undefend, beigeburrow, nightmare-eclipse, cve-2026-33825, redsun, windows defender bypass, bluehammer, fortigate vpn, privilege escalation
    countries: —
- [WHITE] Exploitation of KnowledgeDeliver via ViewState Deserialization Vulnerability (id=6a140384686e44f07358066d, indicators=2, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: zero-day exploitation, bluebeam, viewstate deserialization, cobalt strike, bluebeam web shell
    countries: Japan
- [WHITE] Unmasking DPRK Cyber Threat Actors: Fake IT Worker Infrastructure (id=69e991a518634e661de0c8eb, indicators=2, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: dprk, astrill vpn, vpn infrastructure, freelance platforms, fake it workers, cryptocurrency fraud, residential proxies, sanctions evasion
    countries: United States of America, Latvia
- [WHITE] Volume Obfuscation Game: The Lead Data Brokers Out To Waste Your Time (id=6a0dae059daacd856b07a97f, indicators=2, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: aiqianjin, chang'an sleepless night, chinese-speaking forums, exchange market, data brokers, facebook 2021 leak, dark web marketplaces, lead data, telegram channels
    countries: —
- [WHITE] Mini Shai-Hulud Hits TanStack npm Packages (id=6a0f2710f906b2452e3b84d4, indicators=1, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: Mini Shai-Hulud, TanStack, npm, supply chain attack, credential theft, GitHub Actions, OIDC token, PyPI
    countries: —
- [WHITE] Inside a Tor Backed Supply Chain Worm (id=6a0d970b3015e77563f4a9fa, indicators=1, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: typosquatting, npm, supply chain attack, Tor C2, credential theft, cryptomining, privilege escalation, worm propagation
    countries: —
- [WHITE] Beyond PowerShell: Analyzing the Multi-Action ClickFix Variant (id=69e991829321a6135dcd0a13, indicators=1, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: scheduled task, social engineering, clickfix, cmdkey, unc path, lolbins, remote dll, regsvr32
    countries: —
- [WHITE] The Evolution of ClickFix: From Cleartext to Server Side Polymorphism (id=6a0d971608b49dfc89267777, indicators=4500, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: ClickFix, server-side polymorphism, fake CAPTCHA, PowerShell, DeerStealer, Vidar, InfoStealer, fileless execution, XOR encryption, Base64 obfuscation
    countries: —
- [WHITE] Politicians to Ditch Signal for Homegrown Apps (id=6a0ec4bc3bab6cd24d3d05be, indicators=0, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: fast16, phishing attacks, sovereign messaging, encrypted communications, diplomatic security, european governments, stuxnet, signal, matrix protocol, whatsapp
    countries: United States of America, Belgium, France, Germany, Poland, United Kingdom of Great Britain and Northern Ireland
- [WHITE] Dissecting FudCrypt: A Real-World Malware Crypting Service Analysis (id=69e8c2ea19756cc9d2899dea, indicators=566, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: cmstplua-uac-bypass, azure-trusted-signing, cryptor-as-a-service, dll-sideloading, etw-patching, amsi-bypass, screenconnect, fudcrypt
    countries: —
- [WHITE] Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload (id=6a105530af26afbd3752ab81, indicators=114, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: vbcloud, netsupport rat, powershower, reversesocks, phantomheart, valleyrat, powercloud, cloud atlas
    countries: Belarus, Russian Federation
- [WHITE] Beyond Tax Returns: How Shared Malware Infrastructure Scales Brand Abuse In Indonesia (id=6a0daa32ac6609fbd06d30ae, indicators=88, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: GoldFactory, Gigabud.RAT, MMRat, Taotie, Indonesia, banking trojan, phishing, vishing, MaaS, brand abuse
    countries: Indonesia, Peru, Philippines, South Africa, Thailand
- [WHITE] Misconfigured, Enrolled and Dormant: Anatomy of a P2Pinfect Kubernetes Compromise (id=6a0e3753562a6e67c9d9aac4, indicators=62, first_seen=2026-05-27T03:55:33.502302+00:00)
    tags: metro4shell, cve-2025-49844, cve-2022-0543, peer-to-peer, redis exploitation, cve-2025-11953, ransomware, p2pinfect, cryptomining, botnet, kubernetes
    countries: —

      ## What to produce
      Write a 250-400-word brief with:
      1. **Headline** (one sentence on the week's most notable signal).
      2. **Emerging threats** (3-5 bullets on the new pulses — group by theme: ransomware,
         phishing, APT, supply chain, etc. — and cite pulse names).
      3. **Corpus-level shifts** (1-3 bullets on changes from the stable picture: a
         newly-targeted country, a TLP-distribution shift, a tag spike).
      4. **Analyst caveats** (1-2 bullets on what this data can NOT tell us:
         attribution confidence, victim impact, dwell time, sampling bias from OTX
         subscriptions).

      Use markdown. Do not invent indicators, pulse names, or numbers — work strictly
      from what's above.