| New Threats Detection Added | HookedWing |
| New Threat Protection | 79 |
| Newly Detected Threats | 7 |
Weekly Detected Threats
The following threats were added to Crystal Eye this week:
Threat name: HookedWing

HookedWing is a 4-year-long operation run by an unknown threat actor that targets business sectors such as Public Administration, Energy and Critical Infrastructure. The initial compromise is a phishing email tailored to the victim and designed to imitate Google, Microsoft, and GitHub.

Over 20 C2 domains and 100 distributed domains have been used; these include infrastructure set up by the threat actor and systems compromised by the threat actor and modified to host malicious functions. This allows the threat actor to trick users into entering valid credentials into malicious web forms.

Threat Protected: 02
Rule Set Type:
Class Type: Credential-Theft
Kill Chain:
Known Exploited Vulnerabilities (Week 4 - May 2026)
For more information, please visit the Red Piranha Forum:
https://forum.redpiranha.net/t/known-exploited-vulnerabilities-catalog-4th-week-of-may-2026/664.
| Vulnerability | CVSS | Description | Affected Version | Fixed Version |
| --- | --- | --- | --- | --- |
| | 9.8 | Unauthenticated SQLi - Drupal Core contains an SQL injection vulnerability within the JSON API that affects sites using PostgreSQL and can allow an unauthenticated remote attacker to extract information from the database. The information extracted from the database may assist an attacker in conducting further attacks against the system. | Check vendor advisory for affected versions. | |
| | 8.8 | Information Disclosure - Langflow contains a vulnerability that can allow an unauthenticated remote attacker to obtain credentials and achieve code execution on the system upon visiting a specially crafted webpage. This vulnerability occurs due to an overly permissive CORS and cookie misconfiguration, which can result in credentials being shared with an attacker-controlled system; these credentials can then be used by an attacker to execute code via authenticated endpoints. | <= 1.2.9 | 1.3.0 |
| | 6.7 | Directory Traversal - Trend Micro Apex One (on-premise) contains a directory traversal vulnerability that can allow an authenticated local attacker to modify server configuration, which can result in code execution on deployed agents. | <= 14.0.0.14081 | 14.0.0.17079 |
| | 9.8 | Buffer Overflow - Microsoft Windows contains a buffer overflow within the Windows Server Service that can allow an attacker to execute code via a specially crafted RPC request. | Check vendor advisory for affected products and versions. | |
| | 8.8 | Remote Code Execution - Microsoft DirectX contains a vulnerability within the QuickTime Movie Parser Filter that can allow an unauthenticated remote attacker to execute arbitrary code upon opening a specially crafted QuickTime media file. | Check vendor advisory for affected products and versions. | |
| | 8.8 | Remote Code Execution - Adobe Acrobat and Reader contains a heap-based buffer overflow vulnerability that can allow an unauthenticated remote attacker to execute arbitrary code upon opening a specially crafted PDF file. | 7.0 - 7.1.3; 8.0 - 8.1.6; 9.0 - 9.1.3 | 7.1.4; 8.1.7; 9.2 |
| | 8.8 | Remote Code Execution - Microsoft Internet Explorer contains a use-after-free vulnerability that can allow an unauthenticated remote attacker to execute code on the system upon accessing a specially crafted web page. | Check vendor advisory for affected products and versions. | |
| | 8.8 | Remote Code Execution - Microsoft Internet Explorer contains a use-after-free vulnerability within the Peer Objects component that can allow an unauthenticated remote attacker to execute arbitrary code upon opening a specially crafted web page. | Check vendor advisory for affected products and versions. | |
| | 7.8 | Privilege Escalation - Microsoft Defender contains a privilege escalation vulnerability that can allow an authenticated attacker to elevate to SYSTEM level privileges. | <= 1.1.26030.3008 | 1.1.26040.8 |
| | 4 | Denial of Service - Microsoft Defender contains a denial-of-service vulnerability that can allow an authenticated attacker with standard user privileges to prevent Defender from updating malware signatures. | <= 4.18.26030.3011 | 4.18.26040.7 |
Updated Malware Signature (Week 4 - May 2026)
| Threat | Description |
| --- | --- |
| NetSupport RAT | NetSupport RAT is a Remote Access Tool capable of avoiding EDR while maintaining persistence and performing data exfiltration. It also has info stealer capabilities. |
Ransomware Report

The Red Piranha Team conducts ongoing surveillance of the dark web and other channels to identify global organisations impacted by ransomware attacks. In the past week, our monitoring revealed multiple ransomware incidents across diverse threat groups, underscoring the persistent and widespread nature of these cyber risks. Presented below is a detailed breakdown of ransomware group activities during this period.

Ransomware Hits Last Week

Ransomware activity this week was led by Qilin (11.7%), making it the most active threat group during the reporting period. Nova (9.94%) and Lockbit5 (8.77%) also demonstrated strong operational presence, continuing to maintain high attack volumes across multiple sectors and regions. Other major contributors included SafePay and Titan (5.26% each), followed closely by DragonForce and Stormous (4.09% each). These groups maintained steady campaign execution, indicating sustained affiliate activity and continued operational maturity.

Mid-tier activity was observed from The Gentlemen (3.51%), while Akira, Eraleign (APT73), and Coinbase Cartel (2.92% each) remained consistently active. Groups such as Chaos, M3rx, Pear, and Payload (2.34% each) also contributed moderate levels of ransomware operations during the week. Several actors including Lamashtu, Bavacai, Inc Ransom, Nightspire, Krybit, and secondary Qilin activity (1.75% each) maintained smaller but recurring campaign activity.

Lower-volume operations were observed from CMD Organisation, Beast, Ailock, Anubis, secondary Pear activity, and Nova secondary activity (1.17% each). Minimal or isolated incidents were linked to Termite, Exitium, Rhysida, Brain Cipher, Triple X, Spy Corporate, secondary Inc Ransom activity, secondary DragonForce activity, and secondary Bavacai activity (0.58% each), indicating either niche targeting or limited operational scale during this reporting period.

BAVACAI Ransomware
THREAT ACTOR DESCRIPTION
Family and Technical Classification
BAVACAI is a ransomware variant belonging to the MedusaLocker ransomware family, identified through examination of a malware sample submitted to a malware analysis platform. It was confirmed as part of this family by five independent antivirus vendors.
BAVACAI encrypts files on the victim's systems and exfiltrates data from the network, then demands a ransom in exchange for decryption and to prevent publication of the stolen data. The ransom note (WHATS_HAPPEND.txt) states that exfiltrated data will be published within 72 hours unless the victim makes contact.
Analysis of the BAVACAI malware sample identifies exposed RDP services, exploited via brute force against weak or reused credentials, as the primary known attack vector for this ransomware family.
TACTICS, TECHNIQUES, AND PROCEDURES (TTPs)
Attribution Framework
All TTPs in this section use one of two status labels:
- CONFIRMED: Directly evidenced from BAVACAI malware sample analysis or from BAVACAI-specific ransomware tracking data.
- ATTRIBUTED: Sourced from threat intelligence reporting on BARADAI, a MedusaLocker-family variant confirmed to share the same Data Leak Site and operator infrastructure as BAVACAI. These TTPs are attributed to the same operator cluster with moderate confidence and have not been independently confirmed from BAVACAI binary analysis.
| Phase | Technique ID | Technique Name | Observed Behaviour |
| --- | --- | --- | --- |
| Initial Access | T1190 | Exploit Public-Facing Application (RDP) | Exposed RDP services exploited via brute force against weak or reused credentials. Confirmed as the primary known initial access vector for this ransomware family. |
| Initial Access | T1566 | Phishing / Malicious Attachment | Phishing emails with malicious attachments, Office macros, disguised PDFs, archives, installers, pirated software, and fake software updates documented as distribution methods. |
| Initial Access | T1078 | Valid Accounts | 58.3% of victims had prior infostealer domain compromise, confirming pre-obtained credentials as an active access enabler. |
| Privilege Escalation | T1134.004 | Access Token Manip.: Parent PID Spoofing | Confirmed BAVACAI TTP from ransomware tracking intelligence. |
| Collection / Exfil | T1048 | Exfiltration over Alternative Protocol | Data exfiltrated to attacker-controlled Tor fileserver before local encryption. Tor fileserver address referenced directly in ransom note. |
| Impact | T1486 | Data Encrypted for Impact | .BAVACAI extension appended to all encrypted files. WHATS_HAPPEND.txt ransom note dropped post-encryption. Encryption algorithm not specified in available BAVACAI-specific analysis. |
| Execution | T1059.003 | Windows Command Shell | cmd.exe used for scripted execution of infection and control commands, including service termination (taskkill, net stop). |
| Execution | T1129 | Shared Modules | Leverages shared Windows modules and system libraries. |
| Persistence | T1547.001 | Registry Run Keys / Startup Folder | Autorun established via CurrentVersion\Run registry keys. Note: a separate BAVACAI-specific registry key is confirmed (see IOC section). |
| Persistence | T1112 | Modify Registry | HKCU\SOFTWARE paths used for config/state storage; Internet Settings and policy keys modified. |
| Persistence | T1542.003 | Pre-OS Boot: Bootkit | Bootkit capability identified. Not independently confirmed from BAVACAI binary analysis. |
| Privilege Escalation | T1055 | Process Injection | Code injected into legitimate running processes to escalate privileges. |
| Privilege Escalation | T1134 | Access Token Manipulation | Access token manipulation to assume elevated privileges. |
Attack Chain Summary
Phase 1 - Initial Access: RDP brute force on exposed endpoints with weak/reused credentials (T1190) or phishing/malicious attachments (T1566). Pre-obtained infostealer credentials also used (T1078; 58.3% co-infection rate).
Phase 2 - Execution & Discovery: cmd.exe orchestrates the infection workflow. System, file, registry, and software discovery profiles the victim environment. Application window discovery identifies processes requiring termination.
Phase 3 - Privilege Escalation: Parent PID spoofing (T1134.004) directly confirmed. Process injection (T1055) and access token manipulation (T1134) attributed from related operator cluster analysis.
Phase 4 - Persistence: Registry Run Key persistence (CurrentVersion\Run) attributed. HKLM\SOFTWARE\PAIDMEMES\{PUBLIC,PRIVATE} is a directly confirmed BAVACAI registry IOC.
Phase 5 - Defence Evasion: Binary packing, sandbox detection, hidden window execution, rootkit, file permission modification, and indicator removal collectively defeat endpoint security controls.
Phase 6 - Pre-Encryption Service Disruption: taskkill/net stop commands terminate SQL Server and enterprise services to release file locks. Windows Restart Manager API used to unlock additional files.
Phase 7 - Data Exfiltration: Victim data exfiltrated to attacker-controlled Tor fileserver before local encryption begins. 72-hour countdown to DLS publication communicated to victim on first contact.
Phase 8 - Encryption & Ransom Note: .BAVACAI extension appended. WHATS_HAPPEND.txt dropped. Victim contacted via nhuvgh@outlook.com and Tox. Encryption algorithm not specified in available BAVACAI-specific analysis.
Phase 9 - Anti-Forensics: Temporary files, scripts, and forensic artifacts deleted post-execution.
Sigma Detection Rule (Attributed - Related Operator Cluster)
The following Sigma rule was published in threat intelligence reporting on BARADAI and is attributed to the shared BAVACAI/BARADAI operator cluster. It targets process injection activity via the Windows Sysnative folder (T1055 - Privilege Escalation).
```yaml
title: Process Creation Using Sysnative Folder
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
logsource:
    category: process_creation
    product: windows
detection:
    # Either field containing the Sysnative path matches (list items are OR-ed)
    selection:
        - CommandLine|contains: ':\Windows\Sysnative\'
        - Image|contains: ':\Windows\Sysnative\'
    # The filter_main_* and filter_optional_* groups referenced in the condition
    # are not included in the published excerpt; define environment-specific
    # exclusions under those names before deploying the rule.
    condition: selection and not filter_main_* and not filter_optional_*
level: medium
```
MITIGATION - CRYSTAL EYE 5.5 CONTROLS
- Block or strictly restrict inbound RDP (TCP 3389) via CE Advanced Firewall Zone rules to authorised management IPs only.
- 58.3% of Bavacai victims had prior infostealer domain compromise [2]. CESOC dark web monitoring should actively track managed client domain credential exposure.
- CE MDR endpoint telemetry detects parent PID spoofing anomalies. Escalate immediately to CESOC on detection.
- CE IDPS rules should alert on taskkill.exe or net.exe commands targeting SQL Server services (MSSQL*, SQLAgent, SQLBrowser) outside approved maintenance windows.
- CE ForceField and CE MDR provide behavioural ransomware blocking - mass file rename events and .BAVACAI extension creation trigger immediate alerts.
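As an added example (not part of the report, the Sigma rule above, or Crystal Eye's own detection logic), the following Python detector applies the BAVACAI host indicators and the mitigation checks above to constructed telemetry: taskkill.exe / net stop against SQL Server services, process creation from the Sysnative folder (the Sigma rule's match), a burst of .BAVACAI renames with the WHATS_HAPPEND.txt note, and the PAIDMEMES registry key. The event tuple layout, field names and the rename threshold are assumptions made for this example.

```python
import re
# Indicators from the report; event format, field names and the rename threshold are assumptions.
SYSNATIVE = ":\\windows\\sysnative\\"
SQL_SERVICES = re.compile(r"\b(MSSQL|SQLAgent|SQLBrowser)", re.IGNORECASE)
RANSOM_EXT = ".bavacai"
RANSOM_NOTE = "\\whats_happend.txt"
IOC_REG_PREFIX = "hklm\\software\\paidmemes\\"
MASS_RENAME_THRESHOLD = 3  # assumption: tune to normal file activity

SAMPLE_EVENTS = [  # constructed telemetry: (kind, host, image/path/key, cmdline/action)
    ("proc", "srv-db01", r"C:\Windows\System32\net.exe", 'net stop "MSSQL$SQLEXPRESS" /y'),
    ("proc", "srv-db01", r"C:\Windows\System32\taskkill.exe", 'taskkill /F /FI "SERVICES eq SQLBrowser"'),
    ("proc", "ws-042", r"C:\Windows\Sysnative\rundll32.exe", r"C:\Windows\Sysnative\rundll32.exe stage.dll,Run"),
    ("file", "srv-db01", r"D:\Data\ledger.xlsx.BAVACAI", "rename"),
    ("file", "srv-db01", r"D:\Data\q1.docx.BAVACAI", "rename"),
    ("file", "srv-db01", r"D:\Data\payroll.csv.BAVACAI", "rename"),
    ("file", "srv-db01", r"C:\Users\Public\WHATS_HAPPEND.txt", "create"),
    ("file", "ws-042", r"C:\Users\jdoe\notes.txt.BAVACAI", "rename"),  # single rename: below threshold
    ("reg", "srv-db01", r"HKLM\SOFTWARE\PAIDMEMES\PUBLIC", "set"),
]

def check_process(image, cmdline):
    alerts = []
    exe = image.rsplit("\\", 1)[-1].lower()
    # taskkill.exe / net stop aimed at SQL Server services (pre-encryption lock release)
    if exe in ("taskkill.exe", "net.exe") and SQL_SERVICES.search(cmdline):
        if exe == "taskkill.exe" or re.search(r"\bstop\b", cmdline, re.IGNORECASE):
            alerts.append("sql_service_termination")
    # same match as the Sigma rule: Sysnative path in Image or CommandLine
    if SYSNATIVE in image.lower() or SYSNATIVE in cmdline.lower():
        alerts.append("sysnative_process_creation")
    return alerts

def check_files(file_events):
    # file_events: (path, action) pairs for one host
    alerts = []
    renames = sum(1 for p, a in file_events if a == "rename" and p.lower().endswith(RANSOM_EXT))
    if renames >= MASS_RENAME_THRESHOLD:
        alerts.append("mass_rename_bavacai")
    if any(p.lower().endswith(RANSOM_NOTE) for p, _ in file_events):
        alerts.append("ransom_note_dropped")
    return alerts

def scan(events):
    """Correlate events per host; returns {host: sorted alert names} for hosts with hits."""
    hits, files = {}, {}
    for kind, host, a, b in events:
        if kind == "proc":
            hits.setdefault(host, set()).update(check_process(a, b))
        elif kind == "file":
            files.setdefault(host, []).append((a, b))
        elif kind == "reg" and a.lower().startswith(IOC_REG_PREFIX):
            hits.setdefault(host, set()).add("paidmemes_registry_key")
    for host, evs in files.items():
        hits.setdefault(host, set()).update(check_files(evs))
    return {h: sorted(s) for h, s in hits.items() if s}
```

Running scan(SAMPLE_EVENTS) flags srv-db01 on all four indicators and ws-042 only on the Sysnative process, since its single rename stays under the threshold.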
INDICATORS OF COMPROMISE (IOCs)
All IOCs below are sourced from and validated against the referenced intelligence sources. CONFIRMED indicates direct evidence from BAVACAI-specific malware analysis or ransomware tracking data; ATTRIBUTED indicates evidence from the related BARADAI operator cluster.
File Hash

| Type | Indicator | Description |
| --- | --- | --- |
| SHA256 | 86b4d075d5bd0c49cbb21fd43935789b6612a2165273cc158dd0607b68941d04 | BAVACAI ransomware binary - Win64 PE. Confirmed by five independent AV vendors. |
Network / Operator Contact Indicators

| Type | Indicator |
| --- | --- |
| Tor Onion | t33zoj4qwv455fog7qnb2azi5xcdxkixughmmduzbw2rtdgryqfbh6id.onion |
| Email | nhuvgh@outlook.com |
| Tox ID | 7C564920870C0D33535D2012ECDDE389FE25BAF7AF427DD584EE39C04AF8CF024F8BFA93D8DB |
Host-Based Indicators (Confirmed - BAVACAI-Specific)

| Type | Indicator | Description |
| --- | --- | --- |
| File Extension | .BAVACAI | Appended to all files encrypted by BAVACAI ransomware. |
| Ransom Note | WHATS_HAPPEND.txt | Ransom note filename dropped post-encryption. |
| Registry Key | HKLM\SOFTWARE\PAIDMEMES\{PUBLIC,PRIVATE} | Confirmed BAVACAI-specific registry key from ransomware tracking IOC data. |
Host-Based Indicators (Attributed - Related Operator Cluster)

| Type | Indicator |
| --- | --- |
| Registry Key | HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Registry Path | HKCU\SOFTWARE\[config subpath] |
| Ransom Note (alt) | read_to_decrypt_files.html |
| Process activity | taskkill.exe / net.exe targeting MSSQL* services |
| API activity | Windows Restart Manager API |
AV Detection Names (Confirmed - VirusTotal, BAVACAI SHA256)

| Type | Indicator |
| --- | --- |
| AV Signature | Win64:MalwareX-gen [Ransom] |
| AV Signature | Gen:Variant.Cerbu.264176 |
| AV Signature | Win64/Filecoder.MedusaLocker.A Trojan |
| AV Signature | HEUR:Trojan-Ransom.Win32.Generic |
| AV Signature | Ransom:Win64/MedusaLocker.YAA!MTB |
Worldwide Ransomware Victims
Ransomware activity this week remained heavily concentrated in the United States (33.33%), which continued to dominate the global threat landscape by a significant margin. The sustained focus on US-based organisations reflects the country’s large enterprise ecosystem, critical infrastructure exposure, and high-value extortion opportunities.
The United Kingdom (5.85%) and Germany (5.26%) followed as the next most impacted regions, while Australia and Canada (4.68% each) also experienced elevated ransomware activity. These figures reinforce the continued targeting of economically mature and digitally dependent nations.
Moderate activity levels were observed in Singapore (4.09%), followed by Spain, Mexico, and France (2.92% each). Countries including Brazil and Indonesia (2.34% each) also reported recurring ransomware incidents, indicating broader operational reach across both developed and emerging economies.
Additional activity was distributed across Italy, Taiwan, Austria, Thailand, and Poland (1.75% each), while India, Malaysia, Chile, Philippines, Argentina, Ireland, and Malta (1.17% each) experienced lower but consistent ransomware exposure.
Isolated incidents were reported across a wide range of countries and territories including Isle of Man, Lebanon, Vietnam, South Africa, Switzerland, Turkey, Egypt, Bulgaria, Peru, Dominican Republic, Norway, Hong Kong, Tunisia, Japan, North Macedonia, Bangladesh, and Panama (0.58% each). This demonstrates the continued global reach of ransomware operations, even in regions with comparatively low attack volumes.

Industry-wide Ransomware Impact
Ransomware activity this week remained heavily concentrated across the Manufacturing sector (11.11%), which continued to dominate the industry threat landscape by a significant margin. The sustained targeting of manufacturing organisations reflects their operational technology exposure, supply chain dependencies, and high-pressure recovery timelines that make them attractive extortion targets.
Business Services (8.19%) and Healthcare (7.02%) followed as the next most impacted sectors, with Construction (7.02%) recording an equally elevated rate of incidents. These figures underscore the continued targeting of industries with broad digital footprints, sensitive data holdings, and low tolerance for operational disruption.
Retail (4.68%) and both Hospitality and Legal Services (4.09% each) experienced notable ransomware activity, reflecting ongoing adversarial interest in customer-facing industries that handle significant volumes of personal and financial data.
Moderate activity levels were observed across Education (3.51%), Transportation (2.92%), and Agriculture (2.92%), followed by IT, Professional Services (2.34% each), and Electronics, Government, Media, Real Estate, and Industrial (1.75% each).
Lower but consistent ransomware exposure was recorded across Insurance, Federal, Architecture, Finance, IT Services, Consulting, Software, Automotive, Maritime, Industrial Machinery, Wholesale Distribution, and Telecommunications (1.17% each).
