| New Threats Detection Added | Nightmare Eclipse |
| New Threat Protection | 86 |
| Newly Detected Threats | 7 |
Weekly Detected Threats
The following threats were added to Crystal Eye this week:
Threat name: Nightmare Eclipse
Over a period of 7 weeks, a security researcher known as “Nightmare Eclipse” released 6 zero-day vulnerabilities for the Windows operating system. The vulnerabilities, together with the accompanying exploits or proof-of-concepts, were published to the researcher's GitHub account and consist of local privilege escalation vulnerabilities, a denial-of-service in Windows Defender and a BitLocker bypass.
The vulnerabilities have been added to CISA's Known Exploited Vulnerabilities Catalog, indicating that they have been identified as actively exploited by threat actors.
The researcher has further announced that they intend to release additional vulnerabilities in June and July 2026.
Timeline of Events
Vulnerabilities Overview Table
Known Exploited Vulnerabilities (Week 5 - May 2026)
For more information, please visit the Red Piranha Forum:
https://forum.redpiranha.net/t/known-exploited-vulnerabilities-catalog-5th-week-of-may-2026/665.
| Vulnerability | CVSS | Description | Affected Version | Fixed Version |
|---|---|---|---|---|
| Authentication Bypass (Palo Alto Networks PAN-OS) | 9.1 | Palo Alto Networks PAN-OS contains an authentication bypass vulnerability within the GlobalProtect portal and gateway that can allow an attacker to bypass security restrictions and establish a VPN connection with the appliance. The vulnerability affects the authentication override cookie feature: if a public key is known, an attacker can forge a cookie for an administrative user. | Check vendor advisory for affected versions. | |
| Embedded Malicious Code (NX Console) | 9.8 | NX Console contains embedded malicious code within the VS Code extension that could allow an attacker to gain access to the system and exfiltrate credentials to an attacker-controlled server. The malicious extension (v18.95.0) was published to the Visual Studio and OpenVSX Marketplaces, was available to download between 12:30-13:09 UTC on 18/05/2026, and supported the macOS, Linux and Windows operating systems. This attack has been attributed to a recent supply chain attack against TanStack. | v18.95.0 | v18.100.0 |
| Embedded Malicious Code (TanStack) | 9.6 | TanStack contains an unspecified vulnerability that allowed malicious packages to be published to the npm registry. 84 malicious versions were published as part of this attack, resulting in 42 separate @tanstack packages being infected with credential-harvesting malware. This supply chain attack was attributed to TeamPCP via their Mini Shai-Hulud worm. | Check vendor advisory for affected plugins and versions. | |
| Embedded Malicious Code (Daemon Tools) | 9.8 | Daemon Tools contains embedded malicious code within the official installation packages distributed via the legitimate vendor's website, the result of a supply chain attack against the vendor's build environment. The compromised Daemon Tools Lite Windows packages, versions 12.5.0.2421 through 12.5.0.2434, contain information stealers and a backdoor which can provide an attacker with remote access to affected systems. | 12.5.0.2421-12.5.0.2434 | 12.6.0.2445 |
| Privilege Escalation (LiteSpeed cPanel Plugin) | 9.8 | LiteSpeed cPanel Plugin contains a privilege escalation vulnerability that can allow an authenticated remote attacker to execute arbitrary code with root-level privileges. | <= 2.4.6 (cPanel); <= 5.2.9 (WHM) | 2.4.6; 5.3.0.0 |
Updated Malware Signature (Week 5 - May 2026)
| Threat | Description |
|---|---|
| XWorm | A Remote Access Trojan (RAT) and malware loader that's commonly used in cyberattacks to give attackers full remote control over a victim's system. It's part of a growing trend of commercialised malware sold or rented on dark web forums, often under the guise of a “legitimate tool.” |
Ransomware Report
The Red Piranha Team conducts ongoing surveillance of the dark web and other channels to identify global organisations impacted by ransomware attacks. In the past week, our monitoring revealed multiple ransomware incidents across diverse threat groups, underscoring the persistent and widespread nature of these cyber risks. Presented below is a detailed breakdown of ransomware group activities during this period.
Ransomware Hits Last Week
Ransomware activity this week was dominated by DragonForce (22.75%), making it the most active threat group by a considerable margin. The group's strong presence highlights continued aggressive operations and a growing impact across multiple sectors and regions.
The Gentlemen (8.98%) and Qilin (8.38%) emerged as the next most active actors, maintaining significant campaign activity throughout the reporting period. Nova and Akira (6.59% each) also demonstrated sustained operational momentum, reinforcing their position among the most active ransomware groups.
Other notable contributors included Everest (5.39%), while Inc Ransom and Nightspire (4.19% each) maintained moderate activity levels. Play (3.59%) continued to operate steadily, reflecting ongoing affiliate-driven campaigns.
Mid-tier activity was observed from Krybit, ShinyHunters, and Space Bears (2.99% each), while SafePay and Bavacai (2.4% each) maintained a smaller but consistent presence. Groups such as Coinbase Cartel, Bravox, CMD Organisation, and Chaos (1.8% each) contributed additional activity across the threat landscape.
Lower-volume operations were attributed to Worldleaks, Eraleign (APT73), Ailock, and Lamashtu (1.2% each). Meanwhile, Leaknet, Stormous, Rhysida, M3rx, Genesis, and Termite (0.6% each) reported isolated or minimal activity during the reporting period.

DragonForce Ransomware
DragonForce first emerged as a ransomware operation in August 2023, with its first victim published on a public Data Leak Site (DLS) on 13 December 2023. Some open-source reporting links the group's origins to a Malaysian-based hacktivist collective known as DragonForce Malaysia, which was active from 2021 and pivoted toward financially motivated operations; however, no confirmed identity link has been established, and this connection remains disputed. Initial operations used a ransomware binary built from the leaked LockBit 3.0 (Black) builder.
As of 23 August 2025, the group launched a "data analysis service" providing affiliates with extortion call scripts, letters to management, pseudo-legal analysis reports, and data audit summaries. Fees for this service range from 0% to 23% of ransom payments, and the service is marketed to affiliates targeting organisations with annual revenue of at least USD 15 million.
DragonForce operates three active Tor-based portals:
- DragonForce: z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
- DragonForce Recovery (Negotiation): 3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
- DragonForce | Leaks (File Server): dragonforxxbp3awc7mzs5dkswrua3znqyx5roefmi4smjrsdi22xwqd.onion
The affiliate panel additionally features a "Constructor" module for scheduling data publication, a data analysis service portal, and a RansomBay service for managing customised payloads across different environments.
TACTICS, TECHNIQUES, AND PROCEDURES (TTPs)
| Phase | Technique ID | Technique Name | Observed Behaviour |
|---|---|---|---|
| Initial Access | T1566.001 | Phishing: Spearphishing Attachment | Phishing emails with malicious attachments, macros, or links deploy ransomware payloads. Social engineering increases success rates. [3][6] |
| Initial Access | T1190 | Exploit Public-Facing Application | Confirmed exploitation of CVE-2021-44228 (Log4Shell), CVE-2023-46805 (Ivanti), and CVE-2024-57726/57727/57728 (SimpleHelp RMM). SimpleHelp exploitation targeting MSPs and downstream customers confirmed. [3][6][11] |
| Execution | T1059.001 | PowerShell | PowerShell scripts used for execution; commands concealed in registry keys for silent startup execution in some campaigns. [6] |
| Execution | T1059.003 | Windows Command Shell | cmd.exe used to orchestrate infection workflow including service termination, reconnaissance, and payload execution. [3][4] |
| Execution | T1106 | Native API | CreateProcessA Windows API call used to spawn ransomware process post-deployment. Confirmed in emulation analysis of DragonForce binaries. [5] |
| Execution | T1204.002 | User Execution: Malicious File | Confirmed in ransomware tracking data - user execution required in initial delivery chain. [1] |
| Persistence | T1053.005 | Scheduled Task / Job | Scheduled tasks used to maintain persistence across reboots. Malicious code embedded in registry keys for scheduled execution. [6] |
| Persistence | T1547.001 | Registry Run Keys / Startup Folder | PowerShell commands hidden in registry keys for startup execution. [6] |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation (BYOVD) | BYOVD technique deployed via Truesight.sys (primary) and RentDrv.sys (fallback) drivers - both signed but vulnerable - to gain kernel-level access and disable EDR/AV processes. Confirmed specifically in Conti V3 variant. [4][5] |
| Privilege Escalation | T1055 | Process Injection | Code injection into legitimate processes to elevate privileges and evade endpoint monitoring. SYSTEM impersonation and access token manipulation observed. [2] |
| Privilege Escalation | T1134 | Access Token Manipulation | SYSTEM impersonation used to access protected files and disable security services. [2] |
| Credential Access | T1003.001 | OS Credential Dumping: LSASS | Mimikatz used to dump LSASS memory and extract credentials for lateral movement. Confirmed as a standard tool in DragonForce operations. [4][5] |
| Credential Access | T1552.001 | Credentials in Files | Credentials extracted from plaintext files discovered during post-compromise file discovery phase. [3] |
| Discovery | T1046 | Network Service Discovery | SoftPerfect NetScan (confirmed), Advanced IP Scanner (confirmed), and PingCastle (confirmed) used for internal network mapping and service enumeration. [1][4][5] |
| Discovery | T1087.002 | Account Discovery: Domain Accounts | ADFind used to enumerate Active Directory accounts, groups, and domain structure. [2][3] |
| Lateral Movement | T1021.001 | Remote Services: Remote Desktop Protocol | RDP used for interactive lateral traversal across victim networks. Confirmed in a September 2023 incident. [2] |
| Lateral Movement | T1021.002 | Remote Services: SMB / Windows Admin Shares | File encryption deployed across network via SMB protocol in manufacturing sector incident, with 8-day dwell period before encryption. [3] |
| Lateral Movement | T1210 | Exploitation of Remote Services (SimpleHelp) | CVE-2024-57726 (privilege escalation), CVE-2024-57727 (path traversal), CVE-2024-57728 (arbitrary file upload/RCE) exploited for lateral movement through MSP-managed environments. [6] |
| Defence Evasion | T1562.001 | Impair Defences: Disable or Modify Tools | Confirmed in ransomware tracking data. BYOVD (Truesight.sys/RentDrv.sys) used at kernel level to terminate EDR/AV processes silently. [1][4][5] |
| Defence Evasion | T1070.001 | Indicator Removal: Clear Windows Event Logs | Windows Event Logs cleared post-encryption to hinder forensic investigation. Confirmed in DragonForce incident analysis. [1][4] |
| Defence Evasion | T1070.004 | Indicator Removal: File Deletion | Confirmed in ransomware tracking data - temporary files and artifacts deleted post-execution. [1] |
| Collection | T1005 | Data from Local System | Data collected from local drives and network shares before encryption commences. [2][3] |
| Exfiltration | T1048 | Exfiltration Over Alternative Protocol | Stolen data transmitted via SFTP, WebDAV, or uploaded directly to MEGA cloud storage or the DragonForce DLS prior to encryption. [2] |
| Impact | T1657 | Financial Extortion | Post-negotiation pressure tactics include partial data release, data analysis service extortion scripts, draft letters to management, and pseudo-legal advisory materials generated by the group's paid data analysis service. [3] |
Attack Chain Summary
Phase 1 - Initial Access: Phishing with malicious attachments/links (T1566.001); exploitation of public-facing applications including Log4Shell, Ivanti, and SimpleHelp RMM vulnerabilities (T1190); valid accounts from compromised credentials (T1078); and RDP brute force (T1133).
Phase 2 - Execution: PowerShell and cmd.exe used to orchestrate infection. CreateProcessA API spawns ransomware process. User execution required in phishing delivery chain.
Phase 3 - Discovery: SoftPerfect NetScan, Advanced IP Scanner, PingCastle for network mapping. ADFind for Active Directory enumeration. File/directory traversal identifies encryption targets.
Phase 4 - Credential Access: Mimikatz used to dump LSASS credentials. Plaintext files searched for stored credentials to enable lateral movement.
Phase 5 - Lateral Movement: Interactive RDP traversal, SMB-based file encryption propagation, PsExec for remote execution, WMI for remote command execution. 8-day dwell period observed between initial access and encryption in one confirmed manufacturing sector incident. SimpleHelp vulnerabilities used in MSP environments for downstream pivots.
Phase 6 - Persistence: SystemBC backdoor for persistent C2 (CONFIRMED). Scheduled tasks and registry Run Keys for reboot persistence (ATTRIBUTED).
Phase 7 - Defence Evasion: BYOVD (Truesight.sys primary, RentDrv.sys fallback) terminates EDR/AV at kernel level silently. DLL hijacking and file masquerading.
Phase 8 - Data Collection & Exfiltration: Data collected from local drives and network shares. Exfiltrated via SFTP, WebDAV, MEGA, or directly to DragonForce DLS before local encryption begins.
Phase 9 - Impact: ChaCha8/AES-256/RSA encryption applied to all accessible files on Windows, Linux, ESXi, BSD, and NAS. Shadow copies deleted via wmic.exe. Windows Event Logs cleared post-encryption. Ransom note [rand].README.txt or readme.xt dropped. Extension .dragonforce_encrypted appended.
Phase 10 - Post-Negotiation Extortion: Group's data analysis service generates extortion scripts, management letters, and pseudo-legal reports to pressure payment. Partial data release is used as additional leverage for high-value victims.
INDICATORS OF COMPROMISE (IOCs)
File Hash (Confirmed Sample)
| Type | Indicator |
|---|---|
| SHA256 | 410db536a57c511b0ccac2639e0eb3320f303fc5c90242379ab43364c51ef321 |
Network / Infrastructure Indicators
| Type | Indicator |
|---|---|
| Tor Onion | z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion |
| Tor Onion | 3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion |
| Tor Onion | dragonforxxbp3awc7mzs5dkswrua3znqyx5roefmi4smjrsdi22xwqd.onion |
| Tor Onion | dszmdx3jr7vggdaf2c5k4qunt4mxclelhgbtjlgewlkmlnfpsnsg3sad.onion |
Host-Based Indicators - Files
| Type | Indicator |
|---|---|
| File Extension | .dragonforce_encrypted |
| Ransom Note | [rand].README.txt |
| Ransom Note | readme.xt |
| Driver | Truesight.sys |
| Driver | RentDrv.sys |
Host-Based Indicators - Behavioural
| Type | Indicator |
|---|---|
| Mutex | hsfjuukjzloqu28oajh727190 |
| Command | wmic.exe shadowcopy delete |
| Behaviour | Windows Event Log clearing post-encryption |
| Tool | Mimikatz |
| Tool | SoftPerfect NetScan |
| Tool | Advanced IP Scanner |
| Tool | PingCastle |
| Tool | ADFind |
| Tool | SystemBC |
| Tool | Cobalt Strike |
| Tool | PsExec |
Exploited Vulnerabilities
| Type | Indicator |
|---|---|
| CVE | CVE-2021-44228 (CVSS 10.0) |
| CVE | CVE-2023-46805 (CVSS 8.2) |
| CVE | CVE-2024-57726 (CVSS 9.9) |
| CVE | CVE-2024-57727 (CVSS 7.5) |
| CVE | CVE-2024-57728 (CVSS 7.2) |
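As an added example (not Red Piranha's or Crystal Eye's own code), the following Python sweep matches the host-based DragonForce indicators from the tables above against endpoint telemetry. The `evt=...` key/value line format, its field names, the sample lines and the `event_log action=cleared` record standing in for the log-clearing behaviour are all constructed assumptions for illustration; the indicator values themselves come from the report.

```python
import re

# Indicator values taken from the IoC tables above.
ENCRYPTED_EXT = ".dragonforce_encrypted"
RANSOM_NOTE_RE = re.compile(r"(?:^|[\\/])(?:[^\\/]+\.README\.txt|readme\.xt)$", re.IGNORECASE)
BYOVD_DRIVERS = {"truesight.sys", "rentdrv.sys"}
MUTEX = "hsfjuukjzloqu28oajh727190"
SHADOW_DELETE_RE = re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.IGNORECASE)

# Constructed telemetry format (assumption): space-separated key=value pairs, quoted when needed.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse(line: str) -> dict[str, str]:
    """Parse one constructed key=value telemetry line into a dict."""
    return {k: q or b for k, q, b in KV_RE.findall(line)}

def classify(line: str) -> list[str]:
    """Return the names of the DragonForce indicators matched by one telemetry line."""
    ev = parse(line)
    kind = ev.get("evt", "")
    hits: list[str] = []
    if kind == "process" and SHADOW_DELETE_RE.search(ev.get("cmd", "")):
        hits.append("shadow_copy_deletion")      # "wmic.exe shadowcopy delete"
    if kind == "driver_load":
        image = ev.get("image", "").replace("\\", "/").rsplit("/", 1)[-1]
        if image.lower() in BYOVD_DRIVERS:       # Truesight.sys / RentDrv.sys
            hits.append("byovd_driver")
    if kind == "file_create":
        path = ev.get("path", "")
        if path.lower().endswith(ENCRYPTED_EXT):
            hits.append("encrypted_extension")
        if RANSOM_NOTE_RE.search(path):          # [rand].README.txt or readme.xt
            hits.append("ransom_note")
    if kind == "mutex" and ev.get("name") == MUTEX:
        hits.append("mutex")
    if kind == "event_log" and ev.get("action") == "cleared":
        hits.append("event_log_cleared")         # assumed field for T1070.001
    return hits

def sweep(lines: list[str]) -> dict[str, int]:
    """Count indicator hits over a batch of lines; any hit warrants triage."""
    counts: dict[str, int] = {}
    for line in lines:
        for hit in classify(line):
            counts[hit] = counts.get(hit, 0) + 1
    return counts

# Constructed sample telemetry: benign lines plus one hit per behavioural indicator.
SAMPLE_LOG = [
    r'evt=process cmd="C:\Windows\System32\svchost.exe -k netsvcs"',
    r'evt=driver_load image="C:\Windows\Temp\Truesight.sys"',
    r'evt=mutex name="hsfjuukjzloqu28oajh727190"',
    r'evt=process cmd="wmic.exe shadowcopy delete"',
    r'evt=file_create path="C:\Users\ops\Documents\q3.xlsx.dragonforce_encrypted"',
    r'evt=file_create path="C:\Users\ops\Documents\k7x2.README.txt"',
    r'evt=event_log action=cleared channel=Security',
    r'evt=file_create path="C:\Users\ops\Documents\notes.txt"',
]
```

Running `sweep(SAMPLE_LOG)` returns one hit for each of the six behavioural indicators and none for the benign lines; in production the same logic would be fed the process, driver-load and file-create channels of the endpoint telemetry rather than the constructed list.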
MITIGATION - CRYSTAL EYE 5.5
All Crystal Eye 5.5 controls referenced below are documented at https://docs.redpiranha.net/5.5/
- Block exploitation of confirmed DragonForce CVEs: add CVE-2024-57726, CVE-2024-57727, CVE-2024-57728 (SimpleHelp) and CVE-2021-44228 (Log4Shell) to CE IDPS virtual patching rulesets.
- Some of the DragonForce victims had prior infostealer-related domain compromise; CESOC dark web monitoring should actively track managed client domain credential exposure.
Worldwide Ransomware Victims
Ransomware activity this week remained heavily concentrated in the United States (43.71%), which accounted for nearly half of all reported incidents. The continued dominance of the U.S. highlights its attractiveness to ransomware operators due to its large concentration of enterprises, critical infrastructure, and high-value targets.
Canada (5.99%), along with Australia and Germany (5.39% each), experienced the next highest levels of activity, demonstrating continued ransomware pressure across North America, Europe, and the Asia-Pacific region. The United Kingdom (4.19%) also remained a significant target, reflecting persistent attacks against mature digital economies.
Moderate activity was observed in the Netherlands (3.59%) and Spain (2.99%), while Italy, Turkey, and Mexico (2.4% each) recorded notable levels of ransomware incidents. These countries continue to face consistent targeting from both established ransomware groups and emerging threat actors.
Additional activity was distributed across France, Thailand, Switzerland, Argentina, and Colombia (1.8% each). Countries including Indonesia, Egypt, Japan, and Austria (1.2% each) experienced lower but recurring ransomware activity, indicating broad geographic reach across multiple regions.
Isolated incidents were reported in Vietnam, China, Brazil, New Zealand, Ireland, Poland, United Arab Emirates, Ivory Coast, Singapore, Israel, Kuwait, Hungary, and Malaysia (0.6% each). While representing a small proportion of overall incidents, these cases demonstrate the global nature of ransomware campaigns and the ability of threat actors to target organisations across diverse geographic locations.

Industry-wide Ransomware Impact
Ransomware activity this week was heavily concentrated in Manufacturing (17.37%) and Business Services (13.17%), making them the most targeted sectors during the reporting period. These industries continue to attract ransomware operators due to their critical business functions, extensive supply chains, and the significant financial impact associated with operational disruption.
The Retail sector (11.38%) also experienced substantial activity, reflecting ongoing targeting of organisations that manage large customer bases and transactional systems. Construction (6.59%) maintained elevated exposure, while Healthcare and Hospitality (5.39% each) remained attractive targets due to their reliance on continuous operations and the sensitivity of the data they manage.
Moderate ransomware activity was observed across Education (4.79%), as well as Law Firms and Energy (4.19% each). These sectors continue to face persistent threats because of valuable intellectual property, confidential information, and critical service delivery requirements.
Additional activity was distributed across Transportation (3.59%), while Federal, Organisations, and Insurance (2.99% each) recorded lower but consistent levels of ransomware incidents. IT, Finance, Media & Internet, and Architecture (2.4% each) also experienced ongoing targeting, demonstrating the broad reach of ransomware campaigns across both public and private sectors.
Lower-volume activity was observed within Consumer Services (1.8%), and Agriculture, Real Estate, and Electronics (1.2% each), indicating opportunistic attacks rather than concentrated campaign activity.
