If one theme tied the week of 18 May together, it was the weaponisation of trust. Attackers abused a cloud provider's storage to smuggle out stolen data, paid to forge the digital signatures that operating systems rely on to tell good software from bad, and turned the endpoint-protection agent itself into the foothold. Below is our own read of the most significant activity, seeded by the Issue 266 weekly from Chinese threat-intelligence firm ThreatBook (微步在线) and independently verified against the primary reporting cited throughout. Disclosure: ThreatBook's Flocks SecOps platform is a first-party listing in our AI directory; this brief is editorial, not promotional.

A state-backed run at Malaysia's government

The most consequential regional story is an espionage operation that researchers at Oasis Security attribute to a state-backed actor and that targeted multiple Malaysian government organisations plus at least one private enterprise. Per Hackread's reporting on the Oasis findings, the operators ran bespoke Python tooling built per target and — the detail that elevates this above commodity intrusion — left behind previously unpublished source for a C# Cobalt-Strike-style beacon generator and a Python command-and-control server that match no public framework. That is build-it-yourself tradecraft, not an off-the-shelf kit.

Two choices stand out. First, the crew hosted its infrastructure on a Microsoft Azure virtual machine in the Malaysia West region — operating physically close to the targets to blend with normal traffic and shave latency. Second, as GBHackers detailed, exfiltration ran through an attacker-controlled Cloudflare storage endpoint, so stolen files left victim networks looking like ordinary, encrypted cloud uploads. Investigators recovered dumped SAM, SECURITY and SYSTEM registry hives and an NTDS.dit Active Directory database — the raw material for offline credential cracking — and found a live PHP web shell (health.php) still answering on a government-associated server at the time of analysis. For ASEAN defenders the lesson is blunt: "trusted" SaaS egress (Cloudflare, Azure, the rest) is now a primary exfiltration channel, and outbound-traffic baselining matters as much as perimeter filtering.

Microsoft pulls the plug on a malware-signing business

On 19 May, Microsoft unsealed a civil action that dismantled Fox Tempest, a "malware-signing-as-a-service" operation. As BleepingComputer reported, the takedown — driven by Microsoft's Digital Crimes Unit and granted three days after a 5 May filing — seized the signspace.cloud domain, suspended roughly 1,000 customer accounts, revoked more than 1,000 code-signing certificates and pulled down hundreds of virtual machines hosted at Cloudzy.

The mechanics are the interesting part. Fox Tempest used stolen US and Canadian identities to clear the identity-verification step on Microsoft's Artifact Signing service, then minted certificates valid for only 72 hours — short enough that revocation telemetry never caught up before the signed binaries had spread. According to Information Security Media Group, customers paid between $5,000 and $9,500 per signing job, and Microsoft named the Vanilla Tempest ransomware crew as a co-conspirator — the group that pushed fake Microsoft Teams installers to drop the Oyster backdoor and stage Rhysida ransomware, with the wider service feeding Akira, INC, Qilin and BlackByte operations and earlier ransomware against Seattle-Tacoma International Airport, hospitals and schools. Code-signing is a trust anchor; this is what it looks like when that anchor is quietly rented out.

When the guard is the target

Two vulnerability stories from the week share an uncomfortable shape: the security control is the attack surface.

On 20 May, CISA added two actively exploited Microsoft Defender flaws to its Known Exploited Vulnerabilities catalog, setting a 3 June remediation deadline for federal agencies. CISA's alert and Help Net Security describe CVE-2026-41091 (CVSS 7.8, High), a Malware Protection Engine link-resolution flaw that hands a local attacker SYSTEM-level control, and CVE-2026-45498 (CVSS 4.0, Medium), a denial-of-service that simply switches Defender off — clearing the way for whatever runs next. Fixes ship in Defender Antimalware Platform builds 1.1.26040.8 and 4.18.26040.7, which update silently for most estates but need verification on locked-down or shared-login machines.

The same day, Microsoft published a pre-patch mitigation for CVE-2026-45585 (CVSS 6.8, Medium), a BitLocker bypass nicknamed "YellowKey." Per The Hacker News, a researcher published a working proof-of-concept as a zero-day — outside coordinated-disclosure norms — that needs only brief physical access and native Windows functionality to read a protected drive. BleepingComputer notes it affects Windows 11 (24H2, 25H2, 26H1) and Server 2025. Until a patch lands, Microsoft's guidance is to remove the offending entry from the WinRE boot configuration and to move encrypted endpoints from TPM-only to TPM+PIN — a control every laptop fleet handling sensitive data should already be enforcing.

| Vulnerability | Product | Type | Severity | Action |
|---|---|---|---|---|
| CVE-2026-41091 | Microsoft Defender | Privilege escalation → SYSTEM | CVSS 7.8 | Exploited; in KEV. Patch by 3 Jun |
| CVE-2026-45498 | Microsoft Defender | Denial of service (disable) | CVSS 4.0 | Exploited; in KEV. Patch by 3 Jun |
| CVE-2026-45585 | Windows BitLocker | Encryption bypass (physical) | CVSS 6.8 | Public PoC. Mitigate (TPM+PIN); await patch |
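For fleets that need to verify the two mitigations above rather than trust silent updates, here is an added compliance check written for this brief (not code from Microsoft, CISA or any cited outlet). It assumes the Defender and BitLocker PowerShell modules that ship with Windows 11 and Server 2025, an elevated session, and that 1.1.x and 4.18.x are the engine and platform version lines respectively (Microsoft's usual numbering); the version constants are the fixed builds named in the text.

```powershell
# Added example: verify the Defender fix builds and the BitLocker TPM+PIN mitigation.
# Assumes Windows 11 / Server 2025 with the Defender and BitLocker modules, run elevated.

# Fixed builds named in the Defender advisories (1.1.x = engine line, 4.18.x = platform line)
$FixedEngine   = [version]'1.1.26040.8'
$FixedPlatform = [version]'4.18.26040.7'

function Test-DefenderPatched {
    # Get-MpComputerStatus reports installed engine/platform versions as strings
    $status   = Get-MpComputerStatus
    $engine   = [version]$status.AMEngineVersion
    $platform = [version]$status.AMProductVersion
    [pscustomobject]@{
        Engine          = $engine
        Platform        = $platform
        # Real-time protection being off is the end state the CVE-2026-45498 DoS produces
        RealTimeEnabled = $status.RealTimeProtectionEnabled
        Patched         = ($engine -ge $FixedEngine) -and ($platform -ge $FixedPlatform)
    }
}

function Test-BitLockerPinEnforced {
    # YellowKey mitigation: the OS volume must use TPM+PIN, not a bare TPM protector
    $vol   = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    [pscustomobject]@{
        Volume      = $vol.MountPoint
        Protection  = $vol.ProtectionStatus
        Protectors  = ($types -join ',')
        TpmOnly     = ($types -contains 'Tpm') -and -not ($types -contains 'TpmPin')
        PinEnforced = ($vol.ProtectionStatus -eq 'On') -and ($types -contains 'TpmPin')
    }
}

$defender  = Test-DefenderPatched
$bitlocker = Test-BitLockerPinEnforced
$defender  | Format-List
$bitlocker | Format-List

if (-not $defender.Patched) {
    Write-Warning "Defender engine/platform below the fixed builds; check WSUS/Intune delivery on this host."
}
if (-not $defender.RealTimeEnabled) {
    Write-Warning "Real-time protection is off; investigate before assuming it is a policy choice."
}
if ($bitlocker.TpmOnly) {
    Write-Warning "OS volume is TPM-only; add a PIN protector (Add-BitLockerKeyProtector -TpmAndPinProtector)."
}
```

Run it through your endpoint-management tool's script facility to collect the two objects per host; the warnings are the hosts to prioritise before the 3 June deadline.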

Pyongyang's four-lane phishing run

North Korea's Kimsuky ran four spear-phishing campaigns in parallel, each tuned to a different audience, in research disclosed by Logpresso. As GBHackers summarised, the targets were corporate recruiters (résumé and business-card decoys), cryptocurrency investors and developers (a fake Solana-themed security tool), defence officials and military attachés (competition documents), and public-sector and graduate-school administrators (training paperwork). The delivery was consistent: weaponised .lnk and .jse files masquerading as PDFs, a decoy document shown to the victim while a second payload established persistence, then PowerShell — or a certutil-decoded DLL run via rundll32.

The tradecraft worth flagging is the C2. Kimsuky leaned on VS Code tunnels authenticated through GitHub OAuth, plus GitHub's raw API and Microsoft's CDN, to make command-and-control look like a developer's normal traffic — and the loaders moved within minutes to disable User Account Control and add Defender exclusions while posing as OneDrive or Intel tasks. Living-off-trusted-services is now the default for state phishing, and signature-based mail and network controls quietly miss most of it.

Tap-to-fraud, and a 4.6-million-card giveaway

Two financial-crime items show how quickly the fraud toolchain is maturing. First, Cleafy's threat-intel team documented two new Android malware families, DevilNFC and NFCMultiPay, running NFC-relay attacks against banking customers in Europe and Latin America. In Cleafy's analysis, the victim's phone reads their own card's NFC data and relays it in real time to a device the fraudster holds at a POS terminal or ATM; both families harvest the card PIN as a core step. DevilNFC locks the handset in Android Kiosk Mode behind a fake bank screen (its operators show Spanish-language traces), while NFCMultiPay implements the whole relay in pure Java with no root requirement (with Brazilian-Portuguese markers). Cleafy assesses that both carry fingerprints of AI-assisted development — over-engineered phishing templates, LLM-style emoji-formatted logging — a reminder that generative tooling is lowering the bar for independent malware authors.

Second, the carding shop B1ack's Stash dumped roughly 4.6 million stolen payment cards for free. Per SOCRadar, the operators pulled some 8 million CVV2 records from sale as "punishment" for vendors reselling the shop's cards elsewhere, then published 4.6 million of them — full card numbers, expiry, CVV2, cardholder names, billing addresses, emails, phone numbers and IPs. After de-duplication an estimated 4.3 million are net-new and usable. US cardholders dominate at roughly 70%, followed by Canada, the UK, France and Malaysia — a free, regionally relevant feedstock for card-not-present fraud and for far more convincing follow-on phishing.

Key figures: 1,000+ code-signing certs revoked (Fox Tempest); 2 exploited Defender 0-days added to KEV; 4.6M stolen cards dumped free by B1ack's Stash; 3 Jun CISA patch deadline for the Defender flaws.

The ransomware tempo

The dark-web name-and-shame cadence stayed relentless. Leak-site monitoring through the week recorded fresh "victim" postings from Nightspire (against Vantage Energy), SafePay, Nova, the "payload" crew — which named a Singapore-registered industrial supplier — and TheGentlemen, which listed a Colombian YMCA. Treat these as claims: a listing signals intent and asserted access, not a confirmed, fully verified breach, and several named organisations had not publicly acknowledged anything. (One leak-site item, the retailer Robinsons, we covered in our 25 May supply-chain brief and won't re-litigate here.)

Underneath the noise, the structural shift is the move toward operational technology. Industrial-security vendor Shieldworkz, whose figures are vendor-stated and await independent benchmarking, reports OT/ICS-directed ransomware up roughly 47% year-on-year in 2026, with energy and manufacturing absorbing the most — the lineage that runs from Colonial Pipeline (2021) and Norsk Hydro (2019) through to today. The recurring failure mode is unchanged: internet-exposed remote access without multi-factor authentication, and flat paths from IT into OT.

Note: This is defensive threat reporting for awareness and patch-prioritisation — not a how-to. No exploit code or proof-of-concept is reproduced here.