June 1, 2026 Emerging Threats Weekly

Jun 1, 2026

This week’s briefing covers:

00:00 – Intro

00:42 [VULNERABILITY] Ghost CMS Flaw Abused to Turn 700+ Sites into ClickFix Delivery Nodes
Attackers are actively exploiting CVE-2026-26980 (CVSS score of 9.4), a critical SQL injection vulnerability in Ghost CMS, to compromise unpatched instances and repurpose them for downstream malware delivery.

03:00 [THREAT ACTOR] MuddyWater Expands DLL Side-Loading Espionage Across Nine Countries
In Q1 2026, MuddyWater, also tracked as Seedworm, conducted a broad espionage campaign across nine countries and four continents. Reported victims included a South Korean electronics manufacturer, industrial manufacturing firms, educational institutions, public-sector entities, financial services organizations, professional services firms and Middle East aviation-related infrastructure.

05:06 [THREAT ACTOR] Nimbus Manticore Adds SEO Poisoning and New Backdoors to Iran-Linked Operations
Iran-aligned actor Nimbus Manticore resurfaced between February and April, targeting aviation and software organizations across the U.S., Europe and the Middle East. Reporting from multiple sources ties the activity to three campaign waves aligned with periods of heightened regional tension.

07:52 [VULNERABILITY] PAN-OS GlobalProtect Auth Bypass Exploited for VPN Access Using Forged Cookies
Following disclosure on May 13, 2026, CVE-2026-0257, an authentication bypass affecting PAN-OS and Prisma Access, is now under active exploitation. The vulnerability allows unauthenticated attackers to establish VPN access through the GlobalProtect gateway when specific configurations are present.

10:38 [MALWARE] Lazarus Deploys Memory-Only RemotePE Against Crypto and Banking Targets
Lazarus-linked operations have been observed using a fileless remote access trojan, RemotePE, in campaigns against banks and cryptocurrency firms.

12:38 [PHISHING] Operation Dragon Whistle Targets Universities with Double-Extension Lures and Cobalt Strike
Recent reports have flagged Operation Dragon Whistle, a phishing campaign that specifically targets universities. The attackers use institution-themed lures tied to mandatory physical testing notices.

Dive deeper:

Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports/cti-spotlight-trends-report

Kroll’s Q4 2024 Cyber Threat Landscape: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports/q4-2024-threat-landscape-report-phishing

Kroll’s 2025 Cyber Threat Landscape Report: Cybercrime in the Crypto Era: https://www.kroll.com/Reports/Cyber/Threat-Intelligence-Reports/Threat-Landscape-Report-Lens-on-Crypto

Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings: https://www.youtube.com/playlist

Kroll Cyber Blog: https://www.kroll.com/en/insights/cyber

Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber/threat-intelligence-services

Kroll Threat Intelligence Reports: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports

Kroll Responder MDR: https://www.kroll.com/en/services/cyber/kroll-responder

#krollcyber #threatintelligence #cyberthreats