May 11, 2026 Emerging Threats Weekly
This week’s briefing covers:
00:00 – Intro
00:40 [CAMPAIGN] Canvas Security Incident
Canvas, the learning management system operated by Instructure and widely used by schools, universities, and other education providers, is the subject of an ongoing cyber extortion campaign. Public reporting attributes the activity to SHINYHUNTERS, a data-extortion group that has claimed access to large volumes of Canvas-related user data.
02:54 [PHISHING] Code-of-Conduct AiTM Campaign Hit 35,000 Users Across 13,000 Organizations
Microsoft reported a coordinated, multi-stage phishing campaign that targeted more than 35,000 users across 13,000 organizations in 26 countries between April 14 and 16, with 92% of observed activity affecting U.S.-based victims.
04:33 [VULNERABILITY] “Copy Fail” Linux Privilege-Escalation Bug Added to KEV Amid Active Exploitation
CISA has added CVE-2026-31431, dubbed Copy Fail, to its known exploited vulnerabilities (KEV) catalogue, confirming real-world exploitation within 24 hours of disclosure. The Linux local privilege-escalation vulnerability affects every mainstream kernel built since 2017 and allows authenticated local users to escalate to root access.
06:38 [THREAT ACTOR] China-Nexus UAT-8302 Expanded Government Targeting Across South America and Southeastern Europe
Cisco Talos disclosed UAT-8302 as a China-nexus advanced persistent threat group that has been targeting government entities in South America since late 2024. The activity expanded in 2025 to include government agencies in southeastern Europe.
08:34 [CAMPAIGN] VENOMOUS#HELPER Phishing Used Legitimate RMM Tools for Durable Remote Access
Securonix reports that the ongoing VENOMOUS#HELPER campaign has affected more than 80 organizations, most of them in the U.S. The operation appears to use phishing as the entry point and legitimate remote monitoring and management software as the persistence mechanism.
10:38 [VULNERABILITY] Ollama Windows Auto-Updater Flaws Can Be Chained into Persistent Code Execution
Striga research describes two vulnerabilities in Ollama’s Windows auto-updater that can be chained to plant a persistent executable that runs on every login. These issues are tracked as CVE-2026-42248 and CVE-2026-42249 and affect Ollama’s Windows desktop update path.
Dive deeper:
Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports/cti-spotlight-trends-report
Kroll’s Q4 2024 Cyber Threat Landscape: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports/q4-2024-threat-landscape-report-phishing
Kroll’s 2025 Cyber Threat Landscape Report: Cybercrime in the Crypto Era: https://www.kroll.com/Reports/Cyber/Threat-Intelligence-Reports/Threat-Landscape-Report-Lens-on-Crypto
Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings: https://www.youtube.com/playlist
Kroll Cyber Blog: https://www.kroll.com/en/insights/cyber
Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber/threat-intelligence-services
Kroll Threat Intelligence Reports: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports
Kroll Responder MDR: https://www.kroll.com/en/services/cyber/kroll-responder