Cyber Risk Brief: 27 May 2026

Disclaimer: This brief is governance commentary for leadership and risk teams, not incident notification, public attribution, legal advice, or quantitative risk analysis. Threat prioritization, framework mappings, attribution, and risk-zone groupings are informational only. Validate all technical claims against vendor advisories and internal telemetry before operational response.

Threat Intelligence Summary

T1 and T2 are concurrent active-exploitation events: an IRGC nation-state campaign across the aviation and software sectors, and a CVSS 9.1 zero-day with a Mandiant-confirmed breach. T3 and T4 are criminal threats that call for architectural control changes rather than patches.

Critical · IRGC

No CVE · Nimbus Manticore · UNC1549 · Operation Epic Fury

Nimbus Manticore runs three confirmed campaign waves (Feb–Apr 2026): AppDomain hijacking → trojanized Zoom → SEO-poisoned SQL Developer download. AI-assisted MiniFast backdoor. Targets aviation, defense, software, oil & gas across US, EU, and Middle East.

T1574.014 AppDomainManager · T1574.002 DLL side-load · getsqldeveloper[.]com · NO_PATCH

Critical · CVSS 9.1

CVE-2026-5426 · CVSS 9.1 CISA-ADP · zero-day · Mandiant

KnowledgeDeliver zero-day actively exploited, hardcoded ASP.NET machineKey enables unauthenticated RCE across all deployments before Feb 24 2026, deploying Godzilla web shells and org-specific Cobalt Strike BEACON.

ViewState deserialization · BLUEBEAM web shell · IIS / w3wp.exe · Japan · IMMEDIATE

High · 119 countries

No CVE · GTIG · PhaaS · OTP interception · MFA bypass

Chinese-language PhaaS platforms bypass MFA via real-time OTP interception, AI-generated clone pages, and RCS/iMessage delivery, monetizing via digital wallet provisioning of stolen payment cards.

Darcula PhaaS · UNC5814 · YY Lai Yu · FIDO2/WebAuthn required · 400+ Japan templates

High · BREACH

No CVE · BTMOB MaaS · Android RAT · ESET

BTMOB Android RAT sold as a $5,000 lifetime license with a no-code APK builder, fake app store delivery, and Accessibility Services abuse for full device takeover. 15 samples in two weeks indicate rapid mutation that defeats signature detection.

SpySolr · MaaS · Brazil · Argentina · phishing · MDM enforcement required

Nimbus Manticore, Operation Epic Fury: strategic context

Three confirmed campaign waves from February through April 2026: AppDomain hijacking, then a trojanized Zoom installer, then SEO poisoning of developer searches. The pace of iteration is the signal: when an adversary pivots delivery vectors every six weeks during a live conflict, detecting one lure does not mean the threat is neutralized. Assess your exposure across phishing defenses, download-source governance, and HTTP/JSON C2 visibility at the same time.

Threat Register: 27/05/2026

T1 · Critical · Post-incident
Nimbus Manticore (IRGC), Operation Epic Fury three-wave espionage campaign: MiniFast backdoor, AppDomain hijacking, trojanized Zoom, SEO-poisoned SQL Developer
Check Point Research documented three confirmed Nimbus Manticore campaign waves from February through April 2026, aligned with the US-Iran conflict, in which the IRGC-affiliated group introduced AppDomain hijacking, a trojanized Zoom installer, and a newly documented AI-assisted backdoor called MiniFast. In February, career-themed phishing lured aviation-sector employees in Saudi Arabia and Australia to download a ZIP that triggered AppDomain hijacking to deploy MiniJunk V2. In March, a trojanized Zoom installer hijacked the Zoom scheduled task to load MiniFast via DLL side-loading, with valid SSL.com digital signatures abused for evasion. In April, the group deployed SEO poisoning for the first time, registering fake SQL Developer download domains (getsqldeveloper[.]com) that ranked on Bing and DuckDuckGo, delivering MiniFast to developers searching for legitimate Oracle tools. Targets span aviation, defense, software, oil and gas, and telecommunications organizations across the US, Europe, the Middle East, Saudi Arabia, and Australia.

T2 · CVSS 9.1 · < 1% · Critical · Immediate
CVE-2026-5426 KnowledgeDeliver ViewState deserialization zero-day, CVSS 9.1, Godzilla web shells, Cobalt Strike
Threat actors exploited CVE-2026-5426 (CVSS 9.1 CISA-ADP), a hardcoded ASP.NET machineKey in KnowledgeDeliver LMS deployments before February 24, 2026, as a zero-day in ViewState deserialization attacks to deploy Godzilla web shells and Cobalt Strike backdoors. The vendor shipped an identical machineKey in all customer deployment templates, meaning any attacker who extracted it from one installation could forge malicious ViewState payloads against every internet-facing KnowledgeDeliver instance. Mandiant investigated a late-2025 breach where attackers used the exploit to inject malicious code, deploy an in-memory BLUEBEAM/Godzilla web shell within the w3wp.exe IIS worker process, modify JavaScript files to display fake security alerts, and ultimately infect workstations with Cobalt Strike BEACON encrypted with the victim organization's name, indicating a targeted actor with prior reconnaissance. All KnowledgeDeliver deployments before February 24, 2026 are affected, primarily organizations in Japan.

T3 · High · Post-incident
Chinese-language PhaaS real-time OTP interception, MFA bypass via live admin panels, AI-generated pages, digital wallet tokenization across 119 countries
Google Threat Intelligence Group analyzed a dozen active Chinese-language phishing-as-a-service (PhaaS) platforms that have shifted from static password harvesting to real-time credential interception, using live administration panels to capture one-time passcodes (OTPs) the instant victims submit them, bypassing MFA before tokens expire. Operators deliver phishing lures via encrypted messaging protocols (RCS and Apple iMessage) to bypass SMS carrier filters, and use AI-powered page generators (e.g., Darcula PhaaS linked to UNC5814) to create unique, template-free phishing pages that evade signature-based detection. Primary monetization is digital wallet provisioning: captured credentials and OTPs are used to provision victims' payment cards onto attacker-controlled devices, enabling high-value transactions and ATM withdrawals. The YY Lai Yu service targets Japan with 400+ localized templates across brands including Apple, PayPay, Amazon, and Rakuten, operating across 119 countries. GTIG recommends transitioning to FIDO2/WebAuthn infrastructure paired with risk-based device fingerprinting.

T4 · High · Post-incident
BTMOB Android RAT, no-code MaaS APK builder, Accessibility Services abuse, full device takeover via phishing
BTMOB is an Android remote access trojan evolved from the SpySolr malware family, packaged as a malware-as-a-service (MaaS) platform with a no-code APK builder interface that lets buyers generate custom payloads and retool phishing lures for specific countries without writing code. ESET/WeLiveSecurity documented 15 samples in two weeks (February 2025), indicating rapid payload mutation that challenges signature-based detection. Distribution follows phishing-based social engineering: victims are directed to fake streaming or cryptocurrency sites, then to fake app stores prompting malicious APK installation. Once installed, BTMOB abuses Android Accessibility Services to escalate permissions without further user interaction, enabling screenshot capture, on-device activity recording, credential exfiltration, and full remote control. The service is sold for $5,000 lifetime license via Telegram, X, and Instagram, with active campaigns targeting Brazil, Argentina, and broader Latin America.
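The AppDomainManager hijack in T1's February wave can be hunted from configuration alone: a .NET executable loads the AppDomainManager named in its <name>.exe.config (under <runtime>) or in the APPDOMAIN_MANAGER_ASM / APPDOMAIN_MANAGER_TYPE environment variables before any of its own code runs, so a config file dropped beside a signed, trusted binary loads the attacker's DLL under that binary's identity. The Python hunt below is an added example, not code from Check Point Research or from this brief; the config contents and paths are constructed, and the "user-writable location" markers are an assumption about where such lures land.

```python
"""Hunt for AppDomainManager hijacking (ATT&CK T1574.014) in .NET app configs.

Added example. A .NET executable loads the AppDomainManager named in its
<app>.exe.config (<runtime><appDomainManagerAssembly>/<appDomainManagerType>)
or in the APPDOMAIN_MANAGER_ASM / APPDOMAIN_MANAGER_TYPE environment variables
before any of its own code runs, so a config dropped beside a signed binary
loads an attacker DLL under that binary's identity.
"""
import os
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed sample configs for the example (paths and contents are not real artifacts).
SAMPLE_CONFIGS: Dict[str, str] = {
    r"C:\Program Files\Vendor\tool.exe.config": (
        '<?xml version="1.0"?>\n<configuration>\n'
        '  <startup><supportedRuntime version="v4.0"/></startup>\n</configuration>'
    ),
    r"C:\Users\alice\AppData\Local\Temp\zip_extract\SignedHost.exe.config": (
        '<?xml version="1.0"?>\n<configuration>\n  <runtime>\n'
        '    <appDomainManagerAssembly>Updater, Version=1.0.0.0, Culture=neutral, '
        'PublicKeyToken=null</appDomainManagerAssembly>\n'
        '    <appDomainManagerType>Updater.Manager</appDomainManagerType>\n'
        '  </runtime>\n</configuration>'
    ),
}

# Assumption: lures land in user-writable paths; refine the list for your estate.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")


def audit_config(path: str, xml_text: str) -> Optional[dict]:
    """Return a finding if the config names an AppDomainManager, else None."""
    root = ET.fromstring(xml_text)
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None and typ is None:
        return None
    asm_name = (asm.text or "").strip() if asm is not None else ""
    lowered = path.lower()
    return {
        "path": path,
        "assembly": asm_name,
        "type": (typ.text or "").strip() if typ is not None else "",
        # The manager DLL is resolved from the executable's own directory.
        "user_writable_location": any(m in lowered for m in USER_WRITABLE_MARKERS),
        # PublicKeyToken=null: the assembly is not strong-named, so nothing vouches for it.
        "strong_named": "publickeytoken=null" not in asm_name.lower(),
    }


def audit_environment(env: Dict[str, str]) -> Optional[dict]:
    """Flag the environment-variable variant, which hijacks every .NET process started under it."""
    upper = {k.upper(): v for k, v in env.items()}
    hits = {k: upper[k] for k in ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE") if k in upper}
    return {"path": "<environment>", **hits} if hits else None


def hunt(configs: Dict[str, str] = SAMPLE_CONFIGS, env: Optional[Dict[str, str]] = None) -> List[dict]:
    """Run both audits; env defaults to the current process environment."""
    env = dict(os.environ) if env is None else env
    findings = [f for p, x in configs.items() if (f := audit_config(p, x)) is not None]
    env_finding = audit_environment(env)
    if env_finding:
        findings.append(env_finding)
    return findings


if __name__ == "__main__":
    for finding in hunt():
        print(finding)
```

In a real hunt, feed `audit_config` every `*.exe.config` collected from endpoints (EDR file inventory or a scheduled collector) and review any hit: legitimate software rarely sets an AppDomainManager, and one pointing at an unsigned assembly in a Temp or Downloads path next to a signed host binary is the pattern described for MiniJunk V2.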

Threat Actor Profiling

Threats · Actor · Sectors · MITRE tradecraft · Kill chain

T1 · Nimbus Manticore (aka UNC1549 / Smoke Sandstorm), IRGC-affiliated, espionage
  Sectors: Aviation, Defense, Software Development, Oil & Gas, Telecommunications
  MITRE tradecraft: T1566.002, T1204.002, T1574.014, T1574.002, T1071.001
  Kill chain: Initial access via career-themed phishing links to fake hiring portals or SEO-poisoned Bing/DuckDuckGo results surfacing a counterfeit SQL Developer download site → Execution via the victim running a benign-looking installer or executable → AppDomain hijacking and DLL side-loading to load MiniJunk V2 or MiniFast under trusted processes (Microsoft-signed binaries, Zoom installer) → C2 via HTTP/JSON masquerading as Chrome browser traffic → Reconnaissance, command execution, persistence via scheduled tasks, and data exfiltration.

T2 · Unattributed targeted threat actor, pre-breach reconnaissance confirmed
  Sectors: Education & Learning Management, Enterprise Technology, Japan-based organizations
  MITRE tradecraft: T1190, T1059, T1505.003, T1071.001, T1105, T1552.001
  Kill chain: Initial access via CVE-2026-5426 ViewState deserialization using the known hardcoded machineKey → OS-level RCE under w3wp.exe → Persistence via BLUEBEAM/Godzilla in-memory web shell → Web-root permission weakening via icacls granting Everyone full access to the web directory → JavaScript tampering injecting a fake security alert → Ingress transfer of Cobalt Strike BEACON to victim workstations → Encrypted C2 from the Cobalt Strike backdoor.

T3 · Chinese-language PhaaS operators (UNC5814 / Darcula PhaaS, YY Lai Yu service), financially motivated
  Sectors: Financial Services, Payments & Digital Wallets, Consumer Technology, Retail Banking
  MITRE tradecraft: T1566.002, T1056.003, T1111, T1583.001; ATLAS AML.T0043
  Kill chain: Resource development (domain registration, AI-powered page generation via Darcula PhaaS cloning HTML/CSS/JS of legitimate portals, live admin panel setup) → Initial access via RCS/iMessage phishing to cloned login portals → Credential and OTP capture via live admin panel before token expiry, bypassing MFA entirely → Monetization via digital wallet provisioning of captured payment card credentials on attacker-controlled devices. ATLAS: AI page generators produce unique phishing pages designed to evade ML-based detection (AML.T0043 Craft Adversarial Data).

T4 · Unattributed BTMOB MaaS sellers, financially motivated criminal operators
  Sectors: Financial Services, Cryptocurrency, Consumer Mobile, Latin America Regional
  MITRE tradecraft: T1566.002, T1548, T1113, T1071, T1552
  Kill chain: Operators configure the BTMOB no-code APK builder with country-specific lures (Brazil streaming, Argentina tax/customs impersonation) → Victims directed via phishing to fake app stores → Victim installs the malicious APK → BTMOB abuses Android Accessibility Services to escalate permissions without further user interaction → Persistent remote access: screenshot capture, on-device recording, credential exfiltration, full remote control → Operators sell access for a $5,000 lifetime license via Telegram.
Table methodology & sourcing notes
  • T3 (Chinese PhaaS), ATLAS AML.T0043 (Craft Adversarial Data) applies in addition to ATT&CK techniques. AI-powered page generators (Darcula PhaaS) produce unique phishing pages designed to evade ML-based detection systems. ATLAS scope applies because AI is used as part of the attack delivery chain to generate adversarial content, not because an AI system is targeted. The technique is noted in the kill chain column.
  • T2 (CVE-2026-5426 KnowledgeDeliver), techniques map the Mandiant-documented breach confirmed in source reporting. T1552.001 (Credentials In Files) maps the hardcoded machineKey stored in web.config, the structural root cause enabling unauthenticated RCE across all customer deployments.
  • T4 (BTMOB), techniques are mobile-specific (Android). T1548 (Abuse Elevation Control Mechanism) maps Accessibility Services abuse; T1113 (Screen Capture) maps screenshot and on-device recording capability. T1059.003 (Windows Command Shell) is excluded because BTMOB is Android-only malware.

Control Deficiency & Framework Mapping

Threat · Control gaps · ISO 27001 · NIST CSF 2.0 · CIS Controls · Privacy Act / PIPEDA · ITSG-33 · OSFI B-13 · ISO 42001

T1 · Nimbus Manticore (IRGC), Operation Epic Fury three-wave espionage campaign: MiniFast backdoor, AppDomain hijacking, trojanized Zoom, SEO-poisoned SQL Developer
  • Inadequate controls around recruitment and career-site workflows, allowing highly tailored phishing and fake hiring portals impersonating aviation and software employers to reach staff without strong verification or user training.
  • Weak download-source governance and browser controls, enabling users to retrieve installers such as SQL Developer and Zoom from SEO-poisoned domains rather than verified vendor sources with hash validation.
  • Insufficient endpoint hardening and telemetry to detect or block AppDomain hijacking and DLL side-loading of malicious DLLs alongside legitimate Windows and Zoom executables.
  • Limited network monitoring and threat-hunting for HTTP/JSON C2 traffic that mimics normal browser behavior, reducing the chance of detecting MiniFast and MiniJunk beaconing and tasking.
  • Incomplete threat-intelligence integration and IR playbooks for IRGC-linked APT activity, leaving aviation and software organizations slow to incorporate new IoCs, domains, and TTPs from Nimbus Manticore reporting.
  Mappings: ISO 27001 A.5.7, A.5.10, A.8.7, A.8.16 · NIST CSF 2.0 GV.RM-01, ID.RA-01, PR.AT-01, DE.CM-01 · CIS Controls 9, 10, 13 · ITSG-33 AU-6, SI-7, AC-4 · OSFI B-13 Governance, Access Control, Third-Party Risk

T2 · CVE-2026-5426 KnowledgeDeliver ViewState deserialization zero-day, CVSS 9.1, Godzilla web shells, Cobalt Strike
  • Vendor deployment template security failure: standardized web.config with hardcoded machineKey shipped to all customers, making the shared secret extractable from any single installation.
  • Inadequate cryptographic key management: identical pre-shared secrets across independent customer environments with no mechanism for per-deployment secret rotation.
  • Insufficient file integrity monitoring for .js, .aspx, and .config files in the web root, allowing JavaScript tampering and web shell deployment to go undetected.
  • Lack of ASP.NET Event ID 1316 monitoring for ViewState verification failures, which would surface exploitation attempts before successful compromise.
  • No w3wp.exe child process monitoring for suspicious cmd.exe and PowerShell spawning indicative of web shell command execution.
  • Absence of user-agent string anomaly detection for the concatenated identifiers used by BLUEBEAM/Godzilla C2 traffic.
  Mappings: ISO 27001 A.8.8, A.8.9, A.8.16 · NIST CSF 2.0 PR.PS-02, DE.CM-01, GV.RM-01, ID.RA-01 · CIS Controls 7, 12, 13 · ITSG-33 SI-2, RA-5, AU-6 · OSFI B-13 Patch Mgmt, Vulnerability Management, Governance

T3 · Chinese-language PhaaS real-time OTP interception, MFA bypass via live admin panels, AI-generated pages, digital wallet tokenization across 119 countries
  • Over-reliance on OTP-based MFA for high-value transactions and consumer-facing services, despite demonstrated real-time interception vulnerabilities documented by GTIG across a dozen active PhaaS platforms.
  • Insufficient device-level protections for RCS and iMessage phishing, as server-side carrier filtering is ineffective against encrypted messaging protocols used by these PhaaS operators.
  • Lack of phishing-resistant authentication infrastructure (FIDO2/WebAuthn) for consumer-facing digital services and payment systems, leaving credentials technically weaponizable after capture.
  • Inadequate risk-based verification and device fingerprinting during digital wallet provisioning, enabling attacker-controlled devices to successfully provision victim payment cards.
  • Limited threat intelligence integration for Chinese-language PhaaS domains and AI-generated phishing pages, which evade signature-based detection and require behavioral or reputation-based blocking.
  Mappings: ISO 27001 A.5.10, A.5.15, A.5.16, A.5.17, A.8.5, A.8.12 · NIST CSF 2.0 GV.RM-01, ID.RA-01, PR.AA-05, PR.DS-01, DE.CM-01 · CIS Controls 9, 16 · ITSG-33 IA-2, IA-5, AU-6 · OSFI B-13 Access Control, Governance · ISO 42001 A.5.2

T4 · BTMOB Android RAT, no-code MaaS APK builder, Accessibility Services abuse, full device takeover via phishing
  • No enforced policy restricting Android app downloads to official stores (Google Play), allowing fake app store APK installation resulting in full device takeover.
  • Insufficient mobile security software deployment on Android devices, treating mobile endpoints with less rigor than desktop systems despite equivalent data exposure risk.
  • Inadequate user awareness training on phishing links and fake app store risks for mobile devices, leaving social engineering the primary attack path.
  • Missing Android Accessibility Services monitoring for abnormal permission escalation across managed devices, allowing BTMOB to escalate privileges without further user interaction post-install.
  • Lack of mobile device management (MDM) enforcement for corporate Android devices, leaving app installation policy unenforceable at the technical control layer.
  Mappings: ISO 27001 A.5.10, A.5.15, A.8.7, A.8.16 · NIST CSF 2.0 PR.AT-01, PR.PS-01, DE.CM-01, GV.RM-01 · CIS Controls 9, 10, 13 · ITSG-33 MP-4, SC-28, AU-6 · OSFI B-13 Access Control, Governance
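Three of the T2 control gaps listed above (Event ID 1316 monitoring, w3wp.exe spawning cmd.exe or PowerShell, and the icacls permission change from the kill chain) reduce to simple detection logic that a SOC can run over existing Windows telemetry. The Python below is an added example, not the brief's or Mandiant's code; the ASP.NET and process-creation records are constructed, and the 60-second window with a three-failure threshold is an assumption to tune against real traffic.

```python
"""Detection logic for the T2 control gaps, run over constructed sample telemetry.

Added example. Covers ASP.NET Event ID 1316 ("Viewstate verification failed")
bursts, which forged ViewState produces until the attacker has the right key,
and the IIS worker w3wp.exe spawning a shell, the footprint of web shell
command execution. Records are constructed, not from any real incident.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

ASPNET_EVENTS: List[Dict] = [  # Windows Application log, source ASP.NET (constructed)
    {"ts": "2026-05-20T10:00:01", "event_id": 1316, "host": "lms01", "client_ip": "203.0.113.7"},
    {"ts": "2026-05-20T10:00:02", "event_id": 1316, "host": "lms01", "client_ip": "203.0.113.7"},
    {"ts": "2026-05-20T10:00:02", "event_id": 1316, "host": "lms01", "client_ip": "203.0.113.7"},
    {"ts": "2026-05-20T10:00:04", "event_id": 1316, "host": "lms01", "client_ip": "203.0.113.7"},
    {"ts": "2026-05-20T10:00:05", "event_id": 1316, "host": "lms01", "client_ip": "203.0.113.7"},
    {"ts": "2026-05-20T10:00:06", "event_id": 1309, "host": "lms01", "client_ip": "203.0.113.7"},
    {"ts": "2026-05-20T11:30:00", "event_id": 1316, "host": "lms01", "client_ip": "198.51.100.9"},  # lone stale-session failure
]

PROCESS_EVENTS: List[Dict] = [  # Sysmon Event 1 style process creations (constructed)
    {"ts": "2026-05-20T10:00:07", "host": "lms01", "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": 'cmd.exe /c "icacls C:\\inetpub\\wwwroot /grant Everyone:F /T"'},
    {"ts": "2026-05-20T10:00:09", "host": "lms01", "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ts": "2026-05-20T10:05:00", "host": "lms01", "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\conhost.exe", "command_line": "conhost.exe 0x4"},  # normal child
    {"ts": "2026-05-20T10:06:00", "host": "lms01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe"},  # user shell, not from IIS
]


# Assumption: three 1316 failures from one client within 60 s merit an alert; tune to your traffic.
def viewstate_failure_bursts(events: List[Dict], window_seconds: int = 60,
                             threshold: int = 3) -> List[Tuple[str, str, int]]:
    """Return (host, client_ip, peak_count) for sources with >= threshold Event 1316 in any window."""
    per_source = defaultdict(list)
    for e in events:
        if e["event_id"] == 1316:
            per_source[(e["host"], e["client_ip"])].append(datetime.fromisoformat(e["ts"]))
    alerts = []
    for (host, ip), times in per_source.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > timedelta(seconds=window_seconds):
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append((host, ip, peak))
    return alerts


SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "certutil.exe"}


def _basename(win_path: str) -> str:
    return win_path.lower().rsplit("\\", 1)[-1]


def classify_command(command_line: str) -> List[str]:
    """Tag command lines with the behaviours from the T2 kill chain."""
    cl = command_line.lower()
    tags = []
    if "icacls" in cl and "everyone" in cl:
        tags.append("acl_weakening")        # icacls ... /grant Everyone:F on the web root
    if "-enc" in cl:                        # also matches -encodedcommand
        tags.append("encoded_powershell")
    return tags


def suspicious_w3wp_children(events: List[Dict]) -> List[Dict]:
    """IIS worker process spawning an interpreter: the web shell execution footprint."""
    alerts = []
    for e in events:
        if _basename(e["parent_image"]) == "w3wp.exe" and _basename(e["image"]) in SHELL_IMAGES:
            alerts.append({**e, "tags": classify_command(e["command_line"])})
    return alerts


if __name__ == "__main__":
    print(viewstate_failure_bursts(ASPNET_EVENTS))
    for a in suspicious_w3wp_children(PROCESS_EVENTS):
        print(a["ts"], _basename(a["image"]), a["tags"])
```

A burst of 1316 events from one client is the pre-compromise signal (an attacker probing with a guessed or stale key); once the attacker holds the shared key, ViewState verifies cleanly and only the process-lineage and file-integrity detections remain, which is why both layers are listed as gaps.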

Risk Triage

Threats are assigned to primary zones based on their dominant organizational risk characteristic. A threat may appear in a secondary zone when it presents a materially distinct compounding risk dimension.

Exposure Velocity

Active exploitation or weaponized campaigns with immediate organizational exposure if unaddressed.

  • T2 · CVE-2026-5426 KnowledgeDeliver zero-day, CVSS 9.1, actively exploited

    Mandiant-confirmed breach with Godzilla web shell and org-specific Cobalt Strike BEACON. All deployments before Feb 24 2026 are vulnerable. Rotate machineKeys immediately; it is the only control that invalidates the shared secret.

  • T1 (secondary) · Nimbus Manticore, three active campaign waves

    IRGC actor iterating delivery vectors every six weeks during active conflict. Aviation, defense, software, and oil & gas organizations in the US, EU, and Middle East are active targets. IoC coverage is perishable.

Incident Pressure

Confirmed breach or active campaign with direct impact on organizations, users, or downstream victims.

  • T3 · Chinese PhaaS, real-time MFA bypass, active across 119 countries

    Live credential interception and digital wallet tokenization confirmed by GTIG. OTP-based MFA is structurally insufficient. Organizations without FIDO2/WebAuthn on consumer-facing and high-value transaction systems are currently exposed.

  • T4 (secondary) · BTMOB Android RAT, active Latin America campaigns, MaaS economics

    A $5,000 lifetime license lowers the barrier to entry, and 15 samples in two weeks indicate rapid mutation. A single employee installing a fake APK can expose company data. Mobile MDM enforcement is the primary gap.

Governance & Control Gaps

Structural policy or programme deficiencies that enabled or amplified the incident, independent of the technical exploit.

  • T2 · Vendor cryptographic key management failure, ecosystem-wide

    KnowledgeDeliver shipped identical hardcoded machineKey across all customer deployments. Extracting the key from any one installation enables unauthenticated RCE on every other internet-facing instance. Treat same-secret-across-tenants as a critical finding in third-party risk assessments.

  • T3 · OTP-based MFA now structurally insufficient, architectural response required

    PhaaS platforms intercept OTPs in real time across a dozen active services. No awareness training or phishing banner blocks this; FIDO2/WebAuthn is the remediation path. Organizations without a migration roadmap have a standing governance gap.
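Why a relayed OTP works and why FIDO2/WebAuthn closes it, in code: a relying party checking an OTP learns only that someone knew the code within the current time step, not where the victim typed it, whereas a WebAuthn assertion is signed over client data that the browser fills with the origin it actually loaded, and the browser refuses to exercise a credential scoped to bank.example from bank-example.com in the first place. The simulation below is an added Python example, not the brief's or GTIG's code; the origins, user, seed and credential key are constructed, and an HMAC stands in for the authenticator's asymmetric signature (real WebAuthn uses an algorithm such as ES256), which does not change the origin and challenge checks shown.

```python
"""Real-time OTP relay versus a relayed WebAuthn assertion, as a simulation.

Added example. An OTP check proves only that someone knew the code within the
time step, so a kit that forwards the victim's code the instant it is typed
passes. A WebAuthn assertion is signed over clientDataJSON, which the browser
(not the page) fills with the origin it actually loaded, and the browser will
not even exercise a credential scoped to bank.example from bank-example.com.
HMAC stands in for the authenticator's asymmetric signature (real WebAuthn
uses e.g. ES256); the origin and challenge checks are the ones an RP performs.
"""
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional

RP_ID = "bank.example"                      # constructed relying party
RP_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-example.com"   # constructed clone page


# --- OTP: the RP can only check password + code freshness ---------------------
def totp(seed: bytes, step: int) -> str:
    digest = hmac.new(seed, step.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    return f"{(int.from_bytes(digest[offset:offset + 4], 'big') & 0x7FFFFFFF) % 1_000_000:06d}"


def otp_login(users: Dict[str, str], seed: bytes, user: str, password: str, code: str, now: int) -> bool:
    step = now // 30
    return users.get(user) == password and code in {totp(seed, step), totp(seed, step - 1)}


# --- WebAuthn: browser scopes the credential, RP checks origin + challenge -----
def browser_get_assertion(cred_key: bytes, rp_id: str, challenge: bytes, page_origin: str,
                          enforce_rp_id: bool = True) -> Optional[Dict[str, bytes]]:
    host = page_origin.split("://", 1)[1]
    if enforce_rp_id and not (host == rp_id or host.endswith("." + rp_id)):
        return None  # a conforming browser stops here: rp_id is not a suffix of the page's domain
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")  # rpIdHash|flags|counter
    sig = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


def rp_verify(cred_key: bytes, expected_challenge: bytes, assertion: Optional[Dict[str, bytes]]) -> bool:
    if assertion is None:
        return False
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("origin") != RP_ORIGIN:
        return False  # origin binding: an assertion made on the clone page fails here
    if cd.get("challenge") != expected_challenge.hex():
        return False  # challenge binding: replay of an old assertion fails here
    if assertion["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    expected = hmac.new(cred_key, assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])


def simulate() -> Dict[str, bool]:
    users, seed, now = {"alice": "hunter2"}, b"constructed-otp-seed", int(time.time())
    # Kit forwards password and the live code to the real site before the 30 s step expires.
    otp_relay_passes = otp_login(users, seed, "alice", "hunter2", totp(seed, now // 30), now)

    cred_key, challenge = secrets.token_bytes(32), secrets.token_bytes(32)  # challenge issued by the real RP
    relayed = browser_get_assertion(cred_key, RP_ID, challenge, PHISH_ORIGIN)                       # browser refuses
    forged = browser_get_assertion(cred_key, RP_ID, challenge, PHISH_ORIGIN, enforce_rp_id=False)   # even if it did not
    genuine = browser_get_assertion(cred_key, RP_ID, challenge, RP_ORIGIN)
    return {"otp_relay_passes": otp_relay_passes,
            "webauthn_relay_blocked_by_browser": relayed is None,
            "webauthn_relay_rejected_by_rp": not rp_verify(cred_key, challenge, forged),
            "webauthn_genuine_accepted": rp_verify(cred_key, challenge, genuine)}


if __name__ == "__main__":
    print(simulate())
```

The `forged` case models a non-conforming client that skips the rp_id check; the RP still rejects it on origin. That is the property no amount of user training reproduces for OTPs: the OTP carries no information about the page it was entered on.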

Strategic Posture

Long-cycle or geopolitical threat intelligence requiring board-level awareness and threat intelligence programme updates.

  • T1 · IRGC Nimbus Manticore, active conflict-aligned espionage posture

    Three confirmed waves in three months demonstrate sustained capability investment during the active US-Iran conflict. Organizations in aviation, defense, software, oil & gas, and telecommunications should treat Nimbus Manticore as an institutionalized standing threat intelligence requirement, not a one-time campaign response.

Remediation Actions

Consolidated actions across all four threats, organized by time horizon. T-badges indicate which threat each action addresses.

0 – 24 hours

Immediate response

  • T2 · Rotate machineKeys immediately: generate a unique, cryptographically strong machineKey for each KnowledgeDeliver instance. This is the only control that invalidates the shared secret. Restrict LMS access to known organizational IP ranges.
  • T2 · Enable monitoring for Event ID 1316 (ViewState verification failed), w3wp.exe spawning cmd.exe or PowerShell, and file integrity changes to .js, .aspx, and .config files in the web root.
  • T1 · Block all Nimbus Manticore IoCs from Check Point Research (27 file hashes, 25 domains) at email gateway, web proxy, and endpoint layers. Ban getsqldeveloper[.]com and the trojanized Zoom installer distribution domains at DNS and proxy.
  • T3 · Ingest known Chinese-language PhaaS domains into SIEM, email gateway, DNS sinkhole, and web proxy blocklists. Increase friction for digital wallet provisioning: add out-of-band verification steps until FIDO2/WebAuthn migration is complete.
  • T4 · Issue emergency guidance to all Android users: install apps only from Google Play. Block known BTMOB infrastructure IPs at corporate proxy and firewall. Deploy ESET detection names (Android/Agent.FQK, Android/Spy.Agent.EIJ) to endpoint protection platforms.
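For the T2 key rotation above, the check a practitioner wants is one that proves the shared-secret problem is gone: extract the machineKey from each instance's web.config, flag explicit keys, keys repeated across hosts and pre-HMACSHA256 validation algorithms, and emit a fresh key pair per instance. The Python below is an added example, not the vendor's tooling or the brief's own code; the web.config fragments, host names and placeholder key are constructed.

```python
"""Audit ASP.NET <machineKey> across collected web.config files and issue a unique
replacement per instance (the T2 remediation).

Added example. The CVE-2026-5426 root cause is one validationKey/decryptionKey
pair shipped to every customer: whoever holds it can MAC a malicious ViewState
that every other instance accepts. The audit flags explicit keys, keys repeated
across hosts, and pre-HMACSHA256 validation algorithms; the generator emits a
fresh pair sized for HMACSHA256 (64 bytes) and AES (32 bytes).
"""
import hashlib
import secrets
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, List, Optional

SHARED_KEY = "0123456789ABCDEF" * 8   # constructed placeholder standing in for a vendor template key

# Constructed web.config fragments; host names and keys are not from any real deployment.
WEB_CONFIGS: Dict[str, str] = {
    "lms-tokyo-01": f'<configuration><system.web><machineKey validationKey="{SHARED_KEY}" '
                    f'decryptionKey="{SHARED_KEY[:64]}" validation="SHA1" decryption="AES"/></system.web></configuration>',
    "lms-osaka-01": f'<configuration><system.web><machineKey validationKey="{SHARED_KEY}" '
                    f'decryptionKey="{SHARED_KEY[:64]}" validation="SHA1" decryption="AES"/></system.web></configuration>',
    "lms-nagoya-01": '<configuration><system.web><machineKey validationKey="AutoGenerate,IsolateApps" '
                     'decryptionKey="AutoGenerate,IsolateApps" validation="HMACSHA256"/></system.web></configuration>',
    "lms-sapporo-01": "<configuration><system.web/></configuration>",  # no element: framework auto-generates
}

WEAK_VALIDATION = {"MD5", "SHA1", "3DES", "AES"}  # accepted values that predate the HMACSHA256 default


def extract_machine_key(xml_text: str) -> Optional[Dict[str, str]]:
    node = next(ET.fromstring(xml_text).iter("machineKey"), None)
    if node is None:
        return None
    return {
        "validationKey": node.get("validationKey", "AutoGenerate"),
        "decryptionKey": node.get("decryptionKey", "AutoGenerate"),
        "validation": node.get("validation", "HMACSHA256"),
    }


def audit(configs: Dict[str, str]) -> List[dict]:
    """One finding per problem; a key shared across hosts is reported once with all hosts."""
    findings, hosts_by_fingerprint = [], defaultdict(list)
    for host, xml_text in configs.items():
        mk = extract_machine_key(xml_text)
        if mk is None:
            continue
        if not mk["validationKey"].startswith("AutoGenerate"):
            fp = hashlib.sha256(mk["validationKey"].encode()).hexdigest()[:16]  # never log the key itself
            hosts_by_fingerprint[fp].append(host)
            findings.append({"host": host, "issue": "explicit_machine_key", "fingerprint": fp})
        if mk["validation"].upper() in WEAK_VALIDATION:
            findings.append({"host": host, "issue": "weak_validation_algorithm", "value": mk["validation"]})
    for fp, hosts in hosts_by_fingerprint.items():
        if len(hosts) > 1:
            findings.append({"host": ",".join(sorted(hosts)), "issue": "shared_machine_key", "fingerprint": fp})
    return findings


def new_machine_key() -> Dict[str, str]:
    """Fresh, instance-specific keys from the OS CSPRNG."""
    return {"validationKey": secrets.token_hex(64).upper(),   # 64 bytes for HMACSHA256
            "decryptionKey": secrets.token_hex(32).upper(),   # 32 bytes for AES-256
            "validation": "HMACSHA256", "decryption": "AES"}


def render_machine_key(mk: Dict[str, str]) -> str:
    """The <machineKey> element to place in <system.web> of that one instance."""
    return ('<machineKey validationKey="{validationKey}" decryptionKey="{decryptionKey}" '
            'validation="{validation}" decryption="{decryption}"/>').format(**mk)


if __name__ == "__main__":
    for f in audit(WEB_CONFIGS):
        print(f)
    print(render_machine_key(new_machine_key()))
```

Two caveats when applying the output: all nodes serving the same application in a web farm must receive the same new key (per-application, not per-server), and rotation invalidates outstanding ViewState and forms-authentication tickets, so schedule it. Rotation also does nothing about a web shell that is already resident; pair it with the forensic review in the 7-day list.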

7 days

Short-term hardening

  • T2 · Conduct forensic investigation on any KnowledgeDeliver instance showing signs of exploitation: check for BLUEBEAM web shell artifacts, modified .js files, and Cobalt Strike persistence mechanisms. Validate JavaScript and ASPX files against known-good baselines.
  • T1 · Deploy detection for HTTP/JSON C2 patterns consistent with MiniFast beacons masquerading as Chrome. Conduct threat hunting for MiniJunk/MiniFast artifacts in aviation and software-related business units (malicious DLLs, scheduled tasks, unusual AppData package folders).
  • T3 · Initiate risk-based verification and device fingerprinting for digital wallet provisioning with issuing banks and payment processors. Deploy threat intelligence feeds for Chinese-language PhaaS domains; tune detection rules for RCS/iMessage phishing patterns.
  • T4 · Enforce MDM policy restricting app installations to official repositories on all corporate Android devices. Deploy mobile security software with the same rigor as desktop endpoint protection. Conduct targeted mobile phishing simulation covering fake app store and sideloading scenarios.

14 – 30 days

Programme remediation

  • T2 · Update KnowledgeDeliver to vendor-patched configurations (post-February 24, 2026 release). Formalize a cryptographic key rotation schedule for all deployment templates. Establish policy requiring vendor-supplied templates to be audited for hardcoded secrets before production deployment.
  • T1 · Update secure-development and software-acquisition policies to require hash validation and publisher signature verification for critical tools (IDE/DB clients, conferencing tools) before deployment to endpoints in high-risk teams.
  • T3 · Begin FIDO2/WebAuthn infrastructure migration for consumer-facing services and high-value transactions. Develop a phased rollout plan. Formally deprecate OTP-based MFA as an accepted control for critical transactions in updated authentication policy.
  • T4 · Implement Android Accessibility Services monitoring for abnormal permission escalation across managed devices. Review and update mobile security policies to formally mandate official app store downloads only.

Ongoing

Structural controls

  • T1 · Institutionalize a standing analytic requirement for IRGC-linked APT activity (including Nimbus Manticore) so that threat intelligence, control owners, and the SOC continuously track new TTPs, IoCs, and sector-specific targeting guidance from Check Point Research and peer vendors.
  • T2 · Establish a policy requiring vendor-supplied deployment templates to be audited for hardcoded secrets before production deployment. Treat identical pre-shared keys across multi-tenant environments as a critical finding in third-party risk assessments.
  • T3 · Treat OTP-based MFA insufficiency as a standing residual risk item until FIDO2/WebAuthn migration is complete across all consumer-facing and high-value transaction systems. Integrate Chinese-language PhaaS into formal phishing-simulation programmes.
  • T4 · Treat mobile device security as equal priority to desktop security in governance frameworks and risk assessments. Integrate BTMOB and similar MaaS threats into standing threat intelligence requirements for mobile security programmes.

Provenance

Cadence

Published each weekday. Primary intelligence drawn from BleepingComputer, SecurityWeek, The Hacker News, The Record, KrebsOnSecurity, and researcher disclosures, supplemented by vendor advisories, CVE and NVD records, and MITRE ATT&CK frameworks.

Contact Sovereign GRC for risk advisory or a threat profile tailored to your environment
