Cyberattacks Surge Across Middle East Infrastructure Providers

1,350 command-and-control servers across 98 Middle East infrastructure providers were active between February 1 and May 1, 2026 — and nearly three-quarters of that traffic sat on a single carrier's networks, Hunt.io reports.

Hunt.io's regional C2 map: concentrated, commodity, and noisy

Hunt.io's three-month survey found a sprawling C2 footprint in the Middle East: more than 1,350 C2 servers, spread across 98 infrastructure providers, with C2 infrastructure accounting for roughly 96.8% of observed malicious artifacts. Saudi Telecom Company (STC) alone hosted 981 of those servers, or 72.4% of the total. The dominant malware families were IoT-focused botnets — Hajime, Mozi, and Mirai — alongside offensive frameworks such as Tactical RMM, Cobalt Strike, and Sliver, underlining that the region's malicious activity remains heavily dependent on commoditized tooling and exposed hosting.

AKS privilege escalation: a near-total compromise from a Backup Contributor role

Security researcher Justin O'Leary reported a severe privilege escalation in Azure Backup for AKS that permitted an account assigned only the "Backup Contributor" Azure role — with zero Kubernetes permissions — to gain cluster-admin on any AKS cluster. The flaw carried a CVSS score of 9.9 and, according to the bulletin, was silently patched by Microsoft after the report; Microsoft initially rejected the submission as "AI-generated content." The vendor subsequently enforced additional validation checks that, the researcher said, were not present in March 2026. The issue does not have an assigned CVE in the bulletin.

Kali365, device-code phishing, and Vaultjacking: token theft and a six‑digit key

The FBI warned of a Phishing-as-a-Service platform called Kali365, first observed in April 2026, that specializes in stealing Microsoft 365 OAuth tokens and bypassing multi-factor authentication without intercepting credentials. Kali365 is distributed via Telegram and sold by subscription — from $250 for 30 days to $2,000 for a year — offering AI-generated lures, automated templates, and OAuth token capture. Arctic Wolf linked Kali365 to device code phishing campaigns that misuse Microsoft's legitimate device login flow to obtain access tokens; Barracuda reported more than 7 million device code attacks between March and April 2026, and Proofpoint warned of a corresponding spike.

Separately, PhishU described "Vaultjacking," a technique in which an adversary-in-the-middle page captures a victim's six-digit Google Password Manager PIN and session cookies. PhishU's Curtis Brazzell said that single PIN releases Google's Security Domain Secret — which decrypts every synced password and passkey on the account — enabling attackers to add a passkey for persistence and to unlock the entire vault from their infrastructure.

Supply chain and signed‑binary attacks: DAEMON Tools added to KEV; signed RVTools MSI spreads RAT

CISA added the DAEMON Tools supply chain compromise to its Known Exploited Vulnerabilities (KEV) catalog under CVE-2026-8398, requiring fixes for Federal Civilian Executive Branch agencies by May 30, 2026. The vendor (AVB Disc Soft) had its build or distribution infrastructure accessed and three binaries — DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe — trojanized. The malicious installers were digitally signed with AVB Disc Soft's legitimate certificate, enabling them to bypass signature‑based detection, the KEV entry says.

In a related supply-chain style incident, K7 Labs reported a trojanized MSI for RVTools that deployed a modular Python-based RAT via a VBScript loader. The installer used a legitimately issued Sectigo code‑signing certificate registered to what appears to be a shell entity, Xiamen Lunwei Huage Network Co.(Sectigo), Ltd; the certificate has since been revoked, though K7 Labs warned that revocation offers limited protection where real-time OCSP or CRL checks are not enforced.

Fake installers, Deno backdoors, Chrome extensions, GhostTree, and World Cup fraud

Attackers are distributing counterfeit installers and plugins masquerading as popular software — including ChatGPT, Claude, ZENOLOGY, Ableton Live, AutoTune, and Kontakt — on platforms such as GitHub and SourceForge, Malwarebytes found. Those installers drop a Deno backdoor called DinDoor (aka Tsundere), which then installs stealthy RATs. Anthropic, meanwhile, announced a security‑guidance plugin and a self‑hosted sandbox for Claude Managed Agents; the plugin automatically reviews and fixes common vulnerabilities in code changes as they are written, Anthropic said.

Other campaigns included a 126-extension Chrome Web Store network named WaSteal that impersonated WhatsApp CRM tools and affected nearly 148,000 users, researcher Jean‑Marie R. wrote; the operator is wascript.com.br, and the largest variant (WaSeller) had 100,000 installs and embedded a live Google Tag Manager container for silent remote code execution. Varonis disclosed GhostTree, a technique that abuses NTFS junctions to create recursive loops that hang endpoint scanners and leave folders unexamined. Meanwhile, Bitdefender, Check Point, Group‑IB and others described a wave of World Cup–themed scams — over 4,300 fraudulent domains, sophisticated phishing kits exploiting FIFA's PingIdentity SSO, and large-scale malvertising and fake stores targeting users worldwide.
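The GhostTree technique above works because a scanner that follows a junction pointing back up the tree never finishes. As an added illustration (not code from the bulletin or from Varonis), here is a loop-safe walker that deduplicates directories by resolved real path and reports a cycle instead of hanging; the fixture is constructed, using a symlink in a temporary directory as a stand-in for an NTFS junction, and the `os.path.isjunction` check only applies on Windows with Python 3.12 or later.

```python
# Added example (not from the bulletin or from Varonis): a loop-safe directory
# scan that survives the reparse-point cycles GhostTree is described as creating.
# Directories are deduplicated by resolved real path, so a junction or symlink
# that points back up the tree is reported as a cycle instead of hanging the scan.
# The fixture below is constructed; on POSIX the cycle is a symlink, and on
# Windows with Python 3.12+ NTFS junctions are caught via os.path.isjunction.
import os
import tempfile


def is_reparse_point(entry: os.DirEntry) -> bool:
    """Symlinks everywhere; NTFS junctions too where os.path.isjunction exists."""
    if entry.is_symlink():
        return True
    isjunction = getattr(os.path, "isjunction", None)
    return bool(isjunction and isjunction(entry.path))


def safe_walk(root: str) -> tuple[list[str], list[str]]:
    """Return (regular files found, reparse points that loop back into the tree).

    Reparse points are never followed; each real directory is entered once.
    """
    files, cycles = [], []
    seen = {os.path.realpath(root)}
    stack = [root]
    while stack:
        current = stack.pop()
        with os.scandir(current) as it:
            for entry in it:
                if is_reparse_point(entry):
                    if os.path.realpath(entry.path) in seen:
                        cycles.append(entry.path)
                    continue  # record, but never descend through a reparse point
                if entry.is_dir(follow_symlinks=False):
                    real = os.path.realpath(entry.path)
                    if real not in seen:  # already-visited real directory: skip
                        seen.add(real)
                        stack.append(entry.path)
                elif entry.is_file(follow_symlinks=False):
                    files.append(entry.path)
    return files, cycles


def demo() -> tuple[int, int]:
    """Constructed tree: root/a/x.txt, root/a/b/y.txt, root/a/b/loop -> root."""
    with tempfile.TemporaryDirectory() as root:
        nested = os.path.join(root, "a", "b")
        os.makedirs(nested)
        open(os.path.join(root, "a", "x.txt"), "w").close()
        open(os.path.join(nested, "y.txt"), "w").close()
        os.symlink(root, os.path.join(nested, "loop"), target_is_directory=True)
        files, cycles = safe_walk(root)
        return len(files), len(cycles)  # (2, 1)
```

A naive `os.walk(root, followlinks=True)` over the same fixture recurses until the path length limit is hit, which is the behaviour the bulletin describes scanners exhibiting.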

What this means for law firms, FCEB agencies, and security teams

  • Law firms: The FBI warned SRG (Silent Ransom Group) has targeted law firms via phone‑based social engineering and in‑person visits to exfiltrate data — firms should treat unsolicited IT calls and visits as high‑risk vectors.
  • FCEB agencies: CISA's KEV listing for DAEMON Tools (CVE-2026-8398) imposes a May 30, 2026 remediation requirement; agencies must prioritize that patching effort and verify signer integrity where updates are consumed.
  • Security teams: Commodity tooling, signed binaries, OAuth token capture, and NTFS-based scanning evasion are recurring themes — defenders must verify code signatures with real‑time checks, scrutinize OAuth authorizations, and test endpoint behavior against NTFS junction abuse.

These incidents converge on a single practical truth: trust — in signatures, MFA prompts, supply chains, and "internal‑only" tooling — continues to be the weakest link. As the bulletin put it: "Patch faster. Audit harder. Stop assuming signed software, MFA prompts, or 'internal-only' tooling means safe. The attackers already figured out the shortcuts. Might be time defenders stop pretending those shortcuts don't exist."

Read the original ThreatsDay Bulletin