
Lazarus Group Targets Financial Sector with Memory-Only RAT as Supply Chain Attacks Surge Across Multiple Ecosystems

Intelligence Briefing Date: Tuesday, May 26, 2026

Reporting Period: May 19–26, 2026


1. EXECUTIVE SUMMARY

This week's threat landscape is dominated by sophisticated supply chain attacks and nation-state activity targeting critical infrastructure sectors. Key developments requiring immediate attention:

  • Nation-State Threat Activity: The North Korea-linked Lazarus Group has deployed a new memory-only remote access trojan (RAT) called "RemotePE" specifically targeting financial institutions and cryptocurrency firms. This fileless malware represents a significant evolution in evasion capabilities.
  • Supply Chain Attack Surge: Multiple coordinated supply chain campaigns have emerged this week, including the "TrapDoor" campaign spanning npm, PyPI, and Crates.io ecosystems, the "Megalodon" attack infecting over 5,500 GitHub repositories, and poisoned Laravel-Lang packages. These attacks collectively threaten software development pipelines across all critical infrastructure sectors.
  • Healthcare Sector Breaches: Two significant healthcare data breaches affecting over 400,000 individuals have been disclosed, highlighting persistent vulnerabilities in the healthcare and public health sector.
  • Phishing Infrastructure Evolution: The FBI has issued warnings about the Kali365 phishing-as-a-service platform, which exploits OAuth device code authentication to bypass multi-factor authentication protections for Microsoft 365 accounts.
  • AI-Driven Vulnerability Discovery: Anthropic's Mythos/Glasswing AI system has identified between 10,000 and 23,000 potential vulnerabilities across open-source software projects, with many confirmed as critical or high-severity, signaling both opportunities and risks for vulnerability management.
  • International Enforcement Action: Dutch authorities seized 800 servers and arrested two individuals operating hosting infrastructure used by Russia for cyberattacks and influence operations.

Analyst Assessment: The convergence of sophisticated supply chain attacks across multiple package ecosystems, combined with nation-state actors deploying advanced evasion techniques, indicates an elevated threat environment for critical infrastructure. Organizations should prioritize software supply chain security controls and review authentication mechanisms, particularly for cloud-based services.


2. THREAT LANDSCAPE

Nation-State Threat Actor Activities

Lazarus Group (DPRK) – RemotePE Campaign

  • Target Sectors: Financial Services, Cryptocurrency
  • Capability: Cross-platform, memory-only RAT designed to evade traditional endpoint detection
  • Technical Details: RemotePE operates entirely in memory without writing to disk, significantly complicating forensic analysis and detection by traditional antivirus solutions
  • Assessment: This represents a tactical evolution for Lazarus Group, demonstrating continued investment in evasion capabilities. Financial sector organizations should review memory-based detection capabilities.
  • Source: The Hacker News

Russian Cyber Operations Infrastructure Disrupted

  • Action: Netherlands authorities seized 800 servers and arrested two co-owners of hosting companies
  • Impact: Infrastructure was used to support Russian cyberattacks and influence operations
  • Significance: Demonstrates continued international cooperation in disrupting adversary infrastructure
  • Source: KrebsOnSecurity

Ransomware and Cybercriminal Developments

CISO Ransomware Payment Posture

  • Finding: 58% of CISOs surveyed indicate they would pay ransom demands to recover data
  • Implication: This statistic may embolden threat actors and suggests continued viability of ransomware as a business model
  • Recommendation: Organizations should ensure robust backup and recovery capabilities to reduce payment pressure during incidents
  • Source: CSO Online

Kali365 Phishing-as-a-Service Platform

  • Alert Source: FBI Warning
  • Target: Microsoft 365 accounts
  • Technique: Exploits OAuth device code authentication to steal session tokens
  • Impact: Bypasses traditional MFA protections by capturing authenticated session tokens
  • Significance: Lowers barrier to entry for credential theft attacks against enterprise cloud services
  • Sources: Bleeping Computer, Infosecurity Magazine

Chinese-Language PhaaS Evolution

  • Trend: Chinese-speaking threat actors are increasingly competing with Russian-speaking groups in the phishing-as-a-service market
  • Impact: Diversification of PhaaS ecosystem increases overall threat volume and sophistication
  • Source: Mandiant Blog

Supply Chain Attack Campaigns

TrapDoor Campaign (CRITICAL)

  • Scope: Coordinated cross-ecosystem attack spanning npm, PyPI, and Crates.io
  • Payload: Credential-stealing malware
  • Impact: Threatens development environments across multiple programming languages (JavaScript, Python, Rust)
  • Recommendation: Audit dependencies, implement software composition analysis, and review recent package updates
  • Source: The Hacker News

Megalodon GitHub Attack (CRITICAL)

  • Scope: Over 5,500 GitHub repositories infected
  • Technique: Fake automated commits injecting malicious GitHub Actions workflows
  • Payload: Designed to steal credentials, CI secrets, keys, and tokens
  • Impact: Compromises CI/CD pipelines and potentially downstream software builds
  • Source: SecurityWeek

Laravel-Lang Package Poisoning

  • Technique: Malicious tags published within a 15-minute window
  • Payload: Backdoors designed to exfiltrate CI secrets
  • Target: PHP/Laravel development environments
  • Source: SecurityWeek

Emerging Attack Vectors

Ghost CMS Exploitation (CVE-2026-26980)

  • Scope: Over 700 websites compromised, including Harvard, Oxford, and DuckDuckGo
  • Technique: Exploitation of critical vulnerability to inject malicious JavaScript
  • Purpose: Fuel ClickFix social engineering attacks
  • Attribution: Activity tracked by QiAnXin XLab
  • Sources: SecurityWeek, The Hacker News

KnowledgeDeliver ViewState Deserialization

  • Vulnerability Type: ViewState deserialization
  • Status: Active exploitation observed
  • Source: Mandiant Blog

Authentication Security Concerns

  • Finding: Security experts are cautioning that MFA alone can no longer reliably stop threat actors
  • Context: Techniques like OAuth token theft (as seen with Kali365) and session hijacking are increasingly bypassing traditional MFA
  • Recommendation: Implement defense-in-depth approaches including conditional access policies, continuous authentication, and anomaly detection
  • Source: CSO Online

3. SECTOR-SPECIFIC ANALYSIS

Financial Services Sector

Threat Level: ELEVATED

Active Threats

  • Lazarus Group RemotePE Campaign: Direct targeting of financial institutions and cryptocurrency firms with sophisticated memory-only malware
  • Cryptocurrency Focus: Continued DPRK interest in cryptocurrency theft to fund regime activities

Recommended Actions

  • Deploy memory-based threat detection capabilities (EDR with memory scanning)
  • Review and enhance monitoring of cryptocurrency-related systems and wallets
  • Implement behavioral analytics to detect anomalous process activity
  • Ensure incident response plans account for fileless malware scenarios

Healthcare & Public Health Sector

Threat Level: ELEVATED

Data Breach Incidents

Radiology Associates of Richmond

  • Impact: 266,000 individuals affected
  • Data Compromised: Names and protected health information (PHI)
  • Source: SecurityWeek

Oncology Institute Third-Party Breach

  • Impact: Undisclosed number of patients
  • Vector: Third-party vendor compromise (potentially TriZetto)
  • Significance: Highlights supply chain risks in healthcare
  • Source: SecurityWeek

DocketWise Data Breach

  • Impact: 143,000 individuals
  • Data Compromised: Names, addresses, Social Security numbers, financial information, medical data
  • Vector: Third-party partner repository compromise
  • Source: SecurityWeek

Recommended Actions

  • Review third-party vendor security assessments and contracts
  • Implement data minimization practices for PHI shared with vendors
  • Ensure breach notification procedures comply with HIPAA requirements
  • Consider participation in the upcoming HIPAA Security 2026 conference (September 2026)

Communications & Information Technology Sector

Threat Level: HIGH

Critical Concerns

  • Supply Chain Attacks: Multiple coordinated campaigns (TrapDoor, Megalodon, Laravel-Lang) directly threaten software development infrastructure
  • Ghost CMS Exploitation: Over 700 websites compromised, including major educational and technology organizations
  • Microsoft 365 Targeting: Kali365 PhaaS platform specifically designed to compromise enterprise cloud services

AI Security Developments

  • Vulnerability Discovery: Anthropic's Mythos/Glasswing AI has identified 10,000-23,000 potential vulnerabilities across 1,000+ open-source projects
  • Dual-Use Concern: While beneficial for defenders, similar AI capabilities could be weaponized by threat actors
  • Security Paradigm Shift: Researchers argue AI security needs to shift focus from models to systems
  • Sources: SecurityWeek, CSO Online

Recommended Actions

  • Implement comprehensive software composition analysis (SCA) across development pipelines
  • Review GitHub Actions workflows for unauthorized modifications
  • Audit OAuth application permissions in Microsoft 365 environments
  • Patch Ghost CMS installations immediately if CVE-2026-26980 is applicable

Energy Sector

Threat Level: BASELINE

No sector-specific incidents reported during this period. However, energy sector organizations should remain vigilant regarding:

  • Supply chain risks from compromised software dependencies
  • Potential targeting by nation-state actors (particularly given Russian infrastructure disruption)
  • OT/ICS systems that may use affected open-source components

Water & Wastewater Systems

Threat Level: BASELINE

No sector-specific incidents reported during this period. Water utilities should:

  • Review remote access authentication mechanisms in light of MFA bypass techniques
  • Ensure OT networks are properly segmented from IT systems that may be affected by supply chain attacks

Transportation Systems

Threat Level: BASELINE

No sector-specific incidents reported during this period. General supply chain and authentication security guidance applies.


4. VULNERABILITY & MITIGATION UPDATES

Critical Vulnerabilities Requiring Immediate Attention

CVE-2026-26980 – Ghost CMS Critical Vulnerability

  • Severity: CRITICAL
  • Status: Actively Exploited
  • Impact: 700+ websites compromised
  • Attack Vector: Remote code execution enabling JavaScript injection
  • Affected Organizations: Harvard, Oxford, DuckDuckGo, and others
  • Recommendation: Immediate patching; review sites for indicators of compromise

KnowledgeDeliver ViewState Deserialization

  • Severity: HIGH (Estimated)
  • Status: Actively Exploited
  • Recommendation: Review Mandiant advisory for IOCs and mitigation guidance

AI-Discovered Vulnerabilities

  • Anthropic Mythos/Glasswing Findings: 10,000-23,000 potential vulnerabilities identified across 1,000+ open-source projects
  • Confirmation Status: Many findings confirmed as critical or high-severity
  • Implication: Organizations should anticipate increased CVE disclosures for open-source components in coming weeks
  • Recommendation: Proactively inventory open-source dependencies and establish monitoring for new CVE announcements

Supply Chain Security Mitigations

For TrapDoor, Megalodon, and Laravel-Lang Attacks

Immediate Actions:

  • Audit all npm, PyPI, Crates.io, and Composer dependencies for recent unexpected updates
  • Review GitHub Actions workflows for unauthorized modifications
  • Implement package pinning and hash verification
  • Enable dependency vulnerability scanning in CI/CD pipelines
  • Review CI/CD secrets and rotate any potentially exposed credentials

Strategic Mitigations:

  • Implement Software Bill of Materials (SBOM) practices
  • Deploy software composition analysis (SCA) tools
  • Establish approved package registries or mirrors
  • Implement code signing verification for dependencies

Authentication Security Recommendations

Given the Kali365 PhaaS platform and broader MFA bypass concerns:

  • Review OAuth Application Permissions: Audit and restrict OAuth applications in Microsoft 365 and other cloud services
  • Implement Conditional Access: Require compliant devices, restrict by location, and implement risk-based authentication
  • Monitor for Token Theft: Deploy detection for anomalous token usage patterns
  • Consider Phishing-Resistant MFA: Evaluate FIDO2/WebAuthn implementations where feasible
  • User Awareness: Train users on device code phishing techniques

New Security Tools

CVE Lite CLI

  • Purpose: Vulnerability information tool deliberately designed without AI integration
  • Use Case: Organizations seeking deterministic, auditable vulnerability data
  • Source: CSO Online

5. RESILIENCE & CONTINUITY PLANNING

Lessons from Current Incidents

Supply Chain Attack Preparedness

The convergence of TrapDoor, Megalodon, and Laravel-Lang attacks demonstrates:

  • Cross-Ecosystem Risk: Attackers are simultaneously targeting multiple package ecosystems, requiring comprehensive coverage
  • CI/CD as Target: Build pipelines and automation systems are high-value targets for credential theft
  • Speed of Attack: Laravel-Lang poisoning occurred within a 15-minute window, emphasizing the need for real-time monitoring

Third-Party Risk Management

Healthcare sector breaches highlight:

  • Vendor security assessments must be ongoing, not point-in-time
  • Data sharing agreements should include breach notification requirements
  • Organizations remain responsible for PHI regardless of where it's processed

SBOM Implementation Guidance

Security Magazine published practical guidance on "Weaponizing SBOMs" for security practitioners:

  • SBOMs allow precise vulnerability response instead of guesswork
  • Critical for responding to supply chain attacks affecting specific components
  • Supports compliance with emerging federal requirements
  • Source: Security Magazine

Cross-Sector Dependencies

Software Supply Chain Impact:

  • All critical infrastructure sectors depend on software development ecosystems
  • Compromised packages in npm, PyPI, or Crates.io could affect OT/ICS systems, healthcare applications, financial platforms, and more
  • Organizations should map software dependencies to understand potential cascading impacts

Cloud Service Dependencies:

  • Microsoft 365 is widely used across all critical infrastructure sectors
  • Kali365-style attacks could compromise communications and collaboration across multiple organizations simultaneously
  • Consider business continuity plans for cloud service compromise scenarios

Ransomware Resilience

Given that 58% of CISOs indicate willingness to pay ransoms:

  • Review backup and recovery capabilities to reduce payment pressure
  • Test restoration procedures regularly
  • Ensure backups are isolated from production networks
  • Document decision-making frameworks for ransomware incidents in advance

6. REGULATORY & POLICY DEVELOPMENTS

International Enforcement Actions

Netherlands Server Seizure

  • Action: 800 servers seized, 2 arrests
  • Target: Hosting infrastructure supporting Russian cyber operations
  • Significance: Demonstrates continued international cooperation in disrupting adversary infrastructure
  • Implication: Organizations should expect continued law enforcement focus on infrastructure providers enabling malicious activity

Healthcare Compliance

HIPAA Security Developments

  • HHS OCR and NIST are co-hosting "Safeguarding Health Information: Building Assurance through HIPAA Security 2026" in September
  • Healthcare organizations should monitor for updated guidance following recent breach activity

AI Governance Considerations

  • Anthropic's Mythos/Glasswing AI vulnerability discovery raises questions about responsible disclosure at scale
  • Researchers argue AI security frameworks need to shift from model-centric to system-centric approaches
  • Organizations should monitor for emerging AI security guidance from NIST and other bodies

Upcoming Compliance Considerations

  • Organizations using Ghost CMS should document remediation efforts for compliance purposes
  • Healthcare entities affected by disclosed breaches face HIPAA notification timelines
  • Software supply chain security requirements continue to evolve under federal guidance

7. TRAINING & RESOURCE SPOTLIGHT

New Tools and Frameworks

SBOM Implementation

  • Security Magazine's practical guide on weaponizing SBOMs for security practitioners
  • Relevant for all organizations seeking to improve supply chain visibility

CVE Lite CLI

  • AI-free vulnerability information tool for deterministic security workflows
  • Useful for organizations with strict auditability requirements

Agentic AI for NDR

  • The Hacker News reports on Network Detection and Response solutions incorporating agentic AI capabilities
  • May help address alert fatigue challenges in security operations

Best Practices Highlighted This Week

Supply Chain Security

  • Implement package pinning and hash verification
  • Deploy software composition analysis in CI/CD
  • Maintain current SBOMs for all applications
  • Establish approved package registries
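The pinning and hash-verification items in this list, and in the Supply Chain Security Mitigations of section 4, can be checked mechanically rather than by eye. The script below is an added illustration written for this briefing; it is not code from the briefing's sources or from any tool they cite. It audits a pip-style requirements file for entries that are not pinned to an exact version or lack a `--hash`, and a GitHub Actions workflow for `uses:` references that point at a mutable tag rather than a full commit SHA. Both sample inputs are constructed, and the 40-zero SHA is a placeholder rather than a real commit.

```python
import re
from typing import Dict, List

# Constructed sample requirements file (pip syntax): one entry pinned and hashed,
# one pinned without a hash, one with a floating version range.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
urllib3==2.2.1
pyyaml>=6.0
"""

# Constructed sample workflow. The 40-zero SHA is a placeholder for a real commit id.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000
      - uses: actions/setup-node@v4
      - run: npm ci
"""

SHA40 = re.compile(r"^[0-9a-f]{40}$")
REQ_LINE = re.compile(r"^([A-Za-z0-9_.\-]+(?:\[[^\]]*\])?)\s*(==|>=|<=|~=|!=|>|<)?")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")


def audit_requirements(text: str) -> Dict[str, List[str]]:
    """Map each problematic requirement to its findings: not exactly pinned,
    or pinned but without a --hash (so pip cannot verify what it downloads)."""
    findings: Dict[str, List[str]] = {}
    # pip allows backslash line continuations; join them so --hash options
    # stay on the same logical line as the requirement they belong to.
    logical = text.replace("\\\n", " ")
    for line in logical.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "-")):   # comments and pip options
            continue
        m = REQ_LINE.match(line)
        if not m:
            continue
        name, op = m.group(1), m.group(2)
        problems = []
        if op != "==":
            problems.append("not pinned to an exact version")
        if "--hash=" not in line:
            problems.append("no --hash, so the downloaded artifact is unverified")
        if problems:
            findings[name] = problems
    return findings


def audit_workflow(text: str) -> List[str]:
    """Return `uses:` references that are not pinned to a full 40-hex commit SHA.
    A tag or branch is mutable and can later be moved to point at different code."""
    unpinned = []
    for line in text.splitlines():
        m = USES_LINE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):   # local paths and images have no git ref
            continue
        _, _, version = ref.partition("@")
        if not SHA40.match(version):
            unpinned.append(ref)
    return unpinned


if __name__ == "__main__":
    for pkg, problems in audit_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"{pkg}: {'; '.join(problems)}")
    for ref in audit_workflow(SAMPLE_WORKFLOW):
        print(f"unpinned action: {ref}")
```

Run against the constructed samples, it reports `urllib3` (pinned but unverifiable), `pyyaml` (floating range, no hash) and `actions/setup-node@v4`. In a CI job the same two functions can gate merges: a non-empty result fails the build, which is a cheap way to keep the "pin and verify" control from eroding one pull request at a time.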

Authentication Security

  • Implement defense-in-depth beyond MFA
  • Deploy conditional access policies
  • Monitor for OAuth token abuse
  • Consider phishing-resistant authentication methods
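"Monitor for OAuth token abuse" (here and in the Authentication Security Recommendations of section 4) needs a concrete starting rule, and the device code flow abused by Kali365 is a good one because most users never legitimately use it. The following Python is an added example written for this briefing, not code from any of its sources: it baselines each user's interactive sign-ins and flags device-code sign-ins from users not approved for that flow, or from an IP or country absent from their history. The records are constructed, and the field names (`userPrincipalName`, `ipAddress`, `authenticationProtocol`, `location.countryOrRegion`) follow the Microsoft Graph sign-in log schema as I understand it; treat them as an assumption to check against your own export.

```python
import json
from collections import defaultdict
from typing import Collection, Dict, List, Set

# Constructed sign-in records, not real telemetry. Field names are assumed to
# match the Microsoft Graph signIn resource; adjust to your log source if not.
SAMPLE_SIGNINS = json.loads("""[
 {"createdDateTime": "2026-05-19T08:02:11Z", "userPrincipalName": "alice@example.test",
  "ipAddress": "203.0.113.10", "authenticationProtocol": "none",
  "location": {"countryOrRegion": "NL"}, "appDisplayName": "Outlook"},
 {"createdDateTime": "2026-05-20T09:15:40Z", "userPrincipalName": "alice@example.test",
  "ipAddress": "203.0.113.10", "authenticationProtocol": "none",
  "location": {"countryOrRegion": "NL"}, "appDisplayName": "Teams"},
 {"createdDateTime": "2026-05-21T03:41:05Z", "userPrincipalName": "alice@example.test",
  "ipAddress": "198.51.100.7", "authenticationProtocol": "deviceCode",
  "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Office"},
 {"createdDateTime": "2026-05-21T10:00:00Z", "userPrincipalName": "bob@example.test",
  "ipAddress": "203.0.113.20", "authenticationProtocol": "none",
  "location": {"countryOrRegion": "NL"}, "appDisplayName": "Azure Portal"},
 {"createdDateTime": "2026-05-22T10:05:00Z", "userPrincipalName": "bob@example.test",
  "ipAddress": "203.0.113.20", "authenticationProtocol": "deviceCode",
  "location": {"countryOrRegion": "NL"}, "appDisplayName": "Azure CLI"}
]""")


def baseline_by_user(records: List[dict]) -> Dict[str, Dict[str, Set[str]]]:
    """Collect the IPs and countries each user signed in from via flows other
    than device code, so a device-code sign-in cannot seed its own baseline."""
    base: Dict[str, Dict[str, Set[str]]] = defaultdict(
        lambda: {"ips": set(), "countries": set()})
    for r in records:
        if r.get("authenticationProtocol") == "deviceCode":
            continue
        b = base[r["userPrincipalName"]]
        b["ips"].add(r["ipAddress"])
        b["countries"].add(r.get("location", {}).get("countryOrRegion", "unknown"))
    return base


def flag_device_code_signins(records: List[dict],
                             approved_users: Collection[str] = ()) -> List[dict]:
    """Flag device-code sign-ins that are unexpected for the user or arrive from
    an IP/country absent from that user's interactive history."""
    base = baseline_by_user(records)
    alerts = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        upn = r["userPrincipalName"]
        country = r.get("location", {}).get("countryOrRegion", "unknown")
        reasons = []
        if upn not in approved_users:
            reasons.append("device code flow used by a user not approved for it")
        if r["ipAddress"] not in base[upn]["ips"]:
            reasons.append("source IP never seen in this user's interactive sign-ins")
        if country not in base[upn]["countries"]:
            reasons.append(f"new country {country} for this user")
        if reasons:
            alerts.append({"time": r["createdDateTime"], "user": upn,
                           "ip": r["ipAddress"], "app": r.get("appDisplayName"),
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    # bob is a headless-admin account approved for device code (constructed policy)
    for a in flag_device_code_signins(SAMPLE_SIGNINS, approved_users={"bob@example.test"}):
        print(a["time"], a["user"], a["ip"], a["app"], "|", "; ".join(a["reasons"]))
```

On the sample, only alice's sign-in is raised, with three independent reasons. The baseline here is built from the same batch for brevity; in production derive it from a longer window of prior interactive sign-ins, and treat a device-code sign-in immediately followed by mailbox rules or OAuth consent from the same session as a higher-severity signal.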

Memory-Based Threat Detection

  • Deploy EDR with memory scanning capabilities
  • Implement behavioral analytics for process monitoring
  • Update incident response procedures for fileless malware
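The memory-scanning items above, and the matching Recommended Actions for the financial sector in section 3, hinge on one observable: a memory-only implant has executable code with no regular file behind it. The script below is an added example for this briefing (not from RemotePE reporting or any vendor tool) showing that check on Linux by reading `/proc/<pid>/maps` for RWX regions, anonymous executable regions and executables backed by `memfd:` or a deleted file, and `/proc/<pid>/exe` for a memfd-backed main binary. The `maps` excerpt is constructed, including the `/memfd:payload` name.

```python
import os
from typing import Dict, List

# Constructed /proc/<pid>/maps excerpt (not captured from a real host): a normal
# file-backed text segment, a RWX anonymous region, and a memfd-backed executable.
SAMPLE_MAPS = """\
55d4c0a00000-55d4c0a21000 r-xp 00000000 fd:01 1310722 /usr/bin/python3.11
7f1b2c000000-7f1b2c021000 rw-p 00000000 00:00 0
7f1b2d000000-7f1b2d010000 rwxp 00000000 00:00 0
7f1b2e000000-7f1b2e005000 r-xp 00000000 00:05 1234 /memfd:payload (deleted)
7ffd1a000000-7ffd1a021000 rw-p 00000000 00:00 0 [stack]
"""


def suspicious_mappings(maps_text: str) -> List[Dict[str, str]]:
    """Return executable regions that have no regular file behind them.
    Each maps line is: address perms offset dev inode [pathname]."""
    findings = []
    for line in maps_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue
        addr, perms = parts[0], parts[1]
        path = parts[5].strip() if len(parts) == 6 else ""
        if "x" not in perms:
            continue
        if path.startswith("[") and path.endswith("]"):
            continue  # [vdso], [vsyscall] and similar kernel-provided regions
        if "w" in perms:
            reason = "writable and executable (RWX) region"
        elif path == "":
            reason = "anonymous executable region with no file backing"
        elif path.startswith("/memfd:") or path.endswith("(deleted)"):
            reason = "executable backed by memfd or a deleted file"
        else:
            continue
        findings.append({"range": addr, "perms": perms, "path": path, "reason": reason})
    return findings


def scan_proc(proc_root: str = "/proc") -> Dict[int, List[Dict[str, str]]]:
    """Walk live processes on a Linux host and collect suspicious mappings,
    plus processes whose main executable is itself memfd-backed or deleted."""
    results: Dict[int, List[Dict[str, str]]] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(f"{proc_root}/{entry}/maps") as f:
                hits = suspicious_mappings(f.read())
            exe = os.readlink(f"{proc_root}/{entry}/exe")
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue  # kernel threads, exited processes, or other users' processes
        if "memfd:" in exe or exe.endswith("(deleted)"):
            hits.append({"range": "exe", "perms": "", "path": exe,
                         "reason": "main executable is memfd-backed or deleted"})
        if hits:
            results[int(entry)] = hits
    return results


if __name__ == "__main__":
    for hit in suspicious_mappings(SAMPLE_MAPS):
        print(f"{hit['range']} {hit['perms']:5} {hit['reason']} {hit['path']}")
    if os.path.isdir("/proc"):   # live scan only works on Linux; run as root for full coverage
        for pid, hits in scan_proc().items():
            print(pid, [h["reason"] for h in hits])
```

Treat the output as triage leads, not verdicts: JIT runtimes (Java, browser engines, some interpreters) legitimately create RWX and anonymous executable regions, and a daemon whose binary was replaced by a package upgrade shows as `(deleted)` until restarted. The value is in baselining which processes normally show these traits on each host class, so that a new process doing so on a treasury workstation or wallet server stands out. The same question, "which executable pages have no backing file", is what EDR memory scanning answers on Windows and macOS.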

8. LOOKING AHEAD: UPCOMING EVENTS

Upcoming Conferences and Workshops

NIST AI for Manufacturing Workshop

  • Date: May 27, 2026
  • Focus: AI integration in manufacturing product development and production processes
  • Relevance: Manufacturing sector cybersecurity and AI security considerations
  • Source: NIST

NCCoE Manufacturing Cybersecurity Incident Response Update

  • Date: June 4, 2026, 1:00–2:00 PM
  • Format: Virtual
  • Focus: Upcoming guidelines on improving cybersecurity incident response in manufacturing
  • Source: NIST NCCoE

NIST NCCoE Genomic Data PETs Testbed & Dioptra Webinar

  • Date: June 9, 2026, 1:00–3:30 PM EDT
  • Focus: Privacy-Enhancing Technologies (PETs) Testbed and Dioptra platform
  • Relevance: Healthcare and research data protection
  • Source: NIST NCCoE

NIST Workshop on Hardware CPE and CVSS Updates

  • Date: June 22, 2026
  • Focus: Hardware representation in CPE and CVSS applicability to hardware
  • Relevance: OT/ICS and hardware security vulnerability management
  • Source: NIST

Iris Experts Group Annual Meeting

  • Date: June 25, 2026
  • Focus: Iris recognition technology for government agencies
  • Relevance: Physical security and identity management
  • Source: NIST

2026 Time and Frequency Seminar

  • Date: July 21, 2026
  • Focus: Precision clocks, atomic frequency standards, synchronization
  • Relevance: Critical timing infrastructure for communications and financial systems
  • Source: NIST

Safeguarding Health Information: HIPAA Security 2026

  • Date: September 2, 2026
  • Hosts: HHS OCR and NIST ITL
  • Focus: HIPAA security compliance and best practices
  • Relevance: Healthcare sector security and compliance
  • Source: NIST

Threat Awareness Periods

  • Ongoing: Supply chain attack campaigns (TrapDoor, Megalodon) remain active; heightened vigilance for software dependencies recommended
  • Ongoing: Kali365 PhaaS platform actively targeting Microsoft 365 accounts
  • Ongoing: Ghost CMS exploitation continues; unpatched installations at risk

Anticipated Developments

  • Vulnerability Disclosures: Expect increased CVE announcements as Anthropic Mythos/Glasswing findings are validated and disclosed
  • Anthropic Mythos Public Release: Indications that the restricted Mythos model may be released for Claude Code, potentially expanding AI-assisted vulnerability discovery
  • Supply Chain Attack Evolution: Given success of current campaigns, anticipate continued targeting of package ecosystems

This intelligence briefing is derived from open-source reporting and is intended to support critical infrastructure protection efforts. Recipients are encouraged to share relevant information with sector partners through appropriate channels.

Report Prepared: Tuesday, May 26, 2026

Disclaimer

This briefing is generated using AI analysis of public news sources. Always verify critical information through authoritative sources before taking action.