
Iranian APT Campaigns Target Aviation and Software Sectors; CISA Issues Six ICS Advisories for ABB Systems; Major Data Breaches Hit Charter, 7-Eleven, and Lithuania

1. Executive Summary

This week's intelligence cycle (May 20-27, 2026) reveals significant threat activity across multiple critical infrastructure sectors, with Iranian state-sponsored actors conducting aggressive campaigns against aviation and software companies using updated tooling. Key developments include:

  • Nation-State Activity: Iranian APT group Nimbus Manticore (also tracked as Screening Serpens/UNC1549) has launched coordinated campaigns targeting aviation and software companies across nine countries using new MiniFast and MiniJunk V2 backdoors, employing both phishing and SEO poisoning techniques.
  • ICS/OT Vulnerabilities: CISA released six Industrial Control System advisories on May 26, all affecting ABB products including AC500 V2 PLCs, Terra AC EV chargers, Ability Camera Connect, Zenon Remote Transport, LVS MConfig, and B&R Automation Runtime—systems deployed across energy, manufacturing, and transportation sectors.
  • Major Data Breaches: Charter Communications confirmed a breach following ShinyHunters extortion threats; 7-Eleven disclosed 185,000 individuals affected by an April breach; Lithuania reports over 600,000 national register entries leaked with suspected foreign involvement.
  • Emerging Threats: Supply chain attacks via GitHub Actions ("Megalodon" campaign) compromised 5,500 repositories; new "TrapDoor" malware campaign specifically targets developer workstations; Chinese threat actors shifting from static phishing to live credential interception techniques.
  • Policy Developments: White House issued new federal cybersecurity logging requirements; India's CERT-In mandates 12-hour patching for internet-facing vulnerabilities; Trump Administration announces $2 billion quantum computing investment with security implications.

2. Threat Landscape

Nation-State Threat Actor Activities

Iranian Operations - Nimbus Manticore (High Priority)

The Iranian state-sponsored threat actor Nimbus Manticore has been attributed to an aggressive campaign affecting at least nine organizations across nine countries on four continents during Q1 2026. The group has continued operations during and after the US military campaign against Iran, demonstrating persistent capability and intent.

  • Targets: Aviation sector, software companies, and related supply chains
  • TTPs: Phishing campaigns impersonating aviation organizations; SEO poisoning to drive victims to malicious downloads; DLL side-loading techniques
  • New Tooling: MiniFast backdoor (reportedly AI-assisted development), MiniJunk V2 malware variant
  • Assessment: The targeting of aviation and software sectors suggests intelligence collection objectives potentially related to defense industrial base and technology transfer

Sources: SecurityWeek, The Hacker News

MuddyWater Campaign Expansion

Iranian hacking group MuddyWater has been linked to a parallel campaign using DLL side-loading techniques, affecting organizations across multiple continents. This activity demonstrates Iran's sustained cyber espionage tempo despite geopolitical pressures.

Source: The Hacker News

Russian-Aligned Infrastructure Disruption

Dutch authorities arrested administrators of bulletproof hosting services allegedly used by Russia-aligned threat actors. The two individuals owned Dutch companies providing infrastructure services that enabled malicious operations. This enforcement action may temporarily disrupt some Russian cyber operations but is unlikely to significantly degrade overall capability.

Source: SecurityWeek

Chinese Phishing Evolution

Chinese threat actors have shifted tactics from static phishing pages to live credential interception techniques. Analysis indicates almost all organizations impersonated by Chinese phishing platforms are non-Chinese entities, suggesting operators deliberately avoid domestic targets to reduce detection risk.

Source: Infosecurity Magazine

Ransomware and Cybercriminal Developments

ShinyHunters Extortion Campaign

The ShinyHunters extortion group has been particularly active this week:

  • Charter Communications: Confirmed data breach following extortion threat; scope of compromise under investigation
  • 7-Eleven: 185,000+ individuals affected by April 2026 breach; leaked data includes email addresses, names, physical addresses, and dates of birth

Sources: Bleeping Computer, SecurityWeek

BTMOB Android RAT

A new Android Remote Access Trojan (BTMOB) is being sold as a service with a no-code builder enabling rapid creation of regional phishing lures. This lowered barrier to entry expands the potential threat actor pool targeting mobile devices.

Source: Infosecurity Magazine

Supply Chain and Development Environment Threats

Megalodon GitHub Actions Attack

A sophisticated supply chain attack dubbed "Megalodon" has abused GitHub Actions to inject malicious commits into approximately 5,500 repositories. This campaign represents a significant threat to software supply chain integrity and may have downstream impacts on organizations using affected code.

Source: CSO Online

TrapDoor Developer Workstation Campaign

A new malware campaign specifically targeting developer workstations has emerged, highlighting the need for CISOs to expand security focus beyond traditional server infrastructure to include development environments that often have elevated privileges and access to source code repositories.

Source: CSO Online

Emerging Attack Vectors

AI-Assisted Attack Acceleration

Multiple reports this week highlight the growing role of AI in accelerating attack timelines:

  • AI-powered DDoS attacks demonstrating increased sophistication
  • Evidence of AI-assisted malware development (MiniFast backdoor)
  • Compressed exploitation timelines driving CERT-In's 12-hour patching mandate

MFA Bypass Techniques

Security experts are cautioning that MFA alone can no longer stop determined threat actors. MFA prompt bombing and other bypass techniques continue to evolve, requiring organizations to implement additional controls beyond traditional second-factor authentication.

Sources: The Hacker News, CSO Online

Wi-Fi Router Identification

Research has demonstrated techniques for identifying individuals using Wi-Fi router signals, raising privacy and surveillance concerns for facilities relying on wireless infrastructure.

Source: Schneier on Security

3. Sector-Specific Analysis

Energy Sector

ABB Industrial Control System Vulnerabilities

CISA released six ICS advisories on May 26, 2026, all affecting ABB products widely deployed in energy sector environments:

Product                             Advisory ID      Sector Impact
ABB AC500 V2 PLCs                   ICSA-26-146-02   Power generation, substations, industrial automation
ABB Terra AC EV Chargers            ICSA-26-146-01   Electric vehicle charging infrastructure
ABB Ability Camera Connect          ICSA-26-146-05   Physical security monitoring at energy facilities
ABB Zenon Remote Transport          ICSA-26-146-03   SCADA communications, remote monitoring
ABB LVS MConfig                     ICSA-26-146-06   Low voltage switchgear configuration
ABB B&R Automation Runtime (SDM)    ICSA-26-146-04   Industrial automation, manufacturing

Recommended Actions:

  • Review CSAF files for detailed vulnerability information and affected versions
  • Prioritize patching for internet-exposed systems
  • Implement network segmentation for affected devices
  • Monitor for anomalous communications from ABB systems

Source: CISA ICS Advisories

Critical Infrastructure Security Research Expansion

Texas Tech University has begun construction to expand its institute devoted to examining U.S. critical infrastructure vulnerabilities. This academic investment will enhance research capabilities for identifying and addressing energy sector security gaps.

Source: Security Magazine

Transportation Systems

Aviation Sector Targeting by Iranian APT

The aviation sector faces elevated threat levels from Nimbus Manticore's ongoing campaign. Organizations should:

  • Increase monitoring for phishing attempts impersonating aviation industry entities
  • Review SEO-driven traffic for potential poisoning indicators
  • Hunt for MiniFast and MiniJunk V2 indicators of compromise
  • Brief personnel on social engineering tactics specific to this campaign

EV Charging Infrastructure

The ABB Terra AC EV charger vulnerabilities (ICSA-26-146-01) affect transportation electrification infrastructure. As EV charging networks expand, these systems represent an increasingly attractive target for disruption.

Communications & Information Technology

Charter Communications Breach

U.S. telecommunications giant Charter Communications confirmed a data breach following ShinyHunters extortion threats. Given Charter's role as a major communications provider, this incident may have implications for:

  • Customer data protection
  • Network infrastructure security
  • Downstream service dependencies

Source: Bleeping Computer

Microsoft SharePoint RCE Vulnerability

Microsoft patched a remote code execution vulnerability (CVE-2026-45659) affecting multiple SharePoint Server versions. This vulnerability could be exploited without specialized conditions, making it a priority for organizations using SharePoint in critical infrastructure environments.

Source: The Hacker News

Windows Server 2016 Domain Controller Issue

Microsoft confirmed a known issue affecting Windows Server 2016 systems where domain controller lookups fail after installing the KB5087537 May 2026 security update. Organizations should test this update in non-production environments before deployment.

Source: Bleeping Computer

Healthcare & Public Health

HIPAA Security Developments

HHS Office for Civil Rights and NIST are preparing for the "Safeguarding Health Information: Building Assurance through HIPAA Security 2026" conference scheduled for September 2026. Healthcare organizations should monitor for updated guidance emerging from this initiative.

Genomic Data Privacy

NIST NCCoE is advancing work on Privacy-Enhancing Technologies (PETs) for genomic data, with a webinar scheduled for June 9, 2026. This research has implications for healthcare organizations handling sensitive genetic information.

Financial Services

SaaS Security Developments

New AI-powered tools for SaaS security governance are emerging, including AppOmni's Marlin AI for autonomous investigation of misconfigurations. Financial services organizations with significant SaaS footprints should evaluate these capabilities for enhanced security monitoring.

Source: SecurityWeek

Government Facilities

Lithuania National Register Breach

Lithuanian authorities are investigating a massive data leak involving more than 600,000 entries from national data registers. Officials suspect foreign involvement, highlighting the ongoing threat to government data systems from nation-state actors.

Sources: SecurityWeek, Security Magazine

Education Facilities

KnowledgeDeliver LMS Zero-Day Exploitation

A critical zero-day vulnerability in Digital Knowledge KnowledgeDeliver, a Learning Management System popular in Japan, was exploited to deploy Godzilla web shells and Cobalt Strike. The vulnerability involved hardcoded machineKey values enabling ViewState deserialization attacks leading to remote code execution.

Implications:

  • Educational institutions using this LMS should immediately apply available patches
  • Hunt for Godzilla web shell and Cobalt Strike indicators
  • Review other applications for similar hardcoded cryptographic key vulnerabilities

Sources: Bleeping Computer, SecurityWeek
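The third implication above, checking other applications for hardcoded cryptographic keys, can be turned into a fleet-wide audit. The following is an added example, not code from the briefing or from the KnowledgeDeliver vendor: it inspects ASP.NET web.config files for the machineKey and ViewState MAC settings that the KnowledgeDeliver issue turns on. The element and attribute names are real ASP.NET settings; the three sample configurations and the key values in them are constructed for the example. The cross-installation check matters most: a static key that is identical on two unrelated deployments is the fingerprint of a key shipped by the vendor rather than generated per site.

```python
"""Audit ASP.NET web.config files for ViewState MAC/encryption key risks.

Constructed example, not code from the source briefing or from the vendor.
The configuration element names are real ASP.NET settings; the sample
configs below are made up to exercise the checks.

Findings raised:
  STATIC_KEY       explicit validationKey/decryptionKey on <machineKey>
                   (legitimate for web farms, but must be unique per site)
  SHARED_KEY       the same static key appears in more than one installation,
                   the signature of a key hardcoded by a vendor or copied
  WEAK_VALIDATION  validation="MD5" or "SHA1" instead of an HMAC algorithm
  MAC_DISABLED     <pages enableViewStateMac="false"> switches off the
                   ViewState MAC entirely
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

WEAK_VALIDATION = {"MD5", "SHA1"}


def audit_config(install_name, xml_text):
    """Check one web.config; returns (findings, static_key_values)."""
    findings = []
    static_keys = []
    root = ET.fromstring(xml_text)

    machine_key = next(root.iter("machineKey"), None)
    if machine_key is not None:
        for attr in ("validationKey", "decryptionKey"):
            # ASP.NET's default for both attributes is "AutoGenerate,IsolateApps".
            value = machine_key.get(attr, "AutoGenerate,IsolateApps")
            if not value.startswith("AutoGenerate"):
                findings.append(("STATIC_KEY", install_name, attr))
                static_keys.append(value)
        validation = machine_key.get("validation", "")
        # Only an explicit weak algorithm is flagged; the implicit default
        # depends on the .NET Framework version and is not guessed here.
        if validation.upper() in WEAK_VALIDATION:
            findings.append(("WEAK_VALIDATION", install_name, validation))

    pages = next(root.iter("pages"), None)
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append(("MAC_DISABLED", install_name, "enableViewStateMac"))

    return findings, static_keys


def audit_fleet(configs):
    """configs: {installation name: web.config text}. Adds the cross-site check."""
    findings = []
    users_of_key = defaultdict(set)
    for name, text in configs.items():
        per_site, keys = audit_config(name, text)
        findings.extend(per_site)
        for key in keys:
            users_of_key[key].add(name)
    for key, installs in users_of_key.items():
        if len(installs) > 1:
            # Report a key prefix only, so the audit output does not leak secrets.
            findings.append(("SHARED_KEY", tuple(sorted(installs)), key[:8] + "..."))
    return findings


# Constructed sample: two sites shipped with an identical vendor key, one
# site auto-generating keys but using SHA1 and with the MAC switched off.
VENDOR_KEY_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F90"
                decryptionKey="0F1E2D3C4B5A69788796A5B4C3D2E1F00F1E2D3C4B5A6978"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

AUTOGEN_WEAK_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>"""

SAMPLE_CONFIGS = {
    "campus-a": VENDOR_KEY_CONFIG,
    "campus-b": VENDOR_KEY_CONFIG,
    "campus-c": AUTOGEN_WEAK_CONFIG,
}

if __name__ == "__main__":
    for finding in audit_fleet(SAMPLE_CONFIGS):
        print(finding)
```

Run against the sample fleet, the audit reports four STATIC_KEY findings, two SHARED_KEY findings (campus-a and campus-b share both keys), one WEAK_VALIDATION and one MAC_DISABLED. A STATIC_KEY on its own is a question for the operator, since web farms need a shared key by design; a SHARED_KEY across deployments that should be independent is the condition to treat as a vulnerability and rotate.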

4. Vulnerability & Mitigation Updates

Critical Vulnerabilities Requiring Immediate Attention

CISA Known Exploited Vulnerability - Drupal SQL Injection

CISA has ordered federal agencies to secure servers against an actively exploited SQL injection vulnerability in the Drupal content management system by Wednesday evening (May 27, 2026). Non-federal organizations using Drupal should also prioritize this patch.

Source: Bleeping Computer

Microsoft SharePoint CVE-2026-45659

  • Severity: Critical (RCE)
  • Affected: Multiple SharePoint Server versions
  • Exploitation: No specialized conditions required
  • Action: Apply Microsoft updates immediately

KnowledgeDeliver LMS (Actively Exploited)

  • Vulnerability: Hardcoded machineKey enabling ViewState deserialization
  • Impact: Remote code execution
  • Exploitation: Confirmed zero-day exploitation in the wild
  • Action: Patch immediately; hunt for web shells

ICS/OT Advisories

Organizations operating ABB equipment should review the six CISA advisories listed in Section 3 (ICSA-26-146-01 through ICSA-26-146-06) and their associated CSAF files.

Weekly Vulnerability Summary

US-CERT published the vulnerability summary for the week of May 18, 2026, cataloging high, medium, and low severity vulnerabilities. Security teams should review this summary for vulnerabilities affecting their technology stack.

Source: US-CERT Bulletins

Recommended Defensive Measures

MFA Enhancement

Given increasing MFA bypass techniques, organizations should:

  • Implement phishing-resistant MFA (FIDO2/WebAuthn) where possible
  • Deploy number matching or additional context for push notifications
  • Monitor for MFA prompt bombing patterns
  • Consider risk-based authentication that evaluates additional signals
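The third bullet, monitoring for prompt bombing patterns, is the one that needs detection logic rather than a configuration change. The following is an added example, not code from the briefing or from any identity provider: it runs over constructed authentication log lines in an assumed key=value format and raises an alert when a single user receives a burst of push prompts inside a short window, recording whether the burst ended in an approval. The log layout, the ten-minute window and the five-prompt threshold are assumptions to tune against the real provider's export.

```python
"""Detect MFA push prompt bombing from authentication log lines.

Constructed example, not code from the source briefing. The log format is an
assumed key=value layout; adapt LOG_RE to the identity provider's real export.
An alert fires when one user receives at least THRESHOLD push prompts inside
WINDOW; the alert records whether the burst ended in an approval, the case
that needs an immediate session revocation and credential reset.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) method=(?P<method>\S+) result=(?P<result>\S+)"
)
WINDOW = timedelta(minutes=10)
THRESHOLD = 5


def parse_events(lines):
    """Yield dicts for lines matching LOG_RE; other lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ev


def detect_prompt_bombing(lines, window=WINDOW, threshold=THRESHOLD):
    by_user = defaultdict(list)
    for ev in parse_events(lines):
        if ev["method"] == "push":          # phishing-resistant factors cannot be bombed
            by_user[ev["user"]].append(ev)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        i, n = 0, len(events)
        while i < n:
            # Extend the burst anchored at event i while prompts stay within the window.
            j = i
            while j + 1 < n and events[j + 1]["ts"] - events[i]["ts"] <= window:
                j += 1
            burst = events[i:j + 1]
            if len(burst) >= threshold:
                results = [e["result"] for e in burst]
                alerts.append({
                    "user": user,
                    "prompts": len(burst),
                    "denied": results.count("denied"),
                    "approved_after_burst": results[-1] == "approved",
                    "first": burst[0]["ts"].isoformat(),
                    "last": burst[-1]["ts"].isoformat(),
                })
                i = j + 1                    # one alert per burst
            else:
                i += 1
    return alerts


# Constructed log lines: alice is bombarded and finally approves; bob's two
# prompts an hour apart are normal; carol uses a FIDO2 key and is ignored.
SAMPLE_LOG_LINES = [
    "2026-05-21T03:12:07Z user=alice method=push result=denied ip=203.0.113.5",
    "2026-05-21T03:12:41Z user=alice method=push result=denied ip=203.0.113.5",
    "2026-05-21T03:13:20Z user=alice method=push result=denied ip=203.0.113.5",
    "2026-05-21T03:14:02Z user=alice method=push result=denied ip=203.0.113.5",
    "2026-05-21T03:15:11Z user=alice method=push result=denied ip=203.0.113.5",
    "2026-05-21T03:16:30Z user=alice method=push result=approved ip=203.0.113.5",
    "2026-05-21T09:00:00Z user=bob method=push result=approved ip=198.51.100.7",
    "2026-05-21T09:45:00Z user=bob method=push result=approved ip=198.51.100.7",
    "2026-05-21T09:02:15Z user=carol method=fido2 result=approved ip=198.51.100.9",
]

if __name__ == "__main__":
    for alert in detect_prompt_bombing(SAMPLE_LOG_LINES):
        print(alert)
```

On the sample data the only alert is for alice: six prompts in under five minutes, five denied, and an approval at the end, which is exactly the sequence a fatigued user produces. The approved_after_burst flag is what separates a noisy annoyance from a likely account takeover and should drive the response playbook.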

Endpoint Isolation Capabilities

Microsoft is previewing automatic device isolation in Defender for Endpoint, which will automatically isolate compromised endpoints to prevent lateral movement. Organizations should evaluate this capability for their environments.

Source: Bleeping Computer

Container Security

The open-source DockSec tool (OWASP incubator project) correlates findings from multiple container security scanners and uses AI to generate remediation guidance. Organizations with containerized workloads should evaluate this tool for vulnerability management.

Source: SecurityWeek

5. Resilience & Continuity Planning

Lessons Learned

Vulnerability Exploitation Timelines

Analysis indicates vulnerabilities have become cyber attackers' primary entry point to enterprise environments. The compressed timeline between vulnerability disclosure and exploitation—now potentially measured in hours rather than days—requires organizations to:

  • Maintain comprehensive asset inventories
  • Establish rapid patching capabilities for internet-facing systems
  • Implement compensating controls when immediate patching isn't feasible
  • Consider India's CERT-In 12-hour patching guidance as a benchmark for critical exposures

Source: CSO Online

Supply Chain Security

GitHub Actions and CI/CD Pipeline Security

The Megalodon attack affecting 5,500 repositories highlights the need for:

  • Code signing and verification for all commits
  • Restricted permissions for automated workflows
  • Monitoring for unexpected changes in CI/CD pipelines
  • Regular audits of third-party actions and dependencies
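Two of the four points above, restricted workflow permissions and audits of third-party actions, can be checked mechanically across a repository's workflow files. The following is an added example, not code from the briefing and not a description of how the Megalodon campaign operated (the briefing does not detail its mechanics): it is a generic, line-oriented audit of GitHub Actions workflow YAML that flags actions not pinned to a full commit SHA, missing or write-all top-level token permissions, and the pull_request_target trigger. The two sample workflows are constructed; the 40-character SHA in the hardened one is a placeholder, not a real commit.

```python
"""Audit GitHub Actions workflow files for common hardening gaps.

Constructed example, not code from the source briefing; the checks are
generic CI/CD hardening points (action pinning, least-privilege token
permissions, risky triggers). Parsing is line-oriented on purpose so it runs
without a YAML library; job-level `permissions:` blocks are not inspected.

Findings:
  UNPINNED_ACTION    third-party `uses:` not pinned to a full commit SHA
  NO_PERMISSIONS     no top-level `permissions:` block (token gets defaults)
  BROAD_PERMISSIONS  top-level `permissions: write-all`
  RISKY_TRIGGER      `pull_request_target` runs with repository secrets on
                     events from forks and needs careful review
"""
import re

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?(?P<ref>[^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TOP_PERMISSIONS_RE = re.compile(r"^permissions:\s*(?P<value>\S*)")
RISKY_TRIGGER_RE = re.compile(r"\bpull_request_target\b")


def audit_workflow(name, text):
    """Return (kind, workflow name, line number, detail) tuples for one workflow."""
    findings = []
    top_permissions = None
    for lineno, line in enumerate(text.splitlines(), start=1):
        code = line.split("#", 1)[0]          # drop trailing YAML comments
        m = USES_RE.match(code)
        if m:
            ref = m.group("ref")
            if ref.startswith("./") or ref.startswith("docker://"):
                continue                       # local/container actions: different pinning rules
            _action, _, version = ref.partition("@")
            if not FULL_SHA_RE.match(version):
                findings.append(("UNPINNED_ACTION", name, lineno, ref))
            continue
        m = TOP_PERMISSIONS_RE.match(code)
        if m:
            top_permissions = m.group("value")  # "" means a nested map follows
        if RISKY_TRIGGER_RE.search(code):
            findings.append(("RISKY_TRIGGER", name, lineno, "pull_request_target"))
    if top_permissions is None:
        findings.append(("NO_PERMISSIONS", name, 0, "missing top-level permissions"))
    elif top_permissions == "write-all":
        findings.append(("BROAD_PERMISSIONS", name, 0, "write-all"))
    return findings


# Constructed sample workflows: a weak one and its hardened counterpart.
WEAK_WORKFLOW = """name: build
on:
  pull_request_target:
    branches: [main]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: some-org/setup-tool@main
      - run: ./build.sh
"""

HARDENED_WORKFLOW = """name: build
on:
  pull_request:
    branches: [main]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - run: ./build.sh
"""

if __name__ == "__main__":
    for wf_name, wf_text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        for finding in audit_workflow(wf_name, wf_text):
            print(finding)
```

The weak workflow yields four findings (two unpinned actions, write-all permissions, and the pull_request_target trigger); the hardened one yields none. Pinning to a SHA rather than a tag is what makes "audit third-party actions" meaningful, since a tag can be moved to new code after the audit while a commit SHA cannot.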

Developer Workstation Security

The TrapDoor campaign targeting developer workstations emphasizes that development environments require security controls commensurate with their access privileges. Recommendations include:

  • Endpoint detection and response on developer systems
  • Network segmentation for development environments
  • Privileged access management for source code repositories
  • Security awareness training specific to developer threats

AI-Assisted Security Operations

Anthropic Mythos/Glasswing Results

Anthropic reports that its AI-powered vulnerability discovery tool has identified more than 10,000 software flaws in its first month of operation, with some partners seeing a tenfold increase in bug discovery. However, this creates a widening gap between finding flaws and fixing them, requiring organizations to scale remediation capabilities alongside detection.

Sources: CyberScoop, CSO Online

Quantum Computing Preparedness

Apple Quantum-Resistant Encryption

Apple has open-sourced quantum-resistant encryption code, including implementations of two quantum-secure algorithms. The release demonstrates how formal verification caught bugs that traditional testing would have missed. Organizations should:

  • Begin inventorying cryptographic dependencies
  • Monitor NIST post-quantum cryptography standardization
  • Develop migration plans for quantum-vulnerable systems

Source: CyberScoop

Federal Quantum Investment

The Trump Administration's $2 billion quantum computing investment will accelerate both quantum computing capabilities and the need for quantum-resistant security measures across critical infrastructure.

Source: Security Magazine

6. Regulatory & Policy Developments

Federal Guidelines

White House Cybersecurity Logging Requirements

The Trump administration published a memo last week establishing new requirements for federal agency cybersecurity logging, replacing guidance from the previous administration. Security analysts have expressed concern about potential gaps in the new requirements. Organizations supporting federal agencies should review the updated guidance for compliance implications.

Source: CyberScoop

International Developments

India CERT-In 12-Hour Patching Mandate

India's Computer Emergency Response Team (CERT-In) has issued new guidelines requiring organizations to patch critical security vulnerabilities in internet-exposed systems within 12 hours of disclosure. This aggressive timeline reflects the reality of AI-assisted attacks compressing exploitation windows.

Key Requirements:

  • 12-hour patching window for critical vulnerabilities in internet-facing systems
  • Enhanced vulnerability management processes
  • Rapid response capabilities for emerging threats

Implications for U.S. Organizations:

  • Multinational organizations with Indian operations must comply
  • May signal direction for future U.S. regulatory requirements
  • Establishes benchmark for industry best practices

Sources: The Hacker News, Infosecurity Magazine

AI Governance

Enterprise AI Security Integration

Anthropic expanded Claude's enterprise security governance with 28 new integrations, including CrowdStrike, Palo Alto Networks, Microsoft, Okta, Zscaler, Netskope, Cloudflare, Fortinet, and Wiz. This reflects growing enterprise demand for AI tools that integrate with existing security infrastructure.

Source: SecurityWeek

AI Governance as Release Infrastructure

Industry guidance suggests organizations should stop treating AI governance as a review layer and instead integrate it into release infrastructure, embedding security and compliance checks into AI deployment pipelines.

Source: CSO Online

7. Training & Resource Spotlight

New Tools and Frameworks

DockSec Container Security Tool

DockSec, an OWASP incubator project, provides:

  • Correlation of findings from multiple container security scanners
  • AI-generated plain-English remediation guidance
  • Exact Dockerfile fixes for identified vulnerabilities
  • Open-source availability for community contribution

Source: SecurityWeek

On-Demand Training

Threat Detection & Incident Response Summit

SecurityWeek's Threat Detection & Incident Response Summit sessions are now available on demand. The content covers tools, strategies, and frameworks for building resilient security programs.

Source: SecurityWeek

AI DDoS Defense Webinar

The Hacker News is offering a webinar on defending against AI-powered DDoS attacks, addressing the evolution of attack techniques and defensive countermeasures.

Source: The Hacker News

8. Looking Ahead: Upcoming Events

May 2026

May 27, 2026 - NIST AI for Manufacturing Workshop

NIST workshop examining AI integration in manufacturing product development and production processes, addressing productivity and resilience improvements through AI adoption.

Source: NIST

June 2026

June 4, 2026 - NCCoE Manufacturing Project Update (1:00 PM - 2:00 PM)

Virtual event providing an overview of upcoming guidelines on improving cybersecurity incident response for manufacturing environments.

Source: NIST NCCoE

June 9, 2026 - NIST NCCoE Genomic Data PETs Testbed & Dioptra Webinar (1:00 PM - 3:30 PM EDT)

Webinar showcasing Privacy-Enhancing Technologies (PETs) Testbed and Dioptra platform for genomic data protection.

Source: NIST NCCoE

June 22, 2026 - NIST Workshop on Hardware CPE and CVSS Updates

One-day workshop on hardware representation in Common Platform Enumeration

Disclaimer

This briefing is generated using AI analysis of public news sources. Always verify critical information through authoritative sources before taking action.