Patch Tuesday Analysis · May 2026 May 2026 Patch Tuesday: No Zero-Days for the First Time in 23 Months, but Three Unauthenticated 9.8 RCEs in the Queue Microsoft fixes 118 to 138 CVEs depending on methodology, including 16 critical, with no actively exploited or publicly disclosed vulnerability. First Patch Tuesday without a zero-day since June…
CTI Analysis · Unpatched Windows Vulnerability MiniPlasma: Chaotic Eclipse Reopens cldflt.sys and Revives the Question of Microsoft Patch Durability A fifth uncoordinated public disclosure in six weeks, a PoC targeting the Windows Cloud Files Mini Filter Driver, and an extraordinary claim: the CVE-2020-17103 patch would not be present on fully patched Windows 11 and Windows…
CTI Analysis · Disclosure Doctrine The Embargo Isn’t Dead Everywhere: What the AMD-SB-7052 Disclosure Reminds Us Seven months of embargo, no leak, successful multi-actor coordination. In the middle of a series documenting the erosion of responsible disclosure, the AMD-SB-7052 case deserves to be read for what it is: a demonstration that the classical model still…
CTI Analysis · Critical Vulnerability BitLocker Is No Longer a Promise: What the YellowKey Case Reveals Two Windows zero-days disclosed without coordination, a researcher openly challenging Microsoft, and a phantom component in the Windows Recovery Environment whose true nature, bug or backdoor, no one can yet determine. Published May 14, 2026 Reading time 15 minutes…
Universal Local Privilege Escalation in the Linux Kernel Executive summary On May 7, 2026, researcher Hyunwoo Kim (alias @v4bel) publicly disclosed a new class of Linux kernel vulnerabilities named Dirty Frag (1) (2). This disclosure, brought forward as a result of an embargo break by an unrelated third party, exposes an exploitation chain combining two…
TLP:CLEAR | CTI Team | Updated: March 2026 1. IDENTIFICATION & ATTRIBUTION Designations (vendor aliases) The group is tracked under the following designations: Agrius (SentinelLabs), Agonizing Serpens (Palo Alto Networks Unit 42), Pink Sandstorm (Microsoft, formerly Americium), Marshtreader (Security.com), BlackShadow (public hack-and-leak persona), DEV-0022 (Microsoft pre-attribution). Additional alias: G1030 (MITRE ATT&CK). Origin Iran. Presumed sponsor…
TLP:CLEAR | CTI Team | Updated: March 2026 1. IDENTIFICATION & ATTRIBUTION Designations (vendor aliases) The group is tracked under the following designations by vendors: APT42 (Mandiant/Google TI, reference designation : first public documentation September 2022), Damselfly (Mandiant internal), UNC788 (Mandiant pre-attribution), CALANQUE (Google Threat Analysis Group), OwlSandstorm (Microsoft), Yellow Garuda (PwC), ITG18 (IBM X-Force).…
TLP:CLEAR | CTI Team | Updated: March 2026 1. IDENTIFICATION & ATTRIBUTION Designations (vendor aliases) The group is tracked under the following designations by vendors: APT39 (Mandiant/Google TI, reference designation), Chafer (Symantec, CrowdStrike), REMIX KITTEN (CrowdStrike), Burgundy Sandstorm (Microsoft), Radio Serpens (ESET), COBALT HICKMAN (SecureWorks), ITG07 (IBM X-Force), TA454 (Proofpoint), Cadelspy (Symantec), Remexi (Kaspersky). Additional…
Technical and Strategic AnalysisFBI/CISA PSA I-032026-PSA — March 20, 2026 | TLP:CLEAR 1. Executive Summary — Board Level / Strategic View On March 20, 2026, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) jointly published a public service announcement (PSA I-032026-PSA) alerting the public to an active campaign by…
