Active exploitation of Ivanti EPMM and Palo Alto PAN-OS vulnerabilities alongside new Linux RAT and cloud credential harvesting campaigns
Summary
Wide-ranging exploitation activity was observed this week, encompassing critical software vulnerabilities, new Linux malware families, cloud-focused credential theft, and espionage operations masquerading as ransomware. Attackers are weaponizing CVE-2026-6973 in Ivanti Endpoint Manager Mobile (EPMM) for remote code execution with administrative privileges, while Palo Alto PAN-OS CVE-2026-0300 is being exploited to achieve root-level access on PA-Series and VM-Series firewalls. Concurrently, a new modular Linux remote access trojan named Quasar Linux RAT (QLNX) has emerged with P2P mesh networking, kernel-level rootkit capabilities, and PAM authentication backdoors, enabling resilient persistence and lateral movement across Linux and cloud infrastructure. Credential harvesting campaigns are escalating: one campaign has replaced TeamPCP malware to steal cloud and developer credentials while propagating via open cloud infrastructure and Common Crawl data. The Iranian state-sponsored actor MuddyWater conducted an espionage operation disguised as Chaos ransomware activity to obscure its true objectives. Supply chain compromises affected DAEMON Tools and JDownloader, delivering data miners, QUIC RAT implants, and Python-based RATs. Phishing campaigns are increasingly leveraging legitimate Remote Monitoring and Management (RMM) tools such as SimpleHelp and ScreenConnect to establish persistent remote access. The combined impact includes unauthorized access to enterprise networks, cloud environments, and operational technology systems, with demonstrated ability to exfiltrate data, deploy secondary payloads, and persist across reboots and updates.
Timeline
- 11.05.2026 15:36 · 1 article · 3h ago
  Multiple high-impact software flaws exploited in the wild as Linux RAT and cloud credential harvesting campaigns expand
  Active exploitation of CVE-2026-6973 (Ivanti EPMM) and CVE-2026-0300 (Palo Alto PAN-OS) was observed this week, enabling authenticated remote code execution and unauthenticated root-level access respectively. Concurrently, the modular Linux RAT Quasar Linux (QLNX) emerged with P2P mesh networking and kernel-level evasion, while cloud credential harvesting campaigns replaced TeamPCP malware with PCPJack to steal credentials and propagate laterally across open cloud infrastructure. DAEMON Tools and JDownloader supply chain compromises delivered miners and RATs, including QUIC RAT and Python-based payloads. MuddyWater conducted espionage under Chaos ransomware cover. The RMM tools SimpleHelp and ScreenConnect are now being abused for persistent remote access in phishing campaigns.
  Sources:
  - ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More — thehackernews.com — 11.05.2026 15:36
Information Snippets
- CVE-2026-6973 in Ivanti Endpoint Manager Mobile (EPMM) is being actively exploited to allow authenticated administrators to execute remote code via improper input validation.
  First reported: 11.05.2026 15:36 · 1 source, 1 article
  - ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More — thehackernews.com — 11.05.2026 15:36
- Palo Alto Networks PAN-OS CVE-2026-0300, a memory corruption flaw in the authentication portal, is under active exploitation, enabling unauthenticated attackers to achieve root-level code execution on PA-Series and VM-Series firewalls.
  First reported: 11.05.2026 15:36 · 1 source, 1 article
  - ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More — thehackernews.com — 11.05.2026 15:36
- Censys estimates that approximately 263,000 internet-exposed hosts running PAN-OS are potentially vulnerable to CVE-2026-0300 ahead of patches scheduled for May 13, 2026.
  First reported: 11.05.2026 15:36 · 1 source, 1 article
  - ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More — thehackernews.com — 11.05.2026 15:36
- Quasar Linux RAT (QLNX) is a modular Linux implant featuring P2P mesh networking, kernel-level rootkit functionality via LD_PRELOAD, PAM-based authentication backdoors, and persistence mechanisms that mimic legitimate Linux services to evade detection.
  First reported: 11.05.2026 15:36 · 1 source, 1 article
  - ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More — thehackernews.com — 11.05.2026 15:36
- A new campaign has replaced TeamPCP malware with PCPJack malware to harvest credentials from cloud, container, developer, productivity, and financial services, while propagating laterally and targeting open cloud infrastructure, using Common Crawl data for discovery.
  First reported: 11.05.2026 15:36 · 1 source, 1 article
  - ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More — thehackernews.com — 11.05.2026 15:36
- The Iranian state-sponsored group MuddyWater conducted a 2026 intrusion campaign masquerading as Chaos ransomware activity, performing reconnaissance, credential harvesting, and data exfiltration without deploying file-encrypting ransomware; the victim was added to the Chaos leak site as cover.
  First reported: 11.05.2026 15:36 · 1 source, 1 article
  - ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More — thehackernews.com — 11.05.2026 15:36
- A DAEMON Tools supply chain attack compromised installers, affecting users in over 100 countries; the malicious versions delivered a data miner to most victims and selectively deployed QUIC RAT to targets in the retail, scientific, government, and manufacturing sectors in Russia, Belarus, and Thailand, including one educational institution in Russia.
  First reported: 11.05.2026 15:36 · 1 source, 1 article
  - ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More — thehackernews.com — 11.05.2026 15:36
- The JDownloader website was compromised on May 6, 2026, at 12:01 UTC to distribute malicious installers embedding malicious shell code (Linux) and Python-based RATs (Windows) that enlist devices into a botnet and execute arbitrary Python code supplied by the operator.
  First reported: 11.05.2026 15:36 · 1 source, 1 article
  - ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More — thehackernews.com — 11.05.2026 15:36
- The legitimate Remote Monitoring and Management (RMM) tools SimpleHelp and ScreenConnect are being weaponized in phishing campaigns to establish persistent remote access to compromised hosts across multiple industries, avoiding traditional malware in order to blend in with normal operations.
  First reported: 11.05.2026 15:36 · 1 source, 1 article
  - ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More — thehackernews.com — 11.05.2026 15:36