Threat Watch Feed
🚩 – IOCs Added
The red flag indicates that Indicators of Compromise (IOCs) have been added to SRA’s Threat Feed used by CyberSOC clients. Articles may not be flagged if IOCs are not available at the time or are not applicable to the article.
🚩 The Gentlemen ransomware combines strong cryptography with worm-like self-propagation to rapidly compromise enterprise networks.
Microsoft Threat Intelligence published new research on “The Gentlemen,” a rapidly growing ransomware-as-a-service (RaaS) operation tracked as Storm-2697. Active since mid-2025, the group evolved from a closed ransomware crew into a broader affiliate-driven ecosystem and recently partnered with BreachForums to recruit penetration testers and initial access brokers. The ransomware targets organizations across healthcare, education, transportation, finance, and other sectors globally. Written in Go and obfuscated with Garble, the malware combines double extortion tactics with aggressive lateral movement capabilities designed to maximize operational impact once initial access is achieved.
Unlike many ransomware families that focus primarily on encryption, The Gentlemen incorporates extensive self-propagation functionality that behaves similarly to a network worm. The malware attempts 21 different lateral movement execution paths per target system using PsExec, WMI, scheduled tasks, PowerShell remoting, Windows services, SMB shares, and SYSTEM-level task creation. Prior to encryption, it disables Microsoft Defender, deletes shadow copies and event logs, clears PowerShell history, terminates backup and EDR services, and weakens remote system defenses through automated PowerShell scripts. The ransomware uses Curve25519 and XChaCha20 cryptography with per-file ephemeral keys, partially encrypts large files for speed, appends the .umc16h extension, and can optionally wipe free disk space to prevent forensic recovery.
Impact: Successful compromise can lead to rapid enterprise-wide ransomware propagation, widespread encryption of local and network shares, theft of sensitive data for double extortion, disruption of backup and recovery operations, and long-term operational outages. The malware’s extensive defense evasion and multi-path lateral movement significantly increase the likelihood of full-domain compromise once a single system is infected.
Recommendation:
- Enable tamper protection, cloud-delivered protection, EDR in block mode, automated investigation and remediation, and ransomware-focused attack surface reduction rules where available.
- Block or tightly control PsExec, WMIC, WMI remote process creation, PowerShell remoting, remote scheduled task creation, and remote service creation unless explicitly required.
- Monitor for The Gentlemen command-line arguments, including --password, --full, --system, --shares, --spread, --fast, --superfast, --ultrafast, --wipe, and --keep.
- Hunt for scheduled tasks or services named gentlemen_system, UpdateSystem, UpdateUser, DefU, UpdateGU, UpdateGU2, DefSvc, UpdateSvc, or UpdateSvc2.
- Monitor for Defender tampering, broad AV exclusions, disabled firewall profiles, SMB1 enablement, permissive anonymous share settings, and creation of hidden SMB shares such as share$.
- Alert on shadow copy deletion, event log clearing, PowerShell history deletion, prefetch removal, and deletion of Defender diagnostic or support logs.
- Review for ransomware staging in C:\Temp, PsExec execution from unusual locations, and payload execution through remote shares or C:\Temp on multiple hosts.
- Monitor for mass file renaming to .umc16h, ransom notes named README-GENTLEMEN.txt, and wallpaper changes involving gentlemen.bmp.
- Ensure backups are isolated, immutable where possible, and protected from domain administrator compromise or ransomware-driven deletion.
- Add the published The Gentlemen ransomware encryptor hash, PsExec hash, and wallpaper bitmap hash to detection workflows.
- Enable tamper protection and cloud-delivered protection within Microsoft Defender or equivalent endpoint security platforms.
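The command-line switches, task names and file artifacts in the list above can be folded into one hunting rule over process-creation telemetry. The following is an added example and not SRA's or Microsoft's code; the event records are constructed Sysmon-style dictionaries whose field names (host, image, cmdline) are assumptions, and the two-switch alert threshold is an analyst's choice.

```python
"""Hunt for The Gentlemen ransomware artifacts in process-creation telemetry.

Added example, not SRA's or Microsoft's code. Event records are constructed
Sysmon-style dictionaries; the field names are assumptions.
"""
import re

# Encryptor switches listed in the bulletin; whole-word match so that
# unrelated options such as --full-history or --keep-cr do not fire.
SWITCH_RE = re.compile(
    r"(?<![\w-])--(password|full|system|shares|spread|fast|superfast|"
    r"ultrafast|wipe|keep)(?![\w-])")
# Scheduled task / service names listed in the bulletin (case-insensitive).
TASK_NAMES = {n.lower() for n in (
    "gentlemen_system", "UpdateSystem", "UpdateUser", "DefU", "UpdateGU",
    "UpdateGU2", "DefSvc", "UpdateSvc", "UpdateSvc2")}
# Encryption artifacts: extension, ransom note and wallpaper.
ARTIFACT_RE = re.compile(r"\.umc16h(?!\w)|README-GENTLEMEN\.txt|gentlemen\.bmp", re.I)
STAGING_DIR = "c:\\temp\\"


def triage(event: dict) -> dict:
    """Return every Gentlemen indicator found in one process-creation event."""
    cmd = event.get("cmdline", "")
    switches = set(SWITCH_RE.findall(cmd))
    tokens = re.findall(r"[\w$.-]+", cmd)
    task_names = {t for t in tokens if t.lower() in TASK_NAMES}
    artifacts = {m.lower() for m in ARTIFACT_RE.findall(cmd)}
    staged = event.get("image", "").lower().startswith(STAGING_DIR)
    # Threshold (analyst's choice): one switch alone is too common to alert
    # on, so require two, or one switch launched from the C:\Temp staging
    # directory, or any task name / encryption artifact.
    suspicious = bool(len(switches) >= 2 or (switches and staged)
                      or task_names or artifacts)
    return {"switches": switches, "task_names": task_names,
            "artifacts": artifacts, "staged_in_temp": staged,
            "suspicious": suspicious}


def hunt(events):
    """Return (event, findings) for every event that triage() flags."""
    return [(e, f) for e in events if (f := triage(e))["suspicious"]]


# Constructed sample telemetry: two malicious events on WS01, one benign on WS02.
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Temp\svc.exe",
     "cmdline": r"C:\Temp\svc.exe --password Xy --spread --shares --fast"},
    {"host": "WS01", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /tn UpdateSvc2 /ru SYSTEM /tr C:\Temp\svc.exe --system"},
    {"host": "WS02", "image": r"C:\Program Files\Git\cmd\git.exe",
     "cmdline": "git log --full-history --keep-cr -- README.md"},
]

if __name__ == "__main__":
    for event, findings in hunt(SAMPLE_EVENTS):
        print(event["host"], findings)
```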
Critical Gogs Vulnerability Enables Authenticated Remote Code Execution Through Malicious Git Rebase Operations
Researchers at Rapid7 disclosed a critical remote code execution (RCE) vulnerability affecting Gogs, an open-source self-hosted Git service. The vulnerability allows an authenticated user to execute arbitrary commands on a vulnerable server by abusing the “Rebase before merging” feature. The flaw stems from improper handling of attacker-controlled branch names during Git rebase operations. An attacker can create a specially crafted branch name containing the --exec argument, which Git interprets as a command execution flag during the rebase process. The attack does not require administrative privileges or interaction from another user. In default Gogs deployments that allow public registration and repository creation, an attacker can create an account, establish a repository, enable rebase merging, and execute the exploit chain independently. Rapid7 assigned the vulnerability a CVSS score of 9.4 and confirmed that the issue affects multiple platforms, including Linux, Windows, and macOS. As of publication, Gogs has not released an official patch for the vulnerability.
Impact: This vulnerability may allow attackers to gain remote code execution on affected Gogs servers and potentially take full control of the underlying system. Successful exploitation could enable threat actors to access private repositories, extract credentials, modify source code, deploy malicious updates, or move laterally to other systems connected to the network. Organizations that use Gogs to manage internal software development or shared repositories face an elevated risk of cross-tenant data exposure and software supply chain compromise. Internet-facing Gogs instances that permit user registration or unrestricted repository creation are particularly vulnerable because attackers can exploit the flaw with minimal access. The public release of a Metasploit module that automates exploitation further increases the likelihood of active attacks against unpatched systems.
Recommendation: Organizations should immediately restrict access to Gogs environments by disabling public user registration and limiting repository creation to trusted users only. Administrators should disable the “Rebase before merging” feature wherever operationally feasible until an official patch becomes available. Security teams should review repository permissions to ensure that only authorized users maintain write or merge access. Organizations should also monitor server logs for suspicious branch names containing --exec or abnormal Git rebase activity, including repeated HTTP 500 errors associated with merge operations. Teams should isolate internet-facing Gogs instances from sensitive internal systems and ensure backups of repositories and configuration files remain current. In the long term, organizations should establish secure development platform hardening standards, implement least-privilege access controls, and maintain continuous monitoring of software development infrastructure for signs of abuse or unauthorized changes.
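The root cause above is an attacker-controlled branch name reaching git's argv where git can read it as an option. The following is an added example, not Gogs' or Rapid7's code: a refname validator applying git's check-ref-format rules plus a leading-dash ban, an argv builder that also terminates option parsing with "--", and a hunting helper for option-shaped names already present in a repository. The sample branch names are constructed.

```python
"""Refname validation for a service that drives the git CLI.

Added example, not Gogs' or Rapid7's code. A user-supplied branch name must
never reach git's argv in a position where git could parse it as an option;
this check applies git's check-ref-format rules plus a leading-dash ban, and
the argv builder terminates option parsing with "--" as well.
"""

FORBIDDEN_CHARS = set(" ~^:?*[\\")


def is_valid_refname(name: str) -> bool:
    """True only for names 'git check-ref-format --allow-onelevel' accepts
    and that cannot be mistaken for a command-line option."""
    if not name or name == "@" or name.startswith("-"):
        return False
    if name.startswith("/") or name.endswith("/") or "//" in name:
        return False
    if name.endswith(".") or ".." in name or "@{" in name:
        return False
    if any(ord(c) < 0x20 or ord(c) == 0x7F or c in FORBIDDEN_CHARS for c in name):
        return False
    # No path component may begin with "." or end with ".lock".
    return all(not comp.startswith(".") and not comp.endswith(".lock")
               for comp in name.split("/"))


def rebase_argv(repo_dir: str, upstream: str, branch: str) -> list:
    """Build argv for 'git rebase <upstream> <branch>' with both names validated
    and placed after '--' so git treats them as positional arguments only."""
    for ref in (upstream, branch):
        if not is_valid_refname(ref):
            raise ValueError(f"refusing to pass unsafe refname to git: {ref!r}")
    return ["git", "-C", repo_dir, "rebase", "--", upstream, branch]


def audit_branch_names(names):
    """Hunting helper: given the short branch names of an existing repository
    (e.g. from 'git for-each-ref --format=%(refname:short) refs/heads'),
    return the ones that fail validation."""
    return [n for n in names if not is_valid_refname(n)]


# Constructed sample: names as they might arrive in a request or a ref listing.
SAMPLE_NAMES = ["main", "feature/login-fix", "release-1.2", "--exec",
                "-x", "bad..name", "refs/heads/ok", "feature/.hidden", "lock.lock"]

if __name__ == "__main__":
    print(audit_branch_names(SAMPLE_NAMES))
    print(rebase_argv("/srv/git/repo1", "main", "feature/login-fix"))
```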
🚩 Russia-Nexus Threat Group GREYVIBE Conducts Persistent Espionage Campaigns Against Ukrainian Military, Government, and Civilian Targets Using AI-Assisted Custom Malware
WithSecure disclosed an ongoing and persistent set of intrusion activity targeting Ukraine and Ukraine-related entities, attributed to a previously untracked threat group designated GREYVIBE. The group has been active since at least August 2025 and targets military, government, civilian, and business entities, with victimology consistent with Russian state intelligence-gathering objectives in the context of the Russia-Ukraine war. WithSecure assesses with moderate confidence that the group has ties to the broader cybercrime ecosystem and may involve current or former cybercriminal actors, though its exact relationship to the Russian state remains unclear.
GREYVIBE employs multiple delivery vectors including spearphishing emails with malicious archives, ClickFix-style fake CAPTCHA pages, and fraudulent Ukrainian adult-club websites. These campaigns deliver a family of custom malware including PhantomRelay, a PowerShell-based RAT; LegionRelay, a lightweight PowerShell RAT communicating via REST API; and FallSpy, an Android spyware targeting contacts, call logs, location data, and media files. The group uses custom obfuscators including DAYLIGHT and TEASOUP, which are rotated regularly, and has demonstrated systematic use of generative AI tools including ChatGPT, Google Gemini, and Ideogram AI across lure development, malware development, and post-compromise activity. Exploitation is confirmed in the wild.
Impact: Successful compromise provides attackers with persistent remote access, enabling file enumeration and exfiltration, browser credential theft, screenshot capture, RDP access setup, and Telegram and WhatsApp data collection. The PrincessClub campaign introduced a WebRTC-based live call feature on lure sites that can capture victim audio and video post-infection, representing a potential human intelligence collection capability. The group’s systematic use of AI to generate and refactor tooling may reduce the reliability of signature and artifact-based detection over time, and could accelerate the group’s ability to diversify its operational footprint and complicate continuous tracking and attribution efforts.
Recommendation:
- Alert on PowerShell-based RAT behaviors consistent with PhantomRelay and LegionRelay, including WebSocket-based C2 communication, dynamic execution of operator-delivered scripts, and PowerShell processes performing file enumeration, screenshot capture, or credential access.
- Monitor for execution of heavily obfuscated PowerShell or JavaScript payloads delivered via archive files sourced from third-party file sharing services such as Google Drive and 4sync.
- Implement email security controls that inspect and quarantine ZIP and RAR attachments delivered via spearphishing, particularly those using Ukrainian government or energy sector lures.
- Alert on browser launches to domains masquerading as CAPTCHA verification or Cloudflare security checks that prompt users to run terminal or PowerShell commands.
- For organizations with Android device exposure, deploy mobile threat defense coverage and monitor for FallSpy indicators including unauthorized access to contacts, call logs, location data, and media files.
- Train users that fake CAPTCHA pages, adult content sites, and charitable donation sites are active delivery vectors in this campaign, and that no legitimate verification process requires running commands on a local device.
FortiClient EMS Vulnerability CVE-2026-35616 Exploited in Active Campaign to Deliver Credential-Stealing Malware Disguised as a Legitimate Fortinet Patch Across Managed Endpoints
Arctic Wolf disclosed an active campaign exploiting CVE-2026-35616, an improper access control vulnerability in Fortinet’s FortiClient Endpoint Management Server. The vulnerability affects FortiClient EMS deployments and was first reported to Fortinet on March 31, 2026 after being observed exploited in the wild. The campaign abuses FortiClient EMS management infrastructure to deliver a previously unreported credential stealer, designated EKZ Infostealer, across all endpoints managed by a compromised EMS instance.
CVE-2026-35616 allows unauthenticated attackers to bypass API authentication and send privileged requests to FortiClient EMS, effectively gaining administrative access without valid credentials. Following exploitation, attackers modified Remote Access Profile configurations to insert malicious scripts that execute automatically when managed endpoints establish a VPN tunnel. This triggered a process chain originating from FortiClient’s own components, downloading and silently executing a credential stealer named FortiEndpoint_Patch.exe via base64-encoded PowerShell. EKZ Infostealer extracts credentials, session cookies, and autofill data from Chromium and Firefox-family browsers, stages results locally, and exfiltrates them via HTTP POST to attacker-controlled infrastructure at 83.138.53.110. Exploitation is confirmed in the wild.
Impact: Because exploitation occurs at the EMS management layer, a single successful intrusion provides a path to execute malicious code across every endpoint in the managed fleet without requiring individual device compromise. Harvested session cookies may allow attackers to access cloud services and internal applications while bypassing MFA prompts. The payload’s masquerade as a legitimate Fortinet update and its execution through trusted FortiClient process chains reduces the likelihood of user detection and may complicate endpoint security alerting in environments that whitelist FortiClient activity.
Recommendation:
- Upgrade FortiClient EMS to a fixed version as a priority given confirmed active exploitation; consult Fortinet’s advisory for affected and patched version details.
- Restrict network access to the FortiClient EMS management port 8013 to explicitly trusted IP ranges only, reducing the attack surface for unauthenticated exploitation attempts.
- Review FortiClient EMS logs for the exploitation indicators documented by Arctic Wolf, specifically the log line “Certificate not found in request header” followed within seconds by “Certificate user: fortinet-ca2 … successfully updated.”
- Audit Remote Access Profile and endpoint policy configurations for unauthorized on_connect script directives or recently modified script execution settings.
- Hunt for the known malicious indicator 83.138.53.110 across network logs, focusing on HTTP downloads from that IP and subsequent HTTP POST exfiltration activity from the same endpoints.
- Alert on PowerShell execution spawned by fortitray.exe or ipsec.exe, particularly invocations involving base64-encoded commands or downloads from raw IP addresses.
- Monitor for creation of log.txt in C:\ProgramData and executable staging in that directory, followed by HTTP POST activity and subsequent file deletion, which matches the observed exfiltration and cleanup pattern.
- Ingest the full IOC list published in Arctic Wolf’s GitHub repository into endpoint and network detection controls.
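Two of the hunts above (the paired EMS log lines, and PowerShell spawned by FortiClient components) can be expressed as code. The following is an added example, not Arctic Wolf's or Fortinet's code: the EMS log line layout (timestamp, level, message) and the process-event fields are assumptions, the sample log excerpt is constructed, and the quoted message texts and the 83.138.53.110 indicator come from the bulletin.

```python
"""Detections for the FortiClient EMS abuse chain described by Arctic Wolf.

Added example, not Arctic Wolf's or Fortinet's code. The EMS log line layout
(timestamp, level, message) and the process-event field names are assumptions;
the message texts and the 83.138.53.110 indicator come from the bulletin.
"""
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ (.*)$")
NO_CERT = "Certificate not found in request header"
# The bulletin quotes this line with an ellipsis, so it is matched as a pattern.
CERT_UPDATED = re.compile(r"Certificate user: fortinet-ca2 .* successfully updated")
KNOWN_BAD_IP = "83.138.53.110"
FORTI_PARENTS = {"fortitray.exe", "ipsec.exe"}
RAW_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}[/:\s]")


def correlate_ems_log(lines, window_seconds=10):
    """Return (t_no_cert, t_updated) pairs where the bypass signature
    'Certificate not found...' is followed within window_seconds by a
    successful certificate user update."""
    window = timedelta(seconds=window_seconds)
    pending, hits = [], []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(2)
        if NO_CERT in msg:
            pending.append(ts)
        elif CERT_UPDATED.search(msg):
            # Pair with the most recent bypass line inside the window.
            recent = [t for t in pending if ts - t <= window]
            if recent:
                hits.append((recent[-1], ts))
                pending.clear()
    return hits


def suspicious_forticlient_child(parent_image: str, cmdline: str) -> list:
    """Reasons a PowerShell child of a FortiClient component is suspicious."""
    reasons = []
    if parent_image.rsplit("\\", 1)[-1].lower() not in FORTI_PARENTS:
        return reasons
    low = cmdline.lower()
    if "powershell" in low and re.search(r"\s-(enc|encodedcommand|e)\s", low):
        reasons.append("base64-encoded PowerShell from FortiClient parent")
    if RAW_IP_URL.search(cmdline):
        reasons.append("download from raw IP address")
    if KNOWN_BAD_IP in cmdline:
        reasons.append(f"known indicator {KNOWN_BAD_IP}")
    return reasons


# Constructed sample EMS log excerpt (layout assumed).
SAMPLE_LOG = [
    "2026-04-01 09:12:01 INFO Health check ok",
    "2026-04-01 09:12:03 WARN Certificate not found in request header",
    "2026-04-01 09:12:05 INFO Certificate user: fortinet-ca2 (api) successfully updated",
    "2026-04-01 10:30:00 WARN Certificate not found in request header",
    "2026-04-01 10:45:00 INFO Certificate user: fortinet-ca2 (api) successfully updated",
]

if __name__ == "__main__":
    print(correlate_ems_log(SAMPLE_LOG))
```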
🚩 Chinese-Language PhaaS Ecosystem Expands Real-Time MFA Interception and Digital Wallet Fraud Capabilities
Google Threat Intelligence Group reported that Chinese-language phishing-as-a-service offerings are rapidly maturing into a distinct cybercrime ecosystem focused on scalable social engineering, real-time credential interception, and payment card monetization. GTIG analyzed a dozen active Chinese-language PhaaS services and found a shift away from static password harvesting toward live administrative panels that allow operators to capture credentials and one-time passcodes in real time. These services also increasingly use RCS and iMessage delivery to bypass traditional SMS filtering and make phishing lures appear more legitimate to victims.
The ecosystem’s monetization model focuses heavily on digital wallet provisioning, where attackers use stolen credentials, payment details, and OTPs to add a victim’s card to an attacker-controlled digital wallet for contactless payments, high-value transactions, or ATM withdrawals. GTIG also highlighted the YY Lai Yu platform, which supports phishing across 119 countries and offers more than 400 templates, with significant focus on Japanese brands, payment apps, banks, transit, e-commerce, gaming, and rewards programs. Several operators are also adopting AI-powered page generation and browser automation to clone legitimate websites dynamically, making each phishing page more unique and harder to detect using static signatures.
Impact: Organizations and consumers may face increased risk from phishing campaigns that bypass MFA through real-time OTP interception and exploit trusted communication channels such as RCS and iMessage. The focus on digital wallet provisioning creates direct financial fraud risk even when attackers do not maintain long-term account access. Financial institutions, retailers, telecom providers, payment platforms, and organizations with large customer bases may see more localized phishing campaigns that use region-specific brands, loyalty programs, subsidies, delivery notices, or account verification themes to increase victim trust.
Recommendation:
- Adopt phishing-resistant authentication such as FIDO2/WebAuthn for workforce and high-risk customer authentication where supported.
- Reduce reliance on SMS, OTP, and push-only MFA for sensitive transactions or account recovery workflows.
- Monitor for real-time phishing indicators, including repeated OTP requests, rapid failed-and-successful login sequences, new device enrollment, and suspicious session creation immediately after user interaction.
- Strengthen digital wallet provisioning controls with device fingerprinting, risk-based verification, step-up authentication, transaction velocity checks, and alerts for new wallet enrollment.
- Monitor for brand impersonation across localized domains, lookalike pages, loyalty point themes, subsidy lures, delivery notices, and payment app verification pages.
- Use on-device protections, mobile threat defense, and browser protections where possible, since encrypted messaging channels can limit server-side inspection.
🚩 Tycoon 2FA AiTM Kit Continues to Bypass MFA Across Entra ID and Google Workspace
Elastic Security Labs reported that Tycoon 2FA remains a prolific phishing-as-a-service platform used to conduct adversary-in-the-middle attacks against Microsoft 365 and Google Workspace accounts. The kit operates as a reverse proxy between the victim and the legitimate identity provider, relaying credentials and MFA challenges in real time so attackers can intercept authenticated session tokens after the victim completes MFA. Elastic noted that, despite a March 2026 takedown that seized more than 300 domains, operators adapted within weeks and continued using both classic WebSocket-based AiTM flows and Microsoft OAuth device code phishing.
The report highlights distinct telemetry patterns across Entra ID and Google Workspace. In Microsoft environments, Tycoon 2FA uses a two-tier model involving a cloud-hosted kit relay for token acquisition and renewal, followed by an operator console that performs post-compromise reconnaissance through Microsoft Graph API calls. The kit can also register a device and obtain primary refresh token persistence, which may survive standard session revocation if associated devices are not removed. In Google Workspace, Elastic observed a more compressed relay sequence involving successful login, second-factor verification, OAuth authorization for the Google Chrome client, and new device registration within roughly one second, with limited visibility from some native risk and alerting streams.
Impact: Successful Tycoon 2FA activity can allow attackers to bypass non-phishing-resistant MFA and access cloud accounts using stolen session tokens. In Microsoft 365, attackers may rapidly enumerate roles, mailbox settings, contacts, tenant relationships, licensing, applications, and organization details through Graph API calls. Device registration and PRT persistence can make containment harder if response actions only revoke sessions or reset passwords. In Google Workspace, attackers can establish authenticated Chrome OAuth sessions and register new devices, creating risk for account takeover, follow-on phishing, and cloud data access depending on the victim’s permissions and available applications.
Recommendation:
- Deploy phishing-resistant MFA such as FIDO2 security keys or passkeys for high-risk users and administrators.
- Enforce managed and compliant device requirements through Conditional Access or equivalent access controls where feasible.
- Block Microsoft OAuth device code flows except for explicitly approved kiosk, headless, or operational use cases.
- Enable token protection, token binding, Continuous Access Evaluation, and risk-based session controls where available.
- In Entra ID, monitor for Node.js-style user agents such as node, axios, undici, and node-fetch tied to Microsoft Authentication Broker or OfficeHome sign-ins.
- Hunt for cross-tier activity where the same user authenticates from a cloud-VPS ASN and a residential-shaped ASN within a short time window.
- Monitor Microsoft Graph for rapid multi-category reconnaissance bursts involving role assignments, tenant relationships, mailbox settings, contacts, organization metadata, licensing, and application inventory.
- During Microsoft 365 incident response, delete suspicious registered devices before revoking sessions to break device-PRT persistence.
- In Google Workspace, monitor for rapid sequences of login success, second-factor verification, Chrome OAuth authorization, and device registration from cloud-hosting ASNs.
- Hunt for bursts of device registrations, impossible travel, atypical ASNs, and repeated OAuth authorization using the Google Chrome client ID 77185425430.apps.googleusercontent.com.
- Treat successful AiTM alerts as time-sensitive and automate containment where possible, including account disablement, device removal, token revocation, and case creation.
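The two Entra ID hunts above (Node.js-style user agents on Authentication Broker or OfficeHome sign-ins, and the same user seen from a hosting ASN and a residential ASN within a short window) are shown below as an added example, not Elastic's or Microsoft's code. The sign-in records are constructed; their field names and the asn_class enrichment ("hosting" vs. "residential") are assumptions about the SIEM schema.

```python
"""Entra ID sign-in hunts for the Tycoon 2FA patterns Elastic described.

Added example, not Elastic's or Microsoft's code. Sign-in records are
constructed dictionaries; field names and the asn_class enrichment
("hosting" vs "residential") are assumptions about the SIEM schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# User agents the bulletin lists as Node.js-style; anchored at the start so
# that ordinary browser agents (Mozilla/5.0 ...) never match.
NODE_UA_RE = re.compile(r"^(node|axios|undici|node-fetch)(?=[/ ]|$)", re.I)
TARGET_APPS = {"Microsoft Authentication Broker", "OfficeHome"}


def node_ua_broker_signins(records):
    """Sign-ins where a Node.js-style user agent hits the Authentication
    Broker or OfficeHome application: the kit-relay tier of Tycoon 2FA."""
    return [r for r in records
            if NODE_UA_RE.match(r["user_agent"]) and r["app"] in TARGET_APPS]


def cross_tier_users(records, window_minutes=30):
    """Users seen from both a hosting/VPS ASN and a residential ASN within
    the window: relay tier and operator console acting on one account."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append((datetime.fromisoformat(r["time"]), r["asn_class"]))
    window = timedelta(minutes=window_minutes)
    flagged = []
    for user, events in by_user.items():
        hosting = [t for t, c in events if c == "hosting"]
        residential = [t for t, c in events if c == "residential"]
        if any(abs(h - res) <= window for h in hosting for res in residential):
            flagged.append(user)
    return sorted(flagged)


# Constructed sample sign-ins: a.lee shows both patterns, b.kim neither.
SAMPLE_SIGNINS = [
    {"user": "a.lee", "time": "2026-04-02T08:00:00", "user_agent": "axios/1.6.8",
     "app": "Microsoft Authentication Broker", "asn_class": "hosting"},
    {"user": "a.lee", "time": "2026-04-02T08:09:00",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
     "app": "OfficeHome", "asn_class": "residential"},
    {"user": "b.kim", "time": "2026-04-02T09:00:00",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
     "app": "OfficeHome", "asn_class": "residential"},
    {"user": "b.kim", "time": "2026-04-02T13:00:00", "user_agent": "node-fetch/3.3.2",
     "app": "Microsoft Teams", "asn_class": "hosting"},
]

if __name__ == "__main__":
    print([r["user"] for r in node_ua_broker_signins(SAMPLE_SIGNINS)])
    print(cross_tier_users(SAMPLE_SIGNINS))
```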
About TIGR Threat Watch
Our Threat Intelligence Gathering & Research (TIGR) team is focused on threat intelligence and curates a daily intelligence report, TIGR Threat Watch, with information collected from several industry intel sources. We also create and publish ad-hoc critical vulnerability notifications in case of critical and time-sensitive vulnerabilities or threats. These notifications include details and recommendations for mitigation/remediation.