TL;DR
F5 released patches for two critical NGINX RCE flaws (CVE-2026-42530, CVSS 9.2). Microsoft disclosed a Windows clipboard-stealing malware campaign active since February 2026 using USB worms and Tor C2. INC ransomware group claims 830+ victims since 2023, positioning itself as a major RaaS threat post-LockBit/BlackCat disruption.
Executive Summary
- F5 released patches for CVE-2026-42530 (CVSS 9.2), a critical use-after-free vulnerability in NGINX Open Source enabling remote code execution.
- Microsoft disclosed a Windows-based cryptocurrency clipper campaign active since February 2026 that deploys self-spreading USB worms via shortcut files and uses Tor-based command-and-control infrastructure.
- INC ransomware operation has emerged as a major RaaS threat with 830+ claimed victims since August 2023, capitalizing on disruptions to LockBit and BlackCat.
- Salesforce customers continue exposure through compromised third-party integrations; the Klue OAuth breach enabled the “Icarus” threat group to extract CRM data from multiple organizations in ongoing extortion attacks.
- Gentlemen ransomware gang actively develops and maintains multiple EDR evasion tools to disable endpoint protections during attacks.
Top Threats Today
1. Critical NGINX Remote Code Execution (CVE-2026-42530)
Severity: HIGH | Affected: Technology
F5 has released security updates addressing a critical use-after-free vulnerability in NGINX Open Source [1]. The flaw (CVE-2026-42530) carries a CVSS v4 score of 9.2 and enables remote code execution on affected systems [1]. Organizations running vulnerable NGINX versions should apply F5’s patches immediately to prevent exploitation.
Sources: [1] The Hacker News
Recommended Action
- Identify all systems running NGINX Open Source and determine their current version
- Apply F5’s released security patches without delay
- Monitor for exploitation attempts targeting the patched vulnerability in network logs
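An added example of the inventory step (not code from the page or from F5): it parses the banner that `nginx -V` prints, extracts the version and compiled-in modules, and ranks hosts by whether they sit below a fixed release. Because the summary above does not list affected or fixed versions, the fixed-version constant is a placeholder to be replaced with the value from F5's advisory; the sample banners and host names are constructed.

```python
"""Added example: inventory NGINX builds from `nginx -V` output.

The fixed version is a PLACEHOLDER; substitute the first fixed release named
in F5's advisory for CVE-2026-42530 before using the result for patch decisions.
"""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# PLACEHOLDER: first fixed release per F5's advisory ("0.0.0" means "not set").
FIXED_VERSION_PLACEHOLDER = "0.0.0"

_VERSION_RE = re.compile(r"nginx version: nginx/(\d+)\.(\d+)\.(\d+)")
_MODULE_RE = re.compile(r"--with-([A-Za-z0-9_]+_module)")


def parse_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from `nginx -v`/`nginx -V` output, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def parse_modules(banner: str) -> List[str]:
    """Compiled-in --with-*_module flags from the 'configure arguments:' line."""
    return _MODULE_RE.findall(banner)


def needs_patch(version: Tuple[int, int, int], fixed: str) -> bool:
    """True when the running build predates the fixed release."""
    fixed_tuple = tuple(int(x) for x in fixed.split("."))
    return version < fixed_tuple


def assess(host: str, banner: str, fixed: str = FIXED_VERSION_PLACEHOLDER) -> Dict[str, object]:
    """One inventory row: version, compiled modules, and whether to patch."""
    version = parse_version(banner)
    return {
        "host": host,
        "version": version,
        "modules": parse_modules(banner),
        # An unparseable banner is treated as "needs review", never as safe.
        "needs_patch": version is None or needs_patch(version, fixed),
    }


def local_banner() -> str:
    """Run `nginx -V` on this host; nginx prints its banner on stderr."""
    try:
        proc = subprocess.run(["nginx", "-V"], capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return ""
    return proc.stderr + proc.stdout


# Constructed sample banners standing in for output collected from two hosts.
SAMPLE_BANNERS = {
    "web-01": (
        "nginx version: nginx/1.24.0\n"
        "built by gcc 12.2.0 (Debian 12.2.0-14)\n"
        "built with OpenSSL 3.0.11 19 Sep 2023\n"
        "TLS SNI support enabled\n"
        "configure arguments: --prefix=/etc/nginx --with-http_ssl_module "
        "--with-http_v2_module --with-stream\n"
    ),
    "web-02": "nginx version: nginx/1.27.4\nconfigure arguments: --with-http_ssl_module\n",
}


def inventory(banners: Dict[str, str], fixed: str = FIXED_VERSION_PLACEHOLDER) -> List[Dict[str, object]]:
    """Assess every host, listing those that need a patch first."""
    rows = [assess(host, banner, fixed) for host, banner in banners.items()]
    return sorted(rows, key=lambda r: not r["needs_patch"])


if __name__ == "__main__":
    # "1.27.4" is a constructed demo threshold, not F5's fixed version.
    for row in inventory(SAMPLE_BANNERS, fixed="1.27.4"):
        print(row)
```

In a fleet, replace `SAMPLE_BANNERS` with banners gathered over your configuration-management or SSH tooling; `local_banner()` shows the single-host form.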
2. Windows Clipboard-Stealing Malware Campaign (Active Since February 2026)
Severity: HIGH | Affected: Technology
Microsoft has disclosed details of an active Windows-based cryptocurrency clipper campaign targeting users since February 2026 [1]. The attack chain relies on self-spreading USB worms delivered via Windows shortcut (.LNK) files, Windows Script Host, and ActiveX logic to launch a bundled Tor proxy and establish communication with hidden-service command-and-control infrastructure [1][2]. The malware intercepts clipboard data to redirect cryptocurrency transactions, making it a direct financial threat to cryptocurrency users.
Sources: [1] The Hacker News; [2] BleepingComputer
Recommended Action
- Educate users on risks of connecting unknown USB devices and opening suspicious .LNK files
- Deploy behavioral detection rules for Windows Script Host and ActiveX execution patterns associated with Tor proxies
- Monitor for Tor proxy processes spawned by script execution and block known hidden-service C2 addresses at the network edge
- Segment cryptocurrency-related systems and enforce hardware wallet use where feasible
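An added example of the detection rule described in the second and third bullets (not code from the page or from Microsoft's report): it reads process-creation records and flags a Tor daemon whose parent is Windows Script Host, a Tor binary outside system directories, and script-host invocations whose script lives on a non-system drive or in a user-writable folder. The records are constructed and use this example's own field names rather than a vendor schema; the path heuristics and the "non-C: drive means possible removable media" rule are assumptions.

```python
"""Added example: flag Tor proxy launches that descend from Windows Script Host.

Input records are constructed process-creation events with the fields
image, cmd, parent_image and parent_cmd (this example's own naming).
"""
import json
import re
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Tor configuration options that identify a Tor daemon when passed on the command line.
TOR_CMD_MARKERS = ("socksport", "controlport", "hiddenservicedir", "-f torrc")
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")
_DRIVE_RE = re.compile(r"\b([A-Za-z]):\\")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def looks_like_tor(image: str, cmd: str) -> bool:
    cmd_l = cmd.lower()
    return basename(image) == "tor.exe" or any(m in cmd_l for m in TOR_CMD_MARKERS)


def non_system_drives(cmd: str) -> List[str]:
    """Drive letters other than C: referenced in a command line (assumption: possible removable media)."""
    return sorted({d.upper() for d in _DRIVE_RE.findall(cmd) if d.upper() != "C"})


def evaluate(rec: Dict[str, str]) -> List[str]:
    """Return the reasons a process-creation record is suspicious (empty list = nothing found)."""
    reasons: List[str] = []
    image, cmd = rec.get("image", ""), rec.get("cmd", "")
    parent, parent_cmd = rec.get("parent_image", ""), rec.get("parent_cmd", "")
    tor = looks_like_tor(image, cmd)
    from_script_host = basename(parent) in SCRIPT_HOSTS
    if tor and from_script_host:
        reasons.append("tor launched by Windows Script Host")
    if tor and not image.lower().startswith(SYSTEM_DIRS):
        reasons.append("tor binary outside system/program directories")
    if from_script_host and any(h in parent_cmd.lower() for h in USER_WRITABLE_HINTS):
        reasons.append("script host running a script from a user-writable path")
    drives = non_system_drives(parent_cmd) if from_script_host else []
    if drives:
        reasons.append(f"script host running a script from drive {','.join(drives)}: (possible removable media)")
    return reasons


def detect(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Turn records into alerts; the script-host-to-tor chain is rated high, the rest low."""
    alerts = []
    for rec in records:
        reasons = evaluate(rec)
        if not reasons:
            continue
        high = any("Windows Script Host" in r for r in reasons)
        alerts.append({"host": rec.get("host", "?"), "image": rec.get("image", ""),
                       "severity": "high" if high else "low", "reasons": reasons})
    return alerts


def detect_jsonl(text: str) -> List[Dict[str, object]]:
    """Same as detect(), for newline-delimited JSON as exported by most log pipelines."""
    return detect([json.loads(line) for line in text.splitlines() if line.strip()])


# Constructed sample telemetry: one malicious chain, one benign launch, one Tor Browser start.
SAMPLE_EVENTS = [
    {"ts": "2026-03-02T09:14:07Z", "host": "ws-17", "user": "alice",
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\svc\\tor.exe",
     "cmd": "tor.exe -f torrc SocksPort 9150",
     "parent_image": "C:\\Windows\\System32\\wscript.exe",
     "parent_cmd": "wscript.exe //B \"E:\\update.js\""},
    {"ts": "2026-03-02T09:20:11Z", "host": "ws-17", "user": "alice",
     "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "cmd": "chrome.exe", "parent_image": "C:\\Windows\\explorer.exe", "parent_cmd": "explorer.exe"},
    {"ts": "2026-03-02T11:02:45Z", "host": "ws-22", "user": "bob",
     "image": "C:\\Users\\bob\\Desktop\\Tor Browser\\Browser\\TorBrowser\\Tor\\tor.exe",
     "cmd": "tor.exe -f torrc-defaults",
     "parent_image": "C:\\Users\\bob\\Desktop\\Tor Browser\\Browser\\firefox.exe",
     "parent_cmd": "firefox.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"], alert["host"], alert["image"], "|", "; ".join(alert["reasons"]))
```

The low-severity path keeps a legitimately installed Tor Browser visible for review without paging anyone; the high-severity path is the script-host chain the campaign description above relies on.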
3. INC Ransomware: Prolific RaaS Operation with 830+ Victims
Severity: HIGH | Affected: Technology
Cybersecurity researchers have documented the evolution of INC from an emerging ransomware-as-a-service (RaaS) operation to one of the most prolific cybercrime groups in 2026, claiming no fewer than 830 victims since August 2023 [1]. The group has capitalized on the disruptions to LockBit and BlackCat to attract affiliates and expand its victim base [1]. As a maturing RaaS platform offering revenue-sharing models to affiliates, INC poses an elevated threat to organizations across all sectors.
Sources: [1] The Hacker News
Recommended Action
- Review and harden remote access controls (VPN, RDP, SSH); enforce multi-factor authentication
- Implement immutable backup strategies with air-gapped or offline copies
- Monitor for suspicious lateral movement and data exfiltration patterns in network traffic
- Maintain current incident response and ransomware playbooks with regular tabletop exercises
4. Salesforce Data Theft via Compromised Klue Integration
Severity: HIGH | Affected: Technology
Market intelligence platform Klue suffered an OAuth breach that enabled the “Icarus” threat group to steal Salesforce CRM data from multiple organizations in an ongoing extortion campaign [1]. Klue’s Battlecards integration has now become the third integrated application compromised for Salesforce data theft; victims reportedly include cybersecurity vendor Huntress [1][2]. This pattern demonstrates the persistent risk of trusting third-party application integrations with sensitive customer relationship management systems.
Sources: [1] BleepingComputer; [2] Dark Reading
Recommended Action
- Audit all OAuth and API token permissions granted to third-party Salesforce applications
- Revoke or rotate OAuth credentials for any Klue integration and other connected apps pending security review
- Monitor Salesforce audit logs for anomalous data access or download patterns linked to integrated applications
- Enforce principle of least privilege on all third-party integrations; consider requiring connector re-approval on a quarterly basis
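An added example covering the first and third bullets together (not code from the page, from Salesforce or from Klue): it compares each connected app's granted OAuth scopes with the scopes it is documented to need, then builds a per-app, per-object hourly baseline from historical API events and flags a review window for volume spikes or first-time access to an object. The app names, scope lists and events are constructed; the event fields (TIMESTAMP, CLIENT_NAME, ENTITY_NAME, ROWS_PROCESSED) are modelled loosely on Salesforce EventLogFile API events, but that mapping is an assumption of this example.

```python
"""Added example: audit third-party Salesforce integrations.

(a) overprivileged_apps(): granted scopes minus documented-as-needed scopes.
(b) flag(): hourly row volumes per app and object; spikes and new objects in a
    review window are reported against a baseline window.
All names and records below are constructed.
"""
from collections import defaultdict
from statistics import median
from typing import Dict, List, Set, Tuple

# Constructed: granted vs. documented-as-needed scopes per connected app.
CONNECTED_APPS = {
    "CompetitiveIntel Connector (constructed)": {"granted": {"api", "refresh_token", "full"},
                                                 "needed": {"api", "refresh_token"}},
    "Marketing Export (constructed)": {"granted": {"api", "refresh_token"},
                                       "needed": {"api", "refresh_token"}},
}

RATIO = 5.0      # flag an hour above 5x the app's median hourly rows for that object ...
MIN_ROWS = 1000  # ... and only when at least this many rows moved (avoids noise on tiny apps)


def overprivileged_apps(apps: Dict[str, Dict[str, Set[str]]]) -> Dict[str, Set[str]]:
    """Apps holding scopes beyond what they need, with the excess scopes."""
    return {name: app["granted"] - app["needed"]
            for name, app in apps.items() if app["granted"] - app["needed"]}


def hourly_totals(events: List[dict], start: str, end: str) -> Dict[Tuple[str, str, str], int]:
    """Sum ROWS_PROCESSED per (app, object, hour) for events with start <= TIMESTAMP < end."""
    totals: Dict[Tuple[str, str, str], int] = defaultdict(int)
    for e in events:
        if start <= e["TIMESTAMP"] < end:          # ISO-8601 strings compare lexically
            hour = e["TIMESTAMP"][:13]             # "YYYY-MM-DDTHH"
            totals[(e["CLIENT_NAME"], e["ENTITY_NAME"], hour)] += e["ROWS_PROCESSED"]
    return totals


def baseline(events: List[dict], start: str, end: str) -> Dict[Tuple[str, str], float]:
    """Median hourly rows per (app, object) over the baseline window."""
    samples: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for (app, ent, _hour), rows in hourly_totals(events, start, end).items():
        samples[(app, ent)].append(rows)
    return {key: median(vals) for key, vals in samples.items()}


def flag(events: List[dict], baseline_window: Tuple[str, str], review_window: Tuple[str, str]) -> List[dict]:
    """Findings for the review window: new objects for an app, or volume far above baseline."""
    base = baseline(events, *baseline_window)
    known: Dict[str, Set[str]] = defaultdict(set)
    for app, ent in base:
        known[app].add(ent)
    findings = []
    for (app, ent, hour), rows in sorted(hourly_totals(events, *review_window).items()):
        if ent not in known[app]:
            findings.append({"app": app, "object": ent, "hour": hour, "rows": rows,
                             "reason": "first access to object"})
        elif rows > max(RATIO * base[(app, ent)], MIN_ROWS):
            findings.append({"app": app, "object": ent, "hour": hour, "rows": rows,
                             "reason": f"volume spike (median {base[(app, ent)]:.0f}/hour)"})
    return findings


def _ev(ts: str, app: str, ent: str, rows: int) -> dict:
    return {"TIMESTAMP": ts, "CLIENT_NAME": app, "ENTITY_NAME": ent, "ROWS_PROCESSED": rows}


CI, MKT = list(CONNECTED_APPS)
# Constructed history: five quiet days, then one review day with a spike and a new object.
SAMPLE_EVENTS = [_ev(f"2026-02-{d}T09:00:12Z", CI, "Account", 200) for d in range(24, 29)]
SAMPLE_EVENTS += [_ev(f"2026-02-{d}T22:00:05Z", MKT, "Lead", 500) for d in range(24, 29)]
SAMPLE_EVENTS += [
    _ev("2026-03-02T03:11:40Z", CI, "Account", 45000),   # 225x the usual hourly volume
    _ev("2026-03-02T03:14:02Z", CI, "Contact", 30000),   # object this app never read before
    _ev("2026-03-02T22:00:09Z", MKT, "Lead", 520),       # normal
]
BASELINE_WINDOW = ("2026-02-24T00:00:00Z", "2026-03-02T00:00:00Z")
REVIEW_WINDOW = ("2026-03-02T00:00:00Z", "2026-03-03T00:00:00Z")

if __name__ == "__main__":
    print("overprivileged:", overprivileged_apps(CONNECTED_APPS))
    for f in flag(SAMPLE_EVENTS, BASELINE_WINDOW, REVIEW_WINDOW):
        print(f)
```

Feed `flag()` the rows exported from your own event log source and keep the baseline window long enough to cover each integration's normal sync schedule; the quarterly re-approval in the last bullet is where `overprivileged_apps()` output belongs.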
5. Gentlemen Ransomware: Expanding EDR Evasion Arsenal
Severity: HIGH | Affected: Technology
The Gentlemen ransomware-as-a-service (RaaS) group is actively developing and maintaining a suite of endpoint detection and response (EDR) killer tools to help affiliates evade detection during attacks [1]. The group has emerged as the second most active ransomware gang by victim count and attracts talent through an aggressive recruitment strategy offering affiliates up to 90 percent of ransom payments [2]. The continued evolution of EDR evasion capabilities underscores the operational sophistication and resources available to this threat group.
Sources: [1] BleepingComputer; [2] Krebs on Security
Recommended Action
- Ensure EDR solutions are current and all behavioral detection signatures for known EDR-killer techniques are deployed
- Implement kernel-level protections and immutable EDR agent configurations where supported
- Monitor for suspicious privilege escalation attempts and driver loading events that may indicate EDR circumvention
- Maintain isolated backups and test restoration procedures regularly
Today’s Action Checklist
- ☐ URGENT: Inventory NGINX Open Source deployments and apply F5 patches for CVE-2026-42530
- ☐ URGENT: Audit and rotate OAuth tokens for Klue and other third-party Salesforce integrations; review data access logs
- ☐ HIGH: Deploy behavioral detection and network blocking rules for Tor proxy activity and hidden-service C2 communication patterns
- ☐ HIGH: Review and strengthen remote access controls; enforce MFA on all critical systems
- ☐ HIGH: Validate EDR agent health, update evasion detection rules, and test backup/recovery procedures