Executive Summary
- VENOMOUS#HELPER phishing campaign has compromised 80+ organizations using legitimate RMM tools (SimpleHelp and ScreenConnect) for persistent remote access since April 2025
- Progress Software released patches for a critical MOVEit Automation authentication bypass vulnerability (CVE pending); a critical cPanel vulnerability (CVE-2026-41940) must be patched by federal agencies by Sunday under a CISA mandate
- Supply-chain attacks intensifying: backdoored PyTorch Lightning package on PyPI delivers credential stealers; Trellix source code repository and DigiCert support portal breached
- State-sponsored Russian military intelligence harvesting Microsoft Office authentication tokens via compromised router exploits targeting mass user bases
- Cryptocurrency theft reaching historic levels, with North Korean actors responsible for 76% of 2026 crypto heists and increasingly AI-assisted
Top Threats Today
1. RMM-Based Phishing Campaign (VENOMOUS#HELPER)
Severity: CRITICAL | Affected: Technology, Finance, Government
An active phishing campaign codenamed VENOMOUS#HELPER has targeted over 80 organizations since April 2025, leveraging legitimate Remote Monitoring and Management (RMM) software including SimpleHelp and ScreenConnect to establish persistent remote access. Attackers abuse the trust placed in these management tools to maintain long-term access to compromised infrastructure, making detection significantly more difficult than traditional malware delivery.
Recommended Action
- Audit all RMM tool deployments; cross-reference with vendor threat intelligence for indicators of compromise
- Implement network segmentation isolating RMM tools from critical infrastructure and data repositories
- Enable enhanced logging and monitoring for RMM administrative activities; flag unexpected access patterns
- Review recent RMM activity logs for unauthorized connections or privilege escalation attempts
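The audit steps above, as an added example that is not code from the report or from either RMM vendor: a Python script that cross-references an endpoint software inventory and an RMM session log against an approval list, flagging unapproved deployments, approved deployments installed after the campaign start, and sessions from unknown operator accounts, outside business hours, or to hosts with no sanctioned RMM. The inventory rows, session records, hostnames, operator accounts and business-hours window are all constructed for this example; the record layout is this script's own, not any vendor's export format.

```python
"""Cross-reference an RMM inventory and RMM session log against an approval list.

Added example. All data below is constructed; the field layout is defined by
this script and is not SimpleHelp's or ScreenConnect's export format.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Products treated as RMM tooling: the two named in the report.
RMM_PRODUCTS = {"SimpleHelp", "ScreenConnect"}

# Sanctioned (hostname, product) deployments. Constructed sample data.
APPROVED = {
    ("help-desk-01", "ScreenConnect"),
    ("help-desk-02", "ScreenConnect"),
}

# Constructed inventory as an endpoint agent might report it.
INVENTORY = [
    {"host": "help-desk-01",  "product": "ScreenConnect", "installed": "2024-11-03"},
    {"host": "help-desk-02",  "product": "ScreenConnect", "installed": "2025-05-10"},
    {"host": "finance-ws-17", "product": "SimpleHelp",    "installed": "2025-06-12"},
    {"host": "dc-01",         "product": "ScreenConnect", "installed": "2025-09-01"},
    {"host": "dev-ws-04",     "product": "VS Code",       "installed": "2025-01-20"},
]

# Constructed RMM session records and the operator accounts IT actually uses.
KNOWN_OPERATORS = {"it.alice", "it.bob"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))
SESSIONS = [
    {"ts": "2025-10-02T10:15:00", "host": "help-desk-01",  "operator": "it.alice"},
    {"ts": "2025-10-02T23:41:00", "host": "help-desk-01",  "operator": "it.bob"},
    {"ts": "2025-10-03T02:07:00", "host": "finance-ws-17", "operator": "support7731"},
]


@dataclass
class Finding:
    host: str
    detail: str   # product (inventory findings) or operator (session findings)
    reason: str


def audit_inventory(inventory, approved, campaign_start="2025-04-01"):
    """Flag RMM installs that are unapproved, or approved but installed after the campaign began."""
    start = datetime.fromisoformat(campaign_start).date()
    findings = []
    for item in inventory:
        if item["product"] not in RMM_PRODUCTS:
            continue
        key = (item["host"], item["product"])
        installed = datetime.fromisoformat(item["installed"]).date()
        if key not in approved:
            findings.append(Finding(item["host"], item["product"], "unapproved RMM deployment"))
        elif installed >= start:
            findings.append(Finding(item["host"], item["product"],
                                    "approved but installed after campaign start; re-verify"))
    return findings


def audit_sessions(sessions, approved, operators=KNOWN_OPERATORS, hours=BUSINESS_HOURS):
    """Flag sessions by unknown operators, outside business hours, or to hosts with no approved RMM."""
    approved_hosts = {host for host, _ in approved}
    findings = []
    for s in sessions:
        ts = datetime.fromisoformat(s["ts"])
        reasons = []
        if s["operator"] not in operators:
            reasons.append("unknown operator account")
        if not (hours[0] <= ts.time() < hours[1]):
            reasons.append("outside business hours")
        if s["host"] not in approved_hosts:
            reasons.append("session to host with no approved RMM deployment")
        if reasons:
            findings.append(Finding(s["host"], s["operator"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in audit_inventory(INVENTORY, APPROVED) + audit_sessions(SESSIONS, APPROVED):
        print(f"{f.host:<14} {f.detail:<14} {f.reason}")
```

Feed the script your real inventory export and session log by replacing the two constructed lists; the approval set is the control that turns a list of installs into a list of exceptions to review.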
2. Critical cPanel Authentication Bypass (CVE-2026-41940)
Severity: CRITICAL | Affected: Technology, Government, Finance
CISA has mandated federal agencies patch a critical cPanel vulnerability (CVE-2026-41940) by Sunday. Successful exploitation grants attackers complete control over cPanel hosts, configurations, databases, and managed websites. Multiple proof-of-concept exploits have appeared post-disclosure, with researcher claims of zero-day activity dating back one month. This vulnerability represents an immediate threat to all organizations running cPanel infrastructure.
Recommended Action
- Prioritize cPanel patching above all other systems; treat as emergency response protocol
- If patching cannot be completed by deadline, implement WAF rules and access controls to restrict cPanel exposure
- Scan web server logs for exploitation attempts; monitor for suspicious administrative activity
- Verify integrity of databases and website files post-patching
3. Progress MOVEit Automation Authentication Bypass
Severity: CRITICAL | Affected: Finance, Technology, Government
Progress Software released patches for two security flaws in MOVEit Automation (formerly Central), including a critical authentication bypass vulnerability in their managed file transfer (MFT) solution. Organizations using MOVEit for secure file scheduling and automation face immediate risk of unauthorized access to file transfer operations and potentially sensitive data in transit.
Recommended Action
- Deploy Progress MOVEit Automation patches immediately across all instances
- Review file transfer logs for unauthorized access or unusual data movement patterns
- Verify all user accounts and API credentials remain valid and uncompromised post-patch
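The log-review step above, as an added example that is not code from the report or from Progress: a Python script that builds a per-account baseline of daily outbound transfer volume and flags the latest day when it is far above that baseline, or when an account that has never sent data outbound suddenly does. The log lines and account names are constructed for this example; the line format is this script's own and is not MOVEit Automation's log format, so the parser is the piece to adapt.

```python
"""Flag unusual outbound data movement in managed file transfer logs.

Added example. The log format (date account direction bytes) and the sample
lines are constructed for this example, not MOVEit Automation's own format.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: five normal days for a payroll feed, then one very
# large day; a backup account that only ever pulls data, then pushes once.
TRANSFER_LOG = """\
2025-10-01 svc-payroll OUT 52000000
2025-10-02 svc-payroll OUT 48000000
2025-10-03 svc-payroll OUT 51000000
2025-10-04 svc-payroll OUT 50000000
2025-10-05 svc-payroll OUT 49000000
2025-10-06 svc-payroll OUT 1900000000
2025-10-01 svc-backup IN 900000000
2025-10-02 svc-backup IN 910000000
2025-10-03 svc-backup IN 905000000
2025-10-04 svc-backup IN 895000000
2025-10-05 svc-backup IN 900000000
2025-10-06 svc-backup IN 902000000
2025-10-06 svc-backup OUT 300000000
"""


def parse_log(text):
    """Parse the constructed format into (date, account, direction, bytes) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, account, direction, nbytes = line.split()
        rows.append((date, account, direction, int(nbytes)))
    return rows


def daily_outbound(rows):
    """Aggregate outbound bytes per account per day: {account: {date: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for date, account, direction, nbytes in rows:
        if direction == "OUT":
            totals[account][date] += nbytes
    return totals


def flag_anomalies(totals, min_history=3, sigma=3.0, ratio=5.0):
    """Return (account, date, bytes, reason) for each account whose latest day is anomalous.

    A day is anomalous when it exceeds both `ratio` times the baseline mean and
    `sigma` standard deviations above it (both, so a tiny but steady feed is not
    flagged by a small absolute change), or when the account has no prior
    outbound history at all. Accounts with fewer than `min_history` baseline
    days are skipped rather than judged on too little data.
    """
    findings = []
    for account, by_date in totals.items():
        dates = sorted(by_date)
        latest = dates[-1]
        history = [by_date[d] for d in dates[:-1]]
        value = by_date[latest]
        if not history:
            findings.append((account, latest, value, "first outbound transfer seen for account"))
            continue
        if len(history) < min_history:
            continue
        mu, sd = mean(history), pstdev(history)
        z = (value - mu) / sd if sd else float("inf")
        if value > ratio * mu and z > sigma:
            findings.append((account, latest, value, f"{value / mu:.1f}x baseline mean"))
    return findings


if __name__ == "__main__":
    for account, date, nbytes, reason in flag_anomalies(daily_outbound(parse_log(TRANSFER_LOG))):
        print(f"{date} {account:<12} {nbytes:>12,} bytes  {reason}")
```

The two thresholds are deliberately coarse; the point is a baseline per account, since a volume that is routine for a backup service account is a red flag for a payroll feed.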
4. Supply-Chain Malware – Backdoored PyTorch Lightning Package
Severity: CRITICAL | Affected: Technology, Defense
A malicious version of the PyTorch Lightning package published on the Python Package Index (PyPI) delivers credential-stealing payloads targeting browser credentials, environment files, and cloud service authentication. This supply-chain attack compromises development environments and can propagate credential theft across multiple organizational systems. All organizations running Python-based AI/ML workloads are at risk.
Recommended Action
- Audit all PyTorch Lightning installations; identify version and deployment timestamps
- Isolate and regenerate all authentication credentials (API keys, cloud service tokens, passwords) on affected systems
- Scan affected machines for credential-stealing malware; run forensic analysis on file systems
- Implement dependency pinning and package verification in development pipelines
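The package-verification step above, as an added example that is not code from the report, from pip or from the PyTorch Lightning project: a Python script that parses pip's hash-pinned requirement syntax (`name==version --hash=sha256:<hex>`, the form `pip install --require-hashes` enforces), verifies a downloaded artifact's digest against the pin, and lists lock-file entries that carry no pin at all. The sample wheel bytes and the `X.Y.Z` version are constructed placeholders; the report names no specific malicious version, so none is used here.

```python
"""Verify Python package artifacts against hash-pinned requirement lines.

Added example. The `--hash=` syntax is pip's own; the parser and checks here
are written for this example and are not pip's code. SAMPLE_WHEEL is a
constructed stand-in for a real downloaded wheel.
"""
import hashlib
import re

# One requirement per line: name==version followed by zero or more --hash= options.
REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9_.\-]+)==([^\s\\]+)((?:\s+--hash=\w+:[0-9a-fA-F]+)*)\s*\\?\s*$"
)
HASH_RE = re.compile(r"--hash=(\w+):([0-9a-fA-F]+)")

# Constructed stand-in for pytorch_lightning-X.Y.Z-py3-none-any.whl (not real wheel content).
SAMPLE_WHEEL = b"PK\x03\x04 constructed stand-in for a pytorch-lightning wheel"


def parse_requirement(line):
    """Return (normalized name, version, {algo: {hexdigest, ...}}), or None if not a pinned requirement."""
    m = REQ_RE.match(line)
    if not m:
        return None
    name, version, hashes = m.group(1), m.group(2), {}
    for algo, digest in HASH_RE.findall(m.group(3)):
        hashes.setdefault(algo.lower(), set()).add(digest.lower())
    # PyPI treats "-" and "_" as equivalent and names as case-insensitive.
    return name.lower().replace("_", "-"), version, hashes


def pin_line(name, version, artifact: bytes, algo="sha256"):
    """Build a hash-pinned requirement line from an artifact that has been reviewed and trusted."""
    digest = hashlib.new(algo, artifact).hexdigest()
    return f"{name}=={version} --hash={algo}:{digest}"


def verify_artifact(line, artifact: bytes):
    """Return 'ok', 'mismatch' or 'unpinned' for an artifact checked against its requirement line.

    As with pip, any one of the listed digests matching is sufficient (a pin may
    list several hashes for different wheels of the same version).
    """
    parsed = parse_requirement(line)
    if parsed is None or not parsed[2]:
        return "unpinned"
    _, _, hashes = parsed
    for algo, digests in hashes.items():
        if hashlib.new(algo, artifact).hexdigest() in digests:
            return "ok"
    return "mismatch"


def unpinned_requirements(lines):
    """Names of requirement lines with no hash pin; --require-hashes would refuse to install these."""
    out = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parsed = parse_requirement(line)
        if parsed is None or not parsed[2]:
            out.append(parsed[0] if parsed else line.strip())
    return out


if __name__ == "__main__":
    pinned = pin_line("pytorch-lightning", "X.Y.Z", SAMPLE_WHEEL)
    print(pinned)
    print("genuine artifact:", verify_artifact(pinned, SAMPLE_WHEEL))
    print("altered artifact:", verify_artifact(pinned, SAMPLE_WHEEL + b"\x00"))
    print("unpinned entries:", unpinned_requirements(["# lock", "requests==2.0.0", pinned]))
```

A lock file where every entry carries a hash, installed with `pip install --require-hashes -r requirements.txt`, means a republished or substituted artifact fails the install instead of reaching the build host; generating the pins from artifacts you have actually reviewed is the step that gives the hashes their meaning.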
5. Russian State-Sponsored Router Exploitation for Token Harvesting
Severity: CRITICAL | Affected: Government, Defense, Finance
Russian military intelligence units are exploiting known vulnerabilities in older internet routers to mass harvest authentication tokens from Microsoft Office users. This campaign allows state-backed actors to quietly siphon Office 365 credentials at scale, bypassing traditional network security controls by operating at the network perimeter. The attack impacts organizations across government, defense, and financial sectors.
Recommended Action
- Audit router inventory and identify all legacy/end-of-life devices; prioritize replacement or decommissioning
- Apply all available router firmware patches immediately; verify update deployment
- Implement network access controls limiting router administrative access to hardened jump hosts
- Monitor for suspicious outbound token-like traffic patterns; enforce token expiration policies
- Enable multi-factor authentication for all Microsoft Office 365 accounts
Today’s Action Checklist
- ☐ URGENT: Verify cPanel patch deployment across all infrastructure; establish 48-hour emergency patching window
- ☐ URGENT: Audit PyTorch Lightning package installations; regenerate all credentials on affected systems
- ☐ URGENT: Review RMM tool (SimpleHelp, ScreenConnect) access logs for unauthorized administrative activity
- ☐ HIGH: Deploy Progress MOVEit Automation patches; verify successful deployment
- ☐ HIGH: Conduct router firmware audit; prioritize patches for CVEs exploited by Russian actors
- ☐ HIGH: Enable multi-factor authentication on all cloud service accounts and administrative access
- ☐ MEDIUM: Review CISA KEV list for additional exploitation confirmation and mitigation guidance
- ☐ MEDIUM: Conduct tabletop exercise simulating RMM tool compromise response procedures