
18th May – Threat Intelligence Report

Check Point Research Archived May 18, 2026 ✓ Full text saved



May 18, 2026

For the latest discoveries in cyber research for the week of 18th May, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

Vodafone, a major international telecom, has sustained a source code leak claimed by the Lapsus$ extortion group. The company confirmed limited access to GitHub files through compromised third-party development software, while stating that customer data and core network infrastructure were not affected by the incident.

Cryptocurrency platform THORChain, based in Switzerland, has encountered a security breach that led to the theft of about $10.7M. Trading was halted after one of six vaults was compromised, and the company said losses were limited to protocol-owned assets across several blockchains.

West Pharmaceutical Services, a global manufacturer of drug delivery components, has experienced a ransomware attack that disrupted shipping, manufacturing, and shared service functions. The company disclosed that some systems were encrypted and data was stolen, but no ransomware group has publicly claimed responsibility.

Foxconn, a global electronics manufacturer, has confirmed it was hit by a cyberattack on its North American operations after the Nitrogen ransomware group claimed to have stolen 8TB of data. The company confirmed disruption at some factories and said affected facilities were resuming normal production.

AI THREATS

Researchers unveiled ‘Claw Chain’, four vulnerabilities in OpenClaw, an autonomous AI agent platform, that allow attackers to bypass sandbox controls, expose restricted files, leak secrets, and gain owner-level access. The flaws include the critical CVE-2026-44112, rated CVSS 9.6.

Researchers developed an AI-assisted macOS kernel exploit that bypasses Apple’s Memory Integrity Enforcement on M5 chips and grants full system control on macOS 26.4.1. Anthropic’s Mythos Preview reportedly accelerated bug discovery, and the findings were privately reported to Apple before public disclosure.

Researchers detailed how threat actors abuse Vercel’s AI website generator, v0.dev, to mass-produce realistic phishing pages mimicking brands such as Microsoft and Spotify. The campaigns utilize Telegram bots to capture credentials and payment details in real time.

Researchers found a popular Hugging Face repository hiding Windows-targeting malware after it amassed over 200,000 downloads. The package posed as OpenAI’s privacy filter and installed an infostealer that harvested browser passwords, cookies, SSH keys, VPN configurations, and cryptocurrency wallets before exfiltrating the data.

VULNERABILITIES AND PATCHES

Two Windows zero-day vulnerabilities, YellowKey and GreenPlasma, affect Windows 11 and recent Windows Server versions. YellowKey allows BitLocker bypass through Windows Recovery Environment with physical access, while GreenPlasma abuses the CTFMON framework to escalate privileges to SYSTEM. Proof-of-concept code is public, and the vulnerabilities are still unpatched.

F5 has fixed CVE-2026-42945, a critical memory flaw in the NGINX rewrite module affecting versions 0.6.27 through 1.30.0. The 18-year-old bug enables denial of service and, under specific configurations, possible remote code execution. Public exploit code requires memory protections to be disabled.
Check Point IPS provides protection against this threat (Nginx Heap Overflow (CVE-2026-42945)).

Cisco has addressed CVE-2026-20182, a critical authentication bypass in Catalyst SD-WAN controllers that is being actively exploited. The flaw allows remote, unauthenticated attackers to gain full administrative control of affected systems. CISA ordered federal agencies to patch vulnerable devices following Cisco’s fixes.

Apple has released security updates for CVE-2026-28819, an out-of-bounds write flaw in the Wi-Fi component affecting iOS, iPadOS, and macOS. Successful exploitation could allow an app to execute code with kernel privileges. The issue was addressed with improved bounds checking.

THREAT INTELLIGENCE REPORTS

Check Point Research has analyzed an internal leak from The Gentlemen ransomware operation, exposing chats, infrastructure details, affiliate roles, and ransom negotiations. The report links the zeta88 account to the administrator, maps 8 affiliate TOX IDs, and details the use of Fortinet and Cisco vulnerabilities as well as NTLM relay and OWA/M365 for initial access in attacks.
Check Point Threat Emulation and Harmony Endpoint provide protection against this threat.

Check Point Research has summarized Q1 2026 ransomware trends, recording 2,122 leak-site victims, which is the second-highest Q1 on record, and renewed consolidation. The top 10 groups were responsible for 71% of victims. Qilin led with 338 victims, The Gentlemen rose to third, and LockBit 5.0 returned with 163 victims.

Check Point Research has quantified a World Cup 2026-driven surge in cyber activity, with weekly attacks per organization rising in Mexico, Canada, and the United States in April, across the media, hospitality, transportation and travel sectors. FIFA-themed domains reached 9,741 in April, and by early May, one in 41 were malicious.

Researchers attributed a months-long intrusion against an Azerbaijani oil and gas company to the Chinese-linked FamousSparrow group. Attackers exploited an unpatched Microsoft Exchange server to deploy web shells, then alternated between Deed RAT and TernDoor across three waves of persistent activity.
Article Info
Source: Check Point Research
Category: Threat Intelligence
Published: May 18, 2026
Archived: May 18, 2026