Malware Activity
Rising Threats Target Both Network Infrastructure and Software Supply Chains
Recent cybersecurity activity highlights two rapidly evolving threats targeting both infrastructure and software ecosystems. The C0XMO botnet is actively exploiting a known vulnerability in DD-WRT router firmware, allowing attackers to take control of unpatched devices without authentication and spread across routers, DVRs, and other Linux-based systems. Once inside, it scans for additional targets, uses weak credentials to expand, and launches large-scale DDoS attacks while maintaining persistence by hiding in system files and restarting itself automatically. At the same time, supply chain attacks like Miasma and IronWorm are targeting developers by abusing trusted software distribution processes. These threats spread through compromised accounts and malicious package updates, quietly stealing credentials such as API keys and cloud access tokens, and then use that access to infect additional repositories and projects. What makes these campaigns especially dangerous is that they appear as normal activity, whether routine code commits or standard dependency updates, which makes detection difficult. Together, these threats demonstrate a broader shift in attacker strategy, combining infrastructure exploitation with deep infiltration of development pipelines and ultimately increasing risk for organizations that rely on connected devices and open-source software. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
- BleepingComputer: C0XMO Botnet Spreads Via DD-WRT Router Flaw, Kills Rival Malware
- TheHackerNews: Miasma Worm Hits 73 Microsoft GitHub Repositories in Major Supply Chain Attack
- TheHackerNews: IronWorm and New Miasma Worm Variant Hit npm in Supply Chain Attacks
Threat Actor Activity
UNC3753/Silent Ransom Group Using Vishing and Fake IT Support to Extort US Law Firms
UNC3753, also known as Silent Ransom Group, Luna Moth, and Chatty Spider, is running a fast, financially motivated data-theft extortion campaign against US legal, professional, and financial services firms (tracked from January to May 2026). The group starts with benign invoice-themed emails from consumer accounts to create a pretext, then follows up with vishing calls while impersonating internal IT helpdesk staff. Victims are guided into Zoom/Teams/Quick Assist sessions and convinced to install legitimate RMM tools such as AnyDesk, Zoho Assist, Bomgar, or SuperOps, often with links and commands shared via self-destructing notes on
- Bleeping Computer: UNC3753 article
- The Hacker News: UNC3753 article
- Google: UNC3753 report
- FBI: UNC3753 advisory
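The campaign above relies on victims installing legitimate RMM tools during a fake helpdesk call, so a defender's first hunt is for those tools appearing where the organisation did not deploy them. The following is an added example, not code from the article or from any vendor: it runs a simple detection over constructed process-creation events, flagging any RMM tool the helpdesk has not approved, and any approved tool that was started from a call, browser or desktop session rather than by management tooling. The log format, the executable names, the approved-tool list and the parent-process list are all assumptions and should be replaced with the environment's own.

```python
import re

# Executable names for the RMM tools named in the campaign (assumed names,
# chosen to resemble the vendors' installers; not taken from the article).
RMM_TOOLS = {
    "anydesk.exe": "AnyDesk",
    "zohoassist.exe": "Zoho Assist",
    "bomgar-scc.exe": "Bomgar",
    "superops.exe": "SuperOps",
}
# RMM tools the organisation's own helpdesk is allowed to use (assumption).
APPROVED_RMM = {"Bomgar"}
# Parent processes that indicate a user started the tool during a call or
# screen-share rather than via managed deployment (assumption; tune locally).
SESSION_PARENTS = {"zoom.exe", "teams.exe", "quickassist.exe",
                   "chrome.exe", "msedge.exe", "explorer.exe"}

# Constructed process-creation log format, one event per line.
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                    r"parent=(?P<parent>\S+) image=(?P<image>.+)$")

def analyse(lines):
    """Return (host, user, tool, reason) for every suspicious RMM launch."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the hunt
        image = m["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        tool = RMM_TOOLS.get(image)
        if tool is None:
            continue  # not an RMM tool we track
        parent = m["parent"].lower()
        if tool not in APPROVED_RMM:
            reason = "unapproved RMM tool"
        elif parent in SESSION_PARENTS:
            reason = "approved RMM tool started from a user session"
        else:
            continue  # approved tool launched by deployment tooling
        findings.append((m["host"], m["user"], tool, reason))
    return findings

# Constructed sample events (not real telemetry).
SAMPLE_LOG = [
    "2026-05-12T14:02:11Z host=WS01 user=jdoe parent=zoom.exe image=C:\\Users\\jdoe\\Downloads\\AnyDesk.exe",
    "2026-05-12T14:05:40Z host=WS02 user=asmith parent=services.exe image=C:\\Program Files\\Bomgar\\bomgar-scc.exe",
    "2026-05-12T14:07:03Z host=WS03 user=bkim parent=msedge.exe image=C:\\Users\\bkim\\AppData\\Local\\Temp\\ZohoAssist.exe",
    "2026-05-12T14:09:55Z host=WS04 user=cwong parent=explorer.exe image=C:\\Temp\\bomgar-scc.exe",
    "2026-05-12T14:10:10Z host=WS05 user=dlee parent=explorer.exe image=C:\\Windows\\notepad.exe",
]

if __name__ == "__main__":
    for host, user, tool, reason in analyse(SAMPLE_LOG):
        print(f"{host} {user} {tool}: {reason}")
```

The same logic maps directly onto Sysmon Event ID 1 or EDR process-creation telemetry once the regular expression is swapped for the real field names.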
Vulnerabilities
Check Point Zero-Day VPN Authentication Bypass Exploited in Targeted Attacks, Linked to Qilin Ransomware
Check Point has released security updates to address a critical authentication bypass vulnerability that has been actively exploited as a zero-day against Remote Access VPN, Mobile Access, and Spark firewall deployments. The flaw, tracked as CVE-2026-50751, allows unauthenticated remote attackers to establish VPN access by bypassing authentication requirements, but only affects systems that are configured to use the deprecated IKEv1 key exchange protocol, accept legacy Remote Access clients, and do not require machine certificate authentication. Check Point observed exploitation beginning on May 7, 2026, with activity increasing in early June and impacting several dozen organizations globally. In at least one (1) confirmed case, post-compromise activity was linked to a Qilin ransomware affiliate, highlighting the vulnerability's potential use as an initial access vector for ransomware operations. During its investigation, Check Point also identified a second flaw, CVE-2026-50752, which affects certificate validation in IKEv1 and could enable man-in-the-middle (MiTM) attacks against site-to-site VPN connections, although no active exploitation has been observed. Customers are strongly urged to apply patches immediately and, where patching is delayed, to disable legacy Remote Access client support, migrate to IKEv2, enforce machine certificate authentication, and enable IPS protections. The disclosure further underscores the ongoing security risks posed by legacy VPN configurations and deprecated protocols that remain exposed in enterprise environments. CTIX analysts urge any affected readers to follow the Check Point guidance to prevent exploitation.
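Because CVE-2026-50751 is only reachable when all three legacy settings coincide, the useful check for a fleet of gateways is to separate the ones that meet the full exploitable combination from those that merely carry a hardening gap. This is an added example, not Check Point's tooling or the vendor's configuration format: it parses a constructed, flat export of gateway settings (the field names and values are assumptions), reports which gateways match the exploitable combination, and lists the interim mitigations from the advisory that each gateway still lacks.

```python
# Constructed export format: one gateway per line, "name key=value ...".
# Field names are assumptions for this example, not Check Point's own.
SAMPLE_EXPORT = """\
gw-hq      ike_version=1 legacy_ra_clients=on  machine_cert=off ips=off
gw-branch  ike_version=1 legacy_ra_clients=on  machine_cert=on  ips=on
gw-dc      ike_version=2 legacy_ra_clients=off machine_cert=on  ips=on
gw-lab     ike_version=1 legacy_ra_clients=off machine_cert=off ips=off
"""

# Interim mitigations named in the advisory, keyed by the setting they fix.
MITIGATIONS = {
    "legacy_ra_clients": "disable legacy Remote Access client support",
    "ike_version": "migrate to IKEv2",
    "machine_cert": "enforce machine certificate authentication",
    "ips": "enable IPS protections",
}

def parse_export(text):
    """Turn the flat export into {gateway_name: {setting: value}}."""
    gateways = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, *pairs = line.split()
        gateways[name] = dict(p.split("=", 1) for p in pairs)
    return gateways

def assess(cfg):
    """Return (exploitable, missing_mitigations) for one gateway.

    Exploitable only when IKEv1 is in use AND legacy Remote Access clients
    are accepted AND machine certificate authentication is not required,
    which is the precondition described for CVE-2026-50751.
    """
    gaps = []
    if cfg.get("legacy_ra_clients") == "on":
        gaps.append("legacy_ra_clients")
    if cfg.get("ike_version") == "1":
        gaps.append("ike_version")
    if cfg.get("machine_cert") != "on":   # unset is treated as not enforced
        gaps.append("machine_cert")
    if cfg.get("ips") != "on":
        gaps.append("ips")
    core = {"legacy_ra_clients", "ike_version", "machine_cert"}
    return core.issubset(gaps), [MITIGATIONS[g] for g in gaps]

def triage(text):
    """Map gateway name -> (exploitable, [mitigations still missing])."""
    return {name: assess(cfg) for name, cfg in parse_export(text).items()}
```

Gateways flagged as exploitable should be patched first; the remaining mitigation lists show what to fix on gateways that are not exploitable today but still run the deprecated configuration.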
© Copyright 2026. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
