Malware Activity
When Trusted Platforms Become the Delivery Vehicle for Malware
Recent research highlights two (2) growing malware campaigns that show how attackers exploit trust and familiarity to bypass security controls. In the first, Mac users searching Google for a Claude AI download are lured by sponsored ads that appear legitimate and lead to shared Claude chat pages posing as official setup guides. These guides trick users into pasting Terminal commands that quietly install malware which runs mostly in memory, changes its code frequently, and steals sensitive data such as browser credentials and keychain contents. In a separate but equally concerning campaign, a banking trojan called TCLBanker spreads through fake software installers that mimic trusted applications, such as a signed Logitech program, which makes the malware harder to detect. Once active, TCLBanker targets users in Brazil, displays convincing fake banking screens to steal login details, and spreads automatically by hijacking WhatsApp and Microsoft Outlook accounts to message trusted contacts. Together, these campaigns show how attackers increasingly abuse trusted brands, platforms, and everyday tools to lower user suspicion, spread malware quickly, and steal sensitive financial and personal data. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
- BleepingComputer: Hackers Abuse Google Ads, Claude.ai Chats to Push Mac Malware article
- TheHackerNews: TCLBANKER Banking Trojan Targets Financial Platforms Via WhatsApp and Outlook Worms article
Threat Actor Activity
ShinyHunters Breach Disrupts Canvas and Threatens Massive Student Data Leak
ShinyHunters has again breached Instructure, the education technology giant and maker of the widely used Canvas learning platform, leading to exam delays and outages across hundreds of US universities and K-12 districts. After an initial late-April attack in which the group claims to have stolen up to 3.6 TB of data from thousands of schools, it exploited a vulnerability to deface roughly 330 Canvas login portals and the app with an extortion message demanding ransom by May 12, or student data would be leaked. Instructure briefly took Canvas offline, tied the defacement to abuse of Free-For-Teacher accounts, and temporarily shut those accounts down while restoring service. The company says the first breach exposed names, emails, IDs, and messages, but that no new data was taken in the second incident. ShinyHunters is a long-running data theft and extortion brand active since 2018 and is now among the most prolific actors targeting Salesforce and other cloud SaaS environments, with victims including Google, Cisco, Pornhub, and Match Group. The group often breaches third-party integrators, steals SSO tokens via vishing and device code scams, and then raids connected services such as Microsoft 365, Google Workspace, and Salesforce. Despite multiple arrests tied to Snowflake, PowerSchool, and Breached v2, extortion emails signed “We are ShinyHunters” continue to surface. Authorities including the FBI and CISA were notified.
Vulnerabilities
Dirty Frag: Linux Zero-Day Enables Reliable Root Privilege Escalation
A newly disclosed Linux zero-day dubbed “Dirty Frag,” also known as “Copy Fail 2,” allows unprivileged local users to reliably escalate privileges to root on most major Linux distributions and may already be under active exploitation in the wild. The exploit chains two (2) kernel vulnerabilities (CVE-2026-43284 in the xfrm-ESP IPsec component and CVE-2026-43500 in the RxRPC subsystem) to modify protected, read-only system files in memory (the page cache) without authorization. The underlying weakness dates back roughly nine (9) years to the Linux kernel’s algif_aead cryptographic interface and belongs to the same vulnerability class as Dirty Pipe and Copy Fail, but it is considered especially dangerous because exploitation is deterministic, does not rely on race conditions, avoids kernel crashes, and has a very high success rate. Affected systems include Ubuntu, Red Hat Enterprise Linux, CentOS Stream, AlmaLinux, Fedora, and openSUSE Tumbleweed, with potential implications for containerized environments as well, since containers share the host kernel. Public disclosure accelerated after a third party leaked exploit details before patches were available, prompting the researcher, Kim, to release full technical documentation and proof-of-concept code. Microsoft reported observing limited suspicious activity potentially linked to Dirty Frag or Copy Fail exploitation, with attackers using compromised SSH accounts, web shells, service account abuse, or remote access compromises to gain initial access before escalating privileges. Observed post-exploitation activity included modification of GLPI LDAP authentication files, system reconnaissance, deletion of PHP session files, and access to remaining session data, indicating attempts to disrupt operations and hijack sessions. Linux vendors including Red Hat, Canonical, Fedora, AlmaLinux, and Amazon have begun releasing patches and mitigations as concern continues to grow around actively exploited Linux kernel privilege escalation vulnerabilities.
CTIX analysts urge affected administrators to patch and apply vendor mitigations immediately. Because the flaw requires a local foothold, hosts should also be reviewed for the initial-access vectors noted above (compromised SSH accounts, web shells, and abused service accounts), and containerized workloads should be treated as exposed until the host kernel is updated.
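As an added example (not code from the advisory, Microsoft, or any Linux vendor), the following POSIX shell script triages a host's exposure to the kernel components named above. It assumes the relevant loadable modules are esp4 and esp6 (xfrm/ESP), rxrpc (RxRPC) and algif_aead, and that a vendor mitigation takes the form of refusing to load them with an `install <module> /bin/false` line in modprobe.d; confirm both assumptions against your distribution's advisory. The script cannot tell whether the running kernel already carries the fix, so a clean report is not a substitute for patching.

```shell
#!/bin/sh
# Added exposure-triage example for the Dirty Frag / Copy Fail class; not code
# from the advisory or any vendor. ASSUMPTIONS: the module names below are the
# loadable modules behind the components named in the write-up (xfrm/ESP ->
# esp4/esp6, RxRPC -> rxrpc, plus algif_aead), and the vendor mitigation is an
# "install <mod> /bin/false" line in modprobe.d. This script does not know
# whether the running kernel carries the fix; patching is the real remedy.

MODULES="esp4 esp6 rxrpc algif_aead"

# loaded_modules LSMOD_FILE: watch-list modules present in an lsmod(8) snapshot.
loaded_modules() {
    awk -v want="$MODULES" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) watch[w[i]] = 1 }
        NR > 1 && ($1 in watch) { print $1 }' "$1"
}

# module_builtin NAME BUILTIN_FILE: true if NAME is compiled into the kernel image
# according to a modules.builtin listing (lines such as kernel/net/ipv4/esp4.ko).
# A built-in cannot be blacklisted or unloaded; only a kernel update removes it.
module_builtin() {
    grep -Eq "/$1"'\.ko(\.[a-z]+)?$' "$2" 2>/dev/null
}

# module_blocked NAME MODPROBE_DIR: true if some DIR/*.conf refuses explicit loads
# with "install NAME /bin/false" (or /bin/true). A bare "blacklist NAME" is NOT
# counted: it only stops alias-driven autoload, and "modprobe NAME" still works.
module_blocked() {
    grep -hEq '^[[:space:]]*install[[:space:]]+'"$1"'[[:space:]]+/bin/(false|true)([[:space:]]|$)' \
        "$2"/*.conf 2>/dev/null
}

# report LSMOD_FILE BUILTIN_FILE MODPROBE_DIR: prints one "NAME STATUS" line per module.
#   BUILTIN   in the kernel image: only patching helps
#   LOADED    resident now: blocking future loads does not unload it
#   BLOCKED   not loaded and explicit loads are refused
#   LOADABLE  not loaded, but the kernel autoloads it on demand (a bind() on an
#             AF_ALG socket for type "aead", or an AF_RXRPC socket, is enough)
report() {
    loaded=$(loaded_modules "$1")
    for m in $MODULES; do
        if module_builtin "$m" "$2"; then
            echo "$m BUILTIN"
        elif printf '%s\n' "$loaded" | grep -qx "$m"; then
            echo "$m LOADED"
        elif module_blocked "$m" "$3"; then
            echo "$m BLOCKED"
        else
            echo "$m LOADABLE"
        fi
    done
}

# demo: runs report over CONSTRUCTED inputs (not captured from any real host).
demo() {
    d=$(mktemp -d)
    printf 'Module Size Used by\nrxrpc 0 0\nxfrm_user 0 0\nesp4 0 0\n' > "$d/lsmod"
    printf 'kernel/crypto/algif_aead.ko\nkernel/fs/ext4/ext4.ko\n' > "$d/modules.builtin"
    mkdir "$d/modprobe.d"
    printf 'install esp6 /bin/false\nblacklist rxrpc\n' > "$d/modprobe.d/harden.conf"
    report "$d/lsmod" "$d/modules.builtin" "$d/modprobe.d"
    rm -rf "$d"
}

# live: the same report for the current host (needs lsmod and a readable
# /lib/modules/<release>/modules.builtin).
live() {
    t=$(mktemp)
    lsmod > "$t"
    report "$t" "/lib/modules/$(uname -r)/modules.builtin" /etc/modprobe.d
    rm -f "$t"
}

case "${1:-}" in
    --demo) demo ;;
    --live) live ;;
esac
```

Run it with `--demo` to see the report over the constructed inputs (esp4 and rxrpc LOADED, esp6 BLOCKED, algif_aead BUILTIN) and with `--live` to inspect the current host. The statuses carry the caveats a practitioner needs: LOADABLE is not safe, because the kernel loads these modules on demand and an unprivileged process can trigger that; LOADED means a modprobe rule added now does nothing until the module is unloaded or the host reboots; BUILTIN means no modprobe configuration can help at all. A bare `blacklist` line is deliberately not counted as a block.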
📧 Never Miss a Briefing
Stay informed and secure. Subscribe to Ankura’s Cyber Flash Update, a bi-weekly briefing curated by our top cybersecurity experts. Receive timely insights on emerging threats, vulnerabilities and malicious actors to keep your systems secure.
Join the Cyber Flash Update community today.

© Copyright 2026. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
